SlideShare a Scribd company logo

Ids 013 detection approaches

Download as DOCX, PDF
J
jyoti_lakhani

Intrusion Detection System

Technology
1 of 14
Detection Approaches: Misuse Detection The basic principle of intrusion detection is based on the assumption that intrusive activities are noticeably different from normal ones and thus are detectable. Anomaly based intrusion detection approaches Establishing a model of the data flow that is monitored under normal conditions without the presence of any intrusive procedures Misuse detection approaches Aim to encode knowledge about patterns in the data flow that are known to correspond to intrusive procedures in form of specific signatures Specification based detection approaches Security experts predefine the allowed system behaviors and thus events that do not match the specifications are labeled as attacks Detection Approaches Misuse Detection Anomaly Detection Specification-based Detection
Misuse Detection Intrusions are detected by matching actual behavior recorded in audit trails with known suspicious patterns. Misuse detection is fully effective in uncovering known attacks Limitations It is useless when faced with unknown or novel forms of attacks for which the signatures are not yet available. For known attacks, defining a signature that encompasses all possible variations of the attack is difficult. Any mistakes in the definition of these signatures will increase the false alarm rate and decrease the effectiveness of the detection technique. A typical misuse detection model The model consists of four components: 1. Data collection 2. Systemprofile 3. Misuse detectionand 4. Response
Data are collected from one or many data sources including audit trails, network traffic, system call trace, etc. Collected data are transferred into a format is used to characterize normal and abnormal behaviors. The profiles characterize what a normal subject behavior should be and what operations the subjects typically would perform or do not perform on the objects. The profiles are matched with actual system activities and reported as intrusions in case of deviations. Techniques commonly used to implement Misuse Detection Pattern Matching  Commonly used in the network based intrusion detection systems  Attack patterns are modeled, matched and identified based on the packet head, packet content or both  In host-based intrusion detection systems, the system calls in a system audit trail is used for misuse detection Misuse Detection Techniques Pattern Matching Rule-based Techniques Techniques based on Data Mining State-based Techniques
 With the continual emerging of new types and varied forms of attacks the number of signatures is constantly growing, thus making the pattern matching more expensive in terms of the computational cost.  In order to address this limitation, Abbes et al (2004) propose a method combining a novel protocol analysis approach with traditional pattern matching to improve the performance of pattern matching  The protocol analysis checks patterns in specific parts of the packet rather than in the entire payload and it is implemented based on the construction of a decision tree.  Adv: The biggest advantage of this approach is that it can reduce the search space for patterns that results in a fast search.  Adv: The approach has the potential to reduce the number of false positives since patterns are matched only in the extracted protocol fields.  Kreibich and Crowcroft (2004) studied the performance evaluation of pattern matching based intrusion detection approaches  A workload model is proposed to provide reasonably accurate estimates compared to real workloads  The model attempts to emulate a traffic mix of different applications, reflecting the characteristics of each application and the way these applications interact with the system.  The model has been implemented as part of a traffic generator Rule-based Techniques  Rule-based expert system is one of the earliest techniques used
 Expert systems encode intrusive scenarios as a set of rules, which are matched against audit or network traffic data  Any deviation in the rule matching process is reported as an intrusion. MIDAS (Multics Intrusion Detectionand Alerting System)  Developed by the National Computer Security Center (NCSC) to monitor intrusions for NCSC’s networked mainframe  It uses and analyzes audit log data by combining the expert system technology with statistical analysis  MIDAS uses the Production Based Expert System Toolset (PBEST) in discriminating and implementing the rule base, which is written in LISP language  The structure of the rules in the P-BEST rule base includes two layers. Rule-based Techniques MIDAS IDES NIDES
 The first(lower) layer is used to match certain types of events such as number of user logins, and then fires new events by setting up a particular threshold of suspicion.  Rules in the second (higher) layer process these suspicions and decide whether the system should raise an alert or not.  Figure 2.2 illustrates an example of MIDAS rule. The rule defines an intrusion scenario involving some unusual login time. It determines whether the time when the user logins is outside normal hours or not. The rule also illustrates that an unusual behavior does not necessarily stands for an intrusion. (Lower Layer): Check Events ( (Higher Layer): Process Events Alarm Generator Event Listener Rules
IDES (Intrusion DetectionExpert System)  The IDES model based on the assumption that normal interactions between subjects (e.g. users) and objects (e.g. files, programs, or devices) can be characterized  users always behave in a consistent manner when they perform operations on the computer system  These usages can be characterized by computing various statistics and correlated with established profiles of normal behaviors  New audit records are verified by matching known profiles for both subjects and their correspondinggroups.  Deviations are then flagged as intrusions  To improve the detection rate, IDES monitors the subject depending on whether the activity happens on an on or off day since user activities on different day types are usually different.  For example, activities for normal users on a working day may be abnormal on an off-working day.  IDES uses P-BEST to describe its rule base
 IDES consisting of two types of rules: generic rules and specific rules.  Generic rules can be used for different target systems  Specific rules are strictly dependent on the operating system and the corresponding implementation.  IDES architecture consists of three main components, namely audit database, profiles database and the system security officer (SSO) user interface. Audit Database User Profile Database User 1 User 2 User 3 System Security Officer (SSO) User Interface Administrator
NIDES (Next-generationIntrusion DetectionExpert System)  NIDES is a hybrid intrusion detection system consisting of a signature-based expert system component as well as a detection component based on statistical approaches.  The expert system improves the old IDES version by encoding more known intrusion scenarios and updating the P-BEST version used.  Detection component based on statistical approaches is based on anomaly detection.  In these approaches over 30 criteria are used to establish normal user profiles including CPU or I/O usage, command used, local network activity, system errors, etc.  The NIDES system is highly modularized with well-defined interfaces between components.  Compared with the IDES, NIDES has higher detection rate since it includes two complementary detection components: intrusions missed by one component maybe caught by the other one. Limitationsof Rule-based Techniques 1. Using rule-based techniques for misuse detection, quite often the burden of extending the rule-base. 2. Developing intrusion scenarios is not an easy task and requires a certain level of expertise and security insight and awareness. 3. Determining the relations between rules is difficult. 4. When many related rules are included in an expert system, correctness of rules is difficult to verify due to the interactions among these rules. 5. Most of the rule bases are outdated and quickly become obsolete.
State-based Techniques  State-based techniques detect known intrusions by using expressions of the system state and state transitions  In state-based techniques, activities contributing to intrusion scenarios are defined as transitions between system states, and thus intrusion scenarios are defined in the form of state transition diagrams.  The state of the system is a function of users or processes. Intrusion scenarios defined by the state transition diagram include three types of states, namely initial state, transition state and compromised state.  An initial state refers to the beginning of the attack, while a compromised state stands for the successful completion of the attack.  Transition states correspond to the successive states occurring between an initial state and a compromised state.  An intrusion occurs if and only if a compromised state is finally reached.
UNIX State Transition AnalysisTool (USTAT)  USTAT is a host-based intrusion detection based on the State Transition Analysis Technique.  USTAT) is based on the assumption that all attackers start from an initial state where they possess limited authorization to access a target system, and then after completing some operations on the target system, they acquire some previously unauthorized capabilities.  USTAT is a prototype implementation of the state transition analysis technique for intrusion detection  It monitors the system state transition from safe to unsafe by representing all known vulnerabilities or intrusion scenarios in the form of a state transition diagram.  In USTAT, over 200 audit events are represented by ten USTAT actions, such as read(file var), modify owner(file var), where the parameter file var stands for the name of certain files.  Known attacks are modeled as a sequence of state transitions that lead from an initial limited authorization state to a final compromised state.  An inference engine in USTAT maintains a state transition table and determines whether the current action will cause a state transition to its successor state by matching the next state with the state transition table. State Transition Based Techniques USTAT Colored Petri-nets
Once the next new state is matched to the final state of the transition table, the intrusion alarm is raised.  Some other members of STAT family o NetSTAT is designed for real-time state-transition analysis of network data. o WebSTAT and logSTAT are two other STAT family members that operate at the application level. o WebSTAT parses the logs produced by Apache web servers, and logSTAT uses UNIX syslog files as input. Colored Petri-nets  IDIOT, the acronym of “Intrusion Detection In Our Time”, is a state-based misuse detection system which uses pattern matching techniques based on the colored petrinets (CPN) model.  Intrusion scenarios are encoded into patterns in IDIOT, and incoming events are verified by matching them against these patterns.  In the CPN model used in the implementation of IDIOT, a guard represents an intrusive signature context and the vertices represent system states. The selected CPN model is referred to as colored petri automata (CPA). The CPA defines a strict declarative specification of intrusions and specifies what patterns need to be matched instead of how to match them.  A simple example of CPA describing the following intrusion scenario: if the number of unsuccessful login attempts exceeds four within one minute report an intrusion.  The combination of arrows and vertical bar stands for a transition between system states.  For example, the transition from states S1 to S2 occurs when there is a token in S1; this stands for an unsuccessful login attempt. The time of first unsuccessful login attempt is saved in the token variable T1. The transition
from S4 to S5 happens if there is a token in S4. The time difference between this and the first unsuccessful login attempt should be more than one minute, otherwise the system state is transferred to the final state S5, in which an alarm will be generated. Advantages 1. First, since the intrusion signatures are written in a system independent script, they can be exchanged across different operating systems and different audit logs. 2. Second, the IDIOT system achieves an excellent real-time performance; only 5-6% CPU overhead was reported when it scanned for 100 different patterns. 3. Third, multiple event sessions can be processed independently and then corresponding detection results are analyzed together to make the final decision. Limitation  It can only detect known vulnerabilities.  Translating known intrusions into patterns is not always easy.  Sophisticated attackers can easily bypass the detection system by changing their attack strategies.
Techniques based on Data Mining intrusion detection is considered as a data analysis process, in which data mining techniques are used to automatically discover and model features of user’s normal or intrusive behaviors. The three types of algorithms are particularly useful for mining audit data, namely- 1. Classification Classification algorithms such as decision tree generate classifiers by learning based on a sufficient amount of normal or abnormal audit data. New audit data are labeled as either normal or abnormal according to the classifier. 2. Link analysis Link analysis determines the relation between fields in the audit database records and normal profiles are usually derived from these relations. 3. Sequence analysis Sequence analysis is used to find sequential patterns in audit data and embed these patterns into intrusion detection models.

