CHAPTER II

LITERATURE REVIEW ON INTRUSION DETECTION

Several techniques are available in the literature for detecting the intrusion

behaviour. In recent times, intrusion detection has received a lot of interest among the

researchers since it is widely applied for preserving the security within a network.

Here, we present some of the techniques used for intrusion detection.

S. F. Owens and R. R. Levary have stated that intruder detection systems have

been commonly constructed using expert system technology. But, Intrusion Detection

System (IDS) researchers have been biased in constructing systems that are difficult to

handle, lack insightful user interfaces and are inconvenient to use in real-life

circumstances. The proposed adaptive expert system has utilized fuzzy sets to find out

attacks. The expert system comparatively easy to implement when used with computer

system networks has the capability of adjusting to the nature and/or degree of the threat.

Experiments with Clips 6.10 have been used to prove the adjusting capability of the

system. Alok Sharma have focused on the use of text processing techniques on the

system call sequences for intrusion detection. Host-based intrusions have been detected

by introducing a kernel based similarity measure. Processes have been classified either as

normal or abnormal using the k-nearest neighbor (kNN) classifier. They have assessed

the proposed method on the DARPA-1998 database and compared its operation with

other existing methods present in the literature.

Shi-Jinn Horng have used a combination of hierarchical clustering algorithm, easy

feature selection method, and SVM technique in their proposed SVM-based intrusion

detection system. Fewer, abstracted, and higher-qualified training instances that are

derived from the KDD Cup 1999 training set has been given to the SVM by the

hierarchical clustering algorithm. The simple feature selection method employed for the

removal of insignificant features from the training set has enabled the proposed SVM

Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.

 model to achieve more precise classification of the network traffic data. The proposed

system has been assessed using the renowned KDD Cup 1999 dataset. Compared to other

intrusion detection systems that are based on the same dataset, the proposed method has

exhibited superior performance in identifying DoS and Probe attacks and an overall best

performance in accuracy.

B. Shanmugam and Norbik Bashah Idris have proposed an advanced fuzzy and

data mining methods based hybrid model to find out both misuse and anomaly attacks.

Their objective was to decrease the quantity of data kept for processing and also to

improve the detection rate of the existing IDS using attribute selection process and data

mining technique respectively. A modified version of APRIORI algorithm which is an

improved Kuok fuzzy data mining algorithm utilized for implementing fuzzy rules has

enabled the generation of if-then rules that show common ways of expressing security

attacks. They have achieved faster decision making using mamdani inference mechanism

with three variable inputs in the fuzzy inference engine which they have employed.

The DARPA 1999 data set has been used to test and benchmark the efficiency of the

proposed model. In addition, the test results against the “live” networking environment

within the campus have been analyzed.

O. A. Adebayo has presented a method that uses Fuzzy-Bayesian to detect

real-time network anomaly attack for discovering malicious activity against computer

network. They have established the effectiveness of the method by describing the

framework. The overall performance of the intrusion detection system (IDS) based on

Bayes has been improved by a combination of fuzzy with Bayesian classifier. In addition,

by the experiment carried out on KDD 1999 IDS data set, the practicability of the method

has been verified. Abadeh, M.S. and Habibi, J. have proposed a method to develop fuzzy

classification rules for intrusion detection use in computer networks. The method of

fuzzy rule base system design has been based on the iterative rule learning approach

Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.

 (IRL). Using the evolutionary algorithm to optimize one fuzzy classifier rule at a time,

the fuzzy rule base has been created in an incremental fashion. Intrusion detection

problem has been used as a high-dimensional classification problem to analyze the

functioning of the final fuzzy classification system. Results have demonstrated that the

fuzzy rules generated by the proposed algorithm can be utilized to build a reliable

intrusion detection system.

Arman Tajbakhsh have presented a data mining technique based framework for

constructing an IDS. In the framework, Association Based Classification (ABC) has been

used by the classification engine which is in fact the central part of the IDS. Fuzzy

association rules have been used by the proposed classification to construct classifiers.

Some matching measures have been used to evaluate the consistency of any new sample

(which is to be categorized) with various class rule sets and the label of the sample has

been declared as the class that is analogous to the best matched rule set. A method which

decreases the items that may be included in extracted rules has also been proposed to

reduce the time taken by the rule induction algorithm. The framework has been assessed

using KDD-99 dataset. The results have shown that the achieved total detection rate and

detection rate of known attacks are large and false positive rate is small, though the

results are not bright for unknown attacks.

