Академический Документы
Профессиональный Документы
Культура Документы
Several techniques are available in the literature for detecting the intrusion
behaviour. In recent times, intrusion detection has received a lot of interest among the
researchers since it is widely applied for preserving the security within a network.
S. F. Owens and R. R. Levary have stated that intruder detection systems have
been commonly constructed using expert system technology. But, Intrusion Detection
System (IDS) researchers have been biased in constructing systems that are difficult to
handle, lack insightful user interfaces and are inconvenient to use in real-life
circumstances. The proposed adaptive expert system has utilized fuzzy sets to find out
attacks. The expert system comparatively easy to implement when used with computer
system networks has the capability of adjusting to the nature and/or degree of the threat.
Experiments with Clips 6.10 have been used to prove the adjusting capability of the
system. Alok Sharma have focused on the use of text processing techniques on the
system call sequences for intrusion detection. Host-based intrusions have been detected
by introducing a kernel based similarity measure. Processes have been classified either as
normal or abnormal using the k-nearest neighbor (kNN) classifier. They have assessed
the proposed method on the DARPA-1998 database and compared its operation with
feature selection method, and SVM technique in their proposed SVM-based intrusion
detection system. Fewer, abstracted, and higher-qualified training instances that are
derived from the KDD Cup 1999 training set has been given to the SVM by the
hierarchical clustering algorithm. The simple feature selection method employed for the
removal of insignificant features from the training set has enabled the proposed SVM
system has been assessed using the renowned KDD Cup 1999 dataset. Compared to other
intrusion detection systems that are based on the same dataset, the proposed method has
exhibited superior performance in identifying DoS and Probe attacks and an overall best
performance in accuracy.
B. Shanmugam and Norbik Bashah Idris have proposed an advanced fuzzy and
data mining methods based hybrid model to find out both misuse and anomaly attacks.
Their objective was to decrease the quantity of data kept for processing and also to
improve the detection rate of the existing IDS using attribute selection process and data
improved Kuok fuzzy data mining algorithm utilized for implementing fuzzy rules has
enabled the generation of if-then rules that show common ways of expressing security
attacks. They have achieved faster decision making using mamdani inference mechanism
with three variable inputs in the fuzzy inference engine which they have employed.
The DARPA 1999 data set has been used to test and benchmark the efficiency of the
proposed model. In addition, the test results against the “live” networking environment
real-time network anomaly attack for discovering malicious activity against computer
network. They have established the effectiveness of the method by describing the
framework. The overall performance of the intrusion detection system (IDS) based on
Bayes has been improved by a combination of fuzzy with Bayesian classifier. In addition,
by the experiment carried out on KDD 1999 IDS data set, the practicability of the method
has been verified. Abadeh, M.S. and Habibi, J. have proposed a method to develop fuzzy
classification rules for intrusion detection use in computer networks. The method of
fuzzy rule base system design has been based on the iterative rule learning approach
the fuzzy rule base has been created in an incremental fashion. Intrusion detection
functioning of the final fuzzy classification system. Results have demonstrated that the
fuzzy rules generated by the proposed algorithm can be utilized to build a reliable
Arman Tajbakhsh have presented a data mining technique based framework for
constructing an IDS. In the framework, Association Based Classification (ABC) has been
used by the classification engine which is in fact the central part of the IDS. Fuzzy
association rules have been used by the proposed classification to construct classifiers.
Some matching measures have been used to evaluate the consistency of any new sample
(which is to be categorized) with various class rule sets and the label of the sample has
been declared as the class that is analogous to the best matched rule set. A method which
decreases the items that may be included in extracted rules has also been proposed to
reduce the time taken by the rule induction algorithm. The framework has been assessed
using KDD-99 dataset. The results have shown that the achieved total detection rate and
detection rate of known attacks are large and false positive rate is small, though the
(ATIDS). According to the feedback supplied by the system operator, when false
predictions are detected, the proposed system automatically tunes the detection model
on-the-fly. The KDDCup'99 intrusion detection dataset has been used to assess the
system. In the experimental results, the system has demonstrated a 35% enhancement
with regard to misclassification cost compared to a system that is not using the tuning
feature. If the model has been tuned using only 10% false predictions still a 30%
improvement is achieved by the system. Moreover, the model tuned using only 1.3% of
the tuning is not delayed too long. Building a practical system based on ATIDS has been
be false have been used for tuning the detection model, system operators can concentrate
monitors network and/or system activities for malicious activities or policy violations and
intrusion attempt but this is neither required nor expected of a monitoring system.