Recommended

Ids 014 anomaly detection
Ids 014 anomaly detectionIds 014 anomaly detection
Ids 014 anomaly detection
jyoti_lakhani
 
A Survey On Genetic Algorithm For Intrusion Detection System
A Survey On Genetic Algorithm For Intrusion Detection SystemA Survey On Genetic Algorithm For Intrusion Detection System
A Survey On Genetic Algorithm For Intrusion Detection System
IJARIIE JOURNAL
 
Critical analysis of genetic algorithm based IDS and an approach for detecti...
Critical analysis of genetic algorithm based IDS and an approach for detecti...Critical analysis of genetic algorithm based IDS and an approach for detecti...
Critical analysis of genetic algorithm based IDS and an approach for detecti...
IOSR Journals
 
Computer Worms Based on Monitoring Replication and Damage: Experiment and Eva...
Computer Worms Based on Monitoring Replication and Damage: Experiment and Eva...Computer Worms Based on Monitoring Replication and Damage: Experiment and Eva...
Computer Worms Based on Monitoring Replication and Damage: Experiment and Eva...
IOSRjournaljce
 
Volume 2-issue-6-2190-2194
Volume 2-issue-6-2190-2194Volume 2-issue-6-2190-2194
Volume 2-issue-6-2190-2194
Editor IJARCET
 
A sense of self for unix processes
A sense of self for unix processesA sense of self for unix processes
A sense of self for unix processes
UltraUploader
 
Kx3419591964
Kx3419591964Kx3419591964
Kx3419591964
IJERA Editor
 
Intrusion detection system based on web usage mining
Intrusion detection system based on web usage miningIntrusion detection system based on web usage mining
Intrusion detection system based on web usage mining
IJCSEA Journal
 

Recommended

Ids 014 anomaly detection
Ids 014 anomaly detectionIds 014 anomaly detection
Ids 014 anomaly detection
jyoti_lakhani
 
A Survey On Genetic Algorithm For Intrusion Detection System
A Survey On Genetic Algorithm For Intrusion Detection SystemA Survey On Genetic Algorithm For Intrusion Detection System
A Survey On Genetic Algorithm For Intrusion Detection System
IJARIIE JOURNAL
 
Critical analysis of genetic algorithm based IDS and an approach for detecti...
Critical analysis of genetic algorithm based IDS and an approach for detecti...Critical analysis of genetic algorithm based IDS and an approach for detecti...
Critical analysis of genetic algorithm based IDS and an approach for detecti...
IOSR Journals
 