Zhenwei Yu have presented an automatically tuning intrusion detection system

(ATIDS). According to the feedback supplied by the system operator, when false

predictions are detected, the proposed system automatically tunes the detection model

on-the-fly. The KDDCup'99 intrusion detection dataset has been used to assess the

system. In the experimental results, the system has demonstrated a 35% enhancement

with regard to misclassification cost compared to a system that is not using the tuning

feature. If the model has been tuned using only 10% false predictions still a 30%

improvement is achieved by the system. Moreover, the model tuned using only 1.3% of

Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.

 the false predictions have been capable of achieving about 20% improvement provided

the tuning is not delayed too long. Building a practical system based on ATIDS has been

proved to be feasible by the results of the experiments: Because predictions ascertained to

be false have been used for tuning the detection model, system operators can concentrate

on confirmation of predictions with low confidence.

2.1 Intrusion Detection Systems

An intrusion detection system (IDS) is a device or software application that

monitors network and/or system activities for malicious activities or policy violations and

produces reports to a Management Station. Some systems may attempt to stop an

intrusion attempt but this is neither required nor expected of a monitoring system.

Intrusion detection and prevention systems (IDPS) are primarily focused on identifying

possible incidents, logging information about them, and reporting attempts. In addition,

organizations use IDPS for other purposes, such as identifying problems with security

policies, documenting existing threats, and deterring individuals from violating security

policies. IDPS (Intrusion Detection prevention system)have become a necessary addition

to the security infrastructure of nearly every organization.

IDPS typically record information related to observed events, notify security

administrators of important observed events, and produce reports. Many IDPSes can also

respond to a detected threat by attempting to prevent it from succeeding. They use several

response techniques, which involve the IDPS stopping the attack itself, changing the

security environment (e.g., reconfiguring a firewall), or changing the attack’s content.

Intrusion detection systems (IDS) can be classified into different ways. The major

classifications are Active and passive IDS, Network Intrusion detection systems (NIDS)

and host Intrusion detection systems (HIDS)

Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.

 2.1.1 Active and passive IDS

An active Intrusion Detection Systems (IDS) is also known as Intrusion Detection

and Prevention System (IDPS). Intrusion Detection and Prevention System (IDPS) is

configured to automatically block suspected attacks without any intervention required by

an operator. Intrusion Detection and Prevention System (IDPS) has the advantage of

providing real-time corrective action in response to an attack.

A passive IDS is a system that’s configured to only monitor and analyze network

traffic activity and alert an operator to potential vulnerabilities and attacks. A passive IDS

is not capable of performing any protective or corrective functions on its own.

2.1.2 Network Intrusion detection systems (NIDS) and Host Intrusion detection

systems (HIDS)

Network Intrusion Detection Systems (NIDS) usually consists of a network

appliance (or sensor) with a Network Interface Card (NIC) operating in promiscuous

mode and a separate management interface. The IDS is placed along a network segment

or boundary and monitors all traffic on that segment. Network intrusion detection system

(NIDS) is an independent platform that identifies intrusions by examining network traffic

and monitors multiple hosts. Network intrusion detection systems gain access to network

traffic by connecting to a network hub, network switch configured for port mirroring, or

network tap. In a NIDS, sensors are located at choke points in the network to be

monitored, often in the demilitarized zone (DMZ) or at network borders. Sensors capture

all network traffic and analyze the content of individual packets for malicious traffic.

A Host Intrusion Detection Systems (HIDS) and software applications (agents)

installed on workstations which are to be monitored. The agents monitor the operating

system and write data to log files and/or trigger alarms. A host Intrusion detection

Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.

 systems (HIDS) can only monitor the individual workstations on which the agents are

installed and it cannot monitor the entire network. Host based IDS systems are used to

monitor any intrusion attempts on critical servers.

The drawbacks of Host Intrusion Detection Systems (HIDS) are

• Difficult to analyse the intrusion attempts on multiple computers.

• Host Intrusion Detection Systems (HIDS) can be very difficult to maintain in large

networks with different operating systems and configurations

• Host Intrusion Detection Systems (HIDS) can be disabled by attackers after the

system is compromised.

Host-based intrusion detection system (HIDS) It consists of an agent on a host

that identifies intrusions by analyzing system calls, application logs, file-system

modifications (binaries, password files, capability databases, Access control lists, etc.)

and other host activities and state. In a HIDS, sensors usually consist of a software agent.

