CSCE 465 Lecture 18


Thursday, March 28, 2013


Intrusion Detection System

Intrusion: a set of actions aimed to compromise security goals (CIA)

Intrusion detection is the process of identifying and responding to intrusion activities

Why is this necessary?

  • Prevention is not always perfect
  • Detection can stop some attacks that circumvent prevention
  • multi-layered defense

Assumptions

  1. System activities are observable
  2. intrusive activities have distinct evidence vs. normal activities

Components

From algorithmic perspective:

  • Features: capture intrusion evidence
  • Models: piece evidence together and make a decision (attack vs. normal)

From system architecture perspective:

  • Audit data (pre)processor (collect observable data: logs, system calls, events, etc.)
  • knowledge base / detection models (what kind of behavior is good/bad?)
  • decision engine (uses KB to make decision)
  • alarm generation and response

Approaches

  • Deployment:
    • Network-based
    • Host-based
  • Analysis (requires a foundation on "what an attack looks like")
    • Misuse detection
      • Signature-based / pattern recognition
      • Always reactive: Cannot detect new attacks
      • e.g. looking for shell-code in incoming packets
    • Anomaly detection
      • statistical-based
      • Training session builds up data of normal activity
      • Can detect new attacks
      • higher false-positive rate: new normal activities may be interpreted as anomalies
  • Development and Maintenance
    • Hand-coding of "expert knowledge" (good, but time-consuming with slow turnaround)
    • Machine learning based on audit data

Performance Metrics

(See STAT 211 Topic 2#Conditional Probability→)


Algorithm: (Alarm = A, Intrusion = I)

  • True Positive rate =
  • False Negative rate =
  • False Positive rate =
  • True Negative Rate =
  • Bayesian detection rate = ("Given that an action is an intrusion, how likely is the IDS to catch it?")

                   detection
                   T                 F
  intrusion   T    True Positive     False Negative
              F    False Positive    True Negative

Tradeoff between True Positive Rate and False Positive Rate

Bayes' Theorem

(See STAT 211 Topic 2#Bayes' Theorem→)


  • is the base rate
Base Rate Fallacy: Even if false alarm rate (Pr[A | ¬I]) is very low, Bayesian detection rate (Pr[I | A]) is still low if base-rate (Pr[I]) is low

For example, suppose , , . The Bayesian detection rate is only !

The tradeoff between true positive rate and false positive rate is plotted as an ROC curve

Host-Based IDS

Uses OS auditing mechanisms (logs, system events)

"A Sense of Self: Immunology Approach"

Anomaly detection for Unix processes

  • Simple and short sequences of events (system calls per process) to distinguish "self" from not (e.g. open, read, mmap, mmap, open, getrlimit, mmap, close, ...)
  • Sliding window of length (e.g. in [open, read, mmap, mmap, open], getrlimit, mmap, close, ... → open, [read, mmap, mmap, open, getrlimit], mmap, close, ...)
  • Percentage matched > ε → normal
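The sliding-window "self" check described above, as an added example (not code from the lecture or from the original paper): a normal trace trains a database of length-k system-call sequences, and a new trace is classified by the fraction of its windows found in that database. The traces, k and ε are constructed values.

```python
# Constructed training trace from a "normal" run of the process (hypothetical).
NORMAL_TRACE = ["open", "read", "mmap", "mmap", "open", "getrlimit", "mmap", "close",
                "open", "read", "mmap", "mmap", "open", "getrlimit", "mmap", "close"]

# Constructed trace where an unexpected execve appears mid-sequence (hypothetical).
ODD_TRACE = ["open", "read", "mmap", "mmap", "open", "execve", "mmap", "close"]


def windows(trace, k):
    """Every length-k sliding window of the trace, in order, as tuples."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def build_self(trace, k):
    """Training phase: the set of length-k sequences observed in normal runs."""
    return set(windows(trace, k))


def match_ratio(self_db, trace, k):
    """Fraction of the trace's windows that also occur in the normal database.

    A trace shorter than k produces no windows; by assumption it is treated as
    fully matched (1.0) because there is no evidence against it.
    """
    ws = windows(trace, k)
    if not ws:
        return 1.0
    return sum(w in self_db for w in ws) / len(ws)


def classify(self_db, trace, k, eps):
    """Percentage matched > eps means 'self' (normal); otherwise anomalous."""
    return "normal" if match_ratio(self_db, trace, k) > eps else "anomalous"


if __name__ == "__main__":
    K, EPS = 5, 0.9
    db = build_self(NORMAL_TRACE, K)
    for name, trace in (("normal", NORMAL_TRACE[8:]), ("odd", ODD_TRACE)):
        print(name, round(match_ratio(db, trace, K), 2), classify(db, trace, K, EPS))
```

Lowering ε makes the detector tolerate more unseen windows (fewer false positives) at the cost of missing short deviations, which is the tradeoff the notes describe.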

Network IDS

  • Deployment at strategic locations (packet sniffing via tcpdump at routers)
  • Inspecting network traffic for violations of protocols and unusual connection params.
  • Monitoring user activities
  • May be defeated by encryption (e.g. SSH)