Tech 2

This document summarizes Teresa F. Lunt's survey of intrusion detection techniques. It discusses what intrusion detection is and how it works by monitoring audit data and detecting deviations from normal user behavior. Different approaches to interpreting audit data are examined, including determining user norms with statistical models, using expert systems with rule-based models, and model-based reasoning. Neural networks are also proposed as an alternative to statistical user profiling. The document considers where intrusion detection systems should be implemented and potential privacy issues regarding extensive user monitoring.

Uploaded by

dhammdips304
A Survey of Intrusion Detection Techniques
Teresa F. Lunt
Discussion Layout
• Introduction
• What is Intrusion Detection?
• How does Intrusion Detection work?
• Different approaches to Intrusion Detection
• Where and when should Intrusion Detection be implemented
• Privacy issues
• The future of Intrusion Detection
• Conclusion
What is Intrusion Detection?
• Intrusion Detection should detect:
  - External penetrators: persons unauthorized to use the computer
  - Internal penetrators: persons authorized to use the computer, but accessing an unauthorized program, data, or resource
    - Masqueraders: users operating under a false password
    - Clandestine users: users who evade auditing
  - Misfeasors: authorized users who abuse their privileges
What is Intrusion Detection?
• Detect external penetrators by keeping track of failed login attempts
• Detect masqueraders by establishing “normal” user behavior and flagging instances where a user has strayed from this behavior
• Clandestine users are difficult to detect because they may have privileges that allow them to work outside of the monitored areas of the system
  - A solution to this is to monitor certain system-wide parameters
• Normal users who abuse their privileges are difficult to detect
How does Intrusion Detection work?
• Access controls
  - Not a complete defense against insider attack or outside penetration
  - No protection from privilege abuse
• Auditing
  - Audit trails collect information on use of the computer and normal user activity
  - Audit data must be interpreted correctly, and the collected information must be relevant
• The rest of this talk will focus on tools developed to interpret audited information
Auditing
• Audit data interpretation for security purposes can be:
  - In-depth offline: after-the-fact analysis of audit data
  - Real-time: immediate testing of audit data, allowing for a timely response
  - Damage assessment
• This talk will focus on the first two types of audit interpretation
Approaches to interpreting audit data for security analysis
• Determining user norms
• Using expert systems
• Model-based reasoning
• The IDES resolver
• Other approaches
User norms: IDES
• IDES (Intrusion Detection Expert System) is used for auditing and interpreting data
  - Developed by SRI
  - Flags departures from established user “norms” in order to detect system penetration
• Maintains a dynamic user profile that determines regular use
User norms: IDES
• How the audit information in IDES can be stored:
  - Ordinal measure: a count of numerically quantifiable behavior, e.g., the amount of CPU time used
  - Categorical measure: a function of observed behavior over a finite set of categories; each value is determined in relation to the other categories
  - Binary categorical measure: has a finite number of categories, and assigns each a 1 or 0 depending on whether or not it is invoked
  - Linear categorical measure: has a score function that counts the number of times each category occurs
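As an added illustration (not code from the slides or from SRI's IDES), the following builds a dynamic profile for one user using the three measure types listed above (an ordinal measure for CPU time, a binary categorical measure for which commands have ever been used, and a linear categorical measure for how often each command occurs) and reports how a new session departs from those norms. The training sessions, thresholds and command names are constructed for the example.

```python
import math
from collections import Counter

# Constructed training sessions for one user (CPU seconds, commands run); not survey data.
TRAINING_SESSIONS = [
    (12.0, ["ls", "vi", "cc", "ls"]),
    (15.0, ["ls", "cc", "make"]),
    (11.0, ["vi", "ls", "make", "cc"]),
    (14.0, ["ls", "vi", "cc"]),
    (13.0, ["make", "ls", "vi"]),
]

class UserProfile:
    def __init__(self, sessions=()):
        self.n = 0
        self.mean = 0.0          # ordinal measure: running mean of CPU seconds
        self.m2 = 0.0            # running sum of squared deviations (Welford's method)
        self.counts = Counter()  # linear categorical: occurrences per command
        self.seen = set()        # binary categorical: was the command ever invoked?
        for cpu, cmds in sessions:
            self.update(cpu, cmds)

    def update(self, cpu_seconds, commands):
        self.n += 1
        delta = cpu_seconds - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (cpu_seconds - self.mean)
        self.counts.update(commands)
        self.seen.update(commands)

    def stdev(self):
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0

    def category_freq(self, cmd):
        total = sum(self.counts.values())
        return self.counts[cmd] / total if total else 0.0

def score_session(profile, cpu_seconds, commands, z_limit=3.0, min_freq=0.05):
    """Return the reasons a new session departs from the user's norms (empty if none)."""
    reasons = []
    sd = profile.stdev()
    if sd > 0 and abs(cpu_seconds - profile.mean) / sd > z_limit:
        reasons.append(f"ordinal: {cpu_seconds}s CPU is over {z_limit} sd from mean {profile.mean:.1f}s")
    for cmd in sorted(set(commands)):
        if cmd not in profile.seen:
            reasons.append(f"binary categorical: never-before-seen command {cmd}")
        elif profile.category_freq(cmd) < min_freq:
            reasons.append(f"linear categorical: rarely used command {cmd}")
    return reasons
```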
User norms: IDES
• Disadvantages to establishing normal user behavior:
  - Depends greatly on the consistency of the user
  - An insider may know that behavior is monitored and intentionally change it over time
  - A user’s behavior is subject to change without notice
• Alternatives to auditing normal behavior in IDES:
  - Profiling the normal behavior of programs
  - Using keystroke dynamics to continuously verify user identity
User norms: Neural Networks
• SRI has looked into Neural Networks (NNs) to counter the following IDES problems:
  - The need for accurate statistical distributions
    - NNs do not require assumptions about normal user behavior
  - Difficulty in evaluating detection measures
    - NNs can evaluate the effectiveness of detection measures
  - High cost of algorithm development
    - NN simulators are easier to modify for new user communities
  - Difficulty in scaling
    - NNs could be used to classify users depending on their observed behavior, as opposed to manual groupings
User norms: Neural Networks
• So, what IS a Neural Network?
  - In principle, NNs can compute any computable function, i.e., they can do everything a normal digital computer can do.
  - In practice, NNs are especially useful for classification and function approximation/mapping problems which are tolerant of some imprecision, which have lots of training data available, but to which hard and fast rules (such as those that might be used in an expert system) cannot easily be applied.
  Source: http://www.rdt.monash.edu.au/~app/CSC437nn/Lnts/L01.html#CITEnnFAQ
• In general, NNs are capable of “learning” and can be used for such purposes as pattern recognition
Expert Systems
• The Expert System approach simply monitors audit data for suspicious activity
• This approach is likened to a security officer’s duties
• The Expert System uses a defined set of activities to look for
  - This set of rules cannot possibly be comprehensive
  - The set of rules is fixed; it does not depend on previous activity
• There may be a way to combine this approach with the statistical approach
  - Compare rule violations with normal user behavior and try to detect a correspondence
Model-based reasoning
• This type of Intrusion Detection relies on the fact that there are usually known procedures to breach system security
  - Known password attacks
  - Known system vulnerabilities
• Model-based reasoning would monitor known user attacks via a specific model of proscribed activities
• Gather “evidence” of an intrusive procedure by looking for intrusion scenarios
• Top-down models allow the system to predict the action an intruder would take if following such a scenario and determine specifically which audit data to examine next
Model-based reasoning
• Data is systematically examined until enough “evidence” is gathered to support the suspicion of an attack
• Good candidates for model-based reasoning are:
  - Attacks which are easily recognizable
  - Attacks which contain sets of instructions unique to that specific attack
  - Attacks which contain sets of instructions that are not associated with normal behavior
Model-based reasoning
• Benefits:
  - Narrows down the information that needs to be processed
  - Intuitive explanations of detected attacks
  - Ability to take preventative actions before an attack is completed
• Drawbacks:
  - Can only detect known attacks
  - An intruder may be able to vary the scenario and avoid detection
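The evidence-gathering loop of the three model-based reasoning slides, as an added example that is not code from the slides or from any SRI system: a scenario is an ordered list of steps, each source host gets a hypothesis that records how much evidence has been gathered, the current step tells the monitor which audit data to examine next (the top-down prediction), and an alert is raised only once every step is evidenced. The audit events, the scenario (repeated failed logins, then a login, then a sensitive read) and the host names are constructed for the example; the second host shows the drawback above, since the same final action without the preceding steps does not match.

```python
from dataclasses import dataclass, field

# Constructed audit events (timestamp, source host, event, detail); not data from the survey.
EVENTS = [
    (100, "hostA", "login_fail", "root"),
    (101, "hostA", "login_fail", "root"),
    (102, "hostA", "login_fail", "root"),
    (110, "hostA", "login_ok", "root"),
    (115, "hostA", "read", "/etc/shadow"),
    (200, "hostB", "login_ok", "eve"),
    (205, "hostB", "read", "/etc/shadow"),   # same final action, but the earlier steps are absent
]

@dataclass
class Step:
    name: str
    pred: object              # predicate: does an event count as evidence for this step?
    need: int = 1             # how many matching events satisfy the step
    examine: tuple = ()       # which audit data to look at next (top-down guidance)

# One intrusion scenario: repeated failed logins, then a success, then a sensitive read.
SCENARIO = [
    Step("password guessing", lambda e: e[2] == "login_fail", need=3, examine=("login_fail",)),
    Step("login after guessing", lambda e: e[2] == "login_ok", examine=("login_ok",)),
    Step("sensitive file access", lambda e: e[2] == "read" and e[3] == "/etc/shadow", examine=("read",)),
]

@dataclass
class Hypothesis:
    step: int = 0                                   # index of the step being evidenced
    hits: int = 0                                   # matching events seen for that step
    evidence: list = field(default_factory=list)    # events gathered so far

    def next_to_examine(self, scenario):
        return scenario[self.step].examine if self.step < len(scenario) else ()

def run_scenario(scenario, events):
    # Returns (alerts, hypotheses); an alert lists the completed scenario's evidence timestamps.
    hyps, alerts = {}, []
    for ev in events:
        h = hyps.setdefault(ev[1], Hypothesis())    # one hypothesis per source host
        if h.step < len(scenario) and scenario[h.step].pred(ev):
            h.hits += 1
            h.evidence.append(ev)
            if h.hits >= scenario[h.step].need:
                h.step, h.hits = h.step + 1, 0      # step satisfied: predict the next one
                if h.step == len(scenario):
                    alerts.append((ev[1], [e[0] for e in h.evidence]))
    return alerts, hyps
```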
The IDES resolver
• This will combine statistical and expert system components
• Can make more complex deductions about suspicious behavior
• Reduces the false positive rate
• Able to detect with more accuracy the gravity of a situation
• Correlates audit data with other available data
  - Information about changes in user status (new users, user locations, …)
  - Information about files, directories, devices, authorizations, …
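The combination the Expert Systems slide hints at and the resolver slide describes, as an added example (not code from the slides or from SRI's IDES): a fixed rule set, a statistical profile of each user's usual working hours, a list of terminated users standing in for the "other available data" about user status, and a resolver that grades a record higher when a rule hit and a statistical anomaly coincide than when either occurs alone. The records, rules, users and paths are all constructed for the example.

```python
from collections import defaultdict

# Constructed audit records (user, hour of day, action, object); not data from the survey.
TRAINING = [  # a user's ordinary activity, used to build the statistical profile
    ("alice", 9, "read", "/home/alice/report.txt"),
    ("alice", 11, "exec", "/usr/bin/cc"),
    ("alice", 14, "read", "/home/alice/draft.txt"),
]
LIVE = [  # records the resolver has to grade
    ("alice", 3, "read", "/etc/shadow"),    # rule hit at an hour alice never works
    ("bob", 10, "read", "/etc/shadow"),     # rule hit, no profile to compare against
    ("carol", 12, "exec", "/usr/bin/ls"),   # ordinary action, but the user was terminated
    ("alice", 10, "exec", "/usr/bin/cc"),   # ordinary
]
TERMINATED_USERS = {"carol"}  # "other available data": a user status change

# Expert-system component: a fixed rule set of (name, predicate over a record).
RULES = [
    ("sensitive-file-read", lambda r: r[2] == "read" and r[3] == "/etc/shadow"),
    ("terminated-user-active", lambda r: r[0] in TERMINATED_USERS),
]

def rule_hits(record):
    return [name for name, pred in RULES if pred(record)]

# Statistical component: the hours at which each user has normally been active.
def build_hour_profile(records):
    hours = defaultdict(set)
    for user, hour, _, _ in records:
        hours[user].add(hour)
    return hours

def hour_is_unusual(profile, user, hour):
    seen = profile.get(user, set())
    # Unusual only when a profile exists and has no activity within one hour of this one.
    return bool(seen) and not any(abs(h - hour) <= 1 for h in seen)

def resolve(training, live):
    # Grade each live record by combining rule hits with the statistical profile.
    profile = build_hour_profile(training)
    verdicts = []
    for rec in live:
        hits = rule_hits(rec)
        unusual = hour_is_unusual(profile, rec[0], rec[1])
        severity = "low"
        if hits and unusual:
            severity = "high"      # both components agree
        elif hits or unusual:
            severity = "medium"    # one component alone is a weaker signal
        verdicts.append((rec[0], severity, hits, unusual))
    return verdicts
```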
Other approaches
• Define acceptable, as opposed to suspicious, behavior
• Use trap doors (bait malicious users)
  - Bogus passwords
  - “Tripwire” files
• Good Intrusion Detection systems will incorporate a number of methods for system security
More thoughts on auditing
• In addition to normal security audit data, the following information should be maintained:
  - Facts about user status: new users, terminated users, users on vacation, changed job assignments, etc.
  - Facts about files, directories, devices, and authorizations
  - Profiles of expected or socially acceptable user behavior
• Users, even privileged ones, should not be able to tamper with the audit mechanisms
What is the appropriate level of auditing?
• Auditing should be implemented at the lowest level possible so that those users with direct programming access cannot bypass the security checks
  - This will detect clandestine users
• It is also useful to audit at the command line and application level
  - This allows for expert systems and model-based security
Where should auditing take place?
• Auditing ideally takes place on a separate system devoted to monitoring user behavior
  - An advantage of this is that performance is not affected on the monitored system
  - Another advantage is that a higher level of security could be implemented on the Intrusion Detection system
• Data should be preprocessed on the monitored system to reduce storage and performance requirements on the Intrusion Detection system
• Intrusion Detection systems could be generalized to monitor more than one machine at a time
Privacy issues?
• Maintaining a large database of user activity could be a major violation of privacy
  - Employee monitoring may take place
  - The audit files may fall into the wrong hands
Future
• So, what’s going on with IDES now?
  - Visit the Intrusion Detection Homepage at: http://www.sdl.sri.com/intrusion/index.html
• What happened to IDES?
  - It was revised and became NIDES at some point after 1993
  - According to SRI: “These efforts did, however, have some inherent limitations in scalability, applicability to network environments by their focus on users as the analysis targets, and lack of features to support interoperability”
Future
• Now SRI is working on EMERALD, the successor system to NIDES
• This system will “considerably extend the NIDES concept to accommodate network-based analyses and dramatically increase interoperability and ease of integration into distributed computing environments. This effort will include extending components for profile-based analysis, signature-based analysis, and localized results fusion with automated response capability. In addition, we are considerably extending our results analysis capability to facilitate hierarchical interpretations of our distributed monitoring units, which will enable cross-platform analysis at various layers of abstraction, and successive refinement of the resulting analyses within increasingly broader scopes” (Intrusion Detection Homepage).
Conclusion
• There is no perfect Intrusion Detection system
• Only through a combination of systems can the best possible security monitoring be implemented
• Probably the best approach is to maintain a profile of normal user activity and check this profile against a set of known suspicious behaviors
• Although privacy may be an issue, it is possible to implement regulations on auditing to protect the users and maintain security