Some application-based IDS are also part of this category. intrusion detection systems

(IDS) can be classified into different ways. The major classifications are Active and

passive IDS, Network Intrusion detection systems (NIDS) and host Intrusion detection

systems (HIDS)

2.1.3 Knowledge-based (Signature-based) IDS and behaviour-based (Anomaly-

based) IDS

A knowledge-based (Signature-based) Intrusion Detection Systems (IDS) references

a database of previous attack signatures and known system vulnerabilities. The meaning

of word signature, when we talk about Intrusion Detection Systems (IDS) is recorded

evidence of an intrusion or attack. Each intrusion leaves a footprint behind (e.g., nature of

data packets, failed attempt to run an application, failed logins, file and folder access etc.).

Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.

 These footprints are called signatures and can be used to identify and prevent the same

attacks in the future. Based on these signatures Knowledge-based (Signature-based) IDS

identify intrusion attempts.

The disadvantages of Signature-based Intrusion Detection Systems (IDS) are

signature database must be continually updated and maintained and Signature-based

Intrusion Detection Systems (IDS) may fail to identify a unique attacks.

A Behavior-based (Anomaly-based) Intrusion Detection Systems (IDS) references

a baseline or learned pattern of normal system activity to identify active intrusion

attempts. Deviations from this baseline or pattern cause an alarm to be triggered.

Higher false alarms are often related with Behaviour-based Intrusion Detection

Systems (IDS).

2.1.4 Characterizing Intrusion Detection Systems

IDS systems vary according to a number of criteria. By explaining those criteria,

we can explain what kinds of IDSs you’re likely to encounter and how they do their jobs.

First and foremost, it’s possible to distinguish IDSs on the basis of the kinds of activities,

traffic, transactions, or systems they monitor. In this case, IDSs may be divided into

network-based, host-based, and application-based IDS types. IDSs that monitor network

backbones and look for attack signatures are called network-based IDSs, whereas those

that operate on hosts defend and monitor the operating and file systems for signs of

intrusion and are called host-based IDSs. Some IDSs monitor only specific applications

and are called application-based IDSs. (This type of treatment is usually reserved for

important applications such as database management systems, content management

systems, accounting systems, and so forth.) Read on to learn more about these various

types of IDS monitoring approaches:

10

Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.

 Network-based IDS characteristics

Pros: Network-based IDSs can monitor an entire, large network with only a few

well-situated nodes or devices and impose little overhead on a network. Network-based

IDSs are mostly passive devices that monitor ongoing network activity without adding

significant overhead or interfering with network operation. They are easy to secure

against attack and may even be undetectable to attackers; they also require little effort to

install and use on existing networks.

Cons: Network-based IDSs may not be able to monitor and analyze all traffic on large,

busy networks and may therefore overlook attacks launched during peak traffic periods.

Network-based IDSs may not be able to monitor switch-based (high-speed) networks

effectively, either. Typically, network-based IDSs cannot analyze encrypted data, nor do

they report whether or not attempted attacks succeed or fail. Thus, network-based IDSs

require a certain amount of active, manual involvement from network administrators to

gauge the effects of reported attacks.

Host-based IDS characteristics

Pros: Host-based IDS can analyze activities on the host it monitors at a high level of

detail; it can often determine which processes and/or users are involved in malicious

activities. Though they may each focus on a single host, many host-based IDS systems

use an agent-console model where agents run on (and monitor) individual hosts but report

to a single centralized console (so that a single console can configure, manage, and

consolidate data from numerous hosts). Host-based IDSs can detect attacks undetectable

to the network-based IDS and can gauge attack effects quite accurately. Host-based IDSs

can use host-based encryption services to examine encrypted traffic, data, storage, and

activity. Host-based IDSs have no difficulties operating on switch-based networks, either.

11

Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.

 Cons: Data collection occurs on a per-host basis; writing to logs or reporting activity

requires network traffic and can decrease network performance. Clever attackers who

compromise a host can also attack and disable host-based IDSs. Host-based IDSs can be

foiled by DoS attacks (since they may prevent any traffic from reaching the host where

they’re running or prevent reporting on such attacks to a console elsewhere on a network).

Most significantly, a host-based IDS does consume processing time, storage, memory,

and other resources on the hosts where such systems operate.

Application-based IDS characteristics

Pros: An application-based IDS concentrates on events occurring within some specific

application. They often detect attacks through analysis of application log files and can

usually identify many types of attack or suspicious activity. Sometimes application-based

IDS can even track unauthorized activity from individual users. They can also work with

encrypted data, using application-based encryption/decryption services.

Cons: Application-based IDSs are sometimes more vulnerable to attack than the

host-based IDS. They can also consume significant application (and host) resources.

In practice, most commercial environments use some combination of network-

and host- and/or application-based IDS systems to observe what’s happening on the

network while also monitoring key hosts and applications more closely.

IDSs may also be distinguished by their differing approaches to event analysis.