Computer Worms Based on Monitoring Replication and Damage: Experiment and Eva...
Computer Worms Based on Monitoring Replication and Damage: Experiment and Eva...Computer Worms Based on Monitoring Replication and Damage: Experiment and Eva...
Computer Worms Based on Monitoring Replication and Damage: Experiment and Eva...
IOSRjournaljce
 
Volume 2-issue-6-2190-2194
Volume 2-issue-6-2190-2194Volume 2-issue-6-2190-2194
Volume 2-issue-6-2190-2194
Editor IJARCET
 
A sense of self for unix processes
A sense of self for unix processesA sense of self for unix processes
A sense of self for unix processes
UltraUploader
 
Kx3419591964
Kx3419591964Kx3419591964
Kx3419591964
IJERA Editor
 
Intrusion detection system based on web usage mining
Intrusion detection system based on web usage miningIntrusion detection system based on web usage mining
Intrusion detection system based on web usage mining
IJCSEA Journal
 
A web application detecting dos attack using mca and tam
A web application detecting dos attack using mca and tamA web application detecting dos attack using mca and tam
A web application detecting dos attack using mca and tam
eSAT Journals
 
Abstraction based intrusion detection in distributed environments
Abstraction based intrusion detection in distributed environmentsAbstraction based intrusion detection in distributed environments
Abstraction based intrusion detection in distributed environments
UltraUploader
 
2 14-1346479656-1- a study of feature selection methods in intrusion detectio...
2 14-1346479656-1- a study of feature selection methods in intrusion detectio...2 14-1346479656-1- a study of feature selection methods in intrusion detectio...
2 14-1346479656-1- a study of feature selection methods in intrusion detectio...
Dr. Amrita .
 
IRJET- An Intrusion Detection Framework based on Binary Classifiers Optimized...
IRJET- An Intrusion Detection Framework based on Binary Classifiers Optimized...IRJET- An Intrusion Detection Framework based on Binary Classifiers Optimized...
IRJET- An Intrusion Detection Framework based on Binary Classifiers Optimized...
IRJET Journal
 
INTRUSION DETECTION USING FEATURE SELECTION AND MACHINE LEARNING ALGORITHM WI...
INTRUSION DETECTION USING FEATURE SELECTION AND MACHINE LEARNING ALGORITHM WI...INTRUSION DETECTION USING FEATURE SELECTION AND MACHINE LEARNING ALGORITHM WI...
INTRUSION DETECTION USING FEATURE SELECTION AND MACHINE LEARNING ALGORITHM WI...
ijcsit
 
IRJET - A Secure Approach for Intruder Detection using Backtracking
IRJET - A Secure Approach for Intruder Detection using BacktrackingIRJET - A Secure Approach for Intruder Detection using Backtracking
IRJET - A Secure Approach for Intruder Detection using Backtracking
IRJET Journal
 
Network intrusion detection using supervised machine learning technique with ...
Network intrusion detection using supervised machine learning technique with ...Network intrusion detection using supervised machine learning technique with ...
Network intrusion detection using supervised machine learning technique with ...
CloudTechnologies
 
Data Mining Techniques for Providing Network Security through Intrusion Detec...
Data Mining Techniques for Providing Network Security through Intrusion Detec...Data Mining Techniques for Providing Network Security through Intrusion Detec...
Data Mining Techniques for Providing Network Security through Intrusion Detec...
IJAAS Team
 
Self Evolving Antivirus Based on Neuro-Fuzzy Inference System
Self Evolving Antivirus Based on Neuro-Fuzzy Inference SystemSelf Evolving Antivirus Based on Neuro-Fuzzy Inference System
Self Evolving Antivirus Based on Neuro-Fuzzy Inference System
IJRES Journal
 
A PROPOSED MODEL FOR DIMENSIONALITY REDUCTION TO IMPROVE THE CLASSIFICATION C...
A PROPOSED MODEL FOR DIMENSIONALITY REDUCTION TO IMPROVE THE CLASSIFICATION C...A PROPOSED MODEL FOR DIMENSIONALITY REDUCTION TO IMPROVE THE CLASSIFICATION C...
A PROPOSED MODEL FOR DIMENSIONALITY REDUCTION TO IMPROVE THE CLASSIFICATION C...
IJNSA Journal
 
An Approach of Automatic Data Mining Algorithm for Intrusion Detection and P...
An Approach of Automatic Data Mining Algorithm for Intrusion Detection and P...An Approach of Automatic Data Mining Algorithm for Intrusion Detection and P...
An Approach of Automatic Data Mining Algorithm for Intrusion Detection and P...
IOSR Journals
 
INTRUSION DETECTION SYSTEM CLASSIFICATION USING DIFFERENT MACHINE LEARNING AL...
INTRUSION DETECTION SYSTEM CLASSIFICATION USING DIFFERENT MACHINE LEARNING AL...INTRUSION DETECTION SYSTEM CLASSIFICATION USING DIFFERENT MACHINE LEARNING AL...
INTRUSION DETECTION SYSTEM CLASSIFICATION USING DIFFERENT MACHINE LEARNING AL...
ijcsit
 
Novel Malware Clustering System Based on Kernel Data Structure
Novel Malware Clustering System Based on Kernel Data StructureNovel Malware Clustering System Based on Kernel Data Structure
Novel Malware Clustering System Based on Kernel Data Structure
iosrjce
 
Antimalware
AntimalwareAntimalware
Antimalware
Mayank Chaudhari
 
Deep learning approach for network intrusion detection system
Deep learning approach for network intrusion detection systemDeep learning approach for network intrusion detection system
Deep learning approach for network intrusion detection system
Avinash Kumar
 
Architecture for Intrusion Detection System with Fault Tolerance Using Mobile...
Architecture for Intrusion Detection System with Fault Tolerance Using Mobile...Architecture for Intrusion Detection System with Fault Tolerance Using Mobile...
Architecture for Intrusion Detection System with Fault Tolerance Using Mobile...
IJNSA Journal
 
1762 1765
1762 17651762 1765
1762 1765
Editor IJARCET
 
Vulnerability scanners a proactive approach to assess web application security
Vulnerability scanners a proactive approach to assess web application securityVulnerability scanners a proactive approach to assess web application security
Vulnerability scanners a proactive approach to assess web application security
ijcsa
 
