IDSIC: A Modeling of Intrusion Detection System with Identification Capability - PowerPoint PPT Presentation

Slides: 43
Provided by: iisSin

Transcript and Presenter's Notes

1
IDSIC A Modeling of Intrusion Detection System
with Identification Capability
  • Pei-Te Chen, Benjamin Tseng, Chi-Sung Laih
  • Cryptology Network Security Lab.
  • Electrical Engineering Department
  • National Cheng Kung University

2
Outline
  1. Introduction
  2. Traditional IDS model
  3. A New model IDSIC
  4. Implementation issues of IDSIC
  5. Conclusion

3
1. Introduction
  • Three fundamental functional components of an
    intrusion detection system (IDS)
    • Collection
      • collects the different sources of information
    • Detection
      • analyzes the information sources
    • Response
      • notifies the system managers when or where an
        intrusion happens
      • active measures / passive measures

4
1. Introduction (cont.)
  • Some security standards, e.g., ISO 17799, suggest
    that an internal auditor should periodically check
    the security issues in the enterprise networks
  • In order to discover the real security holes or
    vulnerabilities, the security tools used by the
    auditors are the same tools used by outside
    hackers

5
1. Introduction (cont.)
  • These tests can be separated into two situations
    • Rehearsal
      • the auditors notify the system managers when the
        security auditing starts and how the security
        tests will proceed
      • since both the system managers and the auditors
        know the scenarios of the security tests, the
        tests reveal very little in this situation

6
1. Introduction (cont.)
      • the auditors imitate hackers' behavior when
        performing security tests
      • the system managers do not know in advance when,
        where, and how the tests will take place
      • an active response measure would enable the
        self-protecting ability
      • a passive response measure will raise many alarms
        that the system managers have to cope with

7
1. Introduction (cont.)
  • Lee et al. propose a cost-sensitive model for
    IDSs that uses major cost factors, such as
    damage cost, response cost, operational cost,
    etc., to evaluate the total cost of IDSs
  • IDSs should minimize these costs

W. Lee, W. Fan, Matt Miller, Sal Stolfo, and E.
Zadok. Toward Cost Sensitive Modeling for
Intrusion Detection and Response. Journal of
Computer Security, Vol. 10, Numbers 1,2, 2002.
8
Motivation
  • The traditional IDSs (TIDSs) do not consider the
    behavior of the security auditors.
  • We are motivated to study whether the IDS cost is
    minimal in a top-secret enterprise network with
    security auditors.

9
2. Traditional IDS model
  • Traditional IDSs (TIDSs) requirements
  • Roles and costs in TIDSs

10
TIDSs requirements
J. Cannady. An Adaptive Neural Network Approach
to Intrusion Detection and Response. Ph.D Thesis,
Nova Southeastern University, 2000.
  • Detection of known attacks
    • should have the ability to identify the
      malicious attackers
  • Real-time/near real-time analysis
    • analyze the information sources gathered by the IDS
      sensor as soon as possible
  • Minimal resource
    • use minimal system resources when
      monitoring
  • High accuracy
    • make sure the detection is correct and lower the
      false alarm rate

11
The roles in TIDSs
  • Hackers
    • People who attempt to gain unauthorized access to
      a computer system. These people are often
      malicious and have many tools for breaking into a
      system.
  • System Manager (SM)
    • The person in charge of minimizing excess usage,
      network management, and system maintenance
      costs. If a system under attack raises IDS
      alarms, they have to make the effort to find out
      where the problem is.

12
The roles in TIDSs (cont.)
  • Detection System (DS)
    • The system that monitors the events occurring in
      the protected hosts or networks and analyzes them
      for signs of intrusions.

13
The roles and relationships in TIDSs
14
The costs of TIDSs
W. Lee, W. Fan, Matt Miller, Sal Stolfo, and E.
Zadok. Toward Cost Sensitive Modeling for
Intrusion Detection and Response. Journal of
Computer Security, Vol. 10, Numbers 1,2, 2002.
  • damage cost (DCost)
    • the cost of the damage caused by hackers when the
      IDS does not work appropriately
  • response cost (RCost)
    • the cost of the actions taken when the response
      component generates alarms
  • operational cost (OpCost)
    • the cost of processing and analyzing the
      activities of events

15
The costs of TIDSs (cont.)
  • False Negative cost is the cost of not detecting
    an attack that really happened.
  • False Positive cost occurs when normal behavior
    is misidentified as an attack.
  • True Positive cost is the detection cost when
    attacks really happen.
  • True Negative cost is incurred when an IDS correctly
    decides there are no attacks.

16
The costs of TIDSs (cont.)
?1 the function of the events progress
17
The costs of TIDSs (cont.)
18
3. A New model: IDSIC
  • Roles and components in IDSIC
  • New requirements in IDSIC
  • Cost analysis in IDSIC

19
Roles in IDSIC
  • Security Auditor (SA)
    • A person appointed and authorized to audit
      whether the security equipment works properly or
      not by using vulnerability testing tools.
    • One of the security auditors' main tasks is to check
      for security holes or vulnerabilities in the
      system.
    • Note that traditional IDSs have no ability to
      distinguish security auditors from hackers.

20
Roles in IDSIC (cont.)
  • Detection System with Identification Capability
    (DSIC)
    • A type of DS that runs the same functions as a DS.
      However, it has the extra functionality of
      distinguishing between the roles of hackers and SAs.
  • Fingerprint
    • Secret information used to let the DSIC
      distinguish hackers from SAs

21
Components in IDSIC
  • In IDSIC, we include the basic components of
    TIDSs, i.e., the collection, detection, and
    response components
  • The fingerprint adder
    • uses fingerprint generation algorithms to calculate
      the fingerprint and add it to the packets
  • The fingerprint checker
    • includes validation algorithms that help the DSIC
      differentiate hackers' attacks from SAs' tests
      based on the packets

22
The roles and components in IDSIC
23
New Requirements in IDSIC
  • Fingerprint generation ability
    • SAs must have the ability to calculate the
      fingerprint
    • The computing power needed to calculate the
      fingerprint must be as small as possible
  • Validity ability
    • The DSIC needs the ability to determine whether
      any fingerprint is present in the packets
    • This determination must be as fast as
      possible

24
New Requirements in IDSIC (cont.)
  • Security
    • Hackers cannot generate a fingerprint without the
      SAs' secret
    • The probability of forging a fingerprint is as
      small as possible

25
Cost analysis in IDSIC
  • The damage cost (DCost) can be divided into two
    parts
    • HDCost(e) is the damage cost caused by hackers
      that may harm the systems
    • SDCost(e) is the amount of security testing cost
      that may damage the systems, caused by SAs
    • HDCost(e) >> SDCost(e)
  • The response cost (RCost) is also separated
    into two parts
    • HRCost(e) and SRCost(e)
    • HRCost(e) SRCost(e)

26
Cost analysis in IDSIC (cont.)
  • False Negative (FNIC)
  • False Positive (FPIC)

?2 the function of the events progress
Therefore, FNIC < FN
CASE 1
CASE 2
Therefore, FPIC ? FP
27
Cost analysis in IDSIC (cont.)
  • True Positive (TPIC)
  • True Negative (TNIC) 0

CASE 1
CASE 2
?3 the function of the events progress
Therefore, TPIC ? TP
28
CCost v.s. ICCost
29
Cost analysis in IDSIC (cont.)
  • OpCost(e) is similar in TIDS and IDSIC
  • CCost(e) in TIDS is greater than ICCost(e) in
    IDSIC
  • IDSIC can therefore have a smaller CumulativeCost(E)
    than TIDS.

30
4. Implementation issues of IDSIC
  • How to generate the fingerprint
  • Where and how to put the fingerprint in the
    packets
  • Where to put the fingerprint checker component in
    IDSIC

31
How to generate the fingerprint
  • Packet message (m)
    • information about the IPs, the sequence number, the
      packet timestamp, and so on
  • Three approaches to generate the needed
    fingerprint
    • HMAC (Hashed Message Authentication Code)
    • HMAC using a secret value
    • signature

32
HMAC
33
HMAC using secret value
34
signature
  • uses a Public Key Infrastructure (PKI)
  • the SAs sign the packet messages with their
    private keys and the DSIC uses the SAs' public
    keys to check the signature
  • No matter which approach is used, it should
    satisfy the minimal resource requirement.

35
Where to put the fingerprint in the packets
  • We suggest using the IP identification field in
    the IP header to store the fingerprint
  • This field is currently used to differentiate IP
    fragments that belong to different packets
  • less than 0.25 of all Internet traffic is
    fragments
  • Savage et al. use this field in their IP marking
    technique

36
IP Header
37
How to put the fingerprint in the packets
  • The IP identification field contains only 16 bits,
    so a hacker's probability of forging a fingerprint
    is 2^-16
  • We can set a threshold k, reducing the hacker's
    forging probability to (2^-16)^k
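The HMAC approach from slides 31 to 37, worked through end to end as an added example (this is not the authors' code, and the slides give no implementation): the SA-side fingerprint adder computes an HMAC over the packet message m (source and destination IP, sequence number, a coarse timestamp), truncates it to the 16 bits the IPv4 identification field holds, and writes it into a minimal IPv4 header; the DSIC-side checker rebuilds m from the header, recomputes the fingerprint and compares it in constant time, and a flow is only classified as an SA test once its first k packets all verify, which is what drives the forging probability from 2^-16 down to (2^-16)^k. The shared secret, the addresses and the quantisation of the timestamp to one-minute buckets are constructed assumptions.

```python
import hashlib
import hmac
import socket
import struct

ID_BITS = 16                 # width of the IPv4 identification field
IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte IPv4 header, no options

# Secret shared between the security auditors (SAs) and the DSIC (constructed value).
SA_SECRET = b"example-sa-secret-do-not-reuse"


def packet_message(src: str, dst: str, seq: int, ts_bucket: int) -> bytes:
    """Packet message m: IPs, sequence number and a coarse timestamp.

    The timestamp is quantised (here: minutes since the epoch, an assumption) so the
    checker can rebuild m from the packet and its own clock without an exact match.
    """
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!IQ", seq, ts_bucket)


def fingerprint(key: bytes, m: bytes) -> int:
    """HMAC approach: HMAC-SHA256(key, m) truncated to the 16 bits the ID field can hold."""
    mac = hmac.new(key, m, hashlib.sha256).digest()
    return int.from_bytes(mac[:2], "big")


def ip_checksum(data: bytes) -> int:
    """Standard one's-complement checksum over the header (verifies to 0 on a valid header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, ident: int, total_len: int = 40) -> bytes:
    """Minimal IPv4 header (TTL 64, protocol TCP) carrying `ident` in the identification field."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, total_len, ident, 0, 64, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def sa_packet(key: bytes, src: str, dst: str, seq: int, ts_bucket: int) -> bytes:
    """Fingerprint adder (SA side): put the fingerprint of m into the identification field."""
    fp = fingerprint(key, packet_message(src, dst, seq, ts_bucket))
    return build_ipv4_header(src, dst, fp)


def check_fingerprint(key: bytes, header: bytes, seq: int, ts_bucket: int) -> bool:
    """Fingerprint checker (DSIC side): rebuild m from the header and compare in constant time."""
    fields = struct.unpack(IPV4_HDR, header[:20])
    src, dst, ident = socket.inet_ntoa(fields[8]), socket.inet_ntoa(fields[9]), fields[3]
    expected = fingerprint(key, packet_message(src, dst, seq, ts_bucket))
    return hmac.compare_digest(struct.pack("!H", ident), struct.pack("!H", expected))


def classify_flow(key: bytes, packets, k: int) -> str:
    """Threshold k: a flow counts as an SA test only if its first k packets all verify."""
    if len(packets) < k:
        return "hacker"
    valid = all(check_fingerprint(key, hdr, seq, ts) for hdr, seq, ts in packets[:k])
    return "security auditor" if valid else "hacker"


def forging_probability(k: int) -> float:
    """Chance that k guessed 16-bit identification values all match: (2^-16)^k."""
    return (2.0 ** -ID_BITS) ** k


if __name__ == "__main__":
    ts = 1_700_000_000 // 60   # constructed timestamp bucket
    sa_flow = [(sa_packet(SA_SECRET, "10.0.0.5", "10.0.0.80", s, ts), s, ts) for s in range(1, 4)]
    # Constructed unauthorised scanner: kernel-style incrementing IDs, no access to the secret.
    other_flow = [(build_ipv4_header("10.0.0.99", "10.0.0.80", s), s, ts) for s in range(1, 4)]
    print(classify_flow(SA_SECRET, sa_flow, 3), classify_flow(SA_SECRET, other_flow, 3))
    print(forging_probability(1), forging_probability(3))
```

The checker deliberately rebuilds m only from values it can read off the packet or derive itself; anything the SA would have to transmit out of band would be a second channel to protect. Note also that a fingerprint is bound to one (src, dst, seq, time bucket) tuple, so a captured SA packet replayed later or from another address fails the check.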

38
Where to put the fingerprint checker in IDSIC
  • two choices to deploy the fingerprint checker
    component

[Figure: the two deployment options.
 Before: Collection -> Fingerprint checker -> Detection -> Response.
 After:  Collection -> Detection -> Fingerprint checker -> Response.]
39
Where to put the fingerprint checker in IDSIC
(cont.)
  • Before the detection component
    • requires the fingerprint checker to check every
      received packet
    • may spend a lot of time on checking
    • the fingerprint checker may lose some packets
      under heavy packet load

40
Where to put the fingerprint checker in IDSIC
(cont.)
  • After the detection component
    • IDSIC first determines whether an intrusion
      happens
    • the DSIC can work like a DS, and the fingerprint
      checker only has to check the suspicious packets
    • if the SAs perform security tests often, the
      detection component may be busy dealing with
      these testing packets.

41
Where to put the fingerprint checker in IDSIC
(cont.)
  • The best deployment depends on
    • the frequency of security tests (fst) (from SAs)
    • the frequency of attacks (fa) (from hackers)
    • the fingerprint checker examining time (tfc)
    • the DSIC dealing time (tDSIC)
  • For example, in the rehearsal situation fst is
    greater than fa, so it is better to deploy the
    fingerprint checker before the detection
    component.
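Slides 38 to 41 leave the placement decision as a rule of thumb; the following added example (not the authors' code) turns the four quantities they name, fst, fa, tfc and tDSIC, into an expected per-packet processing time for each placement and checks the closed form against a packet-by-packet simulation over a constructed traffic mix. The model assumes what the slides state and nothing more: with the checker before detection every packet is examined and packets identified as SA tests bypass detection; with the checker after detection every packet goes through detection and only the packets it flags (attacks and SA tests, assuming no false positives) reach the checker.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Params:
    fst: float    # fraction of packets that are SA security tests
    fa: float     # fraction of packets that are hacker attacks
    tfc: float    # fingerprint checker examining time per packet
    tdsic: float  # DSIC (detection component) dealing time per packet


def cost_before(p: Params) -> float:
    """Checker before detection: every packet is checked; SA packets skip detection."""
    return p.tfc + (1.0 - p.fst) * p.tdsic


def cost_after(p: Params) -> float:
    """Checker after detection: every packet is detected; only flagged packets are checked."""
    return p.tdsic + (p.fst + p.fa) * p.tfc


def best_placement(p: Params) -> str:
    """Return the placement with the lower expected per-packet time."""
    return "before" if cost_before(p) < cost_after(p) else "after"


def simulate(p: Params, roles) -> tuple:
    """Packet-by-packet cost for both placements; roles are 'sa', 'hacker' or 'normal'."""
    before = after = 0.0
    for role in roles:
        before += p.tfc + (0.0 if role == "sa" else p.tdsic)          # SA tests bypass detection
        after += p.tdsic + (p.tfc if role in ("sa", "hacker") else 0.0)  # only flagged packets checked
    return before / len(roles), after / len(roles)


# Constructed traffic mix: 30 SA test packets, 5 attack packets, 65 normal packets.
REHEARSAL_MIX = ["sa"] * 30 + ["hacker"] * 5 + ["normal"] * 65
REHEARSAL = Params(fst=0.30, fa=0.05, tfc=1.0, tdsic=4.0)
QUIET = Params(fst=0.01, fa=0.05, tfc=1.0, tdsic=4.0)

if __name__ == "__main__":
    print("rehearsal:", best_placement(REHEARSAL), simulate(REHEARSAL, REHEARSAL_MIX))
    print("quiet:", best_placement(QUIET))
```

With the rehearsal mix the checker-first layout wins (3.8 versus 4.35 time units per packet) because the many SA packets never reach the slower detection stage; with tests at 1% of traffic the same checker costs more than it saves and the checker belongs after detection, which matches the slides' qualitative argument.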

42
Conclusion
  • We propose a new model, IDSIC, based on the
    auditing point of view, and propose the new
    requirements for IDSIC.
  • We prove that the CumulativeCost in TIDS does not
    reach the minimal cost when the role of SA
    exists.