Some IDSs primarily use a technique called signature detection. This resembles the way

many antivirus programs use virus signatures to recognize and block infected files,

programs, or active Web content from entering a computer system, except that it uses a

database of traffic or activity patterns related to known attacks, called attack signatures.

Indeed, signature detection is the most widely used approach in commercial IDS

technology today. Another approach is called anomaly detection. It uses rules or

12

Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.

 predefined concepts about “normal” and “abnormal” system activity (called heuristics) to

distinguish anomalies from normal system behavior and to monitor, report on, or block

anomalies as they occur. Some IDSs support limited types of anomaly detection; most

experts believe this kind of capability will become part of how more IDSs operate in the

future. Read on for more information about these two kinds of event analysis techniques:

Signature-based IDS characteristics

Pros: A signature-based IDS examines ongoing traffic, activity, transactions, or behavior

for matches with known patterns of events specific to known attacks. As with antivirus

software, a signature-based IDS requires access to a current database of attack signatures

and some way to actively compare and match current behavior against a large collection

of signatures. Except when entirely new, uncataloged attacks occur, this technique works

extremely well.

Cons: Signature databases must be constantly updated, and IDSs must be able to

compare and match activities against large collections of attack signatures. If signature

definitions are too specific, signature-based IDS may miss variations on known attacks.

(A common technique for creating new attacks is to change existing, known attacks

rather than to create entirely new ones from scratch.) Signature-based IDSs can also

impose noticeable performance drags on systems when current behavior matches multiple

(or numerous) attack signatures, either in whole or in part.

Anomaly-based IDS characteristics

Pros: An anomaly-based IDS examines ongoing traffic, activity, transactions, or

behaviour for anomalies on networks or systems that may indicate attack. The underlying

principle is the notion that “attack behaviour” differs enough from “normal user

behaviour” that it can be detected by cataloging and identifying the differences involved.

By creating baselines of normal behaviour, anomaly-based IDS systems can observe

13

Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.

 when current behaviour deviates statistically from the norm. This capability theoretically

gives anomaly-based IDSs abilities to detect new attacks that are neither known nor for

which signatures have been created.

Cons: Because normal behaviour can change easily and readily, anomaly-based IDS

systems are prone to false positives where attacks may be reported based on changes to

the norm that are “normal,” rather than representing real attacks. Their intensely

analytical behaviour can also impose sometimes-heavy processing overheads on systems

where they’re running. Furthermore, anomaly-based systems take a while to create

statistically significant baselines (to separate normal behaviour from anomalies); they’re

relatively open to attack during this period.

Today, many antivirus packages include both signature-based and anomaly-based

detection characteristics, but only a few IDSs incorporate both approaches. Most experts

expect anomaly-based detection to become more widespread in IDSs, but research and

programming breakthroughs will be necessary to deliver the kind of capability that

anomaly-based detection should be, but is currently not, able to deliver.

Finally, some IDSs are capable of responding to attacks when they occur.

This behavior is desirable from two points of view. For one thing, a computer system can

track behavior and activity in near-real time and respond much more quickly and

decisively during early stages of an attack. Since automation helps hackers mount attacks,

it stands to reason that it should also help security professionals fend them off as they

occur. For another thing, IDSs run 24/7, but network administrators may not be able to

respond as quickly during off hours as they can during peak hours (even if the IDS can

page them with an alarm that an attack has begun). By automating a response to block

incoming traffic from one or more addresses from which an attack originates, the IDS can

halt an attack in process and block future attacks from the same address.

14

Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.

 By implementing the following techniques, IDSs can fend off expert and novice

hackers alike. Although experts are more difficult to block entirely, these techniques can

slow them down considerably:

• Breaking TCP connections by injecting reset packets into attacker connections

causes attacks to fall apart.

• Deploying automated packet filters to block routers or firewalls from forwarding

attack packets to servers or hosts under attack stops most attacks cold—even DoS

or DDoS attacks. This works for attacker addresses and for protocols or services

under attack (by blocking traffic at different layers of the ARPA networking model,

so to speak).

• Deploying automated disconnects for routers, firewalls, or servers can halt all

activity when other measures fail to stop attackers (as in extreme DDoS attack

situations, where filtering would only work effectively on the ISP side of an

Internet link, if not higher up the ISP chain, as close to Internet backbones as

possible).

• Actively pursuing reverse DNS lookups or other ways of attempting to establish

hacker identity is a technique used by some IDSs, generating reports of malicious

activity to all ISPs in the routes used between the attacker and the attackee. Because

such responses may themselves raise legal issues, experts recommend obtaining

legal advice before repaying hackers in kind.