Intrusion detection and prevention systems (IDPS) are primarily focused on identifying
possible incidents, logging information about them, and reporting attempts. In addition,
organizations use IDPS for other purposes, such as identifying problems with security
policies, documenting existing threats, and deterring individuals from violating security
administrators of important observed events, and produce reports. Many IDPSes can also
respond to a detected threat by attempting to prevent it from succeeding. They use several
response techniques, which involve the IDPS stopping the attack itself, changing the
Intrusion detection systems (IDS) can be classified into different ways. The major
classifications are Active and passive IDS, Network Intrusion detection systems (NIDS)
and Prevention System (IDPS). Intrusion Detection and Prevention System (IDPS) is
an operator. Intrusion Detection and Prevention System (IDPS) has the advantage of
A passive IDS is a system that’s configured to only monitor and analyze network
traffic activity and alert an operator to potential vulnerabilities and attacks. A passive IDS
2.1.2 Network Intrusion detection systems (NIDS) and Host Intrusion detection
systems (HIDS)
appliance (or sensor) with a Network Interface Card (NIC) operating in promiscuous
mode and a separate management interface. The IDS is placed along a network segment
or boundary and monitors all traffic on that segment. Network intrusion detection system
and monitors multiple hosts. Network intrusion detection systems gain access to network
traffic by connecting to a network hub, network switch configured for port mirroring, or
network tap. In a NIDS, sensors are located at choke points in the network to be
monitored, often in the demilitarized zone (DMZ) or at network borders. Sensors capture
all network traffic and analyze the content of individual packets for malicious traffic.
installed on workstations which are to be monitored. The agents monitor the operating
system and write data to log files and/or trigger alarms. A host Intrusion detection
installed and it cannot monitor the entire network. Host based IDS systems are used to
• Host Intrusion Detection Systems (HIDS) can be very difficult to maintain in large
• Host Intrusion Detection Systems (HIDS) can be disabled by attackers after the
system is compromised.
modifications (binaries, password files, capability databases, Access control lists, etc.)
and other host activities and state. In a HIDS, sensors usually consist of a software agent.
Some application-based IDS are also part of this category. intrusion detection systems
(IDS) can be classified into different ways. The major classifications are Active and
passive IDS, Network Intrusion detection systems (NIDS) and host Intrusion detection
systems (HIDS)
based) IDS
a database of previous attack signatures and known system vulnerabilities. The meaning
of word signature, when we talk about Intrusion Detection Systems (IDS) is recorded
evidence of an intrusion or attack. Each intrusion leaves a footprint behind (e.g., nature of
data packets, failed attempt to run an application, failed logins, file and folder access etc.).
Higher false alarms are often related with Behaviour-based Intrusion Detection
Systems (IDS).
we can explain what kinds of IDSs you’re likely to encounter and how they do their jobs.
First and foremost, it’s possible to distinguish IDSs on the basis of the kinds of activities,
traffic, transactions, or systems they monitor. In this case, IDSs may be divided into
network-based, host-based, and application-based IDS types. IDSs that monitor network
backbones and look for attack signatures are called network-based IDSs, whereas those
that operate on hosts defend and monitor the operating and file systems for signs of
intrusion and are called host-based IDSs. Some IDSs monitor only specific applications
and are called application-based IDSs. (This type of treatment is usually reserved for
systems, accounting systems, and so forth.) Read on to learn more about these various
10
Pros: Network-based IDSs can monitor an entire, large network with only a few
IDSs are mostly passive devices that monitor ongoing network activity without adding
significant overhead or interfering with network operation. They are easy to secure
against attack and may even be undetectable to attackers; they also require little effort to
Cons: Network-based IDSs may not be able to monitor and analyze all traffic on large,
busy networks and may therefore overlook attacks launched during peak traffic periods.
