Intrusion detection

1
Intrusion detection

• Anomaly detection models compare a users normal
  behavior statistically to parameters of the
  current session, in order to find significant
  deviations.
• Misuse detection models compare a users session
  to known techniques used by attackers to
  penetrate a system.
• Purpose is to reduce the amount of audit data to
  be manually reviewed.

2
Intrusion Detection Expert System

• IDES is a real-time system developed at SRI. (Its
  model has been used in other systems.)
• IDES monitors external threats (users trying to
  penetrate the system) and internal threats (users
  trying to abuse their authorizations).
• IDES is based on experience and learning from
  watching the system, not on fixed rules.
• IDES learns the normal behavior of users (in
  order to learn what abnormal behavior is.)

3
Intrusion Detection Expert System

• Threats-behaviors relationships
• Intrusion attempt many login attempts.
• Masquerading legitimate login (but stolen)
  followed by abnormal usage pattern.
• Penetration by legitimate users trying to
  circumvent the security controls if successful
  they start commands which were normally
  forbidden this behavior is then detected.
• Spreading of data by authorized users user logs
  in at abnormal times, performs many reads, uses
  printers more, prints more copies, etc.

4
Intrusion Detection Expert System

• Threats-behaviors relationships
• Inference by authorized users confidential data
  is obtained by aggregation or inference. This
  probably involves abnormal frequency and type of
  queries.
• Trojan Horses inserted or substituted program
  probably exhibits different usage of resources.
• Viruses cause increased frequency of writing to
  executable files.
• Denial of service intruder locks a resource, and
  exhibits high activity rate for that resource.

5
Intrusion Detection Expert System

• Metrics
• Event counter the normal frequency (time
  dependent) of different types of events is
  characterized, in order to detect abnormal usage.
• Time interval the normal time interval between
  correlated events is computed, to detect abnormal
  (most likely short) intervals.
• Resource measurement the normal use of
  resources of each type of action is computed.
  Abnormal use of resources can then be detected.

6
Intrusion Detection Expert System

• Statistical models
• Operational model compare observations to
  threshold which is determined by an expert.
• Average and standard deviation model detect
  deviation beyond the standard deviation.
• Multivaried model finds deviations in
  correlation between two or more metrics.
• Markovian model uses types of events as state
  variables and a state transition matrix to
  characterize the frequencies of transitions.
• Time series model uses event counter,
  measurement of resources and interval times.

7
Intrusion Detection Expert System

• Login and session activity profiles
• Login frequency detect logins at abnormal times
  or frequency.
• Location frequency detect logins from locations
  never used by this user.
• Last login useful to detect intrusion threats
  through dead accounts.
• Session duration detect abnormally short or long
  sessions.
• Session output detect sessions in which more
  output is generated than usual.

8
Intrusion Detection Expert System

• Login and session activity profiles
• CPU per session, I/O per session use standard
  deviation method to find abnormal resource usage.
• Password failures count number of password
  failures before successful login.
• Location failures locations from where failed
  logins are attempted are detected.

9
Intrusion Detection Expert System

• Command and program execution profiles
• Execution frequency for one user to detect
  attempts to break security for all users to
  detect Trojan Horse attack.
• CPU per program, I/O per program to detect
  viruses or Trojan Horses.
• Denied executions find users trying to execute a
  program they are not authorized for.
• Saturation of program resources detect that a
  program often terminates abnormally this could
  be an attempt to use abnormal termination as a
  covert channel.

10
Intrusion Detection Expert System

• File or record access profiles
• Read, write, create and delete frequency
  anomalies in create/delete or read/write
  operations may indicate inference attempts or
  penetration by a user who does not normally have
  that access.
• Read/written records number of different records
  read or written.
• Read/write/delete/create failures user may be
  attempting something but (still) failing.
• File resource exhaustion such failures may again
  indicate failures being used as a covert channel.

11
Intrusion Detection Expert System

• IDES has been implemented using Oracle for
  management of all IDES information.
• IDES runs on a different machine from the one
  with the main database
• Performance the presence of IDES does not
  increase system response time of the database.
• Security IDES can be protected from the
  monitored system.
• Integration IDES can be easily adapted to
  different environments and integrated with
  various types of host system.

12
Other Intrusion Detection Systems

• The Haystack system developed for the US Air
  Force computer systems (not specifically to audit
  databases).
• The Multics Intrusion Detection and Alerting
  System (MIDAS) expert system developed for the
  US National Computer Security Center
  Multics-based network.
• Wisdom and Sense anomaly detection system
  developed at Los Alamos National Laboratory.