2.1.5 Intrusion Detection Systems methods and Techniques

Due to a growing number of intrusion events and also because the Internet and

local networks have become so ubiquitous, organizations are increasingly implementing

various systems that monitor IT security breaches. This is the second article devoted to

these systems. The previous article dealt with IDS categorization and architecture. At this

15

Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.

 point we will provide further in depth guidance. This includes an overview of the

classification of intrusion detection systems and introduces the reader to some

fundamental concepts of IDS methodology: audit trail analysis and on-the-fly processing

as well as anomaly detection and signature detection approaches.

The IDS can operate as standalone, centralized applications or integrated

applications that create a distributed system. The latter have a particular architecture with

autonomous agents that are able to take pre-emptive and reactive measures and even to

move over the network. One may categorize intrusion detection systems in terms of

behaviour i.e., they may be passive (those that simply generate alerts and log network

packets). They may also be active which means that they detect and respond to attacks,

attempt to patch software holes before getting hacked or act proactively by logging out

potential intruders, or blocking services. Fig-1 shows the Classification o f IDS.

Figure 1: Classification of intrusion detection systems

16

Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.

 2.2 Audit trail processing vs. on-the-fly processing

Intrusion detection systems can run on either a continuous or periodic feed of

information (Real-time IDS and Interval-based IDS respectively) and hence they use two

different intrusion detection approaches. Audit trail analysis is the prevalent method

used by periodically operated systems. In contrast, the IDS deployable in real-time

environments are designed for online monitoring and analyzing system events and user

actions.

Audit Trail Processing

There are many issues related to audit trail (event log) processing. Storing audit

trail reports in a single file must be avoided since intruders may use this feature to make

unwanted changes. It is far better to keep a certain number of event log copies spread

over the network, though it would imply adding some overheads to both the system and

network.

Further, from the functionality point of view, recording every event possible

means a noticeable consumption of system resources (both the local system and network

involved). Log compression, instead, would increase the system load. Specifying which

events are to be audited is difficult because certain types of attacks may pass undetected.

It is also difficult to predict how large audit files can be – through experience one can

only make a rough estimate. Also, an appropriate setting of a storage period for current

audit files is not a straightforward task. In general, this depends on a specific IDS

solution and its correlation engine. Certainly, archive files should be stored as copies for

retrieval analysis purposes.

Log processing systems are vulnerable to Denial of Service (DoS) attacks that

render audit mechanisms unreliable and unusable by overflowing the system’s free space.

17

Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.

 The main reasons for having an audit function include:

• detection of attack manifestations for post-mortem analysis;

• detection of recurring intrusion activity (yielding unauthorized privileges, abuse,

attack attempts);

• identification of successful intruders;

• identification of own system weaknesses;

• Development of access and user signatures and definition of network traffic rules that

are important for anomaly detection-based Intrusion Detection Systems.

• Repelling potential intruders by simply making them aware of the existence of the

auditing means.

• The audit reporting may provide a form of defense for an innocent user, for example

possible involved in hacking attempts.

• The log event-based IDS method needs to have the following capabilities:

• Allowing of parameterization for easy recording of system event logs and user

activities,

• Providing an option of self-disengagement of logging mechanisms in the event of

insufficient space or DoS attacks;

• Audit trail processing using additional mechanisms (aggregation, artificial

intelligence, and data mining) because of large file sizes,

• A reasonable minimum system resource consumption for auditing purposes.

18

Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.

 Examples of intrusion detection systems that use audit trail processing are:

• Secure View that checks logs produced by Checkpoint Firewall-1

• CMDS (Computer Misuse Detection System). With its built-in expert system, it

analyzes all event logs to recognize abnormal user behaviour.

• ACID (Analysis Console for Intrusion Databases) is a PHP-based analysis engine to

search and process a database of incidents generated by various security tools such as

IDSs, firewalls and network traffic analyzers. ACID has a user query builder, which

can analyze packets down to their payload, in order to find identical alerts among

databases, which match certain criteria. It can also manage alerts and generate a

variety of statistics.

On-the fly processing

With on the fly processing, an IDS performs online verification of system events.

Generally, a stream of network packets is constantly monitored constantly. With this type

of processing, intrusion detection uses the knowledge of current activities over the

network to sense possible attack attempts (it does not look for successful attacks in the

past).

Given the computation complexity, the algorithms are limited to quick and

efficient procedures that are often algorithmically simple. This is due to a compromise

between the main requisite – attack detection capability and the complexity of data

processing mechanisms used in the detection itself.

