Technical Aspects of Intrusion Detection Techniques

Similar documents
Detecting Denial of Service using BENEF Model: An Alternative Approach. Abstract

Denial of Service (DoS) Attack Detection by Using Fuzzy Logic over Network Flows

Effective Intrusion Type Identification with Edit Distance for HMM-Based Anomaly Detection System

A NEW APPROACH TO INTRUSION DETECTION SYSTEM

A Rule-Based Intrusion Alert Correlation System for Integrated Security Management *

DNS Query Access and Backscattering SMTP Distributed Denial-of-Service Attack

CS 392 Network Security. Nasir Memon Polytechnic University Module 5 Intrusion Detection

DNA Intrusion Detection Methodology. James T. Dollens, Ph.D Cox Road Roswell, GA (678)

CARDS: A DISTRIBUTED SYSTEM FOR DETECTING COORDINATED ATTACKS

Statistical Analysis in Syslog Files in DNS and Spam SMTP Relay Servers

Introduction to Security

Computer Intrusion Detection Through EWMA for Autocorrelated and Uncorrelated Data

A S T U D Y I N U S I N G N E U R A L N E T W O R K S F O R A N O M A L Y A N D M I S U S E D E T E C T I O N

FUZZY DATA MINING AND GENETIC ALGORITHMS APPLIED TO INTRUSION DETECTION. Abstract

ADAPTIVE NETWORK ANOMALY DETECTION USING BANDWIDTH UTILISATION DATA

Security Audit Trail Analysis Using Inductively Generated Predictive Rules

User Scope. Runtime. Commands

Can the Best Defense be to Attack?

Web Gate Keeper: Detecting Encroachment in Multi-tier Web Application

Introduction to IA Class Notes. 2 Copyright 2018 M. E. Kabay. All rights reserved. 4 Copyright 2018 M. E. Kabay. All rights reserved.

Intrusion Detection Systems Overview

DNS. Analysis of IPv6 Based DNS Query Traffic

Detection of Mass Mailing Worm-infected IP address by Analysis of Syslog for DNS server

EVALUATIONS OF THE EFFECTIVENESS OF ANOMALY BASED INTRUSION DETECTION SYSTEMS BASED ON AN ADAPTIVE KNN ALGORITHM

Knowledge-Based Intrusion Detection

SIMS: A Modeling and Simulation Platform for Intrusion Monitoring/Detection Systems

Ensemble of Soft Computing Techniques for Intrusion Detection. Ensemble of Soft Computing Techniques for Intrusion Detection

Efficient Network Intrusion Detection System Navaneethakrishnan.P a*,theivanathan.g b

Fuzzy Intrusion Detection System

Performance Analysis of Intrusion Detection in MANET

Combining Multiple Host-Based Detectors Using Decision Tree

Towards the Scalable Implementation of a User Level Anomaly Detection System

Artificial Immune System against Viral Attack

Evidence Gathering for Network Security and Forensics DFRWS EU Dinil Mon Divakaran, Fok Kar Wai, Ido Nevat, Vrizlynn L. L.

Communication Pattern Anomaly Detection in Process Control Systems

Development of Automatic Detection and Prevention Systems of DNS Query PTR record-based Distributed Denial-of-Service Attack

INTRUSION DETECTION SYSTEM USING BIG DATA FRAMEWORK

Efficient anomaly detection by modeling privilege flows using hidden Markov model

Network Intrusion Detection Types and Computation

Input Data Processing Techniques in Intrusion Detection Systems Short Review

Clustering of Windows Security Events by means of Frequent Pattern Mining

Detection and Analysis of Threats to the Energy Sector (DATES)

INTRUSION DETECTION AND CORRELATION. Challenges and Solutions

Learning Program Behavior Profiles for Intrusion Detection

Web Security Vulnerabilities: Challenges and Solutions

Courses. X E - Verify that system acquisitions policies and procedures include assessment of risk management policies X X

Post-Class Quiz: Access Control Domain

Undergraduate Admission File

A Comprehensive Survey on Anomaly-Based Intrusion Detection in MANET

INTEGRATING DATA MINING TECHNIQUES WITH INTRUSION DETECTION METHODS

Internet Threat Detection System Using Bayesian Estimation

[15] T. F. Lunt. Using statistics to track intruders. In Proceedings of the Joint Statistical

