Intrusion Detection Systems


The area of network intrusion detection has been a very hot topic for many years and probably for many years as hot topic will it also stay. Although this statement is applicable on many security related fields, the failures in which usually have significant impact on lives, properties, privacy, etc., the areas dealing with threats spreading through networks will always be on the front pages, due to the fact it could theoretically impact every user in the world. With the rise of Internet of Things in the coming years, there is no doubt the number of possible attacks will rise, as it already does in recent years. Keeping the successful attacks to the lowest number as possible is a goal of large number of security products and mechanisms, like antiviruses, firewalls, intrusion detection systems, intrusion prevention systems, hardware modules, etc.

The security of the whole system is as secure as its weakest point, thus we must fight the threats on many fronts and it’s important that the study and development of each of security areas is done equally. For our interest, we picked the area of intrusion detection systems that deals with attacks on a daily basis. Many approaches for the detection of malicious activities were introduced up to this date, yet many of them stayed in experimental phase, most of which were proposed in academical papers, and only a few of them are commonly used. There is also a number of private detection methods integrated in enterprise solutions the closeness of which might be double-edged sword. The aim of this thesis is to analyze a novel approach of intrusion detection based on statistical protocol identification. This approach was designed for classification of regular protocols, but we see the potential for its utilization in the field of intrusion detection. To prove it, we propose a prototype of the classifier based on this method and evaluate its performance with other approaches. Second chapter of this thesis explains and discusses the theory behind the used approaches, technologies, algorithms and attack scenarios. In the third chapter, we introduce our own intrusion detection system and provide the detection results in comparison with other methods. Fourth chapter is a place for a summary of what we achieved, brief discussion of problems we still face and ideas for improvements.

2 Theoretical Background

2.1 Intrusion Detection Systems

In general, intrusion detection system (IDS) is a detector that processes information coming from the system that is to be protected. It is designed to dynamically monitor the actions taken in a given environment and decides whether these actions are symptomatic of an attack or constitute a legitimate use of the environment. Many approaches and conceptions of IDS systems were proposed up to these days, often making the categorization of such systems difficult to properly describe.

2.1.1 Conceptual Categorization

With little simplification, there can be seen two complementary trends in intrusion detection—Knowledge-based IDS and Behavior-based IDS. Knowledge-based IDS Knowledge-based detection is also referred as misuse detection, or signature detection. Knowledge-based intrusion-detection techniques apply the knowledge accumulated about specific attacks and system vulnerabilities. The intrusion detection systems contain information about these vulnerabilities and looks for attempts to exploit them. In this kind of detection, we can define what constitutes legal or illegal behavior and compare the observed behavior accordingly. These systems are usually programmed with an explicit decision rule containing usually a straightforward coding of what can be expected to be observed in the event of intrusion. Intrusions can be encoded as a number of different states, each of which has to be present for the intrusion to take place. For state-modeling, time series models are often used. The simplest knowledge-based systems are based on string matching, where the presence of actual attacks are determined by the match of certain substring in the transmitted payload. This method requires deep packet inspection, which is time-consuming and has power and flexibility drawbacks, but gives accurate results. Another common type of knowledge-based systems are expert systems, where the attacks are described as a set of.

2. Theoretical Background

During detection, audit events are translated into facts and the conclusion is based on comparison of these facts with rules. Behavior-based IDS Behavior-based detection are the opposite of knowledge-based detection in the sense of modeling the events of interest. Anomaly detection systems attempt to model normal behavior, where any event that is abnormal is considered suspicious and should be thoroughly examined. We assume that intrusion can be detected by observing a deviation from normal behavior, that will show up when comparing the current activity with the learned model of normal traffic. The advantage of this detection method is the ability of detecting the novel attacks, which is hardly possible with the knowledge-based detection. However, this approach also generates non-negligible rate of false positives. In the area of behavior-based systems, we distinguish between selflearning systems and programmed systems. The method of learning in self-learning systems is typically “learn by example”, where systems observes traffic for an extended period of time and builds models of behavior. Further analyzed traffic is classified based on the built models during training phases. Different approach are programmed systems, which requires a “teacher” who programs it to detect certain anomalous events. The teacher forms an opinion on what is considered abnormal enough for the system to signal a security violation.

Compound Systems

In complement to these two kinds of intrusion detections, there are also compound systems, that mix both described techniques performed by one detector. The detector operates by detecting the intrusion against the background of the normal traffic of the system. These systems give better chance of correctly detecting intrusive behavior, since they possess the patterns of intrusions and can relate them to the normal behavior of the system. These systems are usually self-learning, which means they are able to automatically learn what constitutes intrusive and normal behavior for a system by being presented with examples of normal behavior interspersed with intrusive behavior. The examples of intrusive behavior must be flagged as such during the training phase.

2. Theoretical Background

They sometimes offer automatic feature selection, when systems operate by automatically determining what observable features are interesting when forming the intrusion detection decision.

2.1.2 Categorization based on Subject of Inspection
Based on the subject of inspection, we further classify intrusion detection systems into host-based and network-based intrusion detection systems.

Host-based IDS
Host-based IDS deal with operating system call traces. The intrusions are in the form of anomalous subsequences of the traces. The anomalous subsequences translate to malicious programs, unauthorized behavior and policy violations. The co-occurrence of events are the key factor in differentiating between normal and anomalous behavior. Events belong to the predefined alphabet, consisting of individual system calls, e.g. “open”, “read”, “mmap”, etc. Although easily-accessible and nonintrusive source of information is provided, recreating context of the interleaved events can be difficult, and the validity of log events after the compromise takes place is questionable.

Network-based IDS
Network IDS deal with detecting intrusions in network data. The main source of events becomes the traffic between hosts. IDS can observe all communication between a network attacker and the victim system, which has benefits over the host-based IDS, mainly in making no impact of processing on the hosts themselves, isolating the stations from attackers influence and the ability to observe network-level events. Main drawbacks are the performance issues, as the network data dramatically increases, and the difficulty to tell whether the data streams are reconstructed identically on monitored hosts and inside the monitor. To override the drawbacks from both types of detections, host network monitoring approach that combines both techniques was adopted by some IDS systems and personal firewalls. Data are observed at all levels of the host’s network protocol stack and the events streams observed by the probe are those observed by the systems itself. However, the impact on each monitored system is noticeable.

2.1.3 Response-based Categorization

Based on the steps taken by IDS after detection of intrusion, we define passive and active IDS. Most IDS generate an alarm when the intrusion is detected, but no further countermeasures are usually made to stop the attack. The main reason for such approach is the fact that currently these systems generate non-negligible false alarms, which would cause denial of service for a number of legitimate users.

2.1.4 SNORT

SNORT is an open-source IDS used for protocol analysis and deep packet inspection against intrusion signature. SNORT system processes the traffic of packets on multiple stages, using method called analyzenormalized matching. SNORT uses many efficient string matching algorithms for searching for intrusion patterns in packet headers and payloads. Signatures are defined as rules that may contain header and content fields. Header part checks the protocol, source IP and destination IP addresses and port. Content part scans packet payload for one or more patterns. Rules can also contain negation patterns. Matching patterns are usually in ASCII or HEX format.



TOPlist TOPlist VIPLOG database valid