Improving Intrusion Detection System Taminee Shinasharkey CS689 11/2/00.


Page 1:

Improving Intrusion Detection System

Taminee Shinasharkey

CS689

11/2/00

Page 2: Introduction

Intrusion is when a user takes an action that the user was not legally allowed to take.

An intrusion attempt (Anderson, 1980) is defined as the potential possibility of an unauthorized attempt to:

- Access information

- Manipulate information, or

- Render a system unreliable or unusable.

Page 3: Introduction (cont)

Intruder detection involves determining that an intruder has tried to gain or has gained unauthorized access to the system.

Most intrusion detection systems attempt to detect a presumed intrusion and alert a system administrator. System administrators take action to prevent intrusion.

An audit record is a record of activities on a system that are logged to a file in sorted order.

Page 4:

From Lincoln Laboratory, Massachusetts Institute of Technology

Page 5: Intrusion Classification

The COAST group at Purdue University defined an intrusion as any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource.

There are two techniques of intrusion detection:

1. Anomaly Detection – based on observations of deviations from normal system usage patterns.

2. Misuse Detection – based on known attacks on weak points of a system.

Page 6: Anomaly Detection

• Tries to detect the complement of bad behavior.

• This system could verify a normal activity profile for a system and flag all states deviating from the verified profile.

• Must be able to distinguish between anomalous and normal behavior.

Page 7: Anomaly Detection

A block diagram of a typical anomaly detection system

Page 8: Misuse Detection

• Tries to recognize known bad behavior.

• This system detects by using the form of a pattern or signature, so that variations of the same attack can be detected.

• Concerned with catching intruders who attempt to break into a system by exploiting some known vulnerability.
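The two techniques from the preceding slides side by side, as an added example that is not part of the original slides: an anomaly detector learns a per-user profile from a training period and flags programs absent from it, while a misuse detector matches audit records against a signature table. The audit records, the profile and the single signature are all constructed here; the example shows why the two techniques complement each other (each catches an event the other misses).

```python
from collections import Counter

# Constructed audit records (user, command), as an audit file would list them.
# TRAINING is the period used to learn what "normal" looks like for alice.
TRAINING = [("alice", "ls"), ("alice", "cat notes.txt"), ("alice", "vi notes.txt"),
            ("alice", "ls"), ("alice", "make")]
# OBSERVED is a later period being checked by both detectors.
OBSERVED = [("alice", "ls"), ("alice", "vi notes.txt"), ("alice", "tcpdump -i eth0"),
            ("alice", "cat /etc/shadow")]

# Constructed signature table for misuse detection: substring -> description.
SIGNATURES = {"/etc/shadow": "read of the password hash file"}


def build_profile(records):
    """Anomaly detection, step 1: learn which programs each user normally runs."""
    profile = {}
    for user, cmd in records:
        profile.setdefault(user, Counter())[cmd.split()[0]] += 1
    return profile


def anomaly_alerts(profile, records):
    """Anomaly detection, step 2: flag any program absent from the user's profile."""
    return [(u, c) for u, c in records if c.split()[0] not in profile.get(u, {})]


def misuse_alerts(records):
    """Misuse detection: flag any command matching a known-bad signature."""
    return [(u, c, desc) for u, c in records
            for pat, desc in SIGNATURES.items() if pat in c]


if __name__ == "__main__":
    prof = build_profile(TRAINING)
    # tcpdump is novel for alice, so only the anomaly detector sees it;
    # cat is in her profile, so only the signature detector sees the shadow read.
    print("anomaly:", anomaly_alerts(prof, OBSERVED))
    print("misuse: ", misuse_alerts(OBSERVED))
```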

Page 9: Misuse Detection

A block diagram of a typical misuse detection system

Page 10: Intruder Classification

Intruders are classified into two groups.

1. External intruders – unauthorized users of the systems they attack.

2. Internal intruders – users who have some authority:

- Masqueraders – external intruders who have succeeded in gaining access to the system (e.g., a credit card defrauder).
- Legitimates – intruders who have access to sensitive data, but misuse this access.
- Clandestine – intruders who have the power to control the system and can turn off audit controls for themselves.

Page 11: Problem Description

An Application Intrusion Detection System will be concerned with anomaly detection more than misuse detection. Since OS Intrusion Detection and Application Intrusion Detection share many relations on the same basic observed entities, there should be some correlation between events at the operating system and application levels. Is it possible to have these two systems cooperate in order to improve the effectiveness of an Intrusion Detection System?

Page 12: Research Objectives

The goal of this research is to improve the effectiveness of intruder detection and to explore how the OS Intrusion Detection System might cooperate with the Application Intrusion Detection System to achieve this goal.

Page 13: OS Intrusion Detection System

• Detects external intruders.

• Organized in such a way that the process, the user that started the process, or whoever executed the process is associated with each event.

• Lower resolution.

• Views the file as a container whose contents cannot be deciphered except for changes in size.

• Can only define a relation on a file as a whole, such as whether or not it was changed in the last period of time.

The differences between an OS and an Application Intrusion Detection System

Page 14: Application Intrusion Detection System

• Only detects internal intruders, after they have either penetrated the operating system to get access to the application, or were given some legitimate access to the application.

• May not be set up to perform a mapping between the event and the event-causing entity.

• Higher resolution.

• Can define a relation on the different records or fields of the file.

Page 15: Similarities

• Both attempt to detect intrusion by evaluating relations to differentiate between anomalous and normal behavior.

• The database files are the same size.

• Both could build event records containing listings of all events and the associated event-causing entities of the application, using whatever form of identification is available.

• Structure.
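The OS-level and application-level views described on the last three slides, and the kind of cooperation the problem statement asks about, as an added example that is not part of the original slides: the OS audit log knows which user ran which process against a file but sees the file only as a container (a size change), while the application audit log sees which record and field changed but not who caused it. Both audit logs, the sensitivity profile and the correlation window are constructed for this illustration; the last function maps an application-level alert back to the OS user via the nearest preceding OS event on the same file.

```python
# Constructed OS audit records: the OS IDS associates user and process with
# each event, but only observes the file as a whole (size delta in bytes).
OS_AUDIT = [
    {"t": 100, "user": "bob",   "proc": "payroll", "file": "salaries.db", "delta": 0},
    {"t": 105, "user": "carol", "proc": "payroll", "file": "salaries.db", "delta": 48},
    {"t": 110, "user": "bob",   "proc": "payroll", "file": "salaries.db", "delta": 48},
]
# Constructed application audit records: the application IDS sees the record
# and field that changed, but has no mapping to the OS user who caused it.
APP_AUDIT = [
    {"t": 106, "file": "salaries.db", "record": 17, "field": "salary", "old": 50000, "new": 50100},
    {"t": 111, "file": "salaries.db", "record": 17, "field": "salary", "old": 50100, "new": 150000},
]
# Constructed application-level profile: largest relative change treated as normal.
SENSITIVE = {"salary": 0.10}


def os_alerts(records, max_delta=1024):
    """OS IDS (lower resolution): a size change alone can only flag gross anomalies."""
    return [r for r in records if abs(r["delta"]) > max_delta]


def app_alerts(records):
    """App IDS (higher resolution): flag field-level changes beyond the profile."""
    out = []
    for r in records:
        limit = SENSITIVE.get(r["field"])
        if limit is not None and abs(r["new"] - r["old"]) > limit * r["old"]:
            out.append(r)
    return out


def attribute(app_alert, os_records, window=5):
    """Cooperation: attach the OS-level user to an application alert by picking
    the latest OS event on the same file within `window` ticks before it."""
    cands = [r for r in os_records if r["file"] == app_alert["file"]
             and 0 <= app_alert["t"] - r["t"] <= window]
    return max(cands, key=lambda r: r["t"])["user"] if cands else None


if __name__ == "__main__":
    print("OS-level alerts:", os_alerts(OS_AUDIT))       # both edits look alike: none
    for alert in app_alerts(APP_AUDIT):                  # only the 200% raise is flagged
        print("app alert on record", alert["record"], "attributed to",
              attribute(alert, OS_AUDIT))
```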

Page 16: Literature Review

The COAST laboratory at Purdue University characterized a good Intrusion Detection System as having the following qualities:

- Run continually – the system must be reliable enough to allow it to run in the background of the system being observed.

- Fault tolerant – the system must survive a system crash and not have its knowledge base rebuilt at restart.

- Resist subversion – the system can monitor itself to ensure that it has not been subverted.

Page 17: Literature Review (cont)

- Minimal overhead – a system that slows a computer to a crawl will not be used.

- Observe deviations from normal behavior.

- Easily tailored – every system has a different usage pattern, and the defense mechanism should be easily adapted to the patterns.

- Changing system behavior – the system profile will change over time, and the Intrusion Detection System must be able to adapt.

- Difficult to fool.

Page 18: Literature Review (cont)

• The Information Systems Technology Group of MIT Lincoln Laboratory, under Defense Advanced Research Projects Agency (DARPA) Information Technology Office and Air Force Research Laboratory (AFRL/SNHS) sponsorship, has collected data for and evaluated computer network intrusion detection systems since 1998–1999.

Page 19: Benefits of this Research

We will learn whether an Application Intrusion Detection System can cooperate with an OS Intrusion Detection System, and whether doing so improves the ability of Intrusion Detection Systems to defend against intruders.

Page 20: Research Design

• Case study of Application Intrusion Detection System

• Study the differences and cooperation between the Application Intrusion Detection System and the OS Intrusion Detection System

• Research the possibility of the two systems working cooperatively.

Page 21: Conclusion

The Application Intrusion Detection System can be more effective in detecting intruders than the OS Intrusion Detection System because Application Intrusion Detection operates at a higher resolution. Since the Application Intrusion Detection System depends on the OS Intrusion Detection System, and only the OS Intrusion Detection System can detect external intruders, we need an OS Intrusion Detection System and an Application Intrusion Detection System to cooperate for increased potential in detecting intruders.

Page 22:

Thank you.