Intrusion Detection Systems
Lecture #2
Basic Concepts of Security &
Introduction to Intrusion Detection
Basic Concepts
• Security Threat: Set of circumstances that has
the potential to cause harm to systems and
organizations
• Security Attack: Action that compromises information
security by exploiting a vulnerability in a system
• Security Mechanism: Mechanisms to Prevent,
Detect and Recover from a security attack
12/8/2017 2
Hitesh Mohapatra,Ph.D
Introduction to IDS
Information Security
• Information security is the protection of information and
information systems from unauthorized access, disclosure,
modification, inspection, or destruction
• The goal of information security is to protect the
Confidentiality, Integrity and Availability (CIA) of information
from unauthorized users
• Government organizations, military, corporations, credit card
companies, financial institutions, hospitals, private businesses,
etc. deal with confidential information about their employees,
customers, products, research, financial status, etc.
• Most of this information is collected, processed and stored on
computers and transmitted across networks to other computers
Important Features of
Security/Security Goals
• Computer security is based on three concepts:
– Confidentiality
– Integrity
– Availability
Confidentiality
• Confidentiality is the property of preventing the
disclosure of information to unauthorized individuals
• Mechanisms of protection of confidentiality in
information systems are cryptography and access
controls
• Example:
– A credit card transaction on the Internet requires the
credit card details to be transmitted from the buyer to the
merchant and from the merchant to a transaction
processing network. Confidentiality can be enforced by
encrypting the card details during transmission
Integrity
• Integrity is concerned with the trustworthiness,
origin, completeness and correctness of data
• It prevents the unauthorized modification of data
• Integrity includes data integrity (integrity of
information itself) and origin integrity (integrity
of the source of information – authentication)
• Authentication
– Proving the authenticity of an identity by determining
that it is indeed the person or the system that it
claims to be. Eg. passwords, digital certificates, etc.
Availability
• Availability refers to the ability to use the information
or resource desired
• Attacks against availability are known as Denial of
Service Attacks – DoS (Attempt to make a machine or
network resource unavailable to its intended users)
Authorization
• After proving the identity at the authentication
stage, users are assigned a set of authorizations (also
referred to as rights, privileges, or permissions) that
define what they can do on the system
• Authorizations are most commonly defined by the
system’s security policy and are set by the system
administrator
• Authorization is the process of granting rights
depending on the identity of the user - be it a human
being or another system
Non-Repudiation
• Non-repudiation means that it can be verified that
the sender and the recipient were, in fact, the parties
who claimed to send or receive the message
• It implies that one party of a transaction cannot deny
having received a transaction nor can the other party
deny having sent a transaction
• Technology such as digital signatures and public key
encryption are used to establish authenticity and
non-repudiation
Vulnerability
• A vulnerability is a weakness in a system that could be
exploited to compromise the confidentiality, integrity
or availability of data or resources
• Security attacks are of two types:
– Passive Attack attempts to learn or make use of
information from the system but does not affect system
resources: so it compromises confidentiality
Eg. Eavesdropping/Message Interception
– Active Attack attempts to alter system resources or affect
their operation: so it compromises integrity or availability
Eg. Interruption, Modification, Fabrication, Denial-of-Service
(DoS) attack
Security Attacks
• Information Transfer: Normal Flow
Passive Attack: Eavesdropping – Message Interception
(Confidentiality Attack)
• Eavesdropping or sniffing is unauthorized access to communications in
search of sensitive information such as passwords or any other kind of
confidential data. When an attacker is eavesdropping on the
communications, it is referred to as sniffing or snooping
Interception Attack
• In an interception attack, an unauthorized
individual gains access to confidential or
private information
• Interception attacks are attacks against
confidentiality
• These attacks can take the form of:
– Eavesdropping on communication
– Wiretapping telecommunications networks
– Illicit copying of files or programs
– Obtaining copies of messages for later replay
Active Attack: Interruption
(Availability Attack – DoS Attack)
• The attacker disrupts the flow of the message from the sender to
the receiver
• In an interruption attack, a network service is degraded or made
unavailable for legitimate use
Interruption Attack
• Interruption attacks are attacks against the
availability of the network
• These attacks can take the form of:
– Overloading a server host so that it cannot respond
– Blocking access to a service by overloading an
intermediate network or network device
– Redirecting requests to invalid destinations
– Malicious destruction of the software or hardware involved
– Theft of software or hardware involved
Active Attack: Modification
(Integrity Attack)
• An attacker can modify the data in the packet without the
knowledge of the sender or receiver
Modification Attack
• In a modification attack, an unauthorized
individual not only gains access to, but tampers
with information, resources or services
• Modification attacks are attacks against the
integrity of the network
• These attacks can take the form of:
– Modifying the contents of messages in the network
– Changing information stored in data files
– Altering programs so they perform differently
– Reconfiguring system hardware or network topologies
• Also called “man in the middle” attacks
Active Attack: Fabrication
(Authenticity Attack)
• Unauthorized assumption of another's identity in order to
perform malicious activities
Fabrication Attack
• In a fabrication attack, an individual inserts counterfeit
information, resources, or services into the network
• Fabrication attacks are attacks against the
authentication, access control, and authorization
capabilities of the network
• These attacks can take the form of:
– Taking the address of another host or service, essentially
becoming that host or service
– Inserting messages into the network using the identity of
another individual
– Replaying previously intercepted messages
– Spoofing a web site or other network service
• Also called “masquerading” attacks
What an Attacker can Do?
• A computer interacts with the outside world
by:
– Physical means
• Mouse, keyboard, CD/DVD, etc.
– Networking
• Ethernet, wireless network, Internet, Social network, etc.
• The attacker is able to reach many components
of the system through networking technologies
(most attacks come from the network)
Need of Intrusion Detection
• Prevention based security mechanisms such as
authentication, authorization, access control, firewall,
data encryption, etc. are often found to be inadequate
in satisfying the security needs of modern information
systems
• Prevention techniques alone are not sufficient in
securing sensitive information against novel attacks
(insider attacks) and preventing vulnerability exploits
• A dynamic monitoring entity known as Intrusion
Detection System (IDS) is therefore essential, which can
complement the static monitoring abilities of
traditional security models
IDS Terminology
• System: An information system being monitored by
an intrusion detection system. Eg. workstation,
server, web server, etc.
• Audit: It denotes information provided by a system
concerning its internal workings and behavior. Eg.
audit trails, accounting, event log, etc.
• Alarm: A signal suggesting that a system has been or
is being attacked
IDS Terminology
• True Positive: A legitimate attack which triggers an
IDS to produce an alarm
• False Positive: An event signaling an IDS to produce
an alarm when no attack has taken place
• False Negative: A failure of an IDS to detect an actual
attack
• True Negative: When no attack has taken place and
no alarm is raised
Intrusion and Intrusion Detection
• An intrusion is defined as: Any set of actions that
attempts to “compromise the confidentiality,
integrity, or availability of a system/resource” or
“bypass the security mechanisms of a computer or
network”
• Intrusion detection is defined as “The problem of
identifying individuals who are using a computer
system without authorization (i.e., ‘crackers’) and
those who have legitimate access to the system but
are abusing their privileges (i.e., ‘insider threat’)”
Intrusion Detection System (IDS)
• An Intrusion Detection System (IDS) is a hardware or
software product, which dynamically monitors the
actions taken in a given system, and decides whether
these actions constitute an attack or a legitimate use
of the system
• IDS collects data from current activities in a system,
analyzes the data and presents it to the
administrator for further action/analysis
Intrusion Detection System (IDS)
• An Intrusion Detection System aims at identifying
intrusions caused by malicious users who attempt to
gain privileges not granted to them (outside intrusion)
and also by authorized users who try to misuse the
privileges assigned to them (inside intrusion)
Brief History of Intrusion Detection
• In The Beginning…
– Manual Intrusion Detection in practice
• System administrators manually monitored users' activity
• Ad hoc and non-scalable
• The Study of Intrusion Detection
– Was started by James P. Anderson [1] in 1980
“Computer Security Threat Monitoring and Surveillance”
• Anderson’s Technical Report
– Introduced the notion of audit trails
– Suggested that audit trails contain vital information that could be
valuable in tracking misuse and understanding user behavior
– Formed the foundation of host-based intrusion detection and of IDS in general
Brief History of Intrusion Detection
• Dr. Dorothy Denning developed an Intrusion
Detection Expert System (IDES) [2] in the early 1980s
– Proposed “An Intrusion Detection Model” in 1987 which is
the first general intrusion detection model
• Heberlein et al. [3] introduced the idea of network
intrusion detection in 1990 - A Network Security
Monitor (NSM)
• Mukherjee et al. [4], proposed Network Intrusion
Detection in 1994
• … and so on
Types of Intrusion and Intruder
• Based on the source from which it occurs, intrusion
can be classified as:
– Outside intrusion
– Inside intrusion
Outside Intrusion/Outsider
Attack/External Penetration
• Malicious transactions are executed by unauthorized
users from outside the organization, who may gain
access to the system by exploiting system vulnerabilities
• The person who intrudes into a system in such a manner is
called an outside intruder (external perpetrator)
• An outside intruder normally attacks systems through the
Internet
• They mostly exploit the vulnerabilities in firewalls,
routers, web services and the services running on the
operating system for performing intrusive activities
Inside Intrusion/Insider Attack/Internal
Penetration
• Unauthorized transactions are carried out by
authorized users, within the organization
• A person who intrudes from within an organization in
such a manner is called an inside intruder
• These attacks bring the most challenging threats to
the systems and are difficult to defend against as:
– Inside intruders may have certain access rights to data and
resources
– They could also be familiar with a part of the database
schema and security setup of the organization
Internal Intruders
• Anderson [1] divided internal intruders into three
subgroups, in increasing order of difficulty of
detection - masquerader, legitimate user and
clandestine user
• Masqueraders
– Assume the identity of a legitimate user and penetrate
a computer system
– Either an external penetrator who has succeeded in
penetrating the access controls
– Or an employee with access to the computer system who
tries to exploit another legitimate user's account
whose user id and password he may have obtained
Masquerader
• Instances of misuse by the masquerader can be
detected by analysis of audit trail records to
determine "extra" use of a system by the
unauthorized user, such as:
– Use of system outside of normal time
– Abnormal frequency of use
– Abnormal volume of data reference
– Abnormal pattern of reference to programs or data
Legitimate User
• Legitimate users are commonly internal users and can be of
two types:
– Authorized user with limited permissions, who is trying to gain
privileges that he is not authorized to
– User with full permissions who is misusing his privileges
• The degree of difficulty in detecting "abnormal" usage by a
legitimate user is greater than for a masquerader
• Small amounts of misuse by a legitimate user are usually not
detected
• Misuse by a legitimate user may take the following forms:
– Gaining access to information that is normally not authorized in the
conduct of his job
– Misusing his access to gain large amounts of information exceeding
previously established norms, or "excessive" use of computer time
Clandestine User
• Most difficult to detect by normal audit trail analysis
• A clandestine user seizes supervisory control of the
system and can therefore evade both the recording of the
audit trail and the access control mechanism
Classification/Taxonomy of Intrusion
Detection Systems
• The classification can be based on any of the following:
• Classification based on Source of Information (Audit
Source Location):
– Host-based IDS (HIDS)
– Network-based IDS (NIDS)
– Application-Specific and Database IDS (DIDS)
• Classification based on the Type of Information:
– Anomaly IDS
– Misuse IDS
– Hybrid IDS
• Classification based on the Usage Frequency:
– Continuous Monitoring
– Periodic Analysis
Classification/Taxonomy of Intrusion
Detection Systems
• Classification based on the Analysis Technique
– Neural Networks
– Data Mining
– Artificial Neural Networks
– Machine Learning
– Statistical Approaches
– Soft Computing Techniques
– Expert Systems
– Petri Nets
– State Transition Analysis
– … and many more
Classification based on Source of
Information
• The audit source location discriminates IDSs based
on the kind of input information they analyze
• This input information can be:
– Audit trails (system logs) on a host
(An audit trail is a record showing who has accessed a
computer system and what operations were performed
during a given period of time by a user)
– Network packets
– Application logs
Host-based IDS (HIDS)
• The earliest proposals for intrusion detection were based on
the use of audit data from the host being monitored
• Host-based intrusion detection is performed at the operating
system level by comparing expected and observed system
resource usage
• Audit data is provided by the operating system or other
application programs running in the host
• HIDS resides on the system being monitored and tracks
changes made to important files and directories
• HIDS analyzes several types of log files (kernel, system, server,
network, firewall, etc.) to examine events like what files
were accessed and what applications were executed
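As an added example of the file-tracking function of a HIDS described above (this is illustrative code, not code from the slides or from any particular HIDS product), the following Python script records a baseline of SHA-256 digests for a set of monitored files and later reports which of them were created, modified or deleted. The file names, file contents and the temporary directory are constructed for the demonstration; a production HIDS would keep the baseline where an intruder on the monitored host cannot rewrite it and would run the comparison on a schedule.

```python
"""Added example (not from the slides): host-based file integrity checking
by comparing a stored baseline of SHA-256 digests with a fresh scan."""
import hashlib
import os
import tempfile


def digest_bytes(data):
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record the digest of every monitored file (a missing file maps to None)."""
    return {p: (sha256_of(p) if os.path.exists(p) else None) for p in paths}


def check_integrity(baseline):
    """Re-hash the monitored files and list what changed since the baseline."""
    findings = []
    for path, old_digest in baseline.items():
        new_digest = sha256_of(path) if os.path.exists(path) else None
        if old_digest == new_digest:
            continue  # unchanged: same digest, or still absent
        if old_digest is None:
            findings.append(("created", path))
        elif new_digest is None:
            findings.append(("deleted", path))
        else:
            findings.append(("modified", path))
    return findings


def demo():
    """Constructed scenario in a temp dir: one file is modified, one deleted
    and one created after the baseline was taken. Returns the sorted findings."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "sshd_config")     # constructed sample paths
        passwd = os.path.join(d, "passwd")
        newfile = os.path.join(d, "rc.local")
        for p, body in ((cfg, b"PermitRootLogin no\n"),
                        (passwd, b"root:x:0:0::/root:/bin/sh\n")):
            with open(p, "wb") as f:
                f.write(body)
        baseline = build_baseline([cfg, passwd, newfile])
        if check_integrity(baseline):
            raise RuntimeError("baseline must be clean right after it is taken")
        # Simulated unauthorized changes to the monitored files.
        with open(cfg, "wb") as f:
            f.write(b"PermitRootLogin yes\n")   # modification
        os.remove(passwd)                        # deletion
        with open(newfile, "wb") as f:
            f.write(b"#!/bin/sh\n")              # creation
        return sorted(check_integrity(baseline))


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:9s} {path}")
```

Digest comparison only tells the administrator that a file changed, not whether the change was authorized, so in practice it is paired with change-management records. It also says nothing about changes inside a database's rows, which is the gap the Application-Specific and Database IDS slides later address.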
Network-based IDS (NIDSs)
• Network based intrusion detection is performed at the
network level which observes the network traffic that
goes to and from the systems being monitored
• Systems that scrutinize the packets of information exchanged
between computers (network traffic) are called Network-
based IDSs
• A sensor is used to “sniff” packets in the network where
they are fed into a detection engine which will set an
alarm if any misuse is detected
• This approach has the advantage that a single properly
placed sensor can monitor a number of hosts
Hybrid IDS
• Intrusion detection systems nowadays require event
log analysis for insider threat detection and
network traffic analysis for outside threat detection
• Current intrusion detection requires properties of
both network and host-based intrusion detection
systems. These systems are known as hybrid systems
Application-Specific (AppIDS) and
Database IDS (DIDS)
• Organizations use database systems (DBMS) as the main data
management technology for storing and accessing
information
• The ability to access information from anywhere using the
Internet and web-based applications increases the chances of
attacks on information systems
• Data, therefore, need to be protected not only from external
threats but also from insider threats
• Existing security mechanisms often fail to protect data stored
in a database system from syntactically correct but
semantically damaging transactions
Application-Specific (AppIDS) and
Database IDS (DIDS)
• Database intrusion detection mostly uses transactional
features like accessed table name, accessed attribute name,
query type, transaction gap, transaction amount, etc., to
identify intrusive activities
• Application specific database IDS (AppIDS) provides security
for applications like credit card payment system, railways and
flight ticket reservation system, internet banking system, etc.
Application-Specific (AppIDS) and Database
IDS (DIDS)
• The concept of application-level intrusion detection was
introduced by Sielken [5] and has become an interesting field
of research very recently
• At the database level, a file has an inherent structure, being
subdivided into tables, rows and columns
• HIDSs cannot detect changes to the structure or rows of the
tables whereas any AppIDS can identify these changes easily
• AppIDS use the semantics of the application to detect more
subtle attacks such as those carried out by internal intruders
Classification based on the Type of
Information/Detection Technique
• IDSs can also be categorized according to the type of
information they use for detecting intrusions:
– Anomaly Detection
– Misuse Detection
Anomaly Detection
• Anomaly detection models “normal behavior” and
tries to detect attacks by detecting deviations from
the stored patterns
• Assumption: Intrusive activities are necessarily
different from non-intrusive activities at some level
of observation
• Anomaly detection is also referred to as outlier
detection, as it involves detecting patterns in a given
data set that do not conform to an established
normal behavior
Anomaly Detection
• An anomaly based IDS first creates a profile of
normal activities and then monitors the new
activities on the system by computing deviation from
the normal profile
• If the current activity deviates significantly from the
normal behavior reflected in the stored profile, an
anomaly is indicated
• Preset threshold value(s) are used by the IDS to
classify an incoming transaction as genuine or
intrusive or suspicious
Anomaly Detection
• Advantage:
– Could potentially detect new types of intrusions or novel attacks
• Disadvantages:
– Genuine behavior deviating from the normal profile may be
flagged as intrusive, resulting in False Positives (FPs)
– Another main issue is the selection of threshold levels so that
neither FPs nor False Negatives (FNs) are unreasonably magnified.
Setting a threshold too low results in FPs and setting it too high
results in FNs
– Computationally expensive because of the overhead of
analyzing large amounts of data to model normal behavioral
profiles and updating those profiles
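The three anomaly detection slides above, and the earlier Masquerader slide (use outside normal time, abnormal volume of data reference), describe one procedure: build a profile of normal activity, compute each new event's deviation from it, and compare against a threshold. The following Python code is an added example of that procedure (it is not from the slides and not Denning's IDES). It profiles a user's audit records by session start hour and data volume, scores new records by the largest per-feature z-score, and then sweeps the threshold to show the FP/FN trade-off from the Disadvantages slide. All audit records, the user name and the three threshold values are constructed for the demonstration.

```python
"""Added example (not from the slides): profile-based anomaly detection over
constructed audit-trail records, with a threshold sweep showing FPs vs FNs."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class AuditRecord:
    user: str
    hour: int         # hour of day the session started (0-23)
    kbytes_read: int  # volume of data referenced during the session
    is_attack: bool   # ground truth, used only to evaluate the detector


# Constructed baseline: "alice" normally works 9-17 and reads 100-250 KB.
BASELINE = [
    AuditRecord("alice", 9, 120, False), AuditRecord("alice", 10, 150, False),
    AuditRecord("alice", 11, 200, False), AuditRecord("alice", 14, 180, False),
    AuditRecord("alice", 15, 110, False), AuditRecord("alice", 16, 240, False),
    AuditRecord("alice", 9, 130, False), AuditRecord("alice", 17, 210, False),
]

# Constructed new activity: two genuine sessions (one a little late but of
# normal volume) and two masquerader sessions using alice's account.
NEW_ACTIVITY = [
    AuditRecord("alice", 12, 170, False),
    AuditRecord("alice", 19, 160, False),   # genuine, slightly outside hours
    AuditRecord("alice", 3, 5000, True),    # 3 a.m. plus a huge bulk read
    AuditRecord("alice", 13, 900, True),    # normal hour, abnormal volume
]

FEATURES = ("hour", "kbytes_read")


def build_profile(records):
    """Normal profile: per-feature (mean, population std dev) of the baseline."""
    profile = {}
    for feature in FEATURES:
        values = [getattr(r, feature) for r in records]
        profile[feature] = (mean(values), pstdev(values) or 1.0)  # avoid /0
    return profile


def deviation(record, profile):
    """Largest absolute z-score over the features; higher means more anomalous."""
    scores = []
    for feature in FEATURES:
        mu, sigma = profile[feature]
        scores.append(abs(getattr(record, feature) - mu) / sigma)
    return max(scores)


def classify(record, profile, threshold):
    """Preset threshold separates genuine from intrusive, as on the slide."""
    return "intrusive" if deviation(record, profile) > threshold else "genuine"


def evaluate(records, profile, threshold):
    """Count false positives and false negatives at one threshold."""
    fp = sum(1 for r in records
             if not r.is_attack and classify(r, profile, threshold) == "intrusive")
    fn = sum(1 for r in records
             if r.is_attack and classify(r, profile, threshold) == "genuine")
    return {"FP": fp, "FN": fn}


def threshold_sweep(records, profile, thresholds=(1.0, 3.0, 20.0)):
    """Too low a threshold yields FPs, too high yields FNs (constructed values)."""
    return {t: evaluate(records, profile, t) for t in thresholds}


if __name__ == "__main__":
    prof = build_profile(BASELINE)
    for r in NEW_ACTIVITY:
        print(f"hour={r.hour:2d} kb={r.kbytes_read:5d} "
              f"deviation={deviation(r, prof):6.2f}")
    for t, counts in threshold_sweep(NEW_ACTIVITY, prof).items():
        print(f"threshold={t:5.1f} FP={counts['FP']} FN={counts['FN']}")
```

With these constructed records the late-but-harmless 19:00 session is flagged at threshold 1.0 (a false positive), both masquerader sessions are caught at 3.0, and the daytime bulk read slips through at 20.0 (a false negative). Two simplifications to note: the hour is treated as a linear quantity although it wraps at midnight, and the profile is never updated, whereas a real anomaly IDS would refresh it, which is the maintenance cost the Disadvantages slide mentions.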
Misuse Detection
• Misuse detection approaches use knowledge about
known attacks and attempt to recognize attacks that
follow known intrusion patterns, called attack signatures
or misuse patterns
• An attack/intrusion is recognized once the current
event’s pattern matches with any of the existing
misuse patterns in the large database of attack
signatures
• It is the converse of the anomaly detection approach, which
looks for deviations from normal behavior instead of
matches against known attacks
Misuse Detection
• Advantage:
– Almost all the known attacks can be detected reliably and
economically because it simply requires scanning known
attack patterns
• Disadvantages:
– It works only for known attacks, and is largely unable to
detect unknown intrusions
– Configuring a database by specifying all the known misuse
signatures and keeping it updated is a highly time-
consuming task
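The two Misuse Detection slides above describe matching current events against a database of attack signatures. The following Python code is an added example of that approach (it is not from the slides and not taken from any real signature IDS). It runs a tiny signature database over constructed log lines: one signature fires on a single matching web request, and one counts repeated failed logins per source address and fires when a threshold is reached. The log lines, addresses, user names and the threshold value are all constructed for the demonstration.

```python
"""Added example (not from the slides): a minimal signature-based (misuse)
detector run over constructed syslog-style log lines."""
import re
from collections import defaultdict

# Constructed log sample: SSH authentication lines and web server access lines.
SAMPLE_LOG = """\
Dec 08 09:12:01 host sshd[812]: Failed password for admin from 198.51.100.7 port 40112 ssh2
Dec 08 09:12:03 host sshd[812]: Failed password for admin from 198.51.100.7 port 40113 ssh2
Dec 08 09:12:05 host sshd[812]: Failed password for root from 198.51.100.7 port 40114 ssh2
Dec 08 09:12:07 host sshd[812]: Failed password for root from 198.51.100.7 port 40115 ssh2
Dec 08 09:12:09 host sshd[812]: Failed password for root from 198.51.100.7 port 40116 ssh2
Dec 08 09:13:00 host sshd[813]: Accepted password for alice from 192.0.2.10 port 50010 ssh2
Dec 08 09:14:22 host httpd: 203.0.113.5 "GET /index.html HTTP/1.1" 200
Dec 08 09:14:25 host httpd: 203.0.113.5 "GET /../../etc/passwd HTTP/1.1" 404
Dec 08 03:02:11 host sshd[900]: Accepted password for root from 203.0.113.9 port 51000 ssh2
"""

# Signature database (constructed): single-event signatures fire on any one
# matching line; the brute-force signature counts failures per source address.
SINGLE_EVENT_SIGNATURES = {
    "web-path-traversal": re.compile(r'"GET [^"]*(?:\.\./|/etc/passwd)'),
}
FAILED_LOGIN = re.compile(
    r"Failed password for \S+ from (?P<src>\d+\.\d+\.\d+\.\d+)")
BRUTE_FORCE_THRESHOLD = 5  # constructed value; real rule sets tune this per site


def detect(log_text):
    """Return (signature_name, detail) alerts in the order they are raised."""
    alerts = []
    failures = defaultdict(int)  # failed-login count per source address
    for line in log_text.splitlines():
        for name, pattern in SINGLE_EVENT_SIGNATURES.items():
            if pattern.search(line):
                alerts.append((name, line))
        m = FAILED_LOGIN.search(line)
        if m:
            src = m.group("src")
            failures[src] += 1
            if failures[src] == BRUTE_FORCE_THRESHOLD:  # alert exactly once
                alerts.append(("ssh-brute-force", src))
    return alerts


def alert_names(log_text):
    """Just the signature names, handy for checking what a log sample triggers."""
    return [name for name, _ in detect(log_text)]


if __name__ == "__main__":
    for name, detail in detect(SAMPLE_LOG):
        print(f"ALERT {name}: {detail}")
```

Two alerts are raised: the fifth failed login from 198.51.100.7 and the traversal-style web request. The last line, a successful root login at 03:02 from an address never seen before, matches no signature and is therefore not reported at all; that is the "known attacks only" limitation from the Disadvantages slide, and it is exactly the kind of event the profile-based anomaly approach and the hybrid systems described earlier are meant to catch.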
Classification based on the Monitoring
Frequency
• Based on the frequency of monitoring a system,
IDSs can be classified into two types:
• Continuous Monitoring
– Certain intrusion detection systems have real-time
continuous monitoring capabilities
• Periodic Analysis
– Some intrusion detection systems must be run
periodically instead of continuous monitoring
Evaluation Criteria of IDS
• Accuracy
– An IDS is accurate if it does not trigger spurious alerts
(false alarms) - TN
– Inaccuracy occurs when an intrusion-detection system
flags a legitimate action as intrusive (FP)
– Can be quantitatively measured by False Positive Rate
(FPR) or True Negative Rate (TNR)
$$\mathrm{FPR} = \frac{FP}{FP + TN}, \qquad \mathrm{TNR} = \frac{TN}{FP + TN}$$
Evaluation Criteria of IDS
• Completeness
– Completeness is the property of an IDS to detect all types of
attacks (TP)
– Incompleteness occurs when the intrusion-detection system
fails to detect an attack (FN)
– Can be quantitatively measured by True Positive Rate (TPR) or
False Negative Rate (FNR)
• Robustness or Fault Tolerance
– An IDS should itself be resistant to attacks, especially denial-of-
service-type attacks
$$\mathrm{TPR} = \frac{TP}{TP + FN}, \qquad \mathrm{FNR} = \frac{FN}{TP + FN}$$
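The IDS Terminology slide defines TP, FP, FN and TN, and the two Evaluation Criteria slides above turn them into the rates FPR, TNR, TPR and FNR. The following Python code is an added worked example (not from the slides) that computes all four from a set of events, each labelled with the ground truth (was it really an attack?) and with the IDS's verdict (was an alarm raised?). The ten events are constructed for the demonstration.

```python
"""Added example (not from the slides): IDS accuracy and completeness
metrics computed from constructed events labelled with ground truth."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    event_id: int
    is_attack: bool  # ground truth: was this event actually an attack?
    alarmed: bool    # did the IDS raise an alarm for it?


# Constructed sample: 10 events, 4 of them real attacks.
SAMPLE_EVENTS = [
    Event(1, False, False),   # TN: benign, no alarm
    Event(2, True, True),     # TP: attack, alarm raised
    Event(3, False, True),    # FP: benign, alarm raised (false alarm)
    Event(4, True, False),    # FN: attack missed
    Event(5, False, False),   # TN
    Event(6, True, True),     # TP
    Event(7, False, False),   # TN
    Event(8, False, True),    # FP
    Event(9, True, True),     # TP
    Event(10, False, False),  # TN
]


def confusion_counts(events):
    """TP/FP/FN/TN exactly as the IDS Terminology slide defines them."""
    return {
        "TP": sum(1 for e in events if e.is_attack and e.alarmed),
        "FP": sum(1 for e in events if not e.is_attack and e.alarmed),
        "FN": sum(1 for e in events if e.is_attack and not e.alarmed),
        "TN": sum(1 for e in events if not e.is_attack and not e.alarmed),
    }


def rates(counts):
    """FPR and TNR (accuracy) share the benign denominator FP + TN;
    TPR and FNR (completeness) share the attack denominator TP + FN."""
    benign = counts["FP"] + counts["TN"]
    attacks = counts["TP"] + counts["FN"]
    return {
        "FPR": counts["FP"] / benign if benign else 0.0,
        "TNR": counts["TN"] / benign if benign else 0.0,
        "TPR": counts["TP"] / attacks if attacks else 0.0,
        "FNR": counts["FN"] / attacks if attacks else 0.0,
    }


def evaluate(events):
    """Convenience wrapper returning both the counts and the derived rates."""
    counts = confusion_counts(events)
    return counts, rates(counts)


if __name__ == "__main__":
    counts, r = evaluate(SAMPLE_EVENTS)
    print(counts)
    for name, value in r.items():
        print(f"{name} = {value:.3f}")
```

For the constructed sample the counts are TP=3, FP=2, FN=1, TN=4, giving FPR = 2/6 and TNR = 4/6 (they always sum to 1, as do TPR = 3/4 and FNR = 1/4). Note that the denominators differ: FPR is judged against the benign events only, so a low FPR says nothing about how many attacks were missed, which is why the slides treat accuracy and completeness as separate criteria.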
Evaluation Criteria of IDS
• Timeliness and Performance
– The performance of an IDS is the rate at which
events/transactions are processed
– An IDS has to perform and propagate its analysis as quickly
as possible to enable the security officer/administrator to
react before much damage has been done
– Timeliness not only encompasses the intrinsic processing
speed of the IDS (performance) but also the time required
to propagate the analyzed information and react to it
• Scalability
– Whether the IDS can keep up with growth in the
network or in traffic volume
A Generic Intrusion Detection Model
• Dorothy Denning [2] proposed “An Intrusion-Detection
Model”
• It was published in IEEE Transactions on Software
Engineering in 1987
• The model is based on the hypothesis that security
violations can be detected by monitoring a system's audit
records for abnormal patterns of system usage
• The proposed model is independent of any particular
system, application environment, system vulnerability, or
type of intrusion, thereby providing a framework for a
general purpose intrusion detection system
References
1. J. P. Anderson, “Computer Security Threat Monitoring and
Surveillance”, Technical Report, J.P. Anderson Co., Fort Washington,
Pennsylvania, April 1980.
2. D. E. Denning, “An Intrusion Detection Model,” IEEE Transactions on
Software Engineering, Vol. 13, No. 2, Pages: 222-232, February
1987.
3. L. T. Heberlein, G. V. Dias, K. N. Levitt, “A Network Security
Monitor”, IEEE Computer Society Symposium on Research in
Security and Privacy, May 1990.
4. B. Mukherjee, T. L. Heberlein and K. N. Levitt, “Network Intrusion
Detection”, IEEE Network, Vol. 8, Pages: 26-41, May 1994.
5. R. S. Sielken, “Application Intrusion Detection”, Technical Report,
Department of Computer Science, University of Virginia, URL
http://www.cs.virginia.edu/jones/IDSresearch/Papers.html#Sielken,
May 1999.
12/8/2017
Hitesh Mohapatra,Ph.D
Introduction to IDS
58

Introduction IDS

  • 1.
    Intrusion Detection Systems Lecture#2 Basic Concepts of Security & Introduction to Intrusion Detection
  • 2.
    Basic Concepts • SecurityThreat: Set of circumstances that has the potential to cause harm to systems and organizations • Security Attack: Action that compromises the Information Security by exploiting the vulnerability in a system • Security Mechanism: Mechanisms to Prevent, Detect and Recover from a security attack 12/8/2017 2 Hitesh Mohapatra,Ph.D Introduction to IDS
  • 3.
    Information Security • Informationsecurity is the protection of information and information systems from unauthorized access, disclosure, modification, inspection, or destruction • The goals of Information Security is protecting the Confidentiality, Integrity , Availability (CIA) of information from unauthorized users • Government organizations, military, corporations, credit card companies, financial institutions, hospitals, private businesses, etc. deal with confidential information about their employees, customers, products, research, financial status, etc. • Most of this information is collected, processed and stored on computers and transmitted across networks to other computers 12/8/2017 3 Hitesh Mohapatra,Ph.D Introduction to IDS
  • 4.
    Important Features of Security/SecurityGoals • Computer security is based on three concepts: – Confidentiality – Integrity – Availability 12/8/2017 4 Hitesh Mohapatra,Ph.D Introduction to IDS
  • 5.
    Confidentiality • Confidentiality isthe term used to prevent the disclosure of information to unauthorized individuals • Mechanisms of protection of confidentiality in information systems are cryptography and access controls • Example: – A credit card transaction on the Internet requires the credit card details to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network. Confidentiality can be enforced by encrypting the card details during transmission 12/8/2017 5 Hitesh Mohapatra,Ph.D Introduction to IDS
  • 6.
    Integrity • Integrity isconcerned with the trustworthiness, origin, completeness and correctness of data • It prevents the unauthorized modification of data • Integrity includes data integrity (integrity of information itself) and origin integrity (integrity of the source of information – authentication) • Authentication – Proving the authenticity of an identity by determining that it is indeed the person or the system that it claims to be. Eg. passwords, digital certificates, etc. 12/8/2017 6 Hitesh Mohapatra,Ph.D Introduction to IDS
  • 7.
    Availability • Availability refersto the ability to use the information or resource desired • Attacks against availability are known as Denial of Service Attacks – DoS (Attempt to make a machine or network resource unavailable to its intended users) 12/8/2017 7 Hitesh Mohapatra,Ph.D Introduction to IDS
  • 8.
  • 9.
    Authorization • After provingthe identity at the authentication stage, users are assigned a set of authorizations (also referred to as rights, privileges, or permissions) that define what they can do on the system • Authorizations are most commonly defined by the system’s security policy and are set by the system administrator • Authorization is the process of gives rights depending on the identity of the user - be it a human being or another system 12/8/2017 9 Hitesh Mohapatra,Ph.D Introduction to IDS
  • 10.
    Non-Repudiation • Non-repudiation meansthat it can be verified that the sender and the recipient were, in fact, the parties who claimed to send or receive the message • It implies that one party of a transaction cannot deny having received a transaction nor can the other party deny having sent a transaction • Technology such as digital signatures and public key encryption are used to establish authenticity and non-repudiation 12/8/2017 10 Hitesh Mohapatra,Ph.D Introduction to IDS
  • 11.
    Vulnerability • Vulnerability isweakness in a system that could be exploited to compromise the confidentiality, integrity or availability of data or resources • The security attack can be of two types: – Passive Attack attempts to learn or make use of information from the system but does not affect system resources: so it compromises confidentiality Eg. Eavesdropping/Message Interception – Active Attack attempts to alter system resources or affect their operation: so it compromises integrity or availability Eg. Interruption, Modification, Fabrication, Denial-of-Service (DoS) attack 12/8/2017 11 Hitesh Mohapatra,Ph.D Introduction to IDS
  • 12.
    Security Attacks • InformationTransfer: Normal Flow 12/8/2017 12 Hitesh Mohapatra,Ph.D Introduction to IDS
  • 13.
    Passive Attack: Eavesdropping– Message Interception (Confidentiality Attack) • Eavesdropping or sniffing is unauthorized access to information in search of sensitive information like passwords or any kind of confidential information. When an attacker is eavesdropping on the communications, it is referred to as sniffing or snooping 12/8/2017 13 Hitesh Mohapatra,Ph.D Introduction to IDS
  • 14.
Interception Attack
• In an interception attack, an unauthorized individual gains access to confidential or private information
• Interception attacks are attacks against confidentiality
• These attacks can take the form of:
– Eavesdropping on communication
– Wiretapping telecommunications networks
– Illicit copying of files or programs
– Obtaining copies of messages for later replay
Active Attack: Interruption (Availability Attack – DoS Attack)
• The attacker disrupts the flow of messages from sender to receiver
• In an interruption attack, a network service is degraded or made unavailable for legitimate use
Interruption Attack
• Interruption attacks are attacks against the availability of the network
• These attacks can take the form of:
– Overloading a server host so that it cannot respond
– Blocking access to a service by overloading an intermediate network or network device
– Redirecting requests to invalid destinations
– Malicious destruction of the software or hardware involved
– Theft of the software or hardware involved
Active Attack: Modification (Integrity Attack)
• An attacker modifies the data in a packet in transit without the knowledge of the sender or the receiver
• Message authentication codes and digital signatures let the receiver detect such tampering; encryption alone does not guarantee integrity
Modification Attack
• In a modification attack, an unauthorized individual not only gains access to, but tampers with, information, resources or services
• Modification attacks are attacks against the integrity of the network
• These attacks can take the form of:
– Modifying the contents of messages in the network
– Changing information stored in data files
– Altering programs so they perform differently
– Reconfiguring system hardware or network topologies
• Modification of messages in transit is typically carried out as a "man-in-the-middle" attack, in which the attacker relays the traffic between the two parties and alters it on the way
Active Attack: Fabrication (Authenticity Attack)
• The attacker assumes another party's identity without authorization and performs malicious activities under that identity
Fabrication Attack
• In a fabrication attack, an individual inserts counterfeit information, resources or services into the network
• Fabrication attacks are attacks against the authentication, access control and authorization capabilities of the network
• These attacks can take the form of:
– Taking the address of another host or service, essentially becoming that host or service (address spoofing)
– Inserting messages into the network using the identity of another individual
– Replaying previously intercepted messages
– Spoofing a web site or other network service
• Also called "masquerading" attacks
What Can an Attacker Do?
• A computer interacts with the outside world by:
– Physical means: mouse, keyboard, CD/DVD, removable media, etc.
– Networking: Ethernet, wireless networks, the Internet, social networks, etc.
• The attacker is able to reach many components of the system through networking technologies; most attacks arrive over the network, which is why network traffic is the primary audit source for many IDSs
Need for Intrusion Detection
• Prevention-based security mechanisms such as authentication, authorization, access control, firewalls, data encryption, etc. are often found to be inadequate for the security needs of modern information systems
• Prevention techniques alone cannot secure sensitive information against novel attacks, against insiders who misuse legitimate access, or against exploitation of vulnerabilities that are not yet known or patched
• A dynamic monitoring entity, the Intrusion Detection System (IDS), is therefore essential to complement the static protection offered by traditional security mechanisms
IDS Terminology
• System: an information system being monitored by an intrusion detection system. e.g. workstation, server, web server, etc.
• Audit: information provided by a system concerning its internal workings and behavior. e.g. audit trails, accounting records, event logs, etc.
• Alarm: a signal suggesting that a system has been or is being attacked
IDS Terminology
• True Positive (TP): an actual attack that triggers the IDS to produce an alarm
• False Positive (FP): an alarm produced when no attack has taken place
• False Negative (FN): a failure of the IDS to detect an actual attack
• True Negative (TN): no attack has taken place and no alarm is raised
Intrusion and Intrusion Detection
• An intrusion is any set of actions that attempts to "compromise the confidentiality, integrity, or availability of a system/resource" or to "bypass the security mechanisms of a computer or network"
• Intrusion detection is "the problem of identifying individuals who are using a computer system without authorization (i.e., 'crackers') and those who have legitimate access to the system but are abusing their privileges (i.e., the 'insider threat')"
Intrusion Detection System (IDS)
• An Intrusion Detection System (IDS) is a hardware or software product that dynamically monitors the actions taken in a given system and decides whether these actions constitute an attack or legitimate use of the system
• An IDS collects data about current activity in the system, analyzes it and presents the result to the administrator for further action/analysis
Intrusion Detection System (IDS)
• An IDS aims at identifying intrusions caused by malicious users who attempt to gain privileges not authorized to them (outside intrusion) and also by authorized users who try to misuse the privileges assigned to them (inside intrusion)
Brief History of Intrusion Detection
• In the beginning: manual intrusion detection in practice
– System administrators manually monitored user activity
– Ad hoc and non-scalable
• The study of intrusion detection was started by James P. Anderson [1] in 1980 with the technical report "Computer Security Threat Monitoring and Surveillance"
• Anderson's technical report:
– Introduced the notion of audit trails
– Suggested that audit trails contain vital information that could be valuable in tracking misuse and understanding user behavior
– Formed the foundation of host-based intrusion detection and of IDS in general
Brief History of Intrusion Detection
• Dorothy Denning developed the Intrusion Detection Expert System (IDES) in the mid-1980s and proposed "An Intrusion-Detection Model" [2] in 1987, the first general intrusion detection model
• Heberlein et al. [3] introduced the idea of network intrusion detection in 1990 with the Network Security Monitor (NSM)
• Mukherjee et al. [4] surveyed network intrusion detection in 1994
• ... and so on
Types of Intrusion and Intruder
• Based on the source from which it originates, intrusion can be classified as:
– Outside intrusion
– Inside intrusion
Outside Intrusion / Outsider Attack / External Penetration
• Malicious transactions are executed by unauthorized users from outside the organization, who gain access to the system by exploiting system vulnerabilities
• The person who intrudes into the system in this manner is called an outside intruder (external perpetrator)
• An outside intruder normally attacks systems through the Internet
• They mostly exploit vulnerabilities in firewalls, routers, web services and the services running on the operating system to perform intrusive activities
Inside Intrusion / Insider Attack / Internal Penetration
• Unauthorized transactions are carried out by authorized users within the organization
• A person who intrudes from within an organization in this manner is called an inside intruder
• These attacks pose the most challenging threats to systems and are difficult to defend against because:
– Inside intruders already hold legitimate access rights to some data and resources, so access control does not stop them
– They may also be familiar with part of the database schema and with the security setup of the organization
Internal Intruders
• Anderson [1] divided internal intruders into three subgroups, in increasing order of difficulty of detection: masquerader, legitimate user (Anderson's term: misfeasor) and clandestine user
• Masqueraders
– Assume the identity of a legitimate user and penetrate the computer system
– Either an external penetrator who has succeeded in defeating the access controls
– Or an employee with access to the computer system who exploits another legitimate user's account whose user id and password he may have obtained
Masquerader
• Instances of misuse by a masquerader can be detected by analysis of audit trail records to determine "extra" use of the system by the unauthorized user, such as:
– Use of the system outside of normal hours
– Abnormal frequency of use
– Abnormal volume of data referenced
– Abnormal pattern of reference to programs or data
• Each of these is a deviation from the profile of the legitimate account holder, which is exactly what anomaly-based detection looks for
Legitimate User
• Legitimate users are commonly internal users and can be of two types:
– An authorized user with limited permissions who is trying to gain privileges that he is not authorized to have
– A user with full permissions who is misusing his privileges
• The degree of difficulty in detecting "abnormal" usage by a legitimate user is higher than for a masquerader, because the activity is performed under the user's own, correctly authenticated identity
• Small amounts of misuse by a legitimate user usually go undetected
• Misuse by a legitimate user may take the following forms:
– Gaining access to information that is not normally needed in the conduct of his job
– Misusing his access to obtain a large amount of information exceeding previously established norms, or "excessive" use of computer time
Clandestine User
• The most difficult to detect by normal audit trail analysis
• A clandestine user seizes supervisory control of the system and can therefore evade the access control mechanism and suppress or alter the audit trail being recorded
• Detection then has to rely on evidence the intruder cannot reach, such as audit records forwarded to a separate log host before the intruder can touch them
Classification/Taxonomy of Intrusion Detection Systems
• The classification can be based on any of the following:
• Classification based on source of information (audit source location):
– Host-based IDS (HIDS)
– Network-based IDS (NIDS)
– Application-specific IDS (AppIDS) and database IDS (DIDS)
• Classification based on the type of information used (detection technique):
– Anomaly-based IDS
– Misuse (signature)-based IDS
– Hybrid IDS
• Classification based on the monitoring frequency:
– Continuous monitoring
– Periodic analysis
Classification/Taxonomy of Intrusion Detection Systems
• Classification based on the analysis technique:
– Statistical approaches
– Expert systems
– State transition analysis
– Petri nets
– Data mining
– Machine learning
– Artificial neural networks
– Soft computing techniques
– ... and many more
Classification based on Source of Information
• The audit source location discriminates IDSs based on the kind of input information they analyze
• This input information can be:
– Audit trails (system logs) on a host. An audit trail is a record showing who has accessed a computer system and what operations were performed by a user during a given period of time
– Network packets
– Application logs
Host-based IDS (HIDS)
• The earliest proposals for intrusion detection were based on the use of audit data from the host being monitored
• Host-based intrusion detection is performed at the operating system level by comparing expected and observed system resource usage
• Audit data is provided by the operating system or by other application programs running on the host
• A HIDS resides on the system being monitored and tracks changes made to important files and directories (file integrity monitoring)
• A HIDS analyzes several types of log files (kernel, system, server, network, firewall, etc.) to examine events such as which files were accessed and which applications were executed
• Because the HIDS runs on the monitored host, an intruder who gains administrative control can tamper with it; its baseline and its logs should be stored off-host
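The file-tracking function of a HIDS described above, as an added example that is not code from the lecture or from any HIDS product: a baseline of SHA-256 digests is built for every file under a directory, a later scan is compared against it, and added, removed and modified files are reported. The monitored tree, the files in it and the "attacker" changes are all constructed inside a temporary directory; the assumption is that the tree is small enough to hash in one pass.

```python
"""File integrity monitoring: baseline, rescan, report differences.

Added example, not code from the original lecture. Sample files are
constructed in a temporary directory; the attacker's changes (a config
edit, a dropped binary, a deleted log) are constructed as well.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map each regular file under root (path relative to root) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify the differences between two scans; any non-empty list is an alarm."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a baseline, then an intruder enables root
    login over SSH, drops a new binary and deletes a log file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF original")
        (root / "auth.log").write_text("ok\n")
        baseline = build_baseline(root)

        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "bin" / "nc").write_bytes(b"\x7fELF dropped")
        (root / "auth.log").unlink()
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In a real deployment the baseline dictionary would be signed and kept off the monitored host, for the reason given on the slide: an intruder with administrative control can otherwise simply rebuild it after making changes.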
Network-based IDS (NIDS)
• Network-based intrusion detection is performed at the network level by observing the traffic that flows to and from the systems being monitored
• Systems that scrutinize the packets exchanged between computers (network traffic) are called network-based IDSs
• A sensor "sniffs" packets from the network (e.g. from a switch mirror port or a network tap) and feeds them to a detection engine, which raises an alarm if misuse is detected
• This approach has the advantage that a single properly placed sensor can monitor a number of hosts
• Its limits are the mirror of that strength: encrypted traffic cannot be inspected for content, and the sensor must keep up with the link speed or it silently drops packets, and the attacks in them
Hybrid IDS
• Intrusion detection nowadays requires event log analysis for insider threat detection and network traffic analysis for outside threat detection
• Current intrusion detection therefore combines the properties of network-based and host-based intrusion detection systems; such systems are known as hybrid systems
Application-Specific IDS (AppIDS) and Database IDS (DIDS)
• Organizations use database management systems (DBMS) as the main technology for storing and accessing information
• The ability to access information from anywhere via the Internet and web-based applications increases the exposure of information systems to attack
• Data therefore needs to be protected not only from external threats but also from insider threats
• Existing security mechanisms often fail to protect data stored in a database from syntactically correct but semantically damaging transactions: a query that passes authentication, access control and SQL parsing can still be an attack (e.g. an authorized clerk dumping the whole customer table)
Application-Specific IDS (AppIDS) and Database IDS (DIDS)
• Database intrusion detection mostly uses transactional features such as the accessed table name, accessed attribute name, query type, gap between transactions, transaction amount, etc. to identify intrusive activities
• An application-specific database IDS (AppIDS) provides security for applications such as credit card payment systems, railway and flight ticket reservation systems, Internet banking systems, etc.
Application-Specific IDS (AppIDS) and Database IDS (DIDS)
• The concept of application-level intrusion detection was introduced by Sielken [5] and has recently become an active field of research
• At the database level a file has an inherent structure, subdivided into tables, rows and columns
• A file-level HIDS sees only that the database file changed; it cannot tell which table structure or which rows were altered, whereas an AppIDS that understands the schema can identify these changes easily
• An AppIDS uses the semantics of the application to detect more subtle attacks, such as those carried out by internal intruders
Classification based on the Type of Information / Detection Technique
• IDSs can also be categorized according to the type of information they use for detecting intrusions:
– Anomaly detection (a model of normal behavior)
– Misuse detection (a database of known attack patterns)
Anomaly Detection
• Anomaly detection models "normal behavior" and tries to detect attacks as deviations from the stored patterns
• Assumption: intrusive activities are necessarily different from non-intrusive activities at some level of observation
• Anomaly detection is also referred to as outlier detection, since it involves detecting patterns in a given data set that do not conform to the established normal behavior
Anomaly Detection
• An anomaly-based IDS first creates a profile of normal activity and then monitors new activity on the system by computing its deviation from the normal profile
• If the current activity deviates significantly from the normal behavior reflected in the stored profile, an anomaly is indicated
• Preset threshold value(s) are used by the IDS to classify an incoming transaction as genuine, suspicious or intrusive
Anomaly Detection
• Advantage:
– Could potentially detect new types of intrusion or novel attacks, since nothing about the attack needs to be known in advance
• Disadvantages:
– Genuine behavior that deviates from the normal profile is flagged as intrusive, resulting in false positives (FPs)
– Another main issue is the selection of threshold levels so that neither FPs nor false negatives (FNs) are unreasonably magnified: setting the threshold too low results in FPs, setting it too high results in FNs
– Computationally expensive, because of the overhead of analyzing large amounts of data to model normal behavioral profiles and of keeping those profiles updated
– If the data used to build the profile already contains attack activity, that activity is learned as "normal" and will not be flagged later
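The anomaly-detection scheme of the three slides above, applied to the audit-trail indicators listed on the Masquerader slide (time of use, frequency, volume, pattern of reference) and to the transactional features listed for database IDS (query type, tables accessed, transaction amount), as one added example that is not code from the lecture or from any published DIDS: a per-user profile is built from baseline audit records, each new transaction is scored by its deviation from the profile, and two preset thresholds classify it as genuine, suspicious or intrusive. The users, audit records, scoring terms and threshold values are all constructed for the example.

```python
"""Anomaly-based detection over database transaction audit records.

Added example, not code from the original lecture. Users, records, scoring
terms and thresholds are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    user: str
    hour: int           # hour of day, 0..23
    qtype: str          # SELECT / UPDATE / DELETE ...
    tables: frozenset   # tables referenced by the statement
    amount: float       # rows touched or money moved, depending on the application


@dataclass
class Profile:
    hours: Counter      # hour -> number of baseline transactions
    qtypes: Counter     # query type -> count
    tables: Counter     # table -> count
    amount_mean: float
    amount_std: float


def build_profiles(baseline: list[Txn]) -> dict[str, Profile]:
    """One profile per user from baseline records assumed to be attack-free;
    any attack present here would be learned as normal."""
    by_user: dict[str, list[Txn]] = {}
    for t in baseline:
        by_user.setdefault(t.user, []).append(t)
    profiles = {}
    for user, txns in by_user.items():
        amounts = [t.amount for t in txns]
        profiles[user] = Profile(
            hours=Counter(t.hour for t in txns),
            qtypes=Counter(t.qtype for t in txns),
            tables=Counter(tb for t in txns for tb in t.tables),
            amount_mean=mean(amounts),
            amount_std=pstdev(amounts) or 1.0,   # guard against a constant baseline
        )
    return profiles


def deviation(t: Txn, p: Profile) -> float:
    """Each feature contributes a term in [0, 1]; their sum is the anomaly score."""
    score = 0.0
    # Time of use: never active in this hour (tolerance +/- 1 h) -> 1
    if not any(p.hours[(t.hour + d) % 24] for d in (-1, 0, 1)):
        score += 1.0
    # Query type never issued before -> 1
    if p.qtypes[t.qtype] == 0:
        score += 1.0
    # Pattern of reference: share of the referenced tables the user has never touched
    if t.tables:
        score += sum(1 for tb in t.tables if p.tables[tb] == 0) / len(t.tables)
    # Volume: z-score of the amount, capped at 3 and scaled to [0, 1]
    z = abs(t.amount - p.amount_mean) / p.amount_std
    score += min(z, 3.0) / 3.0
    return score


def classify(t: Txn, profiles: dict[str, Profile],
             suspicious_at: float = 1.0, intrusive_at: float = 2.0) -> tuple[str, float]:
    """Two thresholds split the score range into genuine / suspicious / intrusive.
    A user with no profile at all is reported as intrusive outright."""
    p = profiles.get(t.user)
    if p is None:
        return "intrusive", float("inf")
    d = deviation(t, p)
    if d >= intrusive_at:
        return "intrusive", d
    if d >= suspicious_at:
        return "suspicious", d
    return "genuine", d


# Constructed baseline: a clerk who runs SELECTs on the orders table during
# office hours, touching a few dozen rows each time.
BASELINE = [
    Txn("clerk", h, "SELECT", frozenset({"orders"}), a)
    for h, a in [(9, 20), (10, 25), (11, 30), (14, 22), (15, 28), (16, 24), (10, 26), (14, 21)]
]

# Constructed new activity to score.
NEW = [
    Txn("clerk", 11, "SELECT", frozenset({"orders"}), 27),                 # routine
    Txn("clerk", 15, "SELECT", frozenset({"orders", "customers"}), 80),    # new table, bigger read
    Txn("clerk", 2, "DELETE", frozenset({"audit_log"}), 5000),            # 2 a.m. DELETE on unseen table
    Txn("ghost", 12, "SELECT", frozenset({"orders"}), 10),                 # account with no profile
]


def run() -> list[tuple[str, float]]:
    profiles = build_profiles(BASELINE)
    return [classify(t, profiles) for t in NEW]


if __name__ == "__main__":
    for t, (label, d) in zip(NEW, run()):
        print(f"{label:10s} score={d:5.2f}  {t.user} {t.hour:02d}h {t.qtype} {sorted(t.tables)} {t.amount}")
```

The threshold trade-off from the slide is visible directly: the routine transaction scores about 0.26 on the amount term alone, so lowering `suspicious_at` to 0.2 turns it into a false positive, while raising `intrusive_at` above 4 would let the 2 a.m. DELETE through as merely suspicious.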
Misuse Detection
• Misuse detection approaches use knowledge about known attacks and attempt to recognize attacks that follow known intrusion patterns, called attack signatures or misuse patterns
• An attack/intrusion is recognized once the pattern of the current event matches one of the misuse patterns in the (usually large) database of attack signatures
• It is the reverse of the anomaly detection approach: anomaly detection models what is normal, misuse detection models what is known to be bad
Misuse Detection
• Advantage:
– Almost all known attacks can be detected reliably and economically, because detection only requires scanning for known attack patterns, and a match explains itself (the alert names the attack)
• Disadvantages:
– It works only for known attacks and is almost incapable of detecting unknown intrusions; even a known attack escapes detection if it is encoded or fragmented so that it no longer matches the signature
– Building a database of all known misuse signatures and keeping it updated is a highly time-consuming task
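The detection engine of the NIDS slide combined with the misuse-detection slides above, as an added example that is not code from the lecture and not Snort or any other real engine: a small rule set of the kind a signature-based NIDS loads (signature id, message, destination port, pattern) is matched against constructed TCP payloads. The rules, the traffic and the addresses are all constructed. One payload carries a known attack URL-encoded; matching it with and without payload normalization shows the evasion weakness the slide warns about.

```python
"""Signature (misuse) detection over network payloads.

Added example, not code from the original lecture. Rules, traffic and
addresses are constructed; patterns are illustrative, not vendor signatures.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote


@dataclass(frozen=True)
class Rule:
    sid: int                  # signature id
    msg: str                  # alert message
    dport: Optional[int]      # destination port, None = any
    pattern: str              # regular expression over the payload
    decode: bool = False      # URL-decode the payload before matching


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


RULES = [
    Rule(1000001, "WEB-ATTACK /etc/passwd access", 80, r"/etc/passwd", decode=True),
    Rule(1000002, "WEB-ATTACK directory traversal", 80, r"(\.\./){2,}", decode=True),
    Rule(1000003, "WEB-ATTACK SQL injection tautology", 80, r"(?i)'\s*or\s+'?1'?\s*=\s*'?1", decode=True),
    Rule(1000004, "FTP SITE EXEC attempt", 21, r"(?i)^SITE\s+EXEC"),
]

_COMPILED = {r.sid: re.compile(r.pattern) for r in RULES}


def match(packet: Packet, rules: list[Rule] = RULES) -> list[Rule]:
    """Return every rule whose port and pattern match the packet."""
    text = packet.payload.decode("latin-1")   # byte-preserving decode
    decoded = unquote(text)                    # normalised view for decode=True rules
    hits = []
    for r in rules:
        if r.dport is not None and r.dport != packet.dport:
            continue
        haystack = decoded if r.decode else text
        if _COMPILED[r.sid].search(haystack):
            hits.append(r)
    return hits


def alerts(packets: list[Packet], rules: list[Rule] = RULES) -> list[tuple[int, str, str]]:
    """Misuse-detection output: (sid, source address, message) per match."""
    return [(r.sid, p.src, r.msg) for p in packets for r in match(p, rules)]


# Constructed traffic: benign request, plain traversal, URL-encoded traversal,
# SQL injection, FTP probe, benign FTP command.
TRAFFIC = [
    Packet("10.0.0.5", "10.0.0.80", 80, b"GET /index.html HTTP/1.1\r\nHost: shop\r\n\r\n"),
    Packet("198.51.100.7", "10.0.0.80", 80, b"GET /cgi-bin/view?f=../../../../etc/passwd HTTP/1.1\r\n\r\n"),
    Packet("198.51.100.7", "10.0.0.80", 80, b"GET /cgi-bin/view?f=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1\r\n\r\n"),
    Packet("198.51.100.8", "10.0.0.80", 80, b"GET /login?user=admin'%20OR%20'1'%3D'1 HTTP/1.1\r\n\r\n"),
    Packet("198.51.100.9", "10.0.0.21", 21, b"SITE EXEC %p%p%p\r\n"),
    Packet("10.0.0.6", "10.0.0.21", 21, b"SITE CHMOD 644 report.txt\r\n"),
]


def evasion_demo() -> tuple[int, int]:
    """Match the URL-encoded traversal with and without payload normalisation.
    The second count is the evasion: same attack, no signature match."""
    encoded = TRAFFIC[2]
    raw_rules = [Rule(r.sid, r.msg, r.dport, r.pattern, decode=False) for r in RULES]
    return len(match(encoded)), len(match(encoded, raw_rules))


if __name__ == "__main__":
    for sid, src, msg in alerts(TRAFFIC):
        print(f"[{sid}] {src} -> {msg}")
    print("encoded traversal hits with/without decoding:", evasion_demo())
```

Real engines normalise far more than URL encoding (TCP stream reassembly, IP fragment reassembly, HTTP chunking, Unicode) for exactly this reason; every layer the attacker can encode and the sensor does not decode is a signature bypass.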
Classification based on Monitoring Frequency
• Based on the frequency with which a system is monitored, IDSs can be classified into two types:
• Continuous monitoring
– Some intrusion detection systems have real-time continuous monitoring capabilities, so an attack can be reported while it is in progress
• Periodic analysis
– Other intrusion detection systems run periodically instead (e.g. a nightly pass over the audit logs or a file integrity check); they cost less but can only report an attack after the fact
Evaluation Criteria of IDS
• Accuracy
– An IDS is accurate if it does not trigger spurious alerts (false alarms): legitimate actions are left alone (TN)
– Inaccuracy occurs when an intrusion detection system flags a legitimate action as intrusive (FP)
– Can be quantitatively measured by the False Positive Rate (FPR) or the True Negative Rate (TNR), both computed over the legitimate (negative) events only:
$$\mathrm{FPR} = \frac{FP}{FP + TN}, \qquad \mathrm{TNR} = \frac{TN}{FP + TN} = 1 - \mathrm{FPR}$$
Evaluation Criteria of IDS
• Completeness
– Completeness is the property of an IDS to detect all attacks (TP)
– Incompleteness occurs when the intrusion detection system fails to detect an attack (FN)
– Can be quantitatively measured by the True Positive Rate (TPR, also called the detection rate) or the False Negative Rate (FNR), both computed over the attack (positive) events only:
$$\mathrm{TPR} = \frac{TP}{TP + FN}, \qquad \mathrm{FNR} = \frac{FN}{TP + FN} = 1 - \mathrm{TPR}$$
• Robustness or fault tolerance
– An IDS should itself be resistant to attacks, especially denial-of-service attacks: an attacker who can overload or crash the sensor blinds it
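The accuracy and completeness measures of the two slides above, as an added example that is not code from the lecture: TP/FP/FN/TN are counted from a constructed list of (alarm raised, attack really happened) pairs, FPR/TNR/TPR/FNR are derived from them, and the same TPR and FPR are then carried to a lower attack base rate. The point the formulas do not show on their own is that FPR is measured against the legitimate events, which vastly outnumber attacks, so a low FPR can still mean most alarms are false; the counts and the prevalence values are constructed.

```python
"""IDS accuracy (FPR/TNR) and completeness (TPR/FNR) with a base-rate check.

Added example, not code from the original lecture. Event counts and
prevalence values are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Counts:
    tp: int
    fp: int
    fn: int
    tn: int


def confusion(events: list[tuple[bool, bool]]) -> Counts:
    """events: one (alarm, attack) pair per observed event."""
    tp = sum(1 for alarm, attack in events if alarm and attack)
    fp = sum(1 for alarm, attack in events if alarm and not attack)
    fn = sum(1 for alarm, attack in events if not alarm and attack)
    tn = sum(1 for alarm, attack in events if not alarm and not attack)
    return Counts(tp, fp, fn, tn)


def rates(c: Counts) -> dict[str, float]:
    """The slide's four rates plus precision, the fraction of alarms that are real."""
    negatives = c.fp + c.tn      # legitimate events: denominator of FPR / TNR
    positives = c.tp + c.fn      # attack events: denominator of TPR / FNR
    return {
        "FPR": c.fp / negatives if negatives else 0.0,
        "TNR": c.tn / negatives if negatives else 0.0,
        "TPR": c.tp / positives if positives else 0.0,
        "FNR": c.fn / positives if positives else 0.0,
        "precision": c.tp / (c.tp + c.fp) if c.tp + c.fp else 0.0,
    }


def precision_at_prevalence(tpr: float, fpr: float, prevalence: float) -> float:
    """P(attack | alarm) by Bayes' rule for a given attack base rate."""
    true_alarms = tpr * prevalence
    false_alarms = fpr * (1.0 - prevalence)
    return true_alarms / (true_alarms + false_alarms)


# Constructed evaluation run: 10 attacks among 1000 events; the IDS catches
# 9 of them and raises 10 false alarms on the 990 legitimate events.
EVENTS = ([(True, True)] * 9 + [(False, True)] * 1
          + [(True, False)] * 10 + [(False, False)] * 980)


def evaluate() -> tuple[Counts, dict[str, float]]:
    c = confusion(EVENTS)
    return c, rates(c)


if __name__ == "__main__":
    c, r = evaluate()
    print(c)
    for k, v in r.items():
        print(f"{k:9s} {v:.4f}")
    # Same detector, attacks 1 in 10,000 events instead of 1 in 100
    print(f"precision at prevalence 1e-4: {precision_at_prevalence(r['TPR'], r['FPR'], 1e-4):.4f}")
```

With TPR 0.9 and FPR about 0.01 the detector above looks good on both slides' measures, yet fewer than half of its alarms are real at a 1% base rate, and under 1% of them at a 0.01% base rate. This is why an IDS is evaluated on FPR per legitimate event rather than on "accuracy" overall, and why the analyst's workload is governed by FPR times traffic volume, not by the detection rate.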
Evaluation Criteria of IDS
• Timeliness and performance
– The performance of an IDS is the rate at which events/transactions are processed
– An IDS has to perform and propagate its analysis as quickly as possible so that the security officer/administrator can react before much damage has been done
– Timeliness encompasses not only the intrinsic processing speed of the IDS (performance) but also the time required to propagate the analyzed information and to react to it
• Scalability
– Can the intrusion detection keep up with the growth of the network or of the traffic volume? A sensor that cannot keep up drops events, and a dropped event is an attack that can never be detected
A Generic Intrusion Detection Model
• Dorothy Denning [2] proposed "An Intrusion-Detection Model", published in IEEE Transactions on Software Engineering in 1987
• The model is based on the hypothesis that security violations can be detected by monitoring a system's audit records for abnormal patterns of system usage
• The proposed model is independent of any particular system, application environment, system vulnerability or type of intrusion, and thereby provides a framework for a general-purpose intrusion detection system
References
1. J. P. Anderson, "Computer Security Threat Monitoring and Surveillance", Technical Report, J. P. Anderson Co., Fort Washington, Pennsylvania, April 1980.
2. D. E. Denning, "An Intrusion-Detection Model", IEEE Transactions on Software Engineering, Vol. SE-13, No. 2, pp. 222-232, February 1987.
3. L. T. Heberlein, G. V. Dias, K. N. Levitt et al., "A Network Security Monitor", Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy, May 1990.
4. B. Mukherjee, L. T. Heberlein, K. N. Levitt, "Network Intrusion Detection", IEEE Network, Vol. 8, pp. 26-41, May 1994.
5. R. S. Sielken, "Application Intrusion Detection", Technical Report, Department of Computer Science, University of Virginia, May 1999. URL: http://www.cs.virginia.edu/jones/IDSresearch/Papers.html#Sielken