INTRUSION DETECTION

JITHIN-C

INTRUSION DETECTION

The best intrusion prevention technique may even fail so its better to detect the intrusion at a earlier stage and prevent it. Effective intrusion detection system can serve as a deterrent ,so acting to prevent intrusions and also helps to improve the quality of the intrusion detection.

Intrusion detection is based on the assumption that the behaviour of the intruder differs from that of a legitimate (authorized) user. Pattern of legitimate users behavior can be established by observing past history and significant deviation from such patterns can be detected. A loose interpretation or tight interpretation of intrusion detection may cause problems.

AUDIT RECORDS

A fundamental tool for intrusion detection is the audit record.some records of ongoing activity of users must be maintained as input to intrusion detection system. Two plans are used under this Native audit records Detection specific audit records

Native audit records :All multiuser operating systems have some accounting softwares in it. It collects information about the activities but sometimes it may not conatin the needed information or may not contain it in a convenient form.

Detection specific audit records :A collection facility can be implemented that generates audit records containing only that information required by the intrusion detection system.

Dorothy Denning [DENN87]

An example of an detection specific audit record

subject action

object

Exception condition

Resource usage

Time stamp

Approaches

There are two approaches to intrusion detection Statistically Anomaly Detection Rule Based Detection

Statistically Anomaly Detection

involves the collection of data relating to the behavior of legitimate users over a period of time.then statistical tests are applied to observed behavior to determine the intrusion in the system Threshold detection Profile based

Threshold detection

Counting the number of occurrences of a specific event type over an interval of time . If the count surpasses the limit then intrusion is assumed. Ineffective for sophisticated attack. Thresholds may generate false positives or false negatives.

Profile Based Detection

It focuses on characterising the past behaviour of individual users or group of users and then detecting significant deviations. It is based on audit records .it provides input to intrusion detection. First the designer decide on the number of quantitative metrics that can be used to measure user behavior . Second ,current audit records are the input used to detect intrusion.

Metrics used for profile based intrusion

Counter Guage Interval timer Resource utilization

Rule based detection It Involves an attempt to define a set of rules that can be used to decide that a given behavior is that of an intruder.

Anomaly detection: Penetration identification

Rule based anomaly approach :historical audit records are analyzed to identify usage patterns and to generate rules .current behavior is then observed and matched with these rules. Rule based penetration identification :one based on expert system technology .collecting penetration scenarios and setting up rules based on that.Rules in the system are specific for that system or operating system only.

Honey pots

Honeypots are decoy systems that are designed to lure a potential attacker away from critical systems. Honeypots are designed to -diverting attacker from accessing critical systems -collect information about the activity -encourage the attacker to stay on the system until the system administrator responds.

THANKYOU