At the same time, construction of an on-the-fly processing IDS tool requires a

large amount of RAM (buffers) since no data storage is used. Therefore, such an IDS

may sometime miss packets, because realistic processing of too many packets is not

available.

19

Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.

 The amount of data collected by the detector is small since it views only buffer

contents. Hence, only small portions of information can be analyzed for searching certain

values or sequences. As a contrast with standard inspection methods, only selective

packets in a data stream get inspected, and the inspection process only looks for "state"

information, such as whether a packet contains malicious code.

The method assumes that anomalies found in packet inspection, checking of

packet size and threshold values are manifestations of a denial of service attack, also at

the transport layer, for example Ping of Death attack. Another example of standard

packet inspection IDSs include detecting email viruses before they get to email boxes by

looking for matching email titles or attachment names. One may also search for malicious

code which may compromise the system if it is attacked by, for example, buffer overflow

exploits looking for signatures that monitor the user session status to disallow, for

example, listing of directory structure on a FTP server before a successful user login.

A drawback of the high layer analysis approach lies in the fact that it is time-consuming

and operating environment-dependent (application layer protocols that vary from

operating system to operating system).

The real-time based IDSs offer the following advantages:

• They excel at detecting attacks in progress and even responding to (blocking) them;

• The ability to cover network-inherent security holes associated with vulnerability to

many types of attacks, particularly DoS, which cannot be detected using a common

audit trail analysis approach—network traffic analysis is needed here;

• The system resources are less consumed than in the case of audit trail processing.

20

Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.

 Disadvantages include:

• Source identification is accomplished based on the network address derived from the

packet. The source address may be spoofed, making attacks harder to trace and

respond to automatically.

• That they cannot handle encrypted packets thereby not providing essential

information required for intrusion detection.

• Since the analytical module uses a limited portion of source information (buffer

content only), its detection capability is limited.

• A continuous scanning of network traffic reduces the network throughout the segment

on which the IDS sits. This is of particular importance when an IDS tool is deployed

near the firewall.

2.2.1 Anomaly vs. signature detection

Intrusion detection systems must be capable of distinguishing between normal

(not security-critical) and abnormal user activities, to discover malicious attempts in time.

However translating user behaviours (or a complete user-system session) in a consistent

security-related decision is often not that simple , many behaviour patterns are

unpredictable and unclear . In order to classify actions, intrusion detection systems take

advantage of the anomaly detection approach, sometimes referred to as behaviour based

or attack signatures i.e. a descriptive material on known abnormal behaviour (signature

detection)] also called knowledge based.

Figure 2: Behaviour of the user in the system

21

Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.

 Normal behaviour patterns - Anomaly detection

Normal behaviour patterns are useful in predicting both user and system

behaviour. Here, anomaly detectors construct profiles that represent normal usage and

then use current behaviour data to detect a possible mismatch between profiles and

recognize possible attack attempts.

In order to match event profiles, the system is required to produce initial user

profiles to train the system with regard to legitimate user behaviours. There is a problem

associated with profiling: when the system is allowed to “learn” on its own, experienced

intruders (or users) can train the system to the point where previously intrusive behaviour

becomes normal behaviour. An inappropriate profile will be able to detect all possible

intrusive activities. Furthermore, there is an obvious need for profile updating and system

training which is a difficult and time-consuming task.

Given a set of normal behaviour profiles, everything that does not match the

stored profile is considered to be a suspicious action. Hence, these systems are

characterized by very high detection efficiency (they are able to recognize many attacks

that are new to the system), but their tendency to generate false alarms is generally a

problem.

Advantages of this anomaly detection method are:

• possibility of detection of novel attacks as intrusions

• anomalies are recognized without getting inside their causes and characteristics

• less dependence of IDSs on operating environment (as compared with attack

signature-based systems); ability to detect abuse of user privileges.

22

Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.

 The biggest disadvantages of this method are:

• A substantial false alarm rate. System usage is not monitored during the profile

construction and training phases. Hence, all user activities skipped during these

phases will be illegitimate.

• User behaviours can vary with time, thereby requiring a constant update of the

normal behaviour profile database (this may imply the need to close the system

from time to time and may also be associated with greater false alarm rates).

• The necessity of training the system for changing behaviour makes a system

immune to anomalies detected during the training phase (false negative).

Misbehaviour signatures - Signature detection

Systems possessing information on abnormal, unsafe behaviour (attack signature-

based systems) are often used in real-time intrusion detection systems (because of their

low computational complexity).

The misbehaviour signatures fall into two categories:

• Attack signatures – they describe action patterns that may pose a security threat.