Multi-part functionality in PINES

A REAL-TIME INTRUSION-DETECTION EXPERT SYSTEM (IDES)

Security Gateway System Team

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

INTRUSION RESPONSE SYSTEM TO AVOID ANOMALOUS REQUEST IN RDBMS

A Pattern Matching Model for Misuse Intrusion Detection

A Knowledge-based Alert Evaluation and Security Decision Support Framework 1

ISSN: [Preet* et al., 6(5): May, 2017] Impact Factor: 4.116

Statistical Analysis in Log Files of Electronic-Mail Server and Domain Name System Server. SPAM Mail Generates Many DNS Query Packets

A Survey on MANET Intrusion Detection

IJRIM Volume 1, Issue 4 (August, 2011) (ISSN ) A SURVEY ON BEHAVIOUR OF BLACKHOLE IN MANETS ABSTRACT

Development of Best Practices & Identification of Breakthrough Technologies in Automotive Engineering Simulation

Secure, High Privacy & Low Power consuming Data Aggregation Method for Intrusion Detection in MANET

A Firewall Architecture to Enhance Performance of Enterprise Network

APPLICATION OF INTRUSION DETECTION SOFTWARE TO PROTECT TELEMETRY DATA IN OPEN NETWORKED COMPUTER ENVIRONMENTS.

A Verifier for Temporal Properties

Intrusion Detection - Snort

UK EPR GDA PROJECT. Name/Initials Date 30/06/2011 Name/Initials Date 30/06/2011. Resolution Plan Revision History

IJSER. Virtualization Intrusion Detection System in Cloud Environment Ku.Rupali D. Wankhade. Department of Computer Science and Technology

CE Advanced Network Security

Goals of IDS. Goals of IDS

Analysis of Security Techniques for Detecting Suspicious Activities and Intrusion Detection in Network Traffic

A STUDY OF ANOMALY INTRUSION DETECTION USING MACHINE LEARNING TECHNIQUES

Online Intrusion Alert Based on Aggregation and Correlation

The Application of Artificial Neural Networks to Misuse Detection: Initial Results

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Intrusion Detection Systems (IDS)

AN ANALYSIS FOR RECOGNITION AND CONFISCATION OF BLACK HOLE IN MANETS

Intrusion Monitoring in Process Control Systems

Approach Using Genetic Algorithm for Intrusion Detection System

NetSTAT: A Network-based Intrusion Detection Approach

Building Secure Systems

Stack effect calculus with typed wildcards, polymorphism and inheritance. Abstract

Hitachi-GE Nuclear Energy, Ltd. UK ABWR GENERIC DESIGN ASSESSMENT Resolution Plan for RO-ABWR-0028 Safety System Logic & Control (SSLC) Class 1 HMI

Formulation of a Heuristic Rule for Misuse and Anomaly Detection for U2R Attacks in Solaris TM Operating System Environment

Performance of data mining algorithms in unauthorized intrusion detection systems in computer networks

Social Behavior Prediction Through Reality Mining

CS419 Spring Computer Security. Vinod Ganapathy Lecture 13. Chapter 6: Intrusion Detection

Flowzilla: A Methodology for Detecting Data Transfer Anomalies in Research Networks. Anna Giannakou, Daniel Gunter, Sean Peisert

An advanced data leakage detection system analyzing relations between data leak activity

@IJMTER-2016, All rights Reserved ,2 Department of Computer Science, G.H. Raisoni College of Engineering Nagpur, India

An Intrusion Detection Tool foraodv-basedadhocwirelessnetworks

Secure Programming for Fun and Profit

SPECIAL ISSUE, PAPER ID: IJDCST-09 ISSN

Statistical Anomaly Intrusion Detection System

Introduction to Network Security Missouri S&T University CPE 5420 Anomaly Detection

Detection Techniques in MANET

Smart Cameras with onboard Signcryption for securing IoT Applications

Transcription:

Technical Aspects of Intrusion Detection Techniques Final Year Project 2003-04 Project Plan Version 0.2 28th, November 2003 By Cheung Lee Man 2001572141 Computer Science and Information Systems Supervisor Dr. H.W. Chan