Intrusion detection and anomaly detection system using sequential pattern mining
Intrusion detection and anomaly detection system using sequential pattern miningIntrusion detection and anomaly detection system using sequential pattern mining
Intrusion detection and anomaly detection system using sequential pattern mining
eSAT Journals
 
Intrusion detection and anomaly detection system using sequential pattern mining
Intrusion detection and anomaly detection system using sequential pattern miningIntrusion detection and anomaly detection system using sequential pattern mining
Intrusion detection and anomaly detection system using sequential pattern mining
eSAT Journals
 
Synthesis of Polyurethane Solution (Castor oil based polyol for polyurethane)
Synthesis of Polyurethane Solution (Castor oil based polyol for polyurethane)Synthesis of Polyurethane Solution (Castor oil based polyol for polyurethane)
Synthesis of Polyurethane Solution (Castor oil based polyol for polyurethane)
IJARIIE JOURNAL
 
Data Mining and Intrusion Detection
Data Mining and Intrusion Detection Data Mining and Intrusion Detection
Data Mining and Intrusion Detection
amiable_indian
 

More Related Content

What's hot

A web application detecting dos attack using mca and tam
A web application detecting dos attack using mca and tamA web application detecting dos attack using mca and tam
A web application detecting dos attack using mca and tam
eSAT Journals
 
Abstraction based intrusion detection in distributed environments
Abstraction based intrusion detection in distributed environmentsAbstraction based intrusion detection in distributed environments
Abstraction based intrusion detection in distributed environments
UltraUploader
 
2 14-1346479656-1- a study of feature selection methods in intrusion detectio...
2 14-1346479656-1- a study of feature selection methods in intrusion detectio...2 14-1346479656-1- a study of feature selection methods in intrusion detectio...
2 14-1346479656-1- a study of feature selection methods in intrusion detectio...
Dr. Amrita .
 
INTRUSION DETECTION USING FEATURE SELECTION AND MACHINE LEARNING ALGORITHM WI...
INTRUSION DETECTION USING FEATURE SELECTION AND MACHINE LEARNING ALGORITHM WI...INTRUSION DETECTION USING FEATURE SELECTION AND MACHINE LEARNING ALGORITHM WI...
INTRUSION DETECTION USING FEATURE SELECTION AND MACHINE LEARNING ALGORITHM WI...
ijcsit
 
Data Mining Techniques for Providing Network Security through Intrusion Detec...
Data Mining Techniques for Providing Network Security through Intrusion Detec...Data Mining Techniques for Providing Network Security through Intrusion Detec...
Data Mining Techniques for Providing Network Security through Intrusion Detec...
IJAAS Team
 
A PROPOSED MODEL FOR DIMENSIONALITY REDUCTION TO IMPROVE THE CLASSIFICATION C...
A PROPOSED MODEL FOR DIMENSIONALITY REDUCTION TO IMPROVE THE CLASSIFICATION C...A PROPOSED MODEL FOR DIMENSIONALITY REDUCTION TO IMPROVE THE CLASSIFICATION C...
A PROPOSED MODEL FOR DIMENSIONALITY REDUCTION TO IMPROVE THE CLASSIFICATION C...
IJNSA Journal
 
INTRUSION DETECTION SYSTEM CLASSIFICATION USING DIFFERENT MACHINE LEARNING AL...
INTRUSION DETECTION SYSTEM CLASSIFICATION USING DIFFERENT MACHINE LEARNING AL...INTRUSION DETECTION SYSTEM CLASSIFICATION USING DIFFERENT MACHINE LEARNING AL...
INTRUSION DETECTION SYSTEM CLASSIFICATION USING DIFFERENT MACHINE LEARNING AL...
ijcsit
 
Architecture for Intrusion Detection System with Fault Tolerance Using Mobile...
Architecture for Intrusion Detection System with Fault Tolerance Using Mobile...Architecture for Intrusion Detection System with Fault Tolerance Using Mobile...
Architecture for Intrusion Detection System with Fault Tolerance Using Mobile...
IJNSA Journal
 
Vulnerability scanners a proactive approach to assess web application security
Vulnerability scanners a proactive approach to assess web application securityVulnerability scanners a proactive approach to assess web application security
Vulnerability scanners a proactive approach to assess web application security
ijcsa
 

What's hot (18)

A web application detecting dos attack using mca and tam
A web application detecting dos attack using mca and tamA web application detecting dos attack using mca and tam
A web application detecting dos attack using mca and tam
 
Abstraction based intrusion detection in distributed environments
Abstraction based intrusion detection in distributed environmentsAbstraction based intrusion detection in distributed environments
Abstraction based intrusion detection in distributed environments
 
2 14-1346479656-1- a study of feature selection methods in intrusion detectio...
2 14-1346479656-1- a study of feature selection methods in intrusion detectio...2 14-1346479656-1- a study of feature selection methods in intrusion detectio...
2 14-1346479656-1- a study of feature selection methods in intrusion detectio...
 
IRJET- An Intrusion Detection Framework based on Binary Classifiers Optimized...
IRJET- An Intrusion Detection Framework based on Binary Classifiers Optimized...IRJET- An Intrusion Detection Framework based on Binary Classifiers Optimized...
IRJET- An Intrusion Detection Framework based on Binary Classifiers Optimized...
 
INTRUSION DETECTION USING FEATURE SELECTION AND MACHINE LEARNING ALGORITHM WI...
INTRUSION DETECTION USING FEATURE SELECTION AND MACHINE LEARNING ALGORITHM WI...INTRUSION DETECTION USING FEATURE SELECTION AND MACHINE LEARNING ALGORITHM WI...
INTRUSION DETECTION USING FEATURE SELECTION AND MACHINE LEARNING ALGORITHM WI...
 
IRJET - A Secure Approach for Intruder Detection using Backtracking
IRJET - A Secure Approach for Intruder Detection using BacktrackingIRJET - A Secure Approach for Intruder Detection using Backtracking
IRJET - A Secure Approach for Intruder Detection using Backtracking
 
Network intrusion detection using supervised machine learning technique with ...
Network intrusion detection using supervised machine learning technique with ...Network intrusion detection using supervised machine learning technique with ...
Network intrusion detection using supervised machine learning technique with ...
 