effectively, either. Typically, network-based IDSs cannot analyze encrypted data, nor do
they report whether or not attempted attacks succeed or fail. Thus, network-based IDSs
Pros: Host-based IDS can analyze activities on the host it monitors at a high level of
detail; it can often determine which processes and/or users are involved in malicious
activities. Though they may each focus on a single host, many host-based IDS systems
use an agent-console model where agents run on (and monitor) individual hosts but report
to a single centralized console (so that a single console can configure, manage, and
consolidate data from numerous hosts). Host-based IDSs can detect attacks undetectable
to the network-based IDS and can gauge attack effects quite accurately. Host-based IDSs
can use host-based encryption services to examine encrypted traffic, data, storage, and
11
requires network traffic and can decrease network performance. Clever attackers who
compromise a host can also attack and disable host-based IDSs. Host-based IDSs can be
foiled by DoS attacks (since they may prevent any traffic from reaching the host where
Most significantly, a host-based IDS does consume processing time, storage, memory,
application. They often detect attacks through analysis of application log files and can
IDS can even track unauthorized activity from individual users. They can also work with
Cons: Application-based IDSs are sometimes more vulnerable to attack than the
host-based IDS. They can also consume significant application (and host) resources.
and host- and/or application-based IDS systems to observe what’s happening on the
network while also monitoring key hosts and applications more closely.
Some IDSs primarily use a technique called signature detection. This resembles the way
many antivirus programs use virus signatures to recognize and block infected files,
programs, or active Web content from entering a computer system, except that it uses a
database of traffic or activity patterns related to known attacks, called attack signatures.
Indeed, signature detection is the most widely used approach in commercial IDS
12
distinguish anomalies from normal system behavior and to monitor, report on, or block
anomalies as they occur. Some IDSs support limited types of anomaly detection; most
experts believe this kind of capability will become part of how more IDSs operate in the
future. Read on for more information about these two kinds of event analysis techniques:
for matches with known patterns of events specific to known attacks. As with antivirus
and some way to actively compare and match current behavior against a large collection
of signatures. Except when entirely new, uncataloged attacks occur, this technique works
extremely well.
Cons: Signature databases must be constantly updated, and IDSs must be able to
compare and match activities against large collections of attack signatures. If signature
definitions are too specific, signature-based IDS may miss variations on known attacks.
(A common technique for creating new attacks is to change existing, known attacks
rather than to create entirely new ones from scratch.) Signature-based IDSs can also
impose noticeable performance drags on systems when current behavior matches multiple
behaviour for anomalies on networks or systems that may indicate attack. The underlying
principle is the notion that “attack behaviour” differs enough from “normal user
behaviour” that it can be detected by cataloging and identifying the differences involved.
13
gives anomaly-based IDSs abilities to detect new attacks that are neither known nor for
Cons: Because normal behaviour can change easily and readily, anomaly-based IDS
systems are prone to false positives where attacks may be reported based on changes to
the norm that are “normal,” rather than representing real attacks. Their intensely
statistically significant baselines (to separate normal behaviour from anomalies); they’re
detection characteristics, but only a few IDSs incorporate both approaches. Most experts
expect anomaly-based detection to become more widespread in IDSs, but research and
Finally, some IDSs are capable of responding to attacks when they occur.
This behavior is desirable from two points of view. For one thing, a computer system can
track behavior and activity in near-real time and respond much more quickly and
decisively during early stages of an attack. Since automation helps hackers mount attacks,
it stands to reason that it should also help security professionals fend them off as they
occur. For another thing, IDSs run 24/7, but network administrators may not be able to
respond as quickly during off hours as they can during peak hours (even if the IDS can
page them with an alarm that an attack has begun). By automating a response to block
incoming traffic from one or more addresses from which an attack originates, the IDS can
halt an attack in process and block future attacks from the same address.