Typically, they are presented as a time-dependent relationship between series of

activities that may be interlaced with neutral ones.

• Selected text strings – signatures to match text strings which look for suspicious

action (for example – calling /etc/password).

Any action that is not clearly considered prohibited is allowed. Hence, their

accuracy is very high (low number of false alarms). Typically, they do not achieve

completeness and are not immune to novel attacks.

23

Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.

 There are two main approaches associated with signature detection

Verification of the pathology of lower layer packets— many types of attacks

(Ping of Death or TCP Stealth Scanning) exploit flaws in IP, TCP, UDP or ICMP packets.

With a very simple verification of flags set on specific packets it is possible to determine

whether a packet is legitimate or not. Difficulties may be encountered with possible

packet fragmentation and the need for re-assembly. Similarly, some problems may be

associated with the TCP/IP layer of the system being protected. It is well known that

hackers use packet fragmentation to bypass many IDS tools.

Verification of application layer protocols - many types of attacks exploit

programming flaws, for example, out-of-band data sent to an established network

connection. In order to effectively detect such attacks, the IDS must have implemented

many application layer protocols.

The signature detection methods have the following advantages: very low false

alarm rate, simple algorithms, easy creation of attack signature databases, easy

implementation and typically minimal system resource usage.

Some disadvantages:

• Difficulties in updating information on new types of attacks (when maintaining the

attack signature database updated as appropriate).

• They are inherently unable to detect unknown, novel attacks. A continuous update

of the attack signature database for correlation is a must.

• Maintenance of an IDS is necessarily connected with analyzing and patching of

security holes, which is a time-consuming process.

• The attack knowledge is operating environment–dependent, so misbehavior

signature-based intrusion detection systems must be configured in strict compliance

with the operating system (version, platform, applications used etc.)

24

Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.

 • They seemed to have difficulty handling internal attacks. Typically, abuse of

legitimate user privileges is not sensed by the system as a malicious activity

(because of the lack of information on user privileges and attack signature structure).

Commercially offered IDS products often use the signature detection method for

two reasons. Firstly, it is easier for a given signature to be associated with a known attack

abstraction and to assign a name to an attack, e.g. Ping of Death, which is used

worldwide (a suitable signature can be attached to the installation version), than the

normal behaviour of a certain John Brown in an organization. Secondly, the attack

signature database must be updated regularly (by adding signatures of newly discovered

attacks and exploits), which may create a fairly good source of income for vendors of

IDS tools. A database update is at the same time a less cumbersome task than that

associated with the change of typical user behaviour profiles. In the latter case, a

temporary closing down of the system may be required, what cannot be tolerated on

certain applications.

Parameter Pattern Matching

The third method of intrusion detection is subtler than the two mentioned earlier.

It reasons on the fact, that system administrators monitor various systems and network

attributes (not necessarily targeting security issues). As a rule, information obtained in

this way has a constant specific environment. This method involves the use of day-to-day

operational experience of the administrators as the basis for detecting anomalies. It can be

considered as a special case of Normal Profile Methods. The difference lies in the fact

that a profile here is part of the human knowledge.

This is a very powerful technique, since it allows intrusions based on unknown

type attacks. The system operator can detect subtle changes that are not obvious to the

25

Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.

 operator himself. Its inherent disadvantage is connected with the fact that humans can

process and hence understand only a limited portion of information at a time, what means

that certain attacks may pass undetected.

2.2.2 Data processing techniques used in intrusion detection systems

Depending on the type of approach taken in intrusion detection, various

processing mechanisms (techniques) are employed for data that is to reach an IDS. Below,

several systems are described briefly:

• Fuzzy Logic Fuzzy concepts derive from fuzzy phenomena that commonly occur in

the natural world. For instance “rain” is a fuzzy statement of ”Today raining heavily”

since there is no clear boundary between “rain” and “heavy rain”. In intrusion

detection suppose we want to write a rule as given below we need a reason about a

quantity such as the number of different destination IP addresses in the last 2 seconds.

IF the number of different destination addresses during the

last n seconds was high

THEN an unusual situation exists.

Fuzzy logic, which is utilized, is a superset of conventional logic that has been

extended to handle the concept of partial truth, which lies between completely true and

completely false.

• Expert systems these work on a previously defined set of rules describing an

attack. All security related events incorporated in an audit trail are translated in

terms of if-then-else rules. Examples are Wisdom & Sense and Computer Watch.

