Computer System Intrusion Detection: A Survey

1
Computer System Intrusion Detection A Survey

• Anita K. Jones Robert S. Sielken
• Presented by Peixian Li (Rick)
• For CS551/651 Computer Security

2
Overview

• Why IDS
• IDS Overview
• Anomaly Detection
• UNM Pattern Matching
• Misuse Detection
• Extended to Networked Systems
• Conclusion

3
Why IDS ?

• In defending network resources, we have
• Firewalls
• Encryption technology
• Authentication devices
• Vulnerability checking tools
• Others

4
Why IDS ? -2-

• But computer system is still susceptible
• Due to unknown system flaws
• Due to known system flaws better stay than gone
  because of functionality or cost.
• Due to social engineering tricks
• A recent news
• An 18 year old boy broke into a eCom web site
• Thousands customer's credit info was stolen
• Including Bill Gates

5
Why IDS ? -3-

• Based on the fact that
• Penetrations always exist
• We need
• A second line of defense
• A mechanism to detect the penetrations and the
  attempting intrusions
• Which is in the form of an Intrusion Detection
  System
• Even attempts are guaranteed to fail
• IDS can still help us to find out potential
  vulnerabilities

6
Approaches

• Anomaly Detection
• Defines and Characterizes correct static form and
  acceptable dynamic behavior
• Detects anomalous changes or behaviors which may
  not be intrusions

• Misuse Detection
• Characterizes known ways to penetrate a system as
  patterns
• Monitors for explicit patterns which are known to
  be intrusions

7
Anomaly vs. Misuse

• Anomaly Detection
• May have high rate of false alarms
• Can detect novel attacks
• Normal databases are relatively more stable

• Misuse Detection
• May miss novel attacks
• Complexity grows as the number of well-known
  attacks grows
• Difficult to keep them updated as the catalog of
  attacks grows

8
Three Generations

• First Generation
• The emphasis was on single computer systems
• O/S audit records were post-processed
• Second Generation
• Extended and scaled to address distributed
  system.
• More sophisticated
• Primitive real-time alerts became possible

9
Three Generations -2-

• The Third Generation
• Further extended to address loosely coupled
  networks, such as LAN
• Two Primary Challenges
• Tracking users as they move through nodes
• Managing the data as the size of the network
  scales up

10
What Makes A Good IDS ?

• Manage the volume of data, communications, and
  processing in large scale networks
• Increase coverage, i.e. miss ALAP
• Decrease false alarms
• Detect intrusion in progress
• React in real-time

11
Basic Components

• Focus
• Which entitys self or which elements of the
  entity do we try to focus on
• Definitions of events or behavior of interest
• Representation
• How to represent signatures effective and
  efficient

12
Basic Components -2-

• Initial Database
• Initial behavior profile or normal database
• Which can characterize behavior of interest
• Which can represent entity of interest
• Detection Algorithm
• Statistical processing techniques for divining
  the difference between normal and anomalous
  behavior (effective and efficient)

13
Anomaly Detection

• Static
• Assume that a portion of the system remain
  constant
• System code and portion of system data
• Represented as a binary bit string or a set of
  such string
• A single bit change

• Dynamic
• Assume that systems behavior is stable
• Include a definition behavior
• Represented as a sequence of distinct events
• Empirical threshold

14
Static Anomaly Detection

• How does it work?
• Defines the desired state of the system using
  static bit strings
• Archives a representation of the state
• Periodically compares the current state and the
  archived state
• Any difference signals an error

15
Signature

• Storing and comparing actual bit strings
  representation is quite costly
• Compressed representation is called signature
• Signatures include checksums, message-digest
  algorithms and hash functions
• Meta-data knowledge about the structure

16
Some Actual Systems

• Tripwire
• A file integrity checker
• Uses signatures as well as Unix file meta-data
• Virus Checkers
• Uses actual bit string inserted by the virus
• Strings are short, thus uncompressed
• Self-Noself
• Unlike Tripwire, the Self-Nonself signatures are
  for unwanted string values

17
Dynamic Anomaly Detection

• Before Running
• For each individual entity, IDS creates a base
  profile to characterize normal, acceptable
  behavior
• Entities can be users, workstations, remote
  hosts, or applications
• Behaviors can be preferred choices, resources
  consumed, representative sequences of actions

18
Dynamic Anomaly Detection -2-

• Two ways to build up base profiles
• By synthetically running the system
• Can it represents the real system?
• By observing normal user behavior over a
  sufficiently long time
• Can we be sure that no intrusion undertaking
  during the period of time?