14
hackers alike. Although experts are more difficult to block entirely, these techniques can
attack packets to servers or hosts under attack stops most attacks cold—even DoS
or DDoS attacks. This works for attacker addresses and for protocols or services
under attack (by blocking traffic at different layers of the ARPA networking model,
so to speak).
• Deploying automated disconnects for routers, firewalls, or servers can halt all
activity when other measures fail to stop attackers (as in extreme DDoS attack
situations, where filtering would only work effectively on the ISP side of an
Internet link, if not higher up the ISP chain, as close to Internet backbones as
possible).
activity to all ISPs in the routes used between the attacker and the attackee. Because
such responses may themselves raise legal issues, experts recommend obtaining
Due to a growing number of intrusion events and also because the Internet and
various systems that monitor IT security breaches. This is the second article devoted to
these systems. The previous article dealt with IDS categorization and architecture. At this
15
fundamental concepts of IDS methodology: audit trail analysis and on-the-fly processing
applications that create a distributed system. The latter have a particular architecture with
autonomous agents that are able to take pre-emptive and reactive measures and even to
move over the network. One may categorize intrusion detection systems in terms of
behaviour i.e., they may be passive (those that simply generate alerts and log network
packets). They may also be active which means that they detect and respond to attacks,
attempt to patch software holes before getting hacked or act proactively by logging out
16
information (Real-time IDS and Interval-based IDS respectively) and hence they use two
different intrusion detection approaches. Audit trail analysis is the prevalent method
environments are designed for online monitoring and analyzing system events and user
actions.
There are many issues related to audit trail (event log) processing. Storing audit
trail reports in a single file must be avoided since intruders may use this feature to make
unwanted changes. It is far better to keep a certain number of event log copies spread
over the network, though it would imply adding some overheads to both the system and
network.
Further, from the functionality point of view, recording every event possible
means a noticeable consumption of system resources (both the local system and network
involved). Log compression, instead, would increase the system load. Specifying which
events are to be audited is difficult because certain types of attacks may pass undetected.
It is also difficult to predict how large audit files can be – through experience one can
only make a rough estimate. Also, an appropriate setting of a storage period for current
audit files is not a straightforward task. In general, this depends on a specific IDS
solution and its correlation engine. Certainly, archive files should be stored as copies for
Log processing systems are vulnerable to Denial of Service (DoS) attacks that
render audit mechanisms unreliable and unusable by overflowing the system’s free space.
17
attack attempts);
• Development of access and user signatures and definition of network traffic rules that
• Repelling potential intruders by simply making them aware of the existence of the
auditing means.
• The audit reporting may provide a form of defense for an innocent user, for example
• The log event-based IDS method needs to have the following capabilities:
• Allowing of parameterization for easy recording of system event logs and user
activities,
18
• CMDS (Computer Misuse Detection System). With its built-in expert system, it
search and process a database of incidents generated by various security tools such as
IDSs, firewalls and network traffic analyzers. ACID has a user query builder, which
can analyze packets down to their payload, in order to find identical alerts among
databases, which match certain criteria. It can also manage alerts and generate a
variety of statistics.
With on the fly processing, an IDS performs online verification of system events.
Generally, a stream of network packets is constantly monitored constantly. With this type
of processing, intrusion detection uses the knowledge of current activities over the
network to sense possible attack attempts (it does not look for successful attacks in the
past).
Given the computation complexity, the algorithms are limited to quick and
efficient procedures that are often algorithmically simple. This is due to a compromise
between the main requisite – attack detection capability and the complexity of data
large amount of RAM (buffers) since no data storage is used. Therefore, such an IDS
may sometime miss packets, because realistic processing of too many packets is not
available.
