

  • Number of slides: 25

A Survey of Intrusion Detection Techniques, Teresa F. Lunt

Discussion Layout
• Introduction
  • What is Intrusion Detection?
  • How does Intrusion Detection work?
• Different approaches to Intrusion Detection
• Where and when should Intrusion Detection be implemented?
• Privacy issues
• The future of Intrusion Detection
• Conclusion

What is Intrusion Detection?
• Intrusion Detection should detect:
  • External penetrators: persons not authorized to use the computer
  • Internal penetrators: persons authorized to use the computer, but accessing an unauthorized program, data, or resource
    • Masqueraders: users operating under a false identity (someone else's password)
    • Clandestine users: users who evade auditing
  • Misfeasors: authorized users who abuse their privileges

What is Intrusion Detection?
• Detect external penetrators by keeping track of failed login attempts
• Detect masqueraders by establishing "normal" user behavior and flagging instances where a user has strayed from it
• Clandestine users are difficult to detect, because they may have privileges that let them work outside of the monitored areas of the system
  • A solution is to monitor certain system-wide parameters
• Normal users who abuse their privileges are also difficult to detect

How does Intrusion Detection work?
• Access controls
  • Not a complete defense against insider attack or outside penetration
  • No protection from privilege abuse
• Auditing
  • Audit trails collect information on use of the computer and on normal user activity
  • Audit data must be interpreted correctly, and the collected information must be relevant
• The rest of this talk focuses on tools developed to interpret audited information

Auditing
Audit data interpretation for security purposes can be:
• In-depth offline: after-the-fact analysis of audit data
• Real-time: immediate testing of audit data, allowing for a timely response
• Damage assessment
This talk focuses on the first two types of audit interpretation.

Approaches to interpreting audit data for security analysis
• Determining user norms
• Using expert systems
• Model-based reasoning
• The IDES resolver
• Other approaches

User norms: IDES
• IDES (Intrusion Detection Expert System) is used for auditing and interpreting audit data
  • Developed by SRI
  • Flags departures from established user "norms" in order to detect system penetration
  • Maintains a dynamic user profile that captures regular use

User norms: IDES
• How IDES measures audit information:
  • Ordinal measure: a count of numerically quantifiable behavior, e.g. the amount of CPU time used
  • Categorical measure: a function of observed behavior over a finite set of categories; each value is determined in relation to the other categories
  • Binary categorical measure: has a finite number of categories and assigns each a 1 or 0 depending on whether or not it is invoked
  • Linear categorical measure: has a score function that counts the number of times each category occurs

User norms: IDES
• Disadvantages of establishing normal user behavior:
  • Depends greatly on the consistency of the user
  • An insider may know that behavior is monitored and intentionally change it over time, so that the dynamic profile follows the change
  • A user's behavior is subject to change without notice
• Alternatives to auditing normal user behavior in IDES:
  • Profiling the normal behavior of programs
  • Using keystroke dynamics to continuously verify user identity
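The measures on the IDES slides above, the masquerader detection described earlier, and the slow-change weakness on this slide can be seen together in code. The following is an added example written for this page; it is not code from Lunt's survey or from SRI's IDES. The session record format (CPU seconds plus a command list), the ten-session window, the thresholds and the 10 % standard-deviation floor are all assumptions. It builds a profile for a constructed user "alice" from ten constructed sessions, flags a masquerader's session on all three measures, and then shows an insider who raises CPU use by 5 % per session for forty sessions without ever crossing the 3-sigma limit, because the dynamic profile follows the drift.

```python
"""IDES-style statistical user profiling over constructed audit records.

Added example for this page, not code from Lunt's survey or from SRI's IDES.
The session format, the three measures, the window size, the thresholds and
the standard-deviation floor are assumptions chosen to illustrate the idea.
"""
from collections import Counter, deque
import math

WINDOW = 10          # dynamic profile = the user's last WINDOW sessions
Z_LIMIT = 3.0        # ordinal measure: flag beyond 3 standard deviations
TVD_LIMIT = 0.5      # categorical measure: flag if the command mix shifts by > 50 %
NOVEL_LIMIT = 0.5    # binary categorical measure: flag if > 50 % of commands are new
STD_FLOOR = 0.10     # never let the std fall below 10 % of the mean (avoids z = inf)


class Profile:
    """Dynamic profile of one user's 'normal' behaviour."""

    def __init__(self):
        self.cpu = deque(maxlen=WINDOW)   # ordinal measure: CPU seconds per session
        self.commands = Counter()         # linear categorical measure: command counts
        self.seen = set()                 # binary categorical measure: ever invoked?

    def update(self, cpu_seconds, cmds):
        self.cpu.append(cpu_seconds)
        self.commands.update(cmds)
        self.seen.update(cmds)

    def cpu_stats(self):
        n = len(self.cpu)
        mean = sum(self.cpu) / n
        var = sum((x - mean) ** 2 for x in self.cpu) / (n - 1) if n > 1 else 0.0
        return mean, max(math.sqrt(var), STD_FLOOR * mean)


def score_session(profile, cpu_seconds, cmds):
    """Return the per-measure anomaly scores and whether any exceeds its limit."""
    mean, std = profile.cpu_stats()
    z = abs(cpu_seconds - mean) / std

    obs = Counter(cmds)
    tot_obs, tot_prof = sum(obs.values()), sum(profile.commands.values())
    if tot_prof == 0:
        tvd = 1.0                         # no profile yet: everything is a departure
    else:
        keys = set(obs) | set(profile.commands)
        # total variation distance between the session's and the profile's command mix
        tvd = 0.5 * sum(abs(obs[k] / tot_obs - profile.commands[k] / tot_prof) for k in keys)

    novelty = sum(1 for c in cmds if c not in profile.seen) / len(cmds)
    flagged = z > Z_LIMIT or tvd > TVD_LIMIT or novelty > NOVEL_LIMIT
    return {"z": z, "tvd": tvd, "novelty": novelty, "flagged": flagged}


# Constructed training history for "alice": (CPU seconds, commands) per session.
ALICE_HISTORY = [
    (20, ["ls", "vi", "cc", "make", "ls"]),
    (22, ["ls", "vi", "cc", "make", "mail"]),
    (24, ["vi", "cc", "make", "ls", "mail"]),
    (21, ["ls", "ls", "vi", "cc", "make"]),
    (23, ["mail", "ls", "vi", "cc", "make"]),
    (25, ["ls", "vi", "vi", "cc", "make"]),
    (22, ["ls", "vi", "cc", "make", "mail"]),
    (24, ["ls", "cc", "make", "vi", "ls"]),
    (23, ["vi", "cc", "ls", "make", "mail"]),
    (26, ["ls", "vi", "cc", "make", "make"]),
]
USUAL_SESSION = ["ls", "vi", "cc", "make", "mail"]


def build_profile(history):
    profile = Profile()
    for cpu, cmds in history:
        profile.update(cpu, cmds)
    return profile


def detect_masquerader():
    """A sudden, large departure from alice's norm trips all three measures."""
    profile = build_profile(ALICE_HISTORY)
    return score_session(profile, 400, ["finger", "su", "cat", "ftp", "finger", "cat"])


def slow_drift(sessions=40, growth=1.05):
    """Insider who knows the profile is dynamic: grow CPU use 5 % per session while
    keeping the usual commands.  Returns (number of flagged sessions, final mean CPU)."""
    profile = build_profile(ALICE_HISTORY)
    cpu, flags = 23.0, 0
    for _ in range(sessions):
        cpu *= growth
        if score_session(profile, cpu, USUAL_SESSION)["flagged"]:
            flags += 1
        profile.update(cpu, USUAL_SESSION)   # the profile quietly follows the drift
    return flags, profile.cpu_stats()[0]
```

The drift run ends with the profile's mean CPU at roughly five times the original baseline and no alert at all, which is the slide's point about insiders who change behavior gradually. A fixed reference profile kept alongside the dynamic one, or a second window measured in months rather than sessions, is the usual mitigation.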

User norms: Neural Networks
• SRI has looked into Neural Networks (NNs) to counter the following IDES problems:
  • The need for accurate statistical distributions
    • NNs do not require assumptions about normal user behavior
  • Difficulty in evaluating detection measures
    • NNs can evaluate the effectiveness of detection measures
  • High cost of algorithm development
    • NN simulators are easier to modify for new user communities
  • Difficulty in scaling
    • NNs could classify users according to their observed behavior, as opposed to manual groupings

User norms: Neural Networks
• So, what IS a Neural Network?
  • In principle, NNs can compute any computable function, i.e., they can do everything a normal digital computer can do.
  • In practice, NNs are especially useful for classification and function approximation/mapping problems which are tolerant of some imprecision, which have lots of training data available, but to which hard and fast rules (such as those that might be used in an expert system) cannot easily be applied.
  • Source: http://www.rdt.monash.edu.au/~app/CSC437nn/Lnts/L01.html#CITEnn.FAQ
• In general, NNs are capable of "learning" and can be used for purposes such as pattern recognition

Expert Systems
• The expert-system approach simply monitors audit data for suspicious activity
• The approach is likened to a security officer's duties
• The expert system uses a defined set of activities (rules) to look for
  • This set of rules cannot possibly be comprehensive
• The set of rules is fixed; it does not depend on previous activity
• There may be a way to combine this approach with the statistical approach
  • Compare rule violations with normal user behavior and try to detect a correspondence

Model-based reasoning
• This type of Intrusion Detection relies on the fact that there are usually known procedures for breaching system security
  • Known password attacks
  • Known system vulnerabilities
• Model-based reasoning monitors for known attacks via a specific model of proscribed activities
• It gathers "evidence" of an intrusive procedure by looking for intrusion scenarios
• Top-down models allow the system to predict the action an intruder would take next if following such a scenario, and so determine specifically which audit data to examine next

Model-based reasoning
• Data is systematically examined until enough "evidence" is gathered to support the suspicion of an attack
• Good candidates for model-based reasoning are:
  • Attacks which are easily recognizable
  • Attacks which contain sets of instructions unique to that specific attack
  • Attacks which contain sets of instructions that are not associated with normal behavior

Model-based reasoning
• Benefits:
  • Narrows down the information that needs to be processed
  • Gives intuitive explanations of detected attacks
  • Allows preventive action before an attack is completed
• Drawbacks:
  • Can only detect known attacks
  • An intruder may be able to vary the scenario and avoid detection
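The three model-based slides above describe a scenario model that predicts the next intruder action, asks only for the audit data that action would produce, and accumulates evidence until the suspicion is supported. The following is an added example written for this page, not code from Lunt's survey or from any SRI system; the audit record layout, the three-step password-attack scenario, the "three failed logins" evidence threshold and both constructed audit trails are assumptions. It shows the narrowing (a per-subject tracker only examines records of the type its next step wants), the explanation an alert carries, and the drawback: the same damage done by a varied scenario (a stolen password, so no failed logins) produces no alert.

```python
"""Model-based reasoning: matching a known intrusion scenario against audit data.

Added example written for this page; it is not code from Lunt's survey or from
any SRI system.  The record layout, the scenario steps and the evidence
threshold are assumptions chosen to show how the model drives the search.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Step:
    name: str
    record_type: str                  # the audit data this step needs to look at
    matches: Callable[[dict], bool]   # what counts as evidence for the step
    min_count: int = 1                # how much evidence before moving on


@dataclass
class Scenario:
    name: str
    steps: List[Step]


# Assumed scenario: a password-guessing attack that ends in tampering with the
# password file.  The steps must be satisfied in order.
PASSWORD_ATTACK = Scenario("guessed password, then password file tampered", [
    Step("repeated failed logins", "login", lambda r: r["result"] == "fail", min_count=3),
    Step("login finally succeeds", "login", lambda r: r["result"] == "ok"),
    Step("password file opened for writing", "open",
         lambda r: r["file"] == "/etc/passwd" and r["mode"] == "w"),
])


class ScenarioTracker:
    """Evidence gathered so far for one (scenario, subject) pair."""

    def __init__(self, scenario, subject):
        self.scenario, self.subject = scenario, subject
        self.step_index, self.count, self.evidence = 0, 0, []

    def complete(self):
        return self.step_index >= len(self.scenario.steps)

    def wanted_record_type(self):
        """Top-down prediction: the only kind of audit record worth examining next."""
        return None if self.complete() else self.scenario.steps[self.step_index].record_type

    def feed(self, record):
        """Examine one record of the wanted type; return True if it was evidence."""
        step = self.scenario.steps[self.step_index]
        if not step.matches(record):
            return False
        self.evidence.append((step.name, record["time"]))
        self.count += 1
        if self.count >= step.min_count:      # enough evidence: predict the next step
            self.step_index, self.count = self.step_index + 1, 0
        return True

    def explain(self):
        """Intuitive explanation: which records supported which step."""
        return {"subject": self.subject, "scenario": self.scenario.name,
                "evidence": list(self.evidence)}


def run(trail, scenario=PASSWORD_ATTACK):
    """Return (alerts, number of records actually examined) for an audit trail."""
    trackers, alerts, examined = {}, [], 0
    for record in trail:
        user = record["user"]
        if user not in trackers:
            trackers[user] = ScenarioTracker(scenario, user)
        tracker = trackers[user]
        if record["type"] != tracker.wanted_record_type():
            continue                          # the model says: not relevant right now
        examined += 1
        tracker.feed(record)
        if tracker.complete():
            alerts.append(tracker.explain())
            del trackers[user]
    return alerts, examined


def audit_rec(time, user, type_, **fields):
    return {"time": time, "user": user, "type": type_, **fields}


# Constructed audit trail: the full scenario against "root", with noise from "bob".
ATTACK_TRAIL = [
    audit_rec(1, "root", "login", result="fail"),
    audit_rec(2, "bob", "exec", cmd="ls"),
    audit_rec(3, "root", "login", result="fail"),
    audit_rec(4, "bob", "open", file="/home/bob/notes", mode="r"),
    audit_rec(5, "root", "exec", cmd="cat"),
    audit_rec(6, "root", "login", result="fail"),
    audit_rec(7, "bob", "login", result="ok"),
    audit_rec(8, "root", "login", result="ok"),
    audit_rec(9, "root", "exec", cmd="ls"),
    audit_rec(10, "root", "open", file="/etc/motd", mode="r"),
    audit_rec(11, "bob", "exec", cmd="mail"),
    audit_rec(12, "root", "open", file="/etc/passwd", mode="w"),
]

# Constructed varied scenario: the password was stolen, so there are no failures.
VARIED_TRAIL = [
    audit_rec(1, "root", "login", result="ok"),
    audit_rec(2, "root", "open", file="/etc/passwd", mode="w"),
]
```

On the first trail only 7 of the 12 records are examined and the alert lists the five records (times 1, 3, 6, 8 and 12) that satisfied the three steps. On the second trail the tracker for "root" never leaves step one, so the identical write to /etc/passwd goes unreported; that is exactly why the survey pairs model-based detection with a statistical component.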

The IDES resolver
• Will combine the statistical and expert-system components
• Can make more complex deductions about suspicious behavior
• Reduces the false-positive rate
• Detects the gravity of a situation more accurately
• Correlates audit data with other available data:
  • Information about changes in user status (new users, user locations, ...)
  • Information about files, directories, devices, authorizations, ...
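The Expert Systems slide above (a fixed, memoryless rule set, and the idea of comparing rule violations with the user's normal behavior) and the resolver slide here (combining the statistical and expert-system views, deducing more from several hits together, and correlating with user-status data) can be shown in one piece of code. The following is an added example written for this page, not code from Lunt's survey or from SRI's IDES resolver. The three rules, the per-user baseline firing rates standing in for the statistical component, the user-status table, the priority ladder and the constructed audit records are all assumptions.

```python
"""Expert-system rules plus an IDES-style resolver over constructed audit records.

Added example written for this page; it is not code from Lunt's survey or from
SRI's IDES resolver.  The rules, the per-user baseline rates, the user-status
table and the priority ladder are assumptions chosen to show how rule hits are
weighed against what is normal for the user and against administrative data.
"""
from collections import defaultdict

PRIORITY = ["info", "low", "medium", "high", "critical"]


def escalate(prio):
    return PRIORITY[min(PRIORITY.index(prio) + 1, len(PRIORITY) - 1)]


# Fixed rule set: each rule looks at one record, with no memory of earlier activity.
RULES = [
    ("off-hours login", "low",
     lambda r: r["type"] == "login" and r["result"] == "ok" and not 6 <= r["hour"] < 20),
    ("shadow file read by non-root", "high",
     lambda r: r["type"] == "open" and r["file"] == "/etc/shadow" and r["user"] != "root"),
    ("failed login", "low",
     lambda r: r["type"] == "login" and r["result"] == "fail"),
]


def apply_rules(records, rules=RULES):
    """Expert-system pass: every (rule name, severity, record) triple that matches."""
    return [(name, sev, r) for r in records for name, sev, test in rules if test(r)]


def resolve(records, hits, baseline, status):
    """Combine rule hits with statistical and administrative context.

    baseline[(user, rule)] is how often that rule fired per day for that user
    while the profile was built (absent = never); status[user] is the account
    status maintained alongside the audit data ('active' or 'terminated').
    """
    alerts = {}
    unexplained = defaultdict(set)

    def raise_to(user, prio, why):
        alert = alerts.setdefault(user, {"priority": "info", "reasons": []})
        if PRIORITY.index(prio) > PRIORITY.index(alert["priority"]):
            alert["priority"] = prio
        if why not in alert["reasons"]:
            alert["reasons"].append(why)

    for name, sev, r in hits:
        user = r["user"]
        rate = baseline.get((user, name), 0.0)
        if rate >= 1.0:       # fires daily for this user: part of their norm
            raise_to(user, "info", f"{name}: routine for {user} ({rate:.1f}/day in profile)")
        elif rate > 0.0:      # seen before, but rarely
            raise_to(user, "low", f"{name}: occasional for {user} ({rate:.1f}/day in profile)")
        else:                 # a departure from the norm: keep the rule's own severity
            unexplained[user].add(name)
            raise_to(user, sev, f"{name}: never seen for {user} during profiling")

    # More complex deduction: two different unexplained violations by one user
    # are worse than either alone.
    for user, names in unexplained.items():
        if len(names) >= 2:
            alerts[user]["priority"] = escalate(alerts[user]["priority"])
            alerts[user]["reasons"].append(f"{len(names)} independent unexplained violations")

    # Correlation with user-status data: any activity at all by a terminated account.
    for r in records:
        if status.get(r["user"]) == "terminated":
            raise_to(r["user"], "critical", "account is terminated but still active")
    return alerts


# Constructed audit records, baseline and status table.
RECORDS = [
    {"type": "login", "user": "backup", "hour": 2, "result": "ok"},
    {"type": "open", "user": "backup", "hour": 2, "file": "/etc/shadow"},
    {"type": "login", "user": "alice", "hour": 23, "result": "ok"},
    {"type": "open", "user": "alice", "hour": 23, "file": "/etc/shadow"},
    {"type": "login", "user": "dave", "hour": 10, "result": "ok"},
    {"type": "login", "user": "root", "hour": 9, "result": "fail"},
    {"type": "exec", "user": "alice", "hour": 23, "cmd": "ls"},
]
BASELINE = {
    ("backup", "off-hours login"): 1.0,               # nightly backup job
    ("backup", "shadow file read by non-root"): 1.0,
    ("root", "failed login"): 0.2,                    # an admin typo every few days
}
STATUS = {"alice": "active", "backup": "active", "root": "active", "dave": "terminated"}
```

Run on the constructed records, the rules alone fire identically for "backup" and "alice"; the resolver reports the backup account's nightly shadow read as informational, raises alice's two never-before-seen violations to critical, and flags "dave" although no rule fired, purely from the user-status table.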

Other approaches
• Define acceptable, as opposed to suspicious, behavior
• Use trap doors (bait for malicious users):
  • Bogus passwords
  • "Tripwire" files
• Good Intrusion Detection systems will incorporate a number of methods for system security

More thoughts on auditing
• In addition to normal security audit data, the following information should be maintained:
  • Facts about user status: new users, terminated users, users on vacation, changed job assignments, etc.
  • Facts about files, directories, devices, and authorizations
  • Profiles of expected or socially acceptable user behavior
• Users, even privileged ones, should not be able to tamper with the audit mechanisms
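The last point, that even privileged users must not be able to tamper with the audit trail, is easier to state than to enforce, since a privileged user can usually rewrite any file on the monitored host. One standard way to make tampering at least detectable is to hash-chain the entries and keep the latest chain head on a separate monitoring system, which is where the later slides recommend the detection system run anyway. The following is an added example written for this page, not from Lunt's survey; the line layout, the use of SHA-256 and the constructed records are assumptions. It shows that an in-place edit and a broken link are caught by the chain itself, while truncation and a full rewrite are caught only against the copy of the head held off the host.

```python
"""Tamper-evident audit trail: a hash chain whose head is kept off the monitored host.

Added example written for this page, not from Lunt's survey.  The line layout,
the constructed records and the choice of SHA-256 are assumptions.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64   # 'previous hash' of the very first entry


def _digest(seq, prev, record):
    payload = f"{seq}|{prev}|{json.dumps(record, sort_keys=True)}".encode()
    return hashlib.sha256(payload).hexdigest()


class AuditLog:
    """Append-only log where every entry commits to the entry before it."""

    def __init__(self):
        self.lines = []

    @property
    def head(self):
        return self.lines[-1]["hash"] if self.lines else GENESIS

    def append(self, record):
        line = {"seq": len(self.lines), "prev": self.head, "record": record}
        line["hash"] = _digest(line["seq"], line["prev"], record)
        self.lines.append(line)
        return line


def verify(lines, expected_head=None):
    """Walk the chain; expected_head is the last hash the separate monitoring host saw."""
    prev = GENESIS
    for i, line in enumerate(lines):
        if line["seq"] != i or line["prev"] != prev:
            return False, f"chain broken at entry {i}"
        if _digest(i, prev, line["record"]) != line["hash"]:
            return False, f"entry {i} modified"
        prev = line["hash"]
    if expected_head is not None and prev != expected_head:
        return False, "chain head mismatch: log truncated or rewritten"
    return True, "ok"


SAMPLE_RECORDS = [   # constructed audit records
    {"user": "alice", "event": "login", "result": "ok"},
    {"user": "alice", "event": "open", "file": "/etc/shadow"},
    {"user": "alice", "event": "logout"},
]


def build_sample_log():
    log = AuditLog()
    for record in SAMPLE_RECORDS:
        log.append(record)
    return log


def edit_in_place(log):
    """A privileged user rewrites one record but not the hashes that follow it."""
    lines = copy.deepcopy(log.lines)
    lines[1]["record"]["user"] = "nobody"
    return verify(lines, log.head)


def drop_last_entry(log):
    """Truncation is invisible to the chain alone, visible against the off-host head."""
    lines = copy.deepcopy(log.lines[:-1])
    return verify(lines), verify(lines, log.head)


def rewrite_whole_log(log):
    """With write access to the whole file the chain can simply be recomputed; only
    the head recorded on the monitoring host gives the forgery away."""
    forged = AuditLog()
    for record in SAMPLE_RECORDS:
        forged.append({**record, "user": "nobody"})
    return verify(forged.lines), verify(forged.lines, log.head)
```

The chain proves nothing on its own against an attacker who can rewrite the whole file, so the head must leave the monitored host as each entry is written (for example, shipped with the preprocessed data to the monitoring system); the verifier then has to be run from that side, not from the host being audited.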

What is the appropriate level of auditing?
• Auditing should be implemented at the lowest level possible, so that users with direct programming access cannot bypass the security checks
  • This will detect clandestine users
• It is also useful to audit at the command-line and application level
  • This allows for expert-system and model-based security analysis

Where should auditing take place?
• Auditing ideally takes place on a separate system devoted to monitoring user behavior
  • One advantage is that performance is not affected on the monitored system
  • Another advantage is that a higher level of security can be implemented on the Intrusion Detection system
• Data should be preprocessed on the monitored system to reduce storage and performance requirements on the Intrusion Detection system
• Intrusion Detection systems could be generalized to monitor more than one machine at a time

Privacy issues?
• Maintaining a large database of user activity could be a major violation of privacy
  • Employee monitoring may take place
• The audit files may fall into the wrong hands

Future
• So, what's going on with IDES now?
  • Visit the Intrusion Detection Homepage at http://www.sdl.sri.com/intrusion/index.html
• What happened to IDES?
  • It was revised and became NIDES at some point after 1993
  • According to SRI: "These efforts did, however, have some inherent limitations in scalability, applicability to network environments by their focus on users as the analysis targets, and lack of features to support interoperability"

Future
• SRI is now working on EMERALD, the successor system to NIDES
• This system will "considerably extend the NIDES concept to accommodate network-based analyses and dramatically increase interoperability and ease of integration into distributed computing environments. This effort will include extending components for profile-based analysis, signature-based analysis, and localized results fusion with automated response capability. In addition, we are considerably extending our results analysis capability to facilitate hierarchical interpretations of our distributed monitoring units, which will enable cross-platform analysis at various layers of abstraction, and successive refinement of the resulting analyses within increasingly broader scopes" (Intrusion Detection Homepage).

Conclusion
• There is no perfect Intrusion Detection system
• Only through a combination of systems can the best possible security monitoring be implemented
• Probably the best approach is to maintain a profile of normal user activity and check this profile against a set of known suspicious behaviors
• Although privacy may be an issue, it is possible to implement regulations on auditing that protect users and maintain security