Intrusion Detection Systems: A Survey and Taxonomy - PowerPoint PPT Presentation

Intrusion Detection Systems: A Survey and Taxonomy
  • A presentation by Emily Fetchko

About the paper
  • By Stefan Axelsson of Chalmers University of
    Technology, Sweden
  • From 2000
  • Cited by 92 (Google Scholar)
  • Featured on InfoSysSec
  • Used in Network Security (691N)
  • Follow-up to the 1999 IBM paper Towards a Taxonomy
    of Intrusion Detection Systems

  • New and Significant
  • What is a taxonomy?
  • Introduction to IDS
  • Introduction to classification
  • Taxonomy by Intrusion Detection Principle
  • Example systems
  • Taxonomy by System Characteristics
  • Trends in Research and Conclusion

New and Significant
  • First taxonomy paper
  • Predicts research areas for intrusion detection
  • Follow-up to a 93-page survey report of the
    research and to the IBM paper

What is a taxonomy?
  • Either a hierarchical classification of things,
    or the principles underlying the classification
  • Serves three purposes
      • Description
      • Prediction
      • Explanation

Intrusion Detection Systems
  • Compare them to burglar alarms
      • Alarm/siren component: something that alerts
      • Security officer/response team component:
        something that responds and corrects
  • Different from perimeter defense systems (such as
    a firewall), which try to keep intruders out
    rather than detect them once they are in

Types of intrusions
  • Masquerader
      • Steals (or otherwise assumes) the identity of a
        legitimate user
  • Legitimate users who abuse the system
  • Exploits
  • Trojan horse, backdoor, etc.
  • And more

Two major types of detection
  • Anomaly detection
      • Flags abnormal behavior
      • Abnormal is not necessarily undesirable, so the
        false positive rate is high
      • Can flag intrusions that have never been seen
        before
  • Signature detection
      • Flags behavior close to previously defined bad
        behavior
      • The signature set has to be constantly updated
      • Slow to catch new malicious behavior: nothing
        fires until a signature for it exists

Approaches to classification
  • Type of intrusion detected
  • Type of data gathered (audit source)
  • Rules or principle used to detect an intrusion

Taxonomy by Intrusion Detection Principles
  • Self-learning
      • Trains on normal behavior and flags deviations
        from it
  • Programmed
      • The user, not the system, supplies the notion of
        what is normal or what is an intrusion
  • Signature inspired
      • Combination of anomaly and signature methods

Anomaly detection (self-learning)
  • Time series vs. non-time series
  • Rule modeling
      • Create rules describing normal behavior
      • Raise an alarm if activity does not match the
        rules
  • Descriptive statistics
      • Compute a distance vector between the current
        system statistics and the normal statistics
  • ANN (Artificial Neural Network)
      • Black-box modeling approach

Anomaly detection, continued (programmed)
  • Descriptive statistics
      • Collect statistics about parameters such as
        logins, connections, etc.
      • Simple statistics (abstract)
      • Simple rule-based
      • Threshold: alarm when a statistic crosses a
        preset level
  • Default deny
      • Define the safe states explicitly
      • All other states are deny states and raise an
        alarm
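The two anomaly-detection styles from these slides side by side, as an added example (it is not code from Axelsson's paper or from any system it surveys): a self-learning descriptive-statistics detector that learns a per-feature mean and standard deviation from sessions assumed to be normal, computes a distance vector for each new session and alarms on a threshold, next to a programmed default-deny detector whose safe states are an explicit allowlist of commands. The session fields (login hour, command count, failed logins, command names), the user alice and every audit record are constructed for the illustration. The test sessions are picked to show the trade-offs named on the "Two major types of detection" slide and the evasion point made under "Effectiveness of Detection": a legitimate late-night session trips the anomaly detector (false positive), new tooling with ordinary statistics slips past it but not past default deny, and a low-and-slow session that stays inside both the learned statistics and the allowlist is missed by both.

```python
"""Descriptive-statistics anomaly detection next to a default-deny rule set.

This is an added illustration for the anomaly-detection slides, not code from
Axelsson's paper or from any system it surveys. The audit records are constructed,
and the session fields (login hour, command count, failed logins, commands) are an
assumed, simplified audit format.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Session:
    user: str
    login_hour: int            # hour of day the session started, 0-23
    n_commands: int            # commands issued during the session
    n_failed_logins: int       # failed authentication attempts before success
    commands: tuple            # names of the commands issued


FEATURES = ("login_hour", "n_commands", "n_failed_logins")


def train_profile(sessions):
    """Self-learning step: mean and standard deviation of each feature over
    sessions assumed to be normal. A floor on the deviation keeps a constant
    feature from producing a division by zero (and an alarm on any change)."""
    profile = {}
    for f in FEATURES:
        values = [getattr(s, f) for s in sessions]
        profile[f] = (mean(values), max(pstdev(values), 0.5))
    return profile


def distance_vector(profile, session):
    """Standardized distance of one session from the profile, per feature."""
    return {f: abs(getattr(session, f) - mu) / sd for f, (mu, sd) in profile.items()}


def anomaly_alarm(profile, session, threshold=3.0):
    """Anomaly detector: alarm on every feature more than `threshold` standard
    deviations from the learned normal. Returns the offending feature names."""
    return [f for f, z in distance_vector(profile, session).items() if z > threshold]


# Programmed detector with a default-deny policy: the safe states are listed
# explicitly (commands this user is allowed to run); everything else is denied.
ALLOWED_COMMANDS = {"alice": {"ls", "cat", "vi", "make", "gcc", "mail"}}


def default_deny_alarm(session):
    """Returns the commands that fall outside the allowlist (empty means clean)."""
    return sorted(set(session.commands) - ALLOWED_COMMANDS.get(session.user, set()))


# Constructed training data: ten ordinary daytime sessions for user alice.
TRAINING = [
    Session("alice", h, n, fl, ("ls", "vi", "make", "gcc"))
    for h, n, fl in [(9, 18, 0), (9, 22, 1), (10, 20, 0), (8, 25, 0), (9, 19, 1),
                     (10, 21, 0), (9, 23, 0), (8, 20, 0), (9, 22, 1), (10, 20, 0)]
]

# Constructed test sessions, each chosen to expose one property of the detectors.
TEST_SESSIONS = {
    "normal":       Session("alice", 9, 21, 0, ("ls", "vi", "make")),
    "late_night":   Session("alice", 2, 22, 0, ("ls", "vi", "make")),     # legitimate, but unusual
    "brute_force":  Session("alice", 9, 20, 12, ("ls", "cat")),           # many failed logins
    "new_tooling":  Session("alice", 10, 20, 0, ("ls", "nc", "wget")),    # normal stats, new commands
    "low_and_slow": Session("alice", 9, 19, 1, ("ls", "cat", "mail")),    # stays inside the stats
}


def evaluate():
    """Run both detectors over the test sessions; returns {name: (anomaly, denied)}."""
    profile = train_profile(TRAINING)
    return {name: (anomaly_alarm(profile, s), default_deny_alarm(s))
            for name, s in TEST_SESSIONS.items()}


if __name__ == "__main__":
    for name, (anomaly, denied) in evaluate().items():
        print(f"{name:12s} anomaly={anomaly or '-'} denied={denied or '-'}")
```

The low_and_slow session is the one to study: the attacker logs in at a normal hour, runs about the usual number of commands, fails authentication once (well within the learned spread) and only uses allowlisted tools, so neither detector fires. That is exactly the weakness the slides attribute to programmed descriptive statistics, and it applies to the self-learning variant as well once the attacker knows which features are profiled.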

Signature Detection
  • State modeling
      • If the system is in this state (or has followed
        this series of states), then an intrusion has
        occurred
      • Petri net: the states form a Petri net, a type
        of directed bipartite graph (places vs.
        transitions)

Signature Detection, continued
  • Expert system
      • Reasoning based on rules
      • Forward chaining is the most popular form
  • String matching
      • Look for specific strings in transmitted data
  • Simple rule-based
      • Less advanced but faster than an expert system
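State modeling and string matching from the two signature-detection slides, as an added example that is not code from the paper or from any of the surveyed systems. The state signature is a short list of states whose transitions fire on audit events and carry bindings (which user, which source host), so several partial matches can be alive at the same time; that is the token-per-place idea behind the Petri-net form. The string signatures are regular expressions over transmitted data. The audit events, the signature, the request payloads and the field names (kind, user, src, path) are all constructed; the expert-system form (forward chaining over a rule base) is not shown.

```python
"""State-modeling and string-matching signature detectors over constructed audit data.

Added illustration for the signature-detection slides; not code from Axelsson's
paper or from any system it surveys. Event and payload records, the signature
and the field names (kind, user, src, path) are all constructed here.
"""
import re

SENSITIVE_FILES = {"/etc/passwd", "/etc/shadow"}


def bind_user(ev, b):
    """First transition: capture which user and source host this match follows."""
    b["user"], b["src"] = ev["user"], ev["src"]
    return True


# A state-modeling signature: a sequence of (event kind, predicate) transitions.
# The predicate sees the event and the bindings captured so far, so a later
# transition only fires for the same user that started the match.
PRIVILEGE_ESCALATION = [
    ("login",   bind_user),
    ("su_root", lambda ev, b: ev["user"] == b["user"]),
    ("write",   lambda ev, b: ev["user"] == b["user"] and ev["path"] in SENSITIVE_FILES),
]


def match_signature(signature, events):
    """Run events through the signature. Each partial match is a token
    (next state, bindings); like tokens in a Petri net, many can be alive at
    once. Returns the bindings of every token that reached the final state."""
    tokens, alarms = [], []
    for ev in events:
        # Any event may begin a fresh match at state 0.
        candidates = tokens + [(0, {})]
        tokens = []
        for state, bindings in candidates:
            kind, pred = signature[state]
            b = dict(bindings)
            if ev["kind"] == kind and pred(ev, b):
                if state + 1 == len(signature):
                    alarms.append(b)
                else:
                    tokens.append((state + 1, b))
            elif state > 0:
                tokens.append((state, bindings))   # keep waiting for a later event
    return alarms


# String matching: fixed patterns over transmitted data, the cheapest signature
# form. Both patterns are generic: a shell path and a path-traversal sequence.
STRING_SIGNATURES = {
    "shell_in_payload": re.compile(rb"/bin/(ba)?sh"),
    "dir_traversal":    re.compile(rb"(\.\./){2,}"),
}


def match_strings(payloads):
    """Returns (payload index, signature name) for every pattern hit."""
    return [(i, name) for i, p in enumerate(payloads)
            for name, rx in STRING_SIGNATURES.items() if rx.search(p)]


# Constructed audit events: two remote logins; bob and mallory both su to root
# and each eventually writes a sensitive file.
EVENTS = [
    {"kind": "login",   "user": "bob",     "src": "10.0.0.7"},
    {"kind": "login",   "user": "mallory", "src": "203.0.113.9"},
    {"kind": "su_root", "user": "bob"},
    {"kind": "write",   "user": "bob",     "path": "/etc/motd"},     # not a sensitive file
    {"kind": "su_root", "user": "mallory"},
    {"kind": "write",   "user": "mallory", "path": "/etc/shadow"},   # completes the signature
    {"kind": "write",   "user": "bob",     "path": "/etc/passwd"},   # completes it for bob too
]

# Constructed request lines as they might be lifted off the wire.
PAYLOADS = [
    b"GET /index.html HTTP/1.0\r\n",
    b"GET /cgi-bin/view?f=../../../../etc/passwd HTTP/1.0\r\n",
    b"GET /docs/unix/bin/bash.html HTTP/1.0\r\n",   # benign page name that hits the shell pattern
]


def state_alarms():
    """Users for whom the state signature completed, in order of completion."""
    return [b["user"] for b in match_signature(PRIVILEGE_ESCALATION, EVENTS)]


def string_alarms():
    return match_strings(PAYLOADS)


if __name__ == "__main__":
    print("state-modeling alarms:", state_alarms())
    print("string-matching alarms:", string_alarms())
```

Two things worth noticing in the output. The state signature fires for bob as well as mallory: it encodes a sequence of events, not intent, so an administrator doing routine maintenance after su matches it just as an intruder does; narrowing it (for instance by testing the bound src against the set of internal hosts in the last transition) is how such a signature is tuned. The string rule likewise hits a harmless page name containing /bin/bash, which is the usual cost of matching raw strings without any protocol context.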

Signature Inspired Detection
  • Only one surveyed system falls in this category
    (signature inspired and self-learning)
  • Automatic feature selection
      • Automatically determines which features to
        isolate, then uses them to decide whether an
        intrusion has occurred

Classification by Type of Intrusion
  • Well-known intrusions
      • Correspond to signature detection systems
  • Generalized intrusions
      • Like a well-known intrusion, but with some
        parameters left blank, so one description
        covers a family of attacks
      • Correspond to signature-inspired detectors
  • Unknown intrusions
      • Correspond to anomaly detectors

Effectiveness of Detection
  • Two categories marked as least effective
  • Anomaly / self-learning / non-time series
      • Weak at collecting statistics on normal behavior
      • Will create many false positives
  • Anomaly / programmed / descriptive statistics
      • If the attacker knows which statistics are used,
        he can keep his activity within them
      • Leads to false negatives

Taxonomy by System Characteristics
  • Define the system beyond its detection principle
  • Time of detection
      • Real time or non-real time
  • Granularity of data processing
      • Continuous or batch
  • Source of audit data
      • Network or host

System Characteristics, continued
  • Response to detected intrusions
      • Active or passive
      • An active response may modify the attacked or
        the attacking system
  • Locus of data processing
      • Centralized or distributed
  • Locus of data collection
      • Centralized or distributed
  • Security
      • Ability to withstand a direct attack on the IDS
        itself
  • Degree of interoperability
      • Work with other systems
      • Accept other forms of data
Example Systems
  • Haystack, 1988
      • Air Force
      • Anomaly detection based on a per-user profile
        and a user-group profile
      • Signature-based detection as well
  • MIDAS, 1988
      • National Computer Security Center and the
        Computer Science Laboratory, SRI International
      • Heuristic intrusion detection
      • Expert system with a two-tiered rule base

Example Systems, continued
  • IDES (Intrusion Detection Expert System)
      • Multiple authors, long-term effort
      • Real-time expert system combined with statistics
      • Compares the current profile with the known
        profile
      • Distinguishes between on and off days
      • NIDES: next-generation IDES
  • NSM (Network Security Monitor)
      • Monitors broadcast traffic
      • Layered approach: connections are built up from
        the lower (packet) layers
      • Profiles by protocol (telnet, etc.)

Example Systems, continued
  • DIDS (Distributed IDS), 1992
      • Incorporates Haystack and NSM
      • Three components: host monitor, LAN monitor,
        DIDS director
      • The DIDS director contains the expert system
  • Bro, 1998
      • Network-based (with traffic analysis)
      • Custom scripting language
      • Prewritten policy scripts
      • Signature matching
      • Action after detection
      • Snort compatibility

Trends in Research
  • Active response
      • Legal ramifications of acting on the attacking
        system, however
  • Distributed detection
      • Corresponds with the move to distributed
        computing in general
  • Increased security
  • Increased interoperability

Opportunities for Further Research
  • Taxonomies by other classifications
  • Signature self-learning detectors
  • Two-tiered detectors
  • False positive rates for anomaly detectors
  • Active response detectors
  • Distributed detectors
  • High-security detectors

References
  • Stefan Axelsson. Intrusion Detection Systems: A
    Survey and Taxonomy. Chalmers University of
    Technology, Sweden, 2000.
  • Debar, Dacier and Wespi. Towards a taxonomy of
    intrusion-detection systems. Computer Networks,
    pp. 805-822, 1999.
  • Bro Intrusion Detection System,
  • Google Scholar, http//