Data Mining Techniques for Providing Network Security through Intrusion Detec...
Data Mining Techniques for Providing Network Security through Intrusion Detec...Data Mining Techniques for Providing Network Security through Intrusion Detec...
Data Mining Techniques for Providing Network Security through Intrusion Detec...
 
Self Evolving Antivirus Based on Neuro-Fuzzy Inference System
Self Evolving Antivirus Based on Neuro-Fuzzy Inference SystemSelf Evolving Antivirus Based on Neuro-Fuzzy Inference System
Self Evolving Antivirus Based on Neuro-Fuzzy Inference System
 
A PROPOSED MODEL FOR DIMENSIONALITY REDUCTION TO IMPROVE THE CLASSIFICATION C...
A PROPOSED MODEL FOR DIMENSIONALITY REDUCTION TO IMPROVE THE CLASSIFICATION C...A PROPOSED MODEL FOR DIMENSIONALITY REDUCTION TO IMPROVE THE CLASSIFICATION C...
A PROPOSED MODEL FOR DIMENSIONALITY REDUCTION TO IMPROVE THE CLASSIFICATION C...
 
An Approach of Automatic Data Mining Algorithm for Intrusion Detection and P...
An Approach of Automatic Data Mining Algorithm for Intrusion Detection and P...An Approach of Automatic Data Mining Algorithm for Intrusion Detection and P...
An Approach of Automatic Data Mining Algorithm for Intrusion Detection and P...
 
INTRUSION DETECTION SYSTEM CLASSIFICATION USING DIFFERENT MACHINE LEARNING AL...
INTRUSION DETECTION SYSTEM CLASSIFICATION USING DIFFERENT MACHINE LEARNING AL...INTRUSION DETECTION SYSTEM CLASSIFICATION USING DIFFERENT MACHINE LEARNING AL...
INTRUSION DETECTION SYSTEM CLASSIFICATION USING DIFFERENT MACHINE LEARNING AL...
 
Novel Malware Clustering System Based on Kernel Data Structure
Novel Malware Clustering System Based on Kernel Data StructureNovel Malware Clustering System Based on Kernel Data Structure
Novel Malware Clustering System Based on Kernel Data Structure
 
Antimalware
AntimalwareAntimalware
Antimalware
 
Deep learning approach for network intrusion detection system
Deep learning approach for network intrusion detection systemDeep learning approach for network intrusion detection system
Deep learning approach for network intrusion detection system
 
Architecture for Intrusion Detection System with Fault Tolerance Using Mobile...
Architecture for Intrusion Detection System with Fault Tolerance Using Mobile...Architecture for Intrusion Detection System with Fault Tolerance Using Mobile...
Architecture for Intrusion Detection System with Fault Tolerance Using Mobile...
 
1762 1765
1762 17651762 1765
1762 1765
 
Vulnerability scanners a proactive approach to assess web application security
Vulnerability scanners a proactive approach to assess web application securityVulnerability scanners a proactive approach to assess web application security
Vulnerability scanners a proactive approach to assess web application security
 

Similar to Ids 013 detection approaches

Intrusion detection and anomaly detection system using sequential pattern mining
Intrusion detection and anomaly detection system using sequential pattern miningIntrusion detection and anomaly detection system using sequential pattern mining
Intrusion detection and anomaly detection system using sequential pattern mining
eSAT Journals
 
Intrusion detection and anomaly detection system using sequential pattern mining
Intrusion detection and anomaly detection system using sequential pattern miningIntrusion detection and anomaly detection system using sequential pattern mining
Intrusion detection and anomaly detection system using sequential pattern mining
eSAT Journals
 
Synthesis of Polyurethane Solution (Castor oil based polyol for polyurethane)
Synthesis of Polyurethane Solution (Castor oil based polyol for polyurethane)Synthesis of Polyurethane Solution (Castor oil based polyol for polyurethane)
Synthesis of Polyurethane Solution (Castor oil based polyol for polyurethane)
IJARIIE JOURNAL
 
The Practical Data Mining Model for Efficient IDS through Relational Databases
The Practical Data Mining Model for Efficient IDS through Relational DatabasesThe Practical Data Mining Model for Efficient IDS through Relational Databases
The Practical Data Mining Model for Efficient IDS through Relational Databases
IJRES Journal
 
COMPUTER INTRUSION DETECTION BY TWOOBJECTIVE FUZZY GENETIC ALGORITHM
COMPUTER INTRUSION DETECTION BY TWOOBJECTIVE FUZZY GENETIC ALGORITHMCOMPUTER INTRUSION DETECTION BY TWOOBJECTIVE FUZZY GENETIC ALGORITHM
COMPUTER INTRUSION DETECTION BY TWOOBJECTIVE FUZZY GENETIC ALGORITHM
cscpconf
 
Volume 2-issue-6-2190-2194
Volume 2-issue-6-2190-2194Volume 2-issue-6-2190-2194
Volume 2-issue-6-2190-2194
Editor IJARCET
 
Review of Intrusion and Anomaly Detection Techniques
Review of Intrusion and Anomaly Detection Techniques Review of Intrusion and Anomaly Detection Techniques
Review of Intrusion and Anomaly Detection Techniques
IJMER
 
AN IMPROVED METHOD TO DETECT INTRUSION USING MACHINE LEARNING ALGORITHMS
AN IMPROVED METHOD TO DETECT INTRUSION USING MACHINE LEARNING ALGORITHMSAN IMPROVED METHOD TO DETECT INTRUSION USING MACHINE LEARNING ALGORITHMS
AN IMPROVED METHOD TO DETECT INTRUSION USING MACHINE LEARNING ALGORITHMS
ieijjournal
 
AN IMPROVED METHOD TO DETECT INTRUSION USING MACHINE LEARNING ALGORITHMS
AN IMPROVED METHOD TO DETECT INTRUSION USING MACHINE LEARNING ALGORITHMSAN IMPROVED METHOD TO DETECT INTRUSION USING MACHINE LEARNING ALGORITHMS
AN IMPROVED METHOD TO DETECT INTRUSION USING MACHINE LEARNING ALGORITHMS
ieijjournal1
 
Detecting Anomaly IDS in Network using Bayesian Network
Detecting Anomaly IDS in Network using Bayesian NetworkDetecting Anomaly IDS in Network using Bayesian Network
Detecting Anomaly IDS in Network using Bayesian Network
IOSR Journals
 

Similar to Ids 013 detection approaches (20)

