Intrusion detection: an introduction

by Yee Wei Law - Wednesday, 14 June 2023, 3:57 PM
 

NIST defines intrusion detection to be:

Definition 1: Intrusion detection [SM07, Appendix A]

The process of monitoring the events occurring in a computer system or network and analysing them for signs of possible incidents.

Intrusion prevention goes beyond intrusion detection, although “prevention” is strictly speaking an exaggeration:

Definition 2: Intrusion prevention [SM07, Appendix A]

The process of monitoring the events occurring in a computer system or network, analysing them for signs of possible incidents, and attempting to stop detected possible incidents.

In Definition 2, an “attempt” can be anything from raising an alarm for the administrator(s), through resetting or dropping the offending network connection, to reconfiguring a firewall to block traffic from the source address. Only the latter kinds of action actually stop the incident; an alarm merely invites a human to do so, which is why “prevention” overstates what the system itself achieves.

Thus, “intrusion detection and prevention system” (IDPS) is synonymous with “intrusion prevention system” (IPS) [SM07, Appendix A], and is a bit of a redundant term.

Fig. 1 shows an example of a high-end IPS appliance from Cisco.

Fig. 1: A sample IPS appliance from the Cisco Firepower 9300 Series.

In the 1970s and the early 1980s, administrators had to print system logs on paper and audit the printouts manually [KV02]. The process was clearly 1️⃣ reliant on the auditors’ expertise, 2️⃣ time-consuming, and 3️⃣ too slow to detect attacks in progress.

In the 1980s, storage became cheaper, and intrusion detection programs became available for analysing audit logs online, but the programs could only be run at night when the system’s user load was low [KV02]. Thus, detecting attacks in time remained a challenge.

In the early 1990s, real-time intrusion detection systems (IDSs) that analysed audit logs as the logs were produced became available [KV02].

Since the inception of IDSs, the quality and quantity of audit logs have always been a challenge [KV02]:

Quality

The accuracy (how closely the recorded data reflect what actually happened) and precision (how fine-grained and consistent the recorded values are, e.g., the resolution of timestamps and byte counts) of the data collected are crucial.

Inaccurate or imprecise data can lead to false negatives (illegitimate events misdiagnosed as legitimate) or false positives (legitimate events misdiagnosed as illegitimate).

Quantity

On one hand, not collecting enough data ⇒ an attack could evade detection. For example, network-related data alone cannot help with detecting a malware that does not access any network.

On the other, collecting too much data (from too many sources and/or too frequently) ⇒ storage could run out and processing could take too long.

Effective detection of attacks depends on capturing all relevant data at sufficiently fine time scales.

An IDS is meant to detect [KV02]:

Misuses

These are abuses and attacks of known patterns that can be encoded in computer-interpretable rules or signatures.

An abuse is an intentional or unintentional violation of organisational policies.

Anomalies

An anomaly, also called outlier, is a “significant” deviation from some model of normalcy, where “significance” is contextual and can be fluid.

A model of normalcy is called a baseline model and is often challenging to build for a dynamic environment.

Accordingly, intrusion detection algorithms can be classified as [SM07; YT11, p. 2; BK14, p. 4; Led22; Pal22]:

Rule-based / signature-based

A rule specifies the conditions of legitimacy of an event, typically with the help of signatures.

Signatures can be

  • exploit-facing, e.g., malicious byte sequences, email subject headings associated with phishing, email attachments containing executable binaries, traffic going to known malicious domains, file hashes matching known malware; or
  • vulnerability-facing, e.g., SSH clients or servers advertising a vulnerable protocol or software version, system log entries indicating that auditing has been disabled.

Signatures can encode violations of organisational policies, e.g., remote login attempts as “root”.

Stateful protocol analysis, also called deep packet inspection, tracks the state of each application-layer protocol session and compares vendor-developed profiles of benign protocol activity (expected command sequences, argument lengths, and the like) against observed events to identify deviations [SH09, Jun16]. NIST SP 800-94 [SM07] lists it as a third detection methodology alongside signature-based and anomaly-based detection, and [LRLT13] likewise classifies it separately; since the profiles are nonetheless protocol-specific rules written by the vendor, it is treated here as a form of rule-based detection.

As threats grow, the dictionary of signatures necessarily grows, demanding more computational and storage resources accordingly.

Rule-based detection is effective against known threats that can be expressed using a set of rules and signatures.

Rule-based detection is ineffective against threats that are hard to capture with a finite set of rules and signatures, even known ones such as multi-stage attacks whose individual steps each look benign, and against previously unknown threats. An attacker who can vary the exact bytes a signature looks for (e.g., by re-encoding a payload) can also evade it.

Snort is an industry-standard open-source rule-based intrusion prevention software (and hence also intrusion detection software). It is, for example, the detection engine inside Cisco’s Firepower Threat Defense software that runs on the appliance in Fig. 1.
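The following is an added example, not code from the page, from Snort or from [SM07], of how the three kinds of signature described above (exploit-facing, vulnerability-facing, and policy-encoding) can be written as rules and applied to a stream of events. The events, the “known bad” domain and hash lists, and the list of “vulnerable” SSH version strings are all constructed for the demo; in Snort the same tests would be expressed with rule options such as `content:` rather than Python functions.

```python
"""Added example (not from the page or from Snort): a minimal rule engine
that applies exploit-facing, vulnerability-facing and policy signatures to
constructed events.  All reference data below are made up for the demo."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from typing import Callable


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- constructed reference data (assumptions, not real threat intelligence) --
KNOWN_BAD_DOMAINS = {"updates.example-c2.invalid"}
KNOWN_BAD_SHA256 = {sha256(b"MZ\x90\x00PAYLOAD")}   # hash of the sample attachment
VULNERABLE_SSH_BANNERS = (b"SSH-1.99-", b"SSH-1.5-")  # assumed vulnerable versions


@dataclass
class Event:
    kind: str                       # "net", "mail", "syslog" or "auth"
    attrs: dict = field(default_factory=dict)


@dataclass
class Rule:
    sid: int                        # rule identifier, like Snort's sid
    msg: str
    facing: str                     # "exploit", "vulnerability" or "policy"
    match: Callable[[Event], bool]


RULES = [
    # exploit-facing: a malicious byte sequence (NOP sled) in a TCP payload
    Rule(1000001, "NOP sled in payload", "exploit",
         lambda e: e.kind == "net" and b"\x90" * 8 in e.attrs.get("payload", b"")),
    # exploit-facing: traffic going to a known malicious domain
    Rule(1000002, "DNS query for known C2 domain", "exploit",
         lambda e: e.kind == "net" and e.attrs.get("qname") in KNOWN_BAD_DOMAINS),
    # exploit-facing: attachment whose hash matches known malware
    Rule(1000003, "email attachment matches known-malware hash", "exploit",
         lambda e: e.kind == "mail"
         and sha256(e.attrs.get("attachment", b"")) in KNOWN_BAD_SHA256),
    # vulnerability-facing: SSH banner advertising a vulnerable version
    Rule(1000004, "SSH banner advertises vulnerable version", "vulnerability",
         lambda e: e.kind == "net" and e.attrs.get("dport") == 22
         and e.attrs.get("payload", b"").startswith(VULNERABLE_SSH_BANNERS)),
    # vulnerability-facing: log entry showing that auditing was disabled
    Rule(1000005, "audit daemon stopped", "vulnerability",
         lambda e: e.kind == "syslog" and "auditd" in e.attrs.get("line", "")
         and "stopped" in e.attrs.get("line", "")),
    # policy: remote login attempt as root (local console logins are exempt)
    Rule(1000006, "remote login attempt as root", "policy",
         lambda e: e.kind == "auth" and e.attrs.get("user") == "root"
         and e.attrs.get("src") != "127.0.0.1"),
]


def run_rules(events, rules=RULES):
    """Return (sid, msg) for every rule each event triggers, in event order."""
    hits = []
    for ev in events:
        for rule in rules:
            if rule.match(ev):
                hits.append((rule.sid, rule.msg))
    return hits


# --- constructed sample events ---------------------------------------------
SAMPLE_EVENTS = [
    Event("net", {"dport": 22, "payload": b"SSH-2.0-OpenSSH_9.3\r\n"}),            # benign
    Event("net", {"dport": 22, "payload": b"SSH-1.99-OldClient\r\n"}),             # vulnerable
    Event("net", {"dport": 80, "payload": b"GET / HTTP/1.1\r\n" + b"\x90" * 16}),  # NOP sled
    Event("net", {"dport": 53, "qname": "updates.example-c2.invalid"}),
    Event("mail", {"attachment": b"MZ\x90\x00PAYLOAD"}),
    Event("syslog", {"line": "auditd[812]: The audit daemon is stopped"}),
    Event("auth", {"user": "root", "src": "203.0.113.7"}),
    Event("auth", {"user": "alice", "src": "203.0.113.7"}),                         # benign
]

if __name__ == "__main__":
    for sid, msg in run_rules(SAMPLE_EVENTS):
        print(f"[{sid}] {msg}")
```

Each rule is a closed-form test on one event, which is exactly what makes this style cheap to run and easy to share, and also why it cannot see a multi-stage attack whose individual events (a benign-looking SSH login, then a file copy, then a DNS query) each fail to match any rule on their own.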

Anomaly-based / behaviour-based

This is the application of statistical or machine-learning techniques to deciding whether the behaviour of a user, host or component is anomalous.

It depends on the prior establishment of a baseline behavioural model, usually learnt from a period of observation that is assumed to be attack-free; any malicious activity present during that period gets baked into the baseline as “normal”.

It can detect previously unknown attacks as long as the attacks manifest as anomalies relative to the baseline model.

It is effective at detection but tends to produce excessive false positives, because legitimate but novel behaviour (a new backup job, a software rollout) is also a deviation from the baseline.

Behaviour-based detection, when applied to network behaviour, falls into the area of network behaviour analysis.

Definition 3: Network behaviour analysis [SM07, Xu22]

End-to-end process of collecting, extracting, analysing, modelling, and interpreting network behaviour (e.g., distributed denial of service, worm, backdoor, policy violation) of end systems and network applications from a large volume of network traffic data such as TCP/IP data packets and network flows.

A network behaviour analysis pipeline typically consists of these steps [Xu22, Fig. 2.1]: 1️⃣ network traffic data collection, 2️⃣ data storage and preprocessing, 3️⃣ behavioural feature selection and exploration, 4️⃣ analysis and modeling, 5️⃣ behavioural insights and applications.
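The following is an added example, not code from the page or from [Xu22], that serves both the anomaly-based detection passage above and the five-step network behaviour analysis pipeline: a small detector over constructed NetFlow-like records, organised along those five steps. The hosts, flow records, window length, features and threshold are all assumptions made for the demo. Three test windows are scored against a baseline learnt from twenty routine windows: a bulk upload to an outside host (detected), a lateral scan (detected by a different feature), and a legitimate but never-seen-before backup job, which is flagged too and illustrates the false-positive problem.

```python
"""Added example (not from the page or from any IDS product): an anomaly-based
detector over constructed NetFlow-like records, laid out along the five
pipeline steps of [Xu22].  All hosts, flows and thresholds are made up."""
from collections import defaultdict
from statistics import median

WINDOW = 60  # seconds per analysis window (assumption)


# 1. data collection: one constructed record per line, "ts,src,dst,dport,bytes".
def make_flows():
    """Twenty windows of routine file-server traffic from 10.0.0.5 (2-4 peers,
    ~1 KB each), followed by three test windows: a bulk upload to an outside
    host, a lateral SSH scan, and a legitimate but new backup job."""
    lines = []
    for w in range(20):
        for d in range(2 + w % 3):
            lines.append(f"{w * WINDOW},10.0.0.5,10.0.0.{10 + d},445,"
                         f"{1000 + (w * 37 + d * 53) % 400}")
    t = 20 * WINDOW
    lines.append(f"{t},10.0.0.5,203.0.113.9,443,5000000")            # exfiltration-like
    for d in range(40):                                              # scan of 40 hosts
        lines.append(f"{t + WINDOW},10.0.0.5,10.0.0.{64 + d},22,60")
    lines.append(f"{t + 2 * WINDOW},10.0.0.5,10.0.0.200,873,3000000")  # new backup server
    return "\n".join(lines)


# 2. storage and preprocessing: parse records and bucket them by (src, window).
def bucket(text):
    buckets = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, dport, nbytes = line.split(",")
        buckets[(src, int(ts) // WINDOW)].append((dst, int(dport), int(nbytes)))
    return buckets


# 3. feature selection: two behavioural features per (src, window).
def features(flows):
    return {"bytes_out": sum(b for _, _, b in flows),
            "distinct_dst": len({d for d, _, _ in flows})}


# 4. modelling: a robust baseline per feature, median and median absolute
#    deviation (MAD), so that a single odd training window cannot skew it much.
def fit(feature_rows):
    model = {}
    for name in feature_rows[0]:
        vals = [row[name] for row in feature_rows]
        m = median(vals)
        mad = median(abs(v - m) for v in vals) or 1.0   # floor: never divide by zero
        model[name] = (m, mad)
    return model


def score(model, feats, threshold=5.0):
    """Return the features whose robust z-score exceeds the threshold (one-sided:
    unusually *large* values are what matter for these two features)."""
    return {name: round((feats[name] - m) / mad, 1)
            for name, (m, mad) in model.items()
            if (feats[name] - m) / mad > threshold}


# 5. insights: learn from the first train_windows windows, score the rest.
def analyse(text, src="10.0.0.5", train_windows=20):
    buckets = bucket(text)
    # The training windows are ASSUMED attack-free; an attack inside them would
    # be learnt as normal (baseline poisoning).
    rows = [features(buckets[(src, w)]) for w in range(train_windows)]
    model = fit(rows)
    alerts = {}
    for (s, w), flows in sorted(buckets.items()):
        if s == src and w >= train_windows:
            hit = score(model, features(flows))
            if hit:
                alerts[w] = hit
    return model, alerts


if __name__ == "__main__":
    model, alerts = analyse(make_flows())
    print("baseline (median, MAD) per feature:", model)
    for w, hit in alerts.items():
        print(f"window {w}: anomalous {hit}")
```

Window 20 trips `bytes_out` and window 21 trips `distinct_dst`, neither of which a signature could have caught without prior knowledge of the destination or the scanner; window 22 trips `bytes_out` as well although it is a legitimate backup, and the only ways to silence it are to re-train the baseline once the backup job is known or to add context (a whitelist of backup servers) that the flow records alone do not carry.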

Depending on its type, an IDS can comprise several types of components, as shown in Fig. 2: sensors/agents (which monitor and analyse network activities and may also perform preventive actions), management servers, database servers, user and administrator consoles, and management networks [SM07].

There is more than one way to classify IDSs. See the attachment for different classifications of IDSs.

Fig. 2: IDS components. [SM07] uses “sensor” for the monitoring component of a network-based IDS and “agent” for that of a host-based IDS; the two play the same role and are used interchangeably here.

Watch the following LinkedIn Learning video for a quick summary of IDS:

What is an IDS? from Protecting Your Network with Open Source Software by Jungwoo Ryoo

References

[BE07] A. R. Baker and J. Esler (eds.), Snort IDS and IPS Toolkit, Syngress, 2007. https://doi.org/10.1016/B978-1-59749-099-3.X5000-9.
[BK14] D. K. Bhattacharyya and J. K. Kalita, Network Anomaly Detection: A Machine Learning Perspective, CRC Press, 2014. https://doi.org/10.1201/b15088.
[FGCMF21] M. Fuentes-García, J. Camacho, and G. Maciá-Fernández, Present and future of network security monitoring, IEEE Access 9 (2021), 112744–112760. https://doi.org/10.1109/ACCESS.2021.3067106.
[Gar22] Gartner, Unified Threat Management (UTM), Information Technology Glossary, 2022, accessed 23 Dec 2022. Available at https://www.gartner.com/en/information-technology/glossary/unified-threat-management-utm.
[HH05] S. Hansman and R. Hunt, A taxonomy of network and computer attacks, Computers & Security 24 no. 1 (2005), 31–43. https://doi.org/10.1016/j.cose.2004.06.011.
[JDR+11] A. Johnson, K. Dempsey, R. Ross, S. Gupta, and D. Bailey, Guide for security-focused configuration management of information systems, NIST Special Publication 800-128, August 2011. https://doi.org/10.6028/NIST.SP.800-128.
[Jun16] Juniper Networks, Learn about intrusion detection and prevention, 2016. Available at https://www.juniper.net/documentation/en_US/learn-about/LA_IntrusionDetectionandPrevention.pdf.
[KV02] R. Kemmerer and G. Vigna, Intrusion detection: a brief history and overview, Computer 35 no. 4 (2002), supl27–supl30. https://doi.org/10.1109/MC.2002.1012428.
[KGVK19] A. Khraisat, I. Gondal, P. Vamplew, and J. Kamruzzaman, Survey of intrusion detection systems: techniques, datasets and challenges, Cybersecurity 2 no. 1 (2019), 20. https://doi.org/10.1186/s42400-019-0038-7.
[Led22] J. Ledesma, IDS vs. IPS: What Organizations Need to Know, Varonis Inside Out Security Blog, June 2022. Available at https://www.varonis.com/blog/ids-vs-ips.
[LRLT13] H.-J. Liao, C.-H. Richard Lin, Y.-C. Lin, and K.-Y. Tung, Intrusion detection system: A comprehensive review, Journal of Network and Computer Applications 36 no. 1 (2013), 16–24. https://doi.org/10.1016/j.jnca.2012.09.004.
[LDVH+18] L. Liu, O. De Vel, Q.-L. Han, J. Zhang, and Y. Xiang, Detecting and preventing cyber insider threats: A survey, IEEE Communications Surveys & Tutorials 20 no. 2 (2018), 1397–1417. https://doi.org/10.1109/COMST.2018.2800740.
[Mav20] N. Mavis, Snort 101, YouTube video by Cisco Talos Intelligence Group, February 2020. Available at https://youtu.be/W1pb9DFCXLw.
[NDP18] J. Navarro, A. Deruyver, and P. Parrend, A systematic survey on multi-step attack detection, Computers & Security 76 (2018), 214–249. https://doi.org/10.1016/j.cose.2018.03.001.
[Pal22] Palo Alto Networks, What is an intrusion prevention system?, Cyberpedia, 2022, accessed 21 Dec 2022. Available at https://www.paloaltonetworks.com/cyberpedia/what-is-an-intrusion-prevention-system-ips.
[SH09] K. Scarfone and P. Hoffman, Guidelines on firewalls and firewall policy, NIST Special Publication 800-41 Revision 1, September 2009. Available at https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf.
[SM07] K. Scarfone and P. Mell, Guide to Intrusion Detection and Prevention Systems (IDPS), NIST Special Publication 800-94, 2007. Available at https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-94.pdf.
[Sno20] Snort, SNORT® Users Manual 2.9.16, 2020. Available at https://www.snort.org/documents/snort-users-manual-2-9-16-html.
[Sno23] Snort, Shared Object Rules, Snort FAQ, 2023, accessed 3 Feb 2023. Available at https://www.snort.org/faq/shared-object-rules.
[Via22] Viasat, KA-SAT Network cyber attack overview, Viasat corporate news, March 2022. Available at https://news.viasat.com/blog/corporate/ka-sat-network-cyber-attack-overview.
[Xu22] K. Xu, Network Behavior Analysis: Measurement, Models, and Applications, Springer Singapore, 2022. https://doi.org/10.1007/978-981-16-8325-1.
[YT11] Z. Yu and J. J. Tsai, Intrusion Detection: A Machine Learning Approach, Electrical and Computer Engineering, Imperial College Press, 2011.

Intrusion detection systems: classifications

by Yee Wei Law - Monday, 27 February 2023, 12:02 PM
 
See attachment 👇.