• Signature analysis Similarly to expert System approach, this method is based on

the attack knowledge. They transform the semantic description of an attack into the

appropriate audit trail format. Thus, attack signatures can be found in logs or input

26

Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.

 data streams in a straightforward way. An attack scenario can be described, for

example, as a sequence of audit events that a given attack generates or patterns of

searchable data that are captured in the audit trail. This method uses abstract

equivalents of audit trail data. Detection is accomplished by using common text

string matching mechanisms. Typically, it is a very powerful technique and as such

very often employed in commercial systems .

• Colored Petri Nets The Colored Petri Nets approach is often used to generalize

attacks from expert knowledge bases and to represent attacks graphically. Purdue

University’s IDIOT system uses Colored Petri Nets. With this technique, it is easy

for system administrators to add new signatures to the system. However, matching a

complex signature to the audit trail data may be time-consuming. The technique is

not used in commercial systems.

• State-transition analysis Here, an attack is described with a set of goals and

transitions that must be achieved by an intruder to compromise a system.

Transitions are represented on state-transition diagrams.

• Statistical analysis approach This is a frequently used method. The user or system

behaviour (set of attributes) is measured by a number of variables over time.

Examples of such variables are: user login, logout, number of files accessed in a

period of time, usage of disk space, memory, CPU etc. The frequency of updating

can vary from a few minutes to, for example, one month. The system stores mean

values for each variable used for detecting exceeds that of a predefined threshold.

Yet, this simple approach was unable to match a typical user behaviour model.

Approaches that relied on matching individual user profiles with aggregated group

variables also failed to be efficient. Therefore, a more sophisticated model of user

behaviour has been developed using short- and long-term user profiles.

27

Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.

 These profiles are regularly updated to keep up with the changes in user behaviours.

Statistical methods are often used in implementations of normal user behaviour

profile-based Intrusion Detection Systems.

• Neural Networks Neural networks use their learning algorithms to learn about the

relationship between input and output vectors and to generalize them to extract new

input/output relationships. With the neural network approach to intrusion detection,

the main purpose is to learn the behaviour of actors in the system (e.g., users,

daemons). It is known that statistical methods partially equate neural networks.

The advantage of using neural networks over statistics resides in having a simple

way to express nonlinear relationships between variables, and in learning about

relationships automatically. Experiments were carried out with neural network

prediction of user behaviours. From the results it has been found that the behaviour

of UNIX super-users (roots) is predictable (because of very regular functioning of

automatic system processes). With few exceptions, behaviour of most other users is

also predictable. Neural networks are still a computationally intensive technique,

and are not widely used in the intrusion detection community.

• User intention identification This technique (that to our knowledge has only been

used in the SECURENET project) models normal behaviour of users by the set of

high-level tasks they have to perform on the system (in relation to the users’

functions). These tasks are taken as series of actions, which in turn are matched to

the appropriate audit data. The analyzer keeps a set of tasks that are acceptable for

each user. Whenever a mismatch is encountered, an alarm is produced.

• Computer immunology Analogies with immunology has lead to the development

of a technique that constructs a model of normal behaviour of UNIX network

services, rather than that of individual users. This model consists of short sequences

of system calls made by the processes. Attacks that exploit flaws in the application

28

Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.

 code are very likely to take unusual execution paths. First, a set of reference audit

data is collected which represents the appropriate behaviour of services, then the

knowledge base is added with all the known “good” sequences of system calls.

These patterns are then used for continuous monitoring of system calls to check

whether the sequence generated is listed in the knowledge base; if not — an alarm

is generated. This technique has a potentially very low false alarm rate provided

that the knowledge base is fairly complete. Its drawback is the inability to detect

errors in the configuration of network services. Whenever an attacker uses

legitimate actions on the system to gain unauthorized access, no alarm is generated.

• Machine learning This is an artificial intelligence technique that stores the

user-input stream of commands in a vectorial form and is used as a reference of

normal user behaviour profile. Profiles are then grouped in a library of user

commands having certain common characteristics..

• Data mining generally refers to a set of techniques that use the process of extracting

previously unknown but potentially useful data from large stores of data. Data mining

method excels at processing large system logs (audit data). However they are less

useful for stream analysis of network traffic. One of the fundamental data mining

techniques used in intrusion detection is associated with decision trees Decision tree

models allow one to detect anomalies in large databases. Another technique refers to

segmentation, allowing extraction of patterns of unknown attacks . This is done by

matching patterns extracted from a simple audit set with those referred to warehoused

unknown attacks. A typical data mining technique is associated with finding

association rules. It allows one to extract previously unknown knowledge on new

attacks or built on normal behaviour patterns. Anomaly detection often generates false

alarms. With data mining it is easy to correlate data related to alarms with mined audit

data, thereby considerably reducing the rate of false alarms.

29

Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.