19
contents. Hence, only small portions of information can be analyzed for searching certain
packets in a data stream get inspected, and the inspection process only looks for "state"
packet size and threshold values are manifestations of a denial of service attack, also at
the transport layer, for example Ping of Death attack. Another example of standard
packet inspection IDSs include detecting email viruses before they get to email boxes by
looking for matching email titles or attachment names. One may also search for malicious
code which may compromise the system if it is attacked by, for example, buffer overflow
exploits looking for signatures that monitor the user session status to disallow, for
example, listing of directory structure on a FTP server before a successful user login.
A drawback of the high layer analysis approach lies in the fact that it is time-consuming
• They excel at detecting attacks in progress and even responding to (blocking) them;
many types of attacks, particularly DoS, which cannot be detected using a common
• The system resources are less consumed than in the case of audit trail processing.
20
• Source identification is accomplished based on the network address derived from the
packet. The source address may be spoofed, making attacks harder to trace and
respond to automatically.
• That they cannot handle encrypted packets thereby not providing essential
• Since the analytical module uses a limited portion of source information (buffer
• A continuous scanning of network traffic reduces the network throughout the segment
on which the IDS sits. This is of particular importance when an IDS tool is deployed
(not security-critical) and abnormal user activities, to discover malicious attempts in time.
security-related decision is often not that simple , many behaviour patterns are
unpredictable and unclear . In order to classify actions, intrusion detection systems take
21
Normal behaviour patterns are useful in predicting both user and system
behaviour. Here, anomaly detectors construct profiles that represent normal usage and
then use current behaviour data to detect a possible mismatch between profiles and
In order to match event profiles, the system is required to produce initial user
profiles to train the system with regard to legitimate user behaviours. There is a problem
associated with profiling: when the system is allowed to “learn” on its own, experienced
intruders (or users) can train the system to the point where previously intrusive behaviour
becomes normal behaviour. An inappropriate profile will be able to detect all possible
intrusive activities. Furthermore, there is an obvious need for profile updating and system
Given a set of normal behaviour profiles, everything that does not match the
characterized by very high detection efficiency (they are able to recognize many attacks
that are new to the system), but their tendency to generate false alarms is generally a
problem.
• anomalies are recognized without getting inside their causes and characteristics
22
• A substantial false alarm rate. System usage is not monitored during the profile
construction and training phases. Hence, all user activities skipped during these
• User behaviours can vary with time, thereby requiring a constant update of the
normal behaviour profile database (this may imply the need to close the system
from time to time and may also be associated with greater false alarm rates).
• The necessity of training the system for changing behaviour makes a system
based systems) are often used in real-time intrusion detection systems (because of their
• Attack signatures – they describe action patterns that may pose a security threat.
• Selected text strings – signatures to match text strings which look for suspicious
Any action that is not clearly considered prohibited is allowed. Hence, their
accuracy is very high (low number of false alarms). Typically, they do not achieve
23
(Ping of Death or TCP Stealth Scanning) exploit flaws in IP, TCP, UDP or ICMP packets.
With a very simple verification of flags set on specific packets it is possible to determine
packet fragmentation and the need for re-assembly. Similarly, some problems may be
associated with the TCP/IP layer of the system being protected. It is well known that
connection. In order to effectively detect such attacks, the IDS must have implemented
The signature detection methods have the following advantages: very low false
alarm rate, simple algorithms, easy creation of attack signature databases, easy
Some disadvantages:
• They are inherently unable to detect unknown, novel attacks. A continuous update
24
(because of the lack of information on user privileges and attack signature structure).
Commercially offered IDS products often use the signature detection method for
two reasons. Firstly, it is easier for a given signature to be associated with a known attack
abstraction and to assign a name to an attack, e.g. Ping of Death, which is used
worldwide (a suitable signature can be attached to the installation version), than the
signature database must be updated regularly (by adding signatures of newly discovered
attacks and exploits), which may create a fairly good source of income for vendors of
IDS tools. A database update is at the same time a less cumbersome task than that
associated with the change of typical user behaviour profiles. In the latter case, a
temporary closing down of the system may be required, what cannot be tolerated on
certain applications.
