UI CS 448 - Dealing with Patterns
© 2008 A.W. Krings

Dealing with Patterns
If we want to find something unusual about a system, we need to know something about
– the expected behavior of the system
– the behavior of its functionalities
– whether additional, unwanted functionalities have been introduced

Intrusion Detection Terms
Just a few words on commonly used terms
– Misuse detection / signature detection (matching known attack patterns)
– Anomaly detection (flagging deviations from a profile of normal behavior)
– False positives (benign activity reported as an intrusion)
– False negatives (an intrusion that goes unreported)
– Data overload (more audit data than the system or analyst can examine)

Data Mining
Restated from the SANS Intrusion Detection FAQ
– http://www.sans.org/resources/idfaq/data_mining.php
– What is data mining?
» R.L. Grossman, in "Data Mining: Challenges and Opportunities for Data Mining During the Next Decade", defines data mining as being "concerned with uncovering patterns, associations, changes, anomalies, and statistically significant structures and events in data."
» Simply put, it is the ability to take data and pull from it patterns or deviations which may not be easily seen by the naked eye.
» Another term sometimes used is knowledge discovery.
Restated from http://www.sas.com/technologies/data_mining/
» Data mining is the process of selecting, exploring and modeling large amounts of data to uncover previously unknown patterns for business advantage.

Intrusion detection and survivability
"Recognition is the first step to Recovery"
– The basis for this brief overview of intrusion detection is the "Intrusion Detection Pages" at
» http://www.cerias.purdue.edu/coast/
» the material below is partially restated from this article
Intrusion
– someone attempting to break into or misuse the system
Intrusion Detection System (IDS)
– attempts to detect an intruder breaking into your system, or
– attempts to detect a legitimate user misusing system resources
– an IDS runs on your system at all times
KringsIntrusion detection and survivabilityOutside Intruders–what most people are afraid ofInside Intruders–FBI studies have revealed that vast majority of intrusions and attacks come from within organizations.–an insider knows »layout of your system»where the valuable data is »what security precautions are in place–survivability methods must face the same issues for both types of intruders5© 2008 A.W. KringsIntrusion detection and survivabilitySecurity Policy–defines what is permitted and what is denied on a system–Prohibitive »where everything that is not expressly permitted is denied. –Permissive »where everything that is not expressly denied is permitted.–Trying to use full potential of computers assumes certain freedoms of behavior»does not work well for detecting malicious behavior»unless: there is a notion of trust between the users»however: what if the population of trusted users has been invaded?–enforced set of rules would maintain every user's privacy and integrity–rules must be enforced (and be seen to be enforced)6© 2008 A.W. KringsIntrusion detection and survivability–Elements of System’s Security»Availabilitysystem must be available for use when the users need it. critical data must be available at all times. »Utilitysystem, and data on the system, must be useful for a purpose»Integritysystem and its data must be complete, whole, and in a readable condition7© 2008 A.W. KringsIntrusion detection and survivability–Elements of System’s Security cont.»Authenticity able to verify the identity of users users should be able to verify the identity of the system»Confidentiality private data should be known only to the owner or a chosen few »Possession owners of the system must be able to control it losing control of system to malicious user affects security of system for all other users.8© 2008 A.W. 
KringsIntrusion detection and survivabilityIntrusion Classification–Intrusion definition»any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource. –Two main classes»Misuseintrusions are well defined attacks on known weak points of a system. can be detected by watching for certain actions being performed on certain objects.»Anomalyintrusions are based on observations of deviations from normal system usage patterns. they are detected by building up a profile of the system being monitored, and detecting significant deviations from this profile. 9© 2008 A.W. KringsIntrusion detection and survivability–Misuse Intrusions follow well-defined patterns»can be detected by pattern matching on audit-trail information–Anomalous Intrusions»detected by observing significant deviations from normal behavior»classic model: a model is built which contains metrics that are derived from system operationmetric is defined as a random variable x representing a quantitative measure accumulated over a periodmetrics are computed from available system parameters such as –average CPU load, –number of network connections per minute, –number of processes per user, etc.10© 2008 A.W. KringsIntrusion detection and survivability–Anomalous Intrusions (cont.)»Anomaly may be a symptom of a possible intrusionexploitation of a system's vulnerabilities involves abnormal use of the system; therefore, security violations could be detected from abnormal patterns of system usage –[Denning, IEEE Trans on Software Engineering, 13(2):222-232, February 1987]»Anomaly detection has also been performed through other mechanisms, such as neural networksmachine learning classification techniquesmimicking of the biological immune systems» Anomalous intrusions are harder to detect11© 2008 A.W. 
KringsIntrusion detection and survivabilityIntrusion Detection Characteristics–must run continually, »should be examinable from outside.–must be fault tolerant »in the sense that it must survive a system crash and not have its knowledge-base rebuilt at restart–must resist subversion »use self diagnosis to determine if intrusion detection systems has been compromised12© 2008 A.W. KringsIntrusion detection and survivabilityIntrusion Detection Characteristics cont.– minimal overhead on the system– must observe deviations from normal behavior– must be easily tailored to the system»every system has a different usage pattern, and the defense mechanism should adapt easily to these patterns– must cope with changing system behavior over time– must be difficult to fool13©