Document Revisions Revision Date Author Description 0.1 22/10/2003 Cheung Lee Man Initial draft 0.2 28/11/2003 Cheung Lee Man Outline of contents revised Table of Contents Introduction...3-4 Plan overview...3 Plan Statement...3 Scope...3 Revision Process...4 Project...5-10 Project title...5 Background... 5-6 Basic concepts... 6-7 Aims...7 Outline of contents... 8-10 Project milestones and schedule... 11 Overall Schedule and milestone...11 References...12-14

Introduction Plan overview Plan statement The project plan briefly describes the project with title Evaluation of Intrusion Detection Techniques: State-transition Analysis and Statistical Analysis. It states the background of intrusion detection and why we need intrusion detection. Then, we briefly introduce two approaches of intrusion detection systems: misuse detection and anomaly detection. After that, we will describe the state-transition analysis and statistical analysis shortly. The project plan also states the outline of contents and what will be achieved in the project and how they can be done. Overall schedule and milestone will be provided in the project plan. Scope The scope of the project includes the evaluation of the two techniques. It studies the underlying assumption, principle and characteristics of each technique. After the analysis of the basic principles, statistical component of Next-Generation Intrusion Detection Expert System (NIDES) and UNIX state transition analysis tool (USTAT) will be presented in order to show the design and implementation of the techniques. Survey and technical reports will be used to evaluate the performance of the techniques and analyze the pros and cons of the techniques. After all, suggestions of improvement will be studied.

Revision Process The project plan will be reviewed at the end of the semester to evaluate the achievement in the first semester and how the actual work deviated from the project plan. It checks whether the schedule is followed. Hence, estimation should be done in order to ensure the project will be finished on time in the second semester.

Project Project Title Evaluation of Intrusion Detection Techniques: State-transition Analysis and Statistical Analysis. Background As computer systems increasingly perform critical operations and deal with important data, the lack of computer security can lead to loss of money, loss of manpower, reputation destructed, etc. The goal of computer security is to protect the resources of the computer systems. The requirements include confidentiality, integrity and availability. Confidentiality ensures authorized access, integrity ensures the consistency of data and availability ensures the information would not under the denial of service. Before using intrusion detection system, three areas are used to deal the first line of defense of the computer systems. They are 1. Access control to control the access between subjects, objects and subsystems, 2. Identification and authentication (I&A) to identify subjects and objects, 3. Network security includes packet-filtering firewall, cryptography, etc. However, there are still vulnerable attacks such as bugs in I&A, wrong configuration of access control, weak key in cryptography. The general goal of intrusion detection systems is to analyze the activities in the system to see if there is any violation of the computer security. It is a security approach that enables to detect the attacks (by monitoring the system s activities) after it occurred, so that it is capable to deal with the security problems mentioned above (as if the first line of defense was bypassed, there is no defense for the computer system). Basically, there are generally two approaches of intrusion detection. They are misuse detection and

anomaly detection. Misuse detection is the detection of suspicious activities that directly violates security policy. The goal is to identify these suspicious actions and check for the occurrences of the actions in audit trail. Anomaly detection establishes normal behavior of subjects by observing audit trail over duration of time. An audit trail that deviates from the normal behavior is an indicator of intrusion occurs. Basic concept State transition analysis State transition analysis models penetrations as a series of state transitions that lead from an initial secure state to a target compromised state in terms of signature actions and state assertions. State transition diagram is a graphical representation of penetrations. It identifies precisely the requirements for the compromise of penetrations and presents only the critical events that must occur for the successful completion of the penetrations. It is written to represent to the states of the actual computer system. The diagrams form the basis of rule-based expert system for detecting penetrations, called STAT. State transition analysis differs to common rule-based system that it focuses on the effects that the individual steps of a penetration has on the state of the computer system so that audit records can be independent of rule-base. The design and implementation of a UNIX-specific prototype of this expert system, called USTAT is also presented.