The third method of intrusion detection is subtler than the two mentioned earlier.
It reasons on the fact, that system administrators monitor various systems and network
this way has a constant specific environment. This method involves the use of day-to-day
operational experience of the administrators as the basis for detecting anomalies. It can be
considered as a special case of Normal Profile Methods. The difference lies in the fact
type attacks. The system operator can detect subtle changes that are not obvious to the
25
process and hence understand only a limited portion of information at a time, what means
processing mechanisms (techniques) are employed for data that is to reach an IDS. Below,
• Fuzzy Logic Fuzzy concepts derive from fuzzy phenomena that commonly occur in
the natural world. For instance “rain” is a fuzzy statement of ”Today raining heavily”
since there is no clear boundary between “rain” and “heavy rain”. In intrusion
detection suppose we want to write a rule as given below we need a reason about a
quantity such as the number of different destination IP addresses in the last 2 seconds.
Fuzzy logic, which is utilized, is a superset of conventional logic that has been
extended to handle the concept of partial truth, which lies between completely true and
completely false.
attack. All security related events incorporated in an audit trail are translated in
terms of if-then-else rules. Examples are Wisdom & Sense and Computer Watch.
the attack knowledge. They transform the semantic description of an attack into the
appropriate audit trail format. Thus, attack signatures can be found in logs or input
26
searchable data that are captured in the audit trail. This method uses abstract
• Colored Petri Nets The Colored Petri Nets approach is often used to generalize
attacks from expert knowledge bases and to represent attacks graphically. Purdue
University’s IDIOT system uses Colored Petri Nets. With this technique, it is easy
for system administrators to add new signatures to the system. However, matching a
complex signature to the audit trail data may be time-consuming. The technique is
• Statistical analysis approach This is a frequently used method. The user or system
Examples of such variables are: user login, logout, number of files accessed in a
period of time, usage of disk space, memory, CPU etc. The frequency of updating
can vary from a few minutes to, for example, one month. The system stores mean
values for each variable used for detecting exceeds that of a predefined threshold.
Yet, this simple approach was unable to match a typical user behaviour model.
Approaches that relied on matching individual user profiles with aggregated group
behaviour has been developed using short- and long-term user profiles.
27
• Neural Networks Neural networks use their learning algorithms to learn about the
relationship between input and output vectors and to generalize them to extract new
the main purpose is to learn the behaviour of actors in the system (e.g., users,
The advantage of using neural networks over statistics resides in having a simple
prediction of user behaviours. From the results it has been found that the behaviour
automatic system processes). With few exceptions, behaviour of most other users is
• User intention identification This technique (that to our knowledge has only been
used in the SECURENET project) models normal behaviour of users by the set of
high-level tasks they have to perform on the system (in relation to the users’
functions). These tasks are taken as series of actions, which in turn are matched to
the appropriate audit data. The analyzer keeps a set of tasks that are acceptable for
services, rather than that of individual users. This model consists of short sequences
of system calls made by the processes. Attacks that exploit flaws in the application
28
data is collected which represents the appropriate behaviour of services, then the
knowledge base is added with all the known “good” sequences of system calls.
These patterns are then used for continuous monitoring of system calls to check
whether the sequence generated is listed in the knowledge base; if not — an alarm
is generated. This technique has a potentially very low false alarm rate provided
that the knowledge base is fairly complete. Its drawback is the inability to detect
normal user behaviour profile. Profiles are then grouped in a library of user
• Data mining generally refers to a set of techniques that use the process of extracting
previously unknown but potentially useful data from large stores of data. Data mining
method excels at processing large system logs (audit data). However they are less
useful for stream analysis of network traffic. One of the fundamental data mining
techniques used in intrusion detection is associated with decision trees Decision tree
models allow one to detect anomalies in large databases. Another technique refers to
matching patterns extracted from a simple audit set with those referred to warehoused
attacks or built on normal behaviour patterns. Anomaly detection often generates false
alarms. With data mining it is easy to correlate data related to alarms with mined audit
29