Intrusion detection and anomaly detection system using sequential pattern mining
Intrusion detection and anomaly detection system using sequential pattern miningIntrusion detection and anomaly detection system using sequential pattern mining
Intrusion detection and anomaly detection system using sequential pattern mining
 
Intrusion detection and anomaly detection system using sequential pattern mining
Intrusion detection and anomaly detection system using sequential pattern miningIntrusion detection and anomaly detection system using sequential pattern mining
Intrusion detection and anomaly detection system using sequential pattern mining
 
Synthesis of Polyurethane Solution (Castor oil based polyol for polyurethane)
Synthesis of Polyurethane Solution (Castor oil based polyol for polyurethane)Synthesis of Polyurethane Solution (Castor oil based polyol for polyurethane)
Synthesis of Polyurethane Solution (Castor oil based polyol for polyurethane)
 
Data Mining and Intrusion Detection
Data Mining and Intrusion Detection Data Mining and Intrusion Detection
Data Mining and Intrusion Detection
 
A Survey On Intrusion Detection Systems
A Survey On Intrusion Detection SystemsA Survey On Intrusion Detection Systems
A Survey On Intrusion Detection Systems
 
Kb2417221726
Kb2417221726Kb2417221726
Kb2417221726
 
The Practical Data Mining Model for Efficient IDS through Relational Databases
The Practical Data Mining Model for Efficient IDS through Relational DatabasesThe Practical Data Mining Model for Efficient IDS through Relational Databases
The Practical Data Mining Model for Efficient IDS through Relational Databases
 
5
55
5
 
DB-OLS: An Approach for IDS1
DB-OLS: An Approach for IDS1DB-OLS: An Approach for IDS1
DB-OLS: An Approach for IDS1
 
Intrusion Detection System (IDS): Anomaly Detection using Outlier Detection A...
Intrusion Detection System (IDS): Anomaly Detection using Outlier Detection A...Intrusion Detection System (IDS): Anomaly Detection using Outlier Detection A...
Intrusion Detection System (IDS): Anomaly Detection using Outlier Detection A...
 
COMPUTER INTRUSION DETECTION BY TWOOBJECTIVE FUZZY GENETIC ALGORITHM
COMPUTER INTRUSION DETECTION BY TWOOBJECTIVE FUZZY GENETIC ALGORITHMCOMPUTER INTRUSION DETECTION BY TWOOBJECTIVE FUZZY GENETIC ALGORITHM
COMPUTER INTRUSION DETECTION BY TWOOBJECTIVE FUZZY GENETIC ALGORITHM
 
Understanding Intrusion Detection & Prevention Systems (1).pptx
Understanding Intrusion Detection & Prevention Systems (1).pptxUnderstanding Intrusion Detection & Prevention Systems (1).pptx
Understanding Intrusion Detection & Prevention Systems (1).pptx
 
Volume 2-issue-6-2190-2194
Volume 2-issue-6-2190-2194Volume 2-issue-6-2190-2194
Volume 2-issue-6-2190-2194
 
Review of Intrusion and Anomaly Detection Techniques
Review of Intrusion and Anomaly Detection Techniques Review of Intrusion and Anomaly Detection Techniques
Review of Intrusion and Anomaly Detection Techniques
 
AN IMPROVED METHOD TO DETECT INTRUSION USING MACHINE LEARNING ALGORITHMS
AN IMPROVED METHOD TO DETECT INTRUSION USING MACHINE LEARNING ALGORITHMSAN IMPROVED METHOD TO DETECT INTRUSION USING MACHINE LEARNING ALGORITHMS
AN IMPROVED METHOD TO DETECT INTRUSION USING MACHINE LEARNING ALGORITHMS
 
AN IMPROVED METHOD TO DETECT INTRUSION USING MACHINE LEARNING ALGORITHMS
AN IMPROVED METHOD TO DETECT INTRUSION USING MACHINE LEARNING ALGORITHMSAN IMPROVED METHOD TO DETECT INTRUSION USING MACHINE LEARNING ALGORITHMS
AN IMPROVED METHOD TO DETECT INTRUSION USING MACHINE LEARNING ALGORITHMS
 
Idps
IdpsIdps
Idps
 
A Comprehensive Review On Intrusion Detection System And Techniques
A Comprehensive Review On Intrusion Detection System And TechniquesA Comprehensive Review On Intrusion Detection System And Techniques
A Comprehensive Review On Intrusion Detection System And Techniques
 
C3602021025
C3602021025C3602021025
C3602021025
 
Detecting Anomaly IDS in Network using Bayesian Network
Detecting Anomaly IDS in Network using Bayesian NetworkDetecting Anomaly IDS in Network using Bayesian Network
Detecting Anomaly IDS in Network using Bayesian Network
 

More from jyoti_lakhani

Ds06 linked list- insert a node after a given node
Ds06 linked list- insert a node after a given nodeDs06 linked list- insert a node after a given node
Ds06 linked list- insert a node after a given node
jyoti_lakhani
 
Ds01 data structure introduction - by jyoti lakhani
Ds01 data structure introduction - by jyoti lakhaniDs01 data structure introduction - by jyoti lakhani
Ds01 data structure introduction - by jyoti lakhani
jyoti_lakhani
 

More from jyoti_lakhani (20)

CG02 Computer Graphic Systems.ppsx
CG02 Computer Graphic Systems.ppsxCG02 Computer Graphic Systems.ppsx
CG02 Computer Graphic Systems.ppsx
 
Projections.pptx
Projections.pptxProjections.pptx
Projections.pptx
 
CG04 Color Models.ppsx
CG04 Color Models.ppsxCG04 Color Models.ppsx
CG04 Color Models.ppsx
 
CG03 Random Raster Scan displays and Color CRTs.ppsx
CG03 Random Raster Scan displays and Color CRTs.ppsxCG03 Random Raster Scan displays and Color CRTs.ppsx
CG03 Random Raster Scan displays and Color CRTs.ppsx
 
CG02 Computer Graphic Systems.pptx
CG02 Computer Graphic Systems.pptxCG02 Computer Graphic Systems.pptx
CG02 Computer Graphic Systems.pptx
 
CG01 introduction.ppsx
CG01 introduction.ppsxCG01 introduction.ppsx
CG01 introduction.ppsx
 
Doubly linked list
Doubly linked listDoubly linked list
Doubly linked list
 
Double ended queue
Double ended queueDouble ended queue
Double ended queue
 
Tree terminology and introduction to binary tree
Tree terminology and introduction to binary treeTree terminology and introduction to binary tree
Tree terminology and introduction to binary tree
 