Statistics analysis It observes the audit trail in order to draw conclusion about the normal behavior of subjects (which can be users, groups, remote hosts, entire system). Multivariate method (frequency tables, means, and covariance) is used for profiling normal behavior and identifying deviations. It maintains statistical knowledge base of subjects and audited activity which are used to compare the incoming audit trail with the profiles. When audit record comes, the relevant profiles are retrieved from the knowledge base. Then, a comparison will be made between the vector of intrusion detecting variables and the vectors in profiles. If the vector of intrusion detecting variables are sufficiently far from the vectors in profiles, then the activity is identifies anomalous. Aims The aim of the project is to evaluate the 2 techniques by studying the principles, assumptions and characteristics of them. For each technique, we will also study their design and implementation (The statistical component of NIDES for statistical analysis and USTAT for state-transition analysis) in order to have a deeper understanding and get the performance results from their technical reports and surveys. Through the study of the techniques and applications, pros and cons will be analyzed, and limitations of the corresponding technique and approach will be revealed. Lastly, it will study suggestions of improvement towards the tools and techniques.

Outlines of contents Summary Introduction [16, 19, 20] - What is intrusion detection? - Why do we need intrusion detection? Taxonomy of intrusion detection approaches - Misuse detection Expert system [1] Signature analysis [2, 3] Pattern matching [4] Model-based reasoning [5] Petri-nets [6] State-transition analysis [7, 8] STAT Host-based: USTAT Network-based: NSTAT - Anomaly detection Statistics [9, 10, 11] Simple model Complex model Haystack, DIDS, Emerald, NSM, Secure Net, IDES, NIDES Expert system [12] Neural networks [13] User intention identification [14] Computer immunology [15]

Introduction to state transition analysis - Limitations of the existing approaches - Premise of the technique - State transition diagram - How the representations applied to the state of an actual computer USTAT design of STAT [17] STAT applying the state transition analysis to intrusion detection [21] STAT design - STAT audit record preprocessor - STAT knowledge base - STAT inference engine - STAT decision engine USTAT The audit record preprocessor The knowledge base Inference engine Decision engine Functional and performance evaluation STATL extensible state-based attack description language [18] (Developed to support STAT) Weakness/limitations - Functional - Performance Suggestions of improvement - A STAT knowledge acquisition subsystem - STAT Decision engine - Network audit support

Introduction to statistical analysis - Simple Model Detection objectives Limitations of the simple model Effectiveness Imperfect information Incomplete information - Introduction of complex model NIDES Next-generation Intrusion Detection System [22] - Overview of NIDES - Overview of statistical component NIDES: statistical component [24, 25] - The NIDES score value - Algorithm for computing S from Q - Frequency distribution for Q - Computing Q Performance evaluation - Concept experiment - Verification experiment - Refinement Experiment - False-positive result - True-positive result - Cross-profiling - Group-profiling Discussion Weakness/limitations of state-transition analysis and statistical analysis Suggestions of improvement Conclusion

Project milestone and schedule Overall schedule Schedule Progress 2003 Oct Project homepage Nov Finalized project plan Principles and characteristics of statistical analysis and the statistical Dec Jan component of NIDES Evaluation of statistical component of NIDES and the statistical analysis 12 th 16 th Jan First presentation 19 th Jan Detailed intermediate project report 2004 Jan -Feb Principles and characteristics of state-transition analysis and USTAT Evaluation of USTAT and state-transition analysis Mar - Apr Suggestions for improvement 13 th Apr Detailed project report 15 th Apr Project exhibition 19-24 th Apr Final presentation

