Mumbai university > Electronics and telecommunication Engineering > Sem 7 > Data compression and Encryption

Marks: 10

Years: Dec 2015

• Inevitably, the best intrusion prevention system will fail.

• A system’s second line of defence is intrusion detection and this has been the focus of much research in recent years.

• This interest is motivated by a number of considerations, including the following:

1. If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done or any data are compromised. Even if the detection is not sufficiently timely to pre-empt the intruder, the sooner that the intrusion is detected, the less the amount of damage and the more quickly that recovery can be achieved.

2. An effective intrusion detection system can serve as a deterrent, so acting to prevent intrusions.

3. Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility.

• Intrusion detection is based on the assumption that the behaviour of the intruder differs from that of a legitimate user in ways that can be quantified.

• Of course, we cannot expect that there will be a crisp, exact distinction between an attack by an intruder and the normal use of resources by an authorized user.

• Rather, we must expect that there will be some overlap.

• Although the typical behaviour of an intruder differs from the typical behaviour of an authorized user, there is an overlap in these behaviours.

• Thus, a loose interpretation of intruder behaviour which will catch more intruders will also lead to a number of “false positives,” or authorized users identified as intruders.

• On the other hand, an attempt to limit false positives by a tight interpretation of intruder behaviour will lead to an increase in false negatives or intruders not identified as intruders.

• Thus, there is an element of compromise and art in the practice of intrusion detection.

• In Anderson’s study [ANDE80], it was postulated that one could, with reasonable confidence, distinguish between a masquerade and a legitimate user.

• Patterns of legitimate user behaviour can be established by observing past history, and significant deviation from such patterns can be detected.

• Anderson suggests that the task of detecting a misfeasor is more difficult, in that the distinction between abnormal and normal behaviour may be small.

• Anderson concluded that such violations would be undetectable solely through the search for anomalous behaviour.

• However, misfeasor behaviour might nevertheless be detectable by intelligent definition of the class of conditions that suggest unauthorized use.

• Finally, the detection of the clandestine user was felt to be beyond the scope of purely automated techniques. These observations, which were made in 1980, remain true today.

• [PORR92] identifies the following approaches to intrusion detection:

1. Statistical anomaly detection: Involves the collection of data relating to the behaviour of legitimate users over a period of time. Then statistical tests are applied to observed behaviour to determine with a high level of confidence whether that behaviour is not legitimate user behaviour.

a. Threshold detection: This approach involves defining thresholds, independent of user, for the frequency of occurrence of various events.

b. Profile based: A profile of the activity of each user is developed and used to detect changes in the behaviour of individual accounts.

1. Rule-based detection: Involves an attempt to define a set of rules that can be used to decide that a given behaviour is that of an intruder.

a. Anomaly detection: Rules are developed to detect deviation from previous usage patterns.

b. Penetration identification: An expert system approach that searches for suspicious behaviour.

• In a nutshell, statistical approaches attempt to define normal or expected behaviour whereas rule-based approaches attempt to define proper behaviour.

• Some record of ongoing activity by users must be maintained as input to an intrusion detection system.

• Basically, two plans are used:

o Native audit records: Virtually all multiuser operating systems include accounting software that collects information on user activity. The advantage of using this information is that no additional collection software is needed. The disadvantage is that the native audit records may not contain the needed information or may not contain it in a convenient form.

o Detection-specific audit records: A collection facility can be implemented that generates audit records containing only that information required by the intrusion detection system. One advantage of such an approach is that it could be made vendor independent and ported to a variety of systems. The disadvantage is the extra overhead involved in having, in effect, two accounting packages running on a machine.

• A relatively recent innovation in intrusion detection technology is the honeypot. Honeypots are decoy systems that are designed to lure a potential attacker away from critical systems. Honeypots are designed to

o divert an attacker from accessing critical systems

o collect information about the attacker’s activity

o Encourage the attacker to stay on the system long enough for administrators to respond.