Improving Intrusion Detection System

1
Improving Intrusion Detection System

• Taminee Shinasharkey
• CS689
• 11/2/00

2
Introduction

• Intrusion is when the user takes an action that
  the user was not legally allowed to
• take.
• Intrusion attempt (Anderson,1980) is defined to
  be potential possibility of an unauthorized
  attempt to
• Access information
• Manipulate information, or
• Render a system unreliable or unusable.

3
Introduction (cont)

• Intruder detection involves determining that an
  intruder has tried to gain or has gained
  unauthorized access to the system.
• Most intrusion detection systems attempt to
  detect a presumed intrusion and alert a system
  administrator. System administrators take action
  to prevent intrusion.
• Audit record is a record of activities on a
  system that are logged to a file in sorted order.

4

• From Lincoln LaboratoryMassachusetts Institute
  of Technology

5
Intrusion Classification

• The COAST group at Purdue University defined an
  intruder as any set of actions that attempt to
  compromise the integrity, confidentiality or
  availability of a resource.
• There are two techniques of intrusion detection
• Anomaly Detection based on observations of
  deviations from normal system usage patterns.
• Misuse Detection attacks on weak point of a
  system.

6
Anomaly Detection

• Try to detect the complement of bad behavior.
• This system could verify a normal activity
  profile for a system and flag all states altering
  from the verified profile.
• Must be able to distinguish between anomalous and
  normal behavior.

7
Anomaly Detection

• A block diagram of a typical anomaly detection
  system

8
Misuse Detection

• Try to recognize known bad behavior.
• This system detects by using the form of pattern
  or a signature , so that variations of the same
  attack can be detected.
• Concerned with catching intruders who are attempt
  to break into a system by exploiting some known
  vulnerability.

9
Misuse Detection

• A block diagram of a typical misuse detection
  system

10
Intruder Classification

• Intruders are classified into two groups.
• External intruders who are unauthorized users
  of the systems they attacks.
• Internal intruders who have some authority
• - Masqueraders external intruders who have
  succeeded in the gaining access to the
  system.(credit card defrauder)
• - Legitimates intruders who have access to
  sensitive data, but misuse this access.
• - Clandestine intruders who have the power to
  control the system and have power to turn off
  audit control for themselves.

11
Problem Description

• An Application Intrusion Detection System will
  be concerned with anomaly detection more than
  misuse detection. Since OS Intrusion Detection
  and Application Intrusion Detection have many
  relations on the same basic observation entity,
  there should be some correlation between events
  at the operating system and application levels.
  Is it possible to have these two systems
  cooperate in order to improve the effectiveness
  of Intrusion Detection System.

12
Research Objectives

• The goal of this research is to try to improve
  the effectiveness of Intruder Detection and to
  see the possibilities of how the OS Intrusion
  Detection System might cooperate with Application
  Intrusion Detection System to achieve this goal.

13
OS Intrusion Detection System
The different between an OS and an Application

• Detects external intruders
• Organizes in such a way that the process the user
  that started the process or whoever the process
  was executed is associated with each event.
• Lower resolution
• Views the file as a container whose contents
  cannot be deciphered except for changes in size.
• Can only define a relation on a file as a whole,
  such as whether or not it was changed in the last
  period of time.

14
Application Intrusion Detection System

• Only detects internal intruders after they either
  penetrated the operating system to get access to
  the application ,or they were given some
  legitimate access to the application.
• May not be set up to perform mapping between the
  event and the event causing entity.
• Higher resolution
• Can define a relation on the different records of
  fields of the file.

15
Similarities

• Attempts to detect intrusion by evaluating
  relations to differentiate between anomalous and
  normal behavior.
• The database file are the same size.
• Could build event records containing listings of
  all events and associated event causing entities
  of the application using whatever form of
  identification available.
• Structure.

16
Literature review

• The COAST laboratory at Purdue University
  characterized a good Intrusion Detection System
  as having the following qualities
• Run continually
• The system must be reliable enough to allow it to
  run in the background of the system being
  observed.
• Fault tolerant
• The system must survive a system crash and not
  have its knowledge-base rebuilt at start.
• Resist subversion
• The system can monitor itself to ensure that it
  has not been subverted

17
Literature Review (cont)

• Minimal overhead
• The system that slows a computer to a creep will
  not be used.
• Observe deviations (from normal behavior.)
• Easily tailored
• Every system has a different usage pattern, and
  the defense mechanism should be easily adapt to
  the patterns.
• Changing system behavior
• The system profile will change over time, and the
  Intrusion Detection System must be able to adapt.
• Difficult to fool

18
Literature Review (cont)

• The Information Systems Technology Group of MIT
  Lincoln Laboratory, under Defense Advanced
  Research Projects Agency (DARPA) Information
  Technology Office and Air Force Research
  Laboratory (AFRL/SNHS) sponsorship, has collected
  and evaluated computer network intrusion
  detection systems since 1998 - 1999.

19
Benefits of this Research

• We will know the ability of application
  intrusion detection system cooperate with OS
  Intrusion Detection System and improve ability of
  Intrusion Detection Systems to defend against
  intruders.

20
Research Design

• Case study of Application Intrusion Detection
  System
• Study the differences and cooperation between the
  Application Intrusion Detection System and the OS
  Intrusion Detection System
• Research the possibility of the two systems
  working cooperatively.

21
Conclusion

• The Application Intrusion Detection System can
  be more effective in detecting intruders than the
  OS Intrusion Detection System because Application
  Intrusion Detection operates with a higher
  resolution. Since the Application Intrusion
  Detection System depends on OS Intrusion
  Detection System and only OS Intrusion Detection
  System can detect the external intruders, we need
  both an OS Intrusion Detection System and an
  Application Intrusion Detection System to
  cooperate for increased potential in detecting
  intruders.

22
Thank you.