19
Dynamic Anomaly Detection -3-

• When Running
• Observes events related or attributed to the
  entity
• Incrementally builds a current profile
• Some operate in real-time, or near real-time, or
  directly observe the events during occurrence

20
Dynamic Anomaly Detection -4-

• Static detections do not care the degree of the
  difference
• Dynamic detections do care
• Comparison is based on empirically determined
  thresholds
• Only those mismatch over the thresholds will
  result in alert

21
UNM Pattern Matching

• Focus
• Individual application and its behavior
• E.g. Sendmail
• Representation
• Uses privileged system call sequences to
  represent an applications behavior
• E.g. (open, read, mmap), (read, mmap, mmap)
• Sequence length usually between 3 to 6

22
UNM Pattern Matching -2-

• Initial Database
• Built either by synthetically running the
  application or by observing its real running
• Normal sequences are stored as forest in normal
  database to save space
• Detection Algorithm
• Largest Minimum Hamming Distance
• Normalized LMHD
• Local Frame Count

23
UNM Pattern Matching -3-
24
UNM Pattern Matching -4-

• 1.sendmai
• 2.ftpd
• 3.lpr
• 4.ps

25
UNM Pattern Matching -5-
26
Misuse Detection

• Remember known technique
• Monitor the system if any of those known
  technique presents
• Intrusion scenario A description of a fairly
  precisely know kind of intrusion which usually a
  sequence of actions

27
Rule-Based vs. State-Based

• Rule-Based
• Encode scenarios as a set of rules, where rules
  reflect the sequence of actions
• Fact base is a collection of assertions based on
  accumulated data
• Rule base contains the rules that describe known
  intrusion scenarios
• Rule-face binding
• Rule firs

• State-Based
• Attribute-value pairs characterize systems states
  of interest
• Actions are defined as transitions between states
• Monitor the actions and then change the state
• If compromised state reached, the intrusion
  happens

28
Extended to Networked Systems

• New situations
• Cooperative intrusions are more frequent
• Intruder(s) use multiple nodes in an attempt to
• Parallel actions to make intrusion faster
• Distribute actions to disguise their activities
• New elements in Network IDS
• Include network traffic as part of behavior
• Data sharing and communication

29
Centralized vs. Decentralized

• Centralized Analysis
• Audit data is collected on individual systems
• Reported to some centralized location
• Intrusion detection analysis is performed there
• Dont work well for large network due to sheer
  volume of data
• Need data translation in heterogeneous systems

• Decentralized Analysis
• Distributed audit data collection
• Distribute intrusion detection analysis
• Works well for large networks because less data
  shared between different components
• Can eliminate translation problem by grouping
  homogeneous systems

30
Partition

• In decentralized system, entire system is divided
  into smaller domains for the purpose of
  communication
• Partition can base on
• Geography
• Administrative control
• Collections of similar software platforms
• Anticipated types of intrusions
• Still centralized within a domain

31
Vulnerabilities

• Intrusion detection software themselves are not
  inherently survivable and need protection also
• Initialization will be flawed if the intrusions
  are present
• Audit data must be timely available
• IDS should not compete resource with the rest of
  the system

32
Conclusion

• Why IDS
• The generations of IDS
• What makes a good IDS
• Basic components of an IDS
• Different approaches used in IDS
• Exam how the UNM pattern matching works with
• How IDS extended for networked systems
• What is the vulnerabilities of IDS