Priority queue
Priority queuePriority queue
Priority queue
 
Ds006 linked list- delete from front
Ds006 linked list- delete from frontDs006 linked list- delete from front
Ds006 linked list- delete from front
 
Ds06 linked list- insert a node after a given node
Ds06 linked list- insert a node after a given nodeDs06 linked list- insert a node after a given node
Ds06 linked list- insert a node after a given node
 
Ds06 linked list- insert a node at end
Ds06 linked list- insert a node at endDs06 linked list- insert a node at end
Ds06 linked list- insert a node at end
 
Ds06 linked list- insert a node at beginning
Ds06 linked list- insert a node at beginningDs06 linked list- insert a node at beginning
Ds06 linked list- insert a node at beginning
 
Ds06 linked list- intro and create a node
Ds06 linked list- intro and create a nodeDs06 linked list- intro and create a node
Ds06 linked list- intro and create a node
 
Ds04 abstract data types (adt) jyoti lakhani
Ds04 abstract data types (adt) jyoti lakhaniDs04 abstract data types (adt) jyoti lakhani
Ds04 abstract data types (adt) jyoti lakhani
 
Ds03 part i algorithms by jyoti lakhani
Ds03 part i algorithms by jyoti lakhaniDs03 part i algorithms by jyoti lakhani
Ds03 part i algorithms by jyoti lakhani
 
Ds03 algorithms jyoti lakhani
Ds03 algorithms jyoti lakhaniDs03 algorithms jyoti lakhani
Ds03 algorithms jyoti lakhani
 
Ds02 flow chart and pseudo code
Ds02 flow chart and pseudo codeDs02 flow chart and pseudo code
Ds02 flow chart and pseudo code
 
Ds01 data structure introduction - by jyoti lakhani
Ds01 data structure introduction - by jyoti lakhaniDs01 data structure introduction - by jyoti lakhani
Ds01 data structure introduction - by jyoti lakhani
 

Recently uploaded

ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
VictorSzoltysek
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
API Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governanceAPI Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governance
WSO2
 

Recently uploaded (20)

Decarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceDecarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational Performance
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
API Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governanceAPI Governance and Monetization - The evolution of API governance
API Governance and Monetization - The evolution of API governance
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptx
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 