References [1] T.Lunt, R. Jagannathan, A prototype real-time intrusion detection expert system, Proc. Symp. On Security and Privacy, Oakland, CA, April 1988, pp. 59-66 [2] Giovanni Vigna, Fredrik Valeur, Richard A. Kemmerer, Designing and implementing a family of intrusion detection systems, Proceedings of the 9th European software engineering conference held jointly with 10th ACM SIGSOFT international symposium on Foundations of software engineering, Vol. 28, 5, 2003 [3] M.Roesch.Snort Lightweight Intrusion Detection for Networks. In Proceedings of the USENIS LISA 99 Conference, Nov. 99 [4] Sandeep Kumar. Classification and Detection of Computer Intrusions. Ph.D. Dissertation, August 1995 [5] T D Garvey and Teresa Lunt. Model based intrusion detection. In Proceedings of the 14 th National Computer Security Conference, pages 372-385, October 1991 [6] S. Kumar, E.Spafford, A pattern matching model for misuse intrusion detection, Proc. 17 th National Computer Security Conf. October 1994, pp. 11-21 [7] P. Porras, R. Kemmerer, Penetration state transition analysis a rule-based intrusion detection approach, Proc. 8 th Annual Computer Security Applications November 1992, pp. 220-229 Conf., [8] Koral Ilgun, Richard A. Kemmerer, Fellow, IEEE, and Phillip A. Porras, State Transition Analysis: A Rule-Based Intrusion Detection Approach, IEEE Transactions of software engineering, Vol. 21, no. 3, march 1995 [9] Paul Helman and Gunar Liepins, Statistical Foundations of Audit Trail Analysis for the Detection of Computer Misuse, IEEE transaction of software engineering, vol. 19, no. 9, September 1993 [10] P.Helman, G.Lipins, W. Richards, Foundations of intrusion detection, Proc. 5 th Computer Security Foundations Workshop Franconic, NH, June 1992, pp. 114-120

[11] Detecting Unusual Program behavior using the statistical component of the Next-generation Intrusion Detection Expert System (NIDES), D. Anderson, Teresa F. Lunt, Harold Javitz, Ann Tamaru, Alfonso Valdes, Computer Science Laboratory, SRI-CSL-95-06, May 1995 [12] H.S. Vaccaro, G.E. Leipins, Detection of anomalous computer session activity, Proc. IEEE Symp. On Research in Security and Privacy, 1989, pp.280-289 [13] H. Debar, M. Becker, D.Siboni, A neural network component for an intrusion detection system, Proc. 1992 IEEE Computer Society Symp. On Research in Security and Privacy Oakland, CA, May 1992, pp.240-250 [14] T.Spyrou, J.Darzentas, Intention modeling: approximating computer user intentions for detection and prediction of intrusions, in: S.K. Katsikas, D. Gritzalis (Eds.), Information Systems Security, Samos, Greece, May 1996, pp.319-335 [15] S. Forrest, S.A. Hofmeyr, A. Somayaji, Computer immunology, Communications of the ACM 40 (10) (October 1997) 88-96 [16] N.J. McAuliffe et al., Is your computer being misused? A survey of current intrusion detection system technology, in Proc. Sixth Comput. Security Applicat. Conf., Dec 1990, pp. 260-272 [17] USTAT: A Real-Time Intrusion Detection System for UNIX. SRI Technical report, 1993 [18] STATL definition: Technical report, 2000-19. University of California, Santa Barbara (UCSB) [19] Research in intrusion detection systems: A Survey. Department of computer engineering, Chalmers University of Technology, Aug 19, 1999 [20] Herve Debar, Marc Dacier, Andreas Wespi: Towards a taxonomy of intrusion-detection systems, Computer Networks 31 (1999) 805-822 [21] Phillip Andrew Porras, STAT: A State Transition Analysis Tool for Intrusion Detection, master thesis, University of California, Santa Barbara [22] Software Design, Product Specification, and Version Description Document, Next Generation Intrusion Detection Expert System (NIDES), SRI Technical report 1992

[23] Safeguard Final Report: Detecting Unusual Program Behavior Using the NIDES statistical Component, SRI Final Report, Dec 2, 1993 [24] The NIDES Statistical Component: Description and Justification, SRI report, March, 1993 [25] Detecting Unusual Program behavior using the statistical component of the Next-generation Intrusion Detection Expert System (NIDES), SRI technical report 1995 Web site The SANS institute: intrusion detection FAQ. Version 1.80 - Updated June 12, 2003 www.san.org/resource/idfaq ACM Digital Library http://portal.acm.org/dl.cfm IEEE journals, transactions, magazines and conference proceedings http://ieeexplore.ieee.org/xplore/dynwel.jsp Book Terry Escamilla. Intrusion detection: network security beyond the firewall Paul E. Proctor; forword by Dorothy Denning; technical editor, Ira Winkler. Practical intrusion detection handbook Edward G. Amoroso. Intrusion detection: an introduction to Internet surveillance, correlation, traps, trace back, and response

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback