Improving Intrusion Detection System

Improving Intrusion Detection System
Taminee Shinasharkey
CS689
11/2/00
Introduction
An intrusion occurs when a user takes an action that the user is not authorized to take.
An intrusion attempt (Anderson, 1980) is defined as the potential possibility of a deliberate unauthorized attempt to
- Access information,
- Manipulate information, or
- Render a system unreliable or unusable.
Introduction (cont)
Intrusion detection involves determining that an intruder has tried to gain, or has gained, unauthorized access to the system.
Most intrusion detection systems attempt to detect a presumed intrusion and alert a system administrator, who then takes action to stop the intrusion.
An audit record is a record of one activity on a system; audit records are logged to a file in chronological (sorted) order.
(Figure source: MIT Lincoln Laboratory.)
Intrusion Classification
The COAST group at Purdue University defined an intrusion as any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource.
There are two techniques of intrusion detection:
1. Anomaly Detection – based on observed deviations from normal system usage patterns.
2. Misuse Detection – based on patterns (signatures) of known attacks against weak points of a system.
Anomaly Detection
• Tries to detect the complement of normal behavior: anything that does not fit the known-good pattern is suspect.
• The system establishes a profile of normal activity for the monitored system and flags every state that deviates from that profile.
• It must be able to distinguish anomalous from normal behavior; the quality of the profile decides both the false alarms and the misses.
Anomaly Detection
A block diagram of a typical anomaly detection system
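As an added example of the profile-and-deviation approach described above (this is not code from the original slides): a per-user profile is built from a training set of audit records, and new records are flagged when they use a command or an hour not in the profile, or when the activity rate in one hour exceeds the profile's mean by more than a z-score threshold. The audit records are constructed for the example, and the record format (user, hour of day, command) and the threshold of 2.0 are assumptions.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed audit records for training: (user, hour_of_day, command).
# They stand for a period of known-normal activity.
TRAINING = [
    ("alice", 9, "ls"), ("alice", 9, "vi"), ("alice", 10, "make"),
    ("alice", 10, "make"), ("alice", 14, "ls"), ("alice", 15, "vi"),
    ("alice", 16, "make"), ("alice", 16, "ls"),
    ("bob", 22, "ls"), ("bob", 22, "cat"), ("bob", 23, "cat"),
    ("bob", 1, "vi"), ("bob", 2, "cat"),
]

# Constructed records to evaluate against the profile.
NEW = [
    ("alice", 10, "ls"),                          # normal for alice
    ("alice", 3, "vi"),                           # alice never works at 3h
    ("bob", 23, "chmod"),                         # bob never ran chmod
    ("carol", 12, "ls"),                          # no profile for carol
    ("alice", 15, "cat"), ("alice", 15, "ls"),    # burst at 15h, and
    ("alice", 15, "vi"), ("alice", 15, "make"),   # cat is new for alice
    ("alice", 15, "ls"),
]

def build_profile(records):
    """Per-user profile: commands seen, hours seen, and mean/stddev of the
    number of records per active hour (the normal activity rate)."""
    per_user = defaultdict(list)
    for user, hour, cmd in records:
        per_user[user].append((hour, cmd))
    profile = {}
    for user, events in per_user.items():
        per_hour = Counter(h for h, _ in events)
        counts = list(per_hour.values())
        profile[user] = {
            "commands": {c for _, c in events},
            "hours": set(per_hour),
            "rate_mean": mean(counts),
            # floor the deviation at 1.0 so a flat profile cannot make
            # every small change look like a huge z-score
            "rate_std": max(pstdev(counts), 1.0),
        }
    return profile

def detect_anomalies(profile, records, z_threshold=2.0):
    """Return (record_or_key, reason) for every deviation from the profile."""
    alerts = []
    rate = Counter()
    for rec in records:
        user, hour, cmd = rec
        prof = profile.get(user)
        if prof is None:
            alerts.append((rec, "no profile for user"))
            continue
        if cmd not in prof["commands"]:
            alerts.append((rec, "command not in user's profile"))
        if hour not in prof["hours"]:
            alerts.append((rec, "hour not in user's profile"))
        rate[(user, hour)] += 1
    # Second pass: activity rate per (user, hour) against the profile's rate.
    for (user, hour), n in rate.items():
        prof = profile.get(user)
        if prof is None:
            continue
        z = (n - prof["rate_mean"]) / prof["rate_std"]
        if z > z_threshold:
            alerts.append(((user, hour), f"activity rate z={z:.1f} exceeds threshold"))
    return alerts

if __name__ == "__main__":
    for what, reason in detect_anomalies(build_profile(TRAINING), NEW):
        print(f"{reason:40s} {what}")
```

The profile is only as good as the training window: if an intruder's activity is present during training it becomes "normal", which is the slide's point that the system must be able to tell anomalous from normal behavior before it can flag anything.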
Misuse Detection
• Tries to recognize known bad behavior.
• Detection uses a pattern or signature of the attack rather than an exact copy of it, so that variations of the same attack can be detected.
• Concerned with catching intruders who attempt to break into a system by exploiting some known vulnerability.
Misuse Detection
A block diagram of a typical misuse detection system
Intruder Classification
Intruders are classified into two groups:
1. External intruders – unauthorized users of the systems they attack.
2. Internal intruders – users who have some authority on the system:
- Masqueraders – external intruders who have succeeded in gaining access to the system (e.g., a credit card defrauder).
- Legitimates – authorized users who have access to sensitive data but misuse this access.
- Clandestine – intruders who have the power to control the system, including the power to turn off audit controls for themselves.
Problem Description
An Application Intrusion Detection System is concerned with anomaly detection more than with misuse detection. Since OS Intrusion Detection and Application Intrusion Detection observe the same basic entities (the same files and the processes and users that act on them), there should be some correlation between events at the operating system level and events at the application level. Is it possible to have these two systems cooperate in order to improve the effectiveness of intrusion detection?
Research Objectives
The goal of this research is to try to improve the effectiveness of intrusion detection and to see how an OS Intrusion Detection System might cooperate with an Application Intrusion Detection System to achieve this goal.
The differences between an OS and an Application Intrusion Detection System
OS Intrusion Detection System
• Detects external intruders.
• Organized so that each event is associated with the process that generated it and with the user who started that process (or on whose behalf it executed).
• Lower resolution.
• Views a file as a container whose contents cannot be deciphered, except for changes in size.
• Can only define a relation on a file as a whole, such as whether or not it was changed in the last period of time.
Application Intrusion Detection System
• Only detects internal intruders, i.e., intruders who have either penetrated the operating system to get access to the application, or were given some legitimate access to the application.
• May not be set up to map each event to the entity that caused it.
• Higher resolution.
• Can define relations on the individual records or fields of a file.
Similarities
• Both attempt to detect intrusion by evaluating relations that differentiate anomalous from normal behavior.
• The database files they observe are the same size.
• Both could build event records listing all events and the associated event-causing entities of the application, using whatever form of identification is available.
• Similar structure.
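An added example (not code from the original slides) of the cooperation the two preceding slides motivate. OS-level audit records carry the acting user and process but see the file only as a container with a size; application-level records carry the record and field that changed but, as assumed here, no user identity. Joining the two by file path and a short time window attributes each field-level change to an OS principal, and a policy on a protected field can then be checked that neither view can check alone. The records, file names, user names, the policy tables and the 5-second window are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class OsEvent:
    """OS-level audit record: who (uid/pid) did what to which file.
    The file is an opaque container; only its size before/after is visible."""
    ts: int
    uid: str
    pid: int
    op: str
    path: str
    size_before: int
    size_after: int

@dataclass(frozen=True)
class AppEvent:
    """Application-level audit record: which record and field changed, and how.
    Assumed here to carry no user identity (the application does no mapping)."""
    ts: int
    path: str
    record: str
    field: str
    old: str
    new: str

# Constructed sample records (timestamps in seconds); hypothetical file names.
OS_EVENTS = [
    OsEvent(100, "alice", 401, "write", "/data/payroll.db", 4096, 4096),
    OsEvent(160, "bob", 417, "write", "/data/payroll.db", 4096, 4096),
    OsEvent(200, "bob", 417, "write", "/data/notes.txt", 120, 140),
]
APP_EVENTS = [
    AppEvent(101, "/data/payroll.db", "emp-17", "phone", "555-0100", "555-0199"),
    AppEvent(161, "/data/payroll.db", "emp-17", "salary", "52000", "98000"),
]

# Hypothetical policy: which OS users may write each file, and which
# application fields only payroll administrators may change.
ALLOWED_WRITERS = {"/data/payroll.db": {"alice", "bob"}, "/data/notes.txt": {"bob"}}
PAYROLL_ADMINS = {"alice"}
PROTECTED_FIELDS = {"salary"}
WINDOW = 5  # max seconds between an OS write and the application record it produced

def os_view_alerts(os_events, allowed_writers=ALLOWED_WRITERS):
    """OS IDS alone: it knows the writer but not what changed inside the file.
    Both sample writes to payroll.db are by permitted users and leave the size
    unchanged, so this view raises nothing."""
    return [e for e in os_events
            if e.op == "write" and e.uid not in allowed_writers.get(e.path, set())]

def app_view_alerts(app_events, protected=PROTECTED_FIELDS):
    """Application IDS alone: it sees the field-level change but cannot say who
    made it, so the actor is reported as None."""
    return [(a, None) for a in app_events if a.field in protected]

def attribute(os_events, app_events, window=WINDOW):
    """Map each application record change to the OS principal that wrote the
    same file within `window` seconds before it (the cooperation step)."""
    result = {}
    for a in app_events:
        candidates = [o for o in os_events
                      if o.path == a.path and o.op == "write"
                      and 0 <= a.ts - o.ts <= window]
        result[a] = max(candidates, key=lambda o: o.ts).uid if candidates else None
    return result

def correlated_alerts(os_events, app_events, protected=PROTECTED_FIELDS,
                      admins=PAYROLL_ADMINS):
    """Combined view: a protected field changed by a user who is not a payroll
    administrator. Neither layer can decide this on its own."""
    actor = attribute(os_events, app_events)
    return [(a, actor[a]) for a in app_events
            if a.field in protected and actor[a] not in admins]

if __name__ == "__main__":
    print("OS view:", os_view_alerts(OS_EVENTS))
    print("App view:", app_view_alerts(APP_EVENTS))
    print("Correlated:", correlated_alerts(OS_EVENTS, APP_EVENTS))
```

In the sample, bob is a legitimate internal user (he is allowed to write the file), so the OS view is silent; the application view sees a salary change but has no actor; only the joined view reports that bob, who is not a payroll administrator, changed a salary. A change with no OS write inside the window is attributed to None and still reported, since an unattributable protected-field change is itself worth an alert.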
Literature review
The COAST laboratory at Purdue University characterized a good Intrusion Detection System as having the following qualities:
- Run continually
- The system must be reliable enough to run in the background of the system being observed.
- Fault tolerant
- The system must survive a system crash without having to rebuild its knowledge base at restart.
- Resist subversion
- The system must monitor itself to ensure that it has not been subverted.
Literature Review (cont)
- Minimal overhead
- A system that slows a computer to a crawl will not be used.
- Observe deviations (from normal behavior)
- Easily tailored
- Every system has a different usage pattern, and the defense mechanism should adapt easily to those patterns.
- Changing system behavior
- The system profile will change over time, and the Intrusion Detection System must be able to adapt.
- Difficult to fool
Literature Review (cont)
• The Information Systems Technology Group of MIT Lincoln Laboratory, under Defense Advanced Research Projects Agency (DARPA) Information Technology Office and Air Force Research Laboratory (AFRL/SNHS) sponsorship, collected data for and evaluated computer network intrusion detection systems in 1998 and 1999.
Benefits of this Research
We will learn whether an Application Intrusion Detection System can cooperate with an OS Intrusion Detection System, and whether doing so improves the ability of Intrusion Detection Systems to defend against intruders.
Research Design
• Case study of an Application Intrusion Detection System.
• Study of the differences between, and the cooperation of, the Application Intrusion Detection System and the OS Intrusion Detection System.
• Research into the possibility of the two systems working cooperatively.
Conclusion
The Application Intrusion Detection System can be more effective in detecting intruders than the OS Intrusion Detection System because Application Intrusion Detection operates at a higher resolution. Since the Application Intrusion Detection System depends on the OS Intrusion Detection System, and only the OS Intrusion Detection System can detect external intruders, we need an OS Intrusion Detection System and an Application Intrusion Detection System that cooperate, for increased potential in detecting intruders.
Thank you.