Ids 013 detection approaches

  • 1. Detection Approaches: Misuse Detection The basic principle of intrusion detection is based on the assumption that intrusive activities are noticeably different from normal ones and thus are detectable. Anomaly based intrusion detection approaches Establishing a model of the data flow that is monitored under normal conditions without the presence of any intrusive procedures Misuse detection approaches Aim to encode knowledge about patterns in the data flow that are known to correspond to intrusive procedures in form of specific signatures Specification based detection approaches Security experts predefine the allowed system behaviors and thus events that do not match the specifications are labeled as attacks Detection Approaches Misuse Detection Anomaly Detection Specification-based Detection
  • 2. Misuse Detection Intrusions are detected by matching actual behavior recorded in audit trails with known suspicious patterns. Misuse detection is fully effective in uncovering known attacks Limitations It is useless when faced with unknown or novel forms of attacks for which the signatures are not yet available. For known attacks, defining a signature that encompasses all possible variations of the attack is difficult. Any mistakes in the definition of these signatures will increase the false alarm rate and decrease the effectiveness of the detection technique. A typical misuse detection model The model consists of four components: 1. Data collection 2. Systemprofile 3. Misuse detectionand 4. Response
  • 3. Data are collected from one or many data sources including audit trails, network traffic, system call trace, etc. Collected data are transferred into a format is used to characterize normal and abnormal behaviors. The profiles characterize what a normal subject behavior should be and what operations the subjects typically would perform or do not perform on the objects. The profiles are matched with actual system activities and reported as intrusions in case of deviations. Techniques commonly used to implement Misuse Detection Pattern Matching  Commonly used in the network based intrusion detection systems  Attack patterns are modeled, matched and identified based on the packet head, packet content or both  In host-based intrusion detection systems, the system calls in a system audit trail is used for misuse detection Misuse Detection Techniques Pattern Matching Rule-based Techniques Techniques based on Data Mining State-based Techniques
  • 4.  With the continual emerging of new types and varied forms of attacks the number of signatures is constantly growing, thus making the pattern matching more expensive in terms of the computational cost.  In order to address this limitation, Abbes et al (2004) propose a method combining a novel protocol analysis approach with traditional pattern matching to improve the performance of pattern matching  The protocol analysis checks patterns in specific parts of the packet rather than in the entire payload and it is implemented based on the construction of a decision tree.  Adv: The biggest advantage of this approach is that it can reduce the search space for patterns that results in a fast search.  Adv: The approach has the potential to reduce the number of false positives since patterns are matched only in the extracted protocol fields.  Kreibich and Crowcroft (2004) studied the performance evaluation of pattern matching based intrusion detection approaches  A workload model is proposed to provide reasonably accurate estimates compared to real workloads  The model attempts to emulate a traffic mix of different applications, reflecting the characteristics of each application and the way these applications interact with the system.  The model has been implemented as part of a traffic generator Rule-based Techniques  Rule-based expert system is one of the earliest techniques used
  • 5.  Expert systems encode intrusive scenarios as a set of rules, which are matched against audit or network traffic data  Any deviation in the rule matching process is reported as an intrusion. MIDAS (Multics Intrusion Detectionand Alerting System)  Developed by the National Computer Security Center (NCSC) to monitor intrusions for NCSC’s networked mainframe  It uses and analyzes audit log data by combining the expert system technology with statistical analysis  MIDAS uses the Production Based Expert System Toolset (PBEST) in discriminating and implementing the rule base, which is written in LISP language  The structure of the rules in the P-BEST rule base includes two layers. Rule-based Techniques MIDAS IDES NIDES
  • 6.  The first(lower) layer is used to match certain types of events such as number of user logins, and then fires new events by setting up a particular threshold of suspicion.  Rules in the second (higher) layer process these suspicions and decide whether the system should raise an alert or not.  Figure 2.2 illustrates an example of MIDAS rule. The rule defines an intrusion scenario involving some unusual login time. It determines whether the time when the user logins is outside normal hours or not. The rule also illustrates that an unusual behavior does not necessarily stands for an intrusion. (Lower Layer): Check Events ( (Higher Layer): Process Events Alarm Generator Event Listener Rules
  • 7. IDES (Intrusion DetectionExpert System)  The IDES model based on the assumption that normal interactions between subjects (e.g. users) and objects (e.g. files, programs, or devices) can be characterized  users always behave in a consistent manner when they perform operations on the computer system  These usages can be characterized by computing various statistics and correlated with established profiles of normal behaviors  New audit records are verified by matching known profiles for both subjects and their correspondinggroups.  Deviations are then flagged as intrusions  To improve the detection rate, IDES monitors the subject depending on whether the activity happens on an on or off day since user activities on different day types are usually different.  For example, activities for normal users on a working day may be abnormal on an off-working day.  IDES uses P-BEST to describe its rule base
  • 8.  IDES consisting of two types of rules: generic rules and specific rules.  Generic rules can be used for different target systems  Specific rules are strictly dependent on the operating system and the corresponding implementation.  IDES architecture consists of three main components, namely audit database, profiles database and the system security officer (SSO) user interface. Audit Database User Profile Database User 1 User 2 User 3 System Security Officer (SSO) User Interface Administrator
  • 9. NIDES (Next-generationIntrusion DetectionExpert System)  NIDES is a hybrid intrusion detection system consisting of a signature-based expert system component as well as a detection component based on statistical approaches.  The expert system improves the old IDES version by encoding more known intrusion scenarios and updating the P-BEST version used.  Detection component based on statistical approaches is based on anomaly detection.  In these approaches over 30 criteria are used to establish normal user profiles including CPU or I/O usage, command used, local network activity, system errors, etc.  The NIDES system is highly modularized with well-defined interfaces between components.  Compared with the IDES, NIDES has higher detection rate since it includes two complementary detection components: intrusions missed by one component maybe caught by the other one. Limitationsof Rule-based Techniques 1. Using rule-based techniques for misuse detection, quite often the burden of extending the rule-base. 2. Developing intrusion scenarios is not an easy task and requires a certain level of expertise and security insight and awareness. 3. Determining the relations between rules is difficult. 4. When many related rules are included in an expert system, correctness of rules is difficult to verify due to the interactions among these rules. 5. Most of the rule bases are outdated and quickly become obsolete.
  • 10. State-based Techniques  State-based techniques detect known intrusions by using expressions of the system state and state transitions  In state-based techniques, activities contributing to intrusion scenarios are defined as transitions between system states, and thus intrusion scenarios are defined in the form of state transition diagrams.  The state of the system is a function of users or processes. Intrusion scenarios defined by the state transition diagram include three types of states, namely initial state, transition state and compromised state.  An initial state refers to the beginning of the attack, while a compromised state stands for the successful completion of the attack.  Transition states correspond to the successive states occurring between an initial state and a compromised state.  An intrusion occurs if and only if a compromised state is finally reached.
  • 11. UNIX State Transition AnalysisTool (USTAT)  USTAT is a host-based intrusion detection based on the State Transition Analysis Technique.  USTAT) is based on the assumption that all attackers start from an initial state where they possess limited authorization to access a target system, and then after completing some operations on the target system, they acquire some previously unauthorized capabilities.  USTAT is a prototype implementation of the state transition analysis technique for intrusion detection  It monitors the system state transition from safe to unsafe by representing all known vulnerabilities or intrusion scenarios in the form of a state transition diagram.  In USTAT, over 200 audit events are represented by ten USTAT actions, such as read(file var), modify owner(file var), where the parameter file var stands for the name of certain files.  Known attacks are modeled as a sequence of state transitions that lead from an initial limited authorization state to a final compromised state.  An inference engine in USTAT maintains a state transition table and determines whether the current action will cause a state transition to its successor state by matching the next state with the state transition table. State Transition Based Techniques USTAT Colored Petri-nets
  • 12. Once the next new state is matched to the final state of the transition table, the intrusion alarm is raised.  Some other members of STAT family o NetSTAT is designed for real-time state-transition analysis of network data. o WebSTAT and logSTAT are two other STAT family members that operate at the application level. o WebSTAT parses the logs produced by Apache web servers, and logSTAT uses UNIX syslog files as input. Colored Petri-nets  IDIOT, the acronym of “Intrusion Detection In Our Time”, is a state-based misuse detection system which uses pattern matching techniques based on the colored petrinets (CPN) model.  Intrusion scenarios are encoded into patterns in IDIOT, and incoming events are verified by matching them against these patterns.  In the CPN model used in the implementation of IDIOT, a guard represents an intrusive signature context and the vertices represent system states. The selected CPN model is referred to as colored petri automata (CPA). The CPA defines a strict declarative specification of intrusions and specifies what patterns need to be matched instead of how to match them.  A simple example of CPA describing the following intrusion scenario: if the number of unsuccessful login attempts exceeds four within one minute report an intrusion.  The combination of arrows and vertical bar stands for a transition between system states.  For example, the transition from states S1 to S2 occurs when there is a token in S1; this stands for an unsuccessful login attempt. The time of first unsuccessful login attempt is saved in the token variable T1. The transition
  • 13. from S4 to S5 happens if there is a token in S4. The time difference between this and the first unsuccessful login attempt should be more than one minute, otherwise the system state is transferred to the final state S5, in which an alarm will be generated. Advantages 1. First, since the intrusion signatures are written in a system independent script, they can be exchanged across different operating systems and different audit logs. 2. Second, the IDIOT system achieves an excellent real-time performance; only 5-6% CPU overhead was reported when it scanned for 100 different patterns. 3. Third, multiple event sessions can be processed independently and then corresponding detection results are analyzed together to make the final decision. Limitation  It can only detect known vulnerabilities.  Translating known intrusions into patterns is not always easy.  Sophisticated attackers can easily bypass the detection system by changing their attack strategies.
  • 14. Techniques based on Data Mining intrusion detection is considered as a data analysis process, in which data mining techniques are used to automatically discover and model features of user’s normal or intrusive behaviors. The three types of algorithms are particularly useful for mining audit data, namely- 1. Classification Classification algorithms such as decision tree generate classifiers by learning based on a sufficient amount of normal or abnormal audit data. New audit data are labeled as either normal or abnormal according to the classifier. 2. Link analysis Link analysis determines the relation between fields in the audit database records and normal profiles are usually derived from these relations. 3. Sequence analysis Sequence analysis is used to find sequential patterns in audit data and embed these patterns into intrusion detection models.