Keywords: Intrusion detection; Anomaly detection; IDS systems and platforms; Assessment

... solved. This paper begins with a review of the most well-known anomaly-based intrusion detection techniques. Then, available platforms, systems under development and research projects in the area are presented. Finally, we outline the main challenges to be dealt with for the wide scale deployment of anomaly-based intrusion detectors, with special emphasis on assessment issues.

© 2008 Elsevier Ltd. All rights reserved.
1. Introduction

Intrusion Detection Systems (IDS) are security tools that, like other measures such as antivirus software, firewalls and access control schemes, are intended to strengthen the security of information and communication systems. Although, as shown in Kabiri and Ghorbani (2005) and Sobh (2006), several IDS approaches have been proposed in the specialized literature since the origins of this technology, two highly relevant works in this direction are Denning (1987) and Staniford-Chen et al. (1998).
Noteworthy work has been carried out by CIDF ("Common Intrusion Detection Framework"), a working group created by DARPA in 1998 mainly oriented towards coordinating and defining a common framework in the IDS field. Integrated within IETF in 2000, and having adopted the new acronym IDWG ("Intrusion Detection Working Group"), the group defined a general IDS architecture based on the consideration of four types of functional modules (Fig. 1):

– E blocks ("Event-boxes"): This kind of block is composed of sensor elements that monitor the target system, thus acquiring information events to be analyzed by other blocks.
– D blocks ("Database-boxes"): These are elements intended to store information from E blocks for subsequent processing by A and R boxes.
– A blocks ("Analysis-boxes"): Processing modules for analyzing events and detecting potential hostile behavior, so that some kind of alarm will be generated if necessary.
– R blocks ("Response-boxes"): The main function of this type of block is the execution, if any intrusion occurs, of a response to thwart the detected menace.

Fig. 1 – General CIDF architecture for IDS systems (E-box, A-box, D-box, R-box).

* Corresponding author. Department of Signal Theory, Telematics and Communications, Computer Science and Telecommunications Faculty, University of Granada, C/ Periodista Daniel Saucedo Aranda, 18071 Granada, Spain. Tel.: 958242305; fax: 958240831. E-mail addresses: [email protected] (P. García-Teodoro), [email protected] (J. Díaz-Verdejo), [email protected] (G. Maciá-Fernández), [email protected] (E. Vázquez). 0167-4048/$ – see front matter © 2008 Elsevier Ltd. All rights reserved. doi:10.1016/j.cose.2008.08.003

Other key contributions in the IDS field concern the definition of protocols for data exchange between components (e.g. IDXP, "Intrusion Detection eXchange Protocol", RFC 4767), and the format considered for this (e.g. IDMEF, "Intrusion Detection Message Exchange Format", RFC 4765). Depending on the information source considered (E boxes in Fig. 1), an IDS may be either host or network-based. A host-based IDS analyzes events such as process identifiers and system calls, mainly related to OS information. On the other hand, a network-based IDS analyzes network related events: traffic volume, IP addresses, service ports, protocol usage, etc. This paper focuses on the latter type of IDS. Depending on the type of analysis carried out (A blocks in Fig. 1), intrusion detection systems are classified as either signature-based or anomaly-based. Signature-based schemes (also denoted as misuse-based) seek defined patterns, or signatures, within the analyzed data. For this purpose, a signature database corresponding to known attacks is specified a priori. On the other hand, anomaly-based detectors attempt to estimate the "normal" behavior of the system to be protected, and generate an anomaly alarm whenever the deviation between a given observation at an instant and the normal behavior exceeds a predefined threshold.
Another possibility is to model the "abnormal" behavior of the system and to raise an alarm when the difference between the observed behavior and the expected one falls below a given limit. Signature and anomaly-based systems are similar in terms of conceptual operation and composition. The main differences between these methodologies are inherent in the concepts of "attack" and "anomaly". An attack can be defined as "a sequence of operations that puts the security of a system at risk". An anomaly is just "an event that is suspicious from the perspective of security".
Based on this distinction, the main advantages and disadvantages of each IDS type can be pointed out. Signature-based schemes provide very good detection results for specified, well-known attacks. However, they are not capable of detecting new, unfamiliar intrusions, even if they are built as minimum variants of already known attacks. On the contrary, the main benefit of anomaly-based detection techniques is their potential to detect previously unseen intrusion events. However, and despite the likely inaccuracy in formal signature specifications, the rate of false positives (or FP, events erroneously classified as attacks; see Section 2) in anomaly-based systems is usually higher than in signature-based ones.

Given the promising capabilities of anomaly-based network intrusion detection systems (A-NIDS), this approach is currently a principal focus of research and development in the field of intrusion detection. Various systems with A-NIDS capabilities are becoming available, and many new schemes are being explored. However, the subject is far from mature and key issues remain to be solved before wide scale deployment of A-NIDS platforms can be practicable. Focusing, thus, on A-NIDS technologies, the rest of this paper is organized as follows: Section 2 presents the various algorithms proposed for anomaly detection. Then, existing A-NIDS platforms, either currently available or under development, and which include anomaly detection functionalities, are presented in Section 3. This constitutes a valuable contribution of the present paper in comparison with other published work. The fourth section discusses open issues and challenges in this field, with special emphasis on A-NIDS assessment. Finally, Section 5 summarizes the main points of the paper.

2. A-NIDS techniques

Although different A-NIDS approaches exist (Estévez-Tapiador et al., 2004), in general terms all of them consist of the following basic modules or stages (Fig. 2):

– Parameterization: In this stage, the observed instances of the target system are represented in a pre-established form.
– Training stage: The normal (or abnormal) behavior of the system is characterized and a corresponding model is built. This can be done in very different ways, automatically or manually, depending on the type of A-NIDS considered (see classification below).
– Detection stage: Once the model for the system is available, it is compared with the (parameterized) observed traffic. If the deviation found exceeds (or is below, in the case of abnormality models) a given threshold, an alarm will be triggered (Estévez-Tapiador et al., 2004).

Fig. 2 – Generic A-NIDS functional architecture (monitored environment, parameterization, training, model, detection, intrusion report).

According to the type of processing related to the "behavioral" model of the target system, anomaly detection techniques can be classified into three main categories (Lazarevic et al., 2005) (see Fig. 3): statistical-based, knowledge-based, and machine learning-based. In the statistical-based case, the behavior of the system is represented from a random viewpoint. On the other hand, knowledge-based A-NIDS techniques try to capture the claimed behavior from available system data (protocol specifications, network traffic instances, etc.). Finally, machine learning A-NIDS schemes are based on the establishment of an explicit or implicit model that allows the patterns analyzed to be categorized.
Two key aspects concern the evaluation, and thus the comparison, of the performance of alternative intrusion detection approaches: these are the efficiency of the detection process, and the cost involved in the operation. Without underestimating the importance of the cost, at this point the efficiency aspect must be emphasized. Four situations exist in this context, corresponding to the relation between the result of the detection for an analyzed event ("normal" vs. "intrusion") and its actual nature ("innocuous" vs. "malicious"). These situations are: false positive (FP), if the analyzed event is innocuous (or "clean") from the perspective of security, but it is classified as malicious; true positive (TP), if the analyzed event is correctly classified as intrusion/malicious; false negative (FN), if the analyzed event is malicious but it is classified as normal/innocuous; and true negative (TN), if the analyzed event is correctly classified as normal/innocuous. It is clear that low FP and FN rates, together with high TP and TN rates, will result in good efficiency values.

Fig. 3 – Classification of the anomaly detection techniques according to the nature of the processing involved in the "behavioral" model considered: A) Statistical based: univariate, multivariate, time series model; B) Knowledge based: FSM, description languages, expert systems; C) Machine learning based: Bayesian networks, Markov models, neural networks, fuzzy logic, genetic algorithms, clustering & outlier detection.

The fundamentals for statistical, knowledge and machine learning-based A-NIDS, as well as the principal subtypes of each, are described below. The main features of all are summarized in Table 1. Above and beyond other possibilities, the question of efficiency should be a prime consideration in selecting and implementing A-NIDS methodologies.

2.1. Statistical-based A-NIDS techniques

In statistical-based techniques, the network traffic activity is captured and a profile representing its stochastic behavior is created. This profile is based on metrics such as the traffic rate, the number of packets for each protocol, the rate of connections, the number of different IP addresses, etc.
Two datasets of network traffic are considered during the anomaly detection process: one corresponds to the currently observed profile over time, and the other is for the previously trained statistical profile. As the network events occur, the current profile is determined and an anomaly score estimated by comparison of the two behaviors. The score normally indicates the degree of irregularity for a specific event, such that the intrusion detection system will flag the occurrence of an anomaly when the score surpasses a certain threshold.
The earliest statistical approaches, both network oriented and host oriented IDS, corresponded to univariate models, which modeled the parameters as independent Gaussian random variables (Denning and Neumann, 1985), thus defining an acceptable range of values for every variable. Later, multivariate models that consider the correlations between two or more metrics were proposed (Ye et al., 2002). These are useful because experimental data have shown that a better level of discrimination can be obtained from combinations of related measures rather than individually.
Other studies have considered time series models (Detecting Hackers), which use an interval timer, together with an event counter or resource measure, and take into account the order and the inter-arrival times of the observations as well as their values. Thus, an observed traffic instance will be labeled as abnormal if its probability of occurrence is too low at a given time. Apart from their inherent features for use as unsupervised techniques, statistical A-NIDS approaches have a number of virtues.
Firstly, they do not require prior knowledge about the normal activity of the target system; instead, they have the ability to learn the expected behavior of the system from observations. Secondly, statistical methods can provide accurate notification of malicious activities occurring over long periods of time. However, some drawbacks should also be pointed out. First, this kind of A-NIDS is susceptible to being trained by an attacker in such a way that the network traffic generated during the attack is considered as normal.
Second, setting the values of the different parameters/metrics is a difficult task, especially because the balance between false positives and false negatives is affected. Moreover, a statistical distribution per variable is assumed, but not all behaviors can be

Table 1 – Fundamentals of the A-NIDS techniques (fragment; columns: Technique: basics | Pros | Cons | Subtypes)
A) Statistical-based: stochastic behavior. Pros: prior knowledge about normal activity not required.
B) Knowledge-based: availability of prior knowledge/data.
C) Machine learning-based: categorization of patterns.
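The statistical detector of Section 2.1 (a stochastic profile of traffic metrics, an anomaly score, a threshold), the univariate vs. multivariate distinction, the FP/TP/FN/TN bookkeeping of Section 2, and the "trained by an attacker" drawback above, as one added Python example. This is example code written for this page, not code from the paper or its authors. The two metrics (connections/s and packets/s), the training and test windows, the 3-sigma thresholds, and the assumption that the poisoned detector keeps retraining on traffic it has accepted are all constructed for illustration.

```python
"""Toy statistical A-NIDS over per-interval traffic metrics (added example, not the paper's code)."""
import math
from typing import Callable, Dict, List, Tuple

Window = Tuple[float, float]  # (connections per second, packets per second)

# Constructed "normal" training windows: packets grow roughly 10x with connections.
TRAIN: List[Window] = [
    (10, 100), (12, 118), (8, 82), (14, 141), (6, 59), (10, 102), (11, 111), (9, 87),
]

# Constructed labelled test windows: (window, is_malicious).
TEST: List[Tuple[Window, bool]] = [
    ((11, 108), False),
    ((9, 91), False),
    ((13, 131), False),
    ((18, 178), False),  # legitimate burst (e.g. a scheduled backup)
    ((40, 400), True),   # flood: both metrics far outside their normal ranges
    ((14, 45), True),    # scan-like: each metric in range, but their ratio is wrong
]

UNI_THRESHOLD = 3.0    # alarm when any |z-score| exceeds 3 sigma (assumed setting)
MULTI_THRESHOLD = 9.0  # alarm when squared Mahalanobis distance exceeds 3^2 (assumed)


class Profile:
    """Stochastic profile (means, variances, covariance) learned from training windows."""

    def __init__(self, windows: List[Window]):
        self.windows = list(windows)
        self.fit()

    def fit(self) -> None:
        n = len(self.windows)
        c = [w[0] for w in self.windows]
        p = [w[1] for w in self.windows]
        self.mean = (sum(c) / n, sum(p) / n)
        dc = [x - self.mean[0] for x in c]
        dp = [y - self.mean[1] for y in p]
        # sample (n-1) estimates of the variances and the covariance
        self.var = (sum(d * d for d in dc) / (n - 1), sum(d * d for d in dp) / (n - 1))
        self.cov = sum(a * b for a, b in zip(dc, dp)) / (n - 1)

    def univariate_score(self, w: Window) -> float:
        """Largest |z| over the metrics, each modelled as an independent Gaussian."""
        return max(abs(w[i] - self.mean[i]) / math.sqrt(self.var[i]) for i in range(2))

    def multivariate_score(self, w: Window) -> float:
        """Squared Mahalanobis distance; the 2x2 covariance matrix is inverted in closed form."""
        dc, dp = w[0] - self.mean[0], w[1] - self.mean[1]
        det = self.var[0] * self.var[1] - self.cov ** 2
        return (self.var[1] * dc * dc - 2 * self.cov * dc * dp + self.var[0] * dp * dp) / det


def evaluate(scorer: Callable[[Window], float], threshold: float,
             labelled: List[Tuple[Window, bool]]) -> Dict[str, int]:
    """Count TP/FP/FN/TN for a scorer and threshold against labelled windows."""
    counts = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for w, malicious in labelled:
        alarm = scorer(w) > threshold
        if alarm:
            counts["TP" if malicious else "FP"] += 1
        else:
            counts["FN" if malicious else "TN"] += 1
    return counts


def rates(counts: Dict[str, int]) -> Tuple[float, float]:
    """(detection rate TP/(TP+FN), false positive rate FP/(FP+TN))."""
    tpr = counts["TP"] / (counts["TP"] + counts["FN"])
    fpr = counts["FP"] / (counts["FP"] + counts["TN"])
    return tpr, fpr


def poison(profile: Profile, target: Window, steps: int, margin: float = 2.5) -> float:
    """Attacker-driven drift of a detector that keeps retraining on accepted traffic (assumed).

    Each step injects a window sitting `margin` sigmas above the current mean of every
    metric (so it passes the 3-sigma univariate check), then the profile is refitted with
    it. Returns the univariate score of `target` after the drift.
    """
    for _ in range(steps):
        crafted = tuple(profile.mean[i] + margin * math.sqrt(profile.var[i]) for i in range(2))
        assert profile.univariate_score(crafted) <= UNI_THRESHOLD  # accepted as "normal"
        profile.windows.append(crafted)
        profile.fit()
    return profile.univariate_score(target)


if __name__ == "__main__":
    prof = Profile(TRAIN)
    for name, scorer, thr in (("univariate", prof.univariate_score, UNI_THRESHOLD),
                              ("multivariate", prof.multivariate_score, MULTI_THRESHOLD)):
        counts = evaluate(scorer, thr, TEST)
        print(name, counts, "TPR/FPR = %.2f/%.2f" % rates(counts))
    target = (30, 300)
    print("score of %s before drift: %.2f" % (target, prof.univariate_score(target)))
    print("score after 6 injected windows: %.2f" % poison(prof, target, 6))
```

Running the script prints the confusion counts for both models. The scan-like window (14, 45) is missed by the univariate model, since each metric on its own stays within three standard deviations of its mean, but is caught by the Mahalanobis score because the pair breaks the learned correlation between connections and packets, which is the paper's argument for multivariate models. The legitimate burst (18, 178) is flagged by both, showing where the FP rate comes from. In the poisoning run, six crafted windows placed 2.5 sigma above the current mean drag the profile far enough that a window the original profile scored at about 8 sigma falls under the alarm threshold.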