Explain various intrusion detection techniques?

Security failures are inevitable:

  1. so also need to detect intrusions, so we can
    • block the intruder if detected quickly
    • act as a deterrent
    • collect info to improve security
  2. assume an intruder will behave differently from a legitimate user
    • but will have imperfect distinction between

Approaches to Intrusion Detection:

  1. statistical anomaly detection
    • attempts to define normal/expected behavior
    • threshold
    • profile based
  2. rule-based detection
    • attempts to define proper behavior
    • anomaly
    • penetration identification

Audit Records: fundamental tool for intrusion detection

  1. native audit records
    • part of all common multi-user O/S
    • already present for use
    • may not have info wanted in desired form
  2. detection-specific audit records
    • created specifically to collect wanted info
    • at cost of additional overhead on system

Statistical Anomaly Detection:

  1. threshold detection
    • count occurrences of a specific event over time
    • if the count exceeds a reasonable value, assume intrusion
    • alone is a crude & ineffective detector
  2. profile based
    • characterize past behavior of users
    • detect significant deviations from this profile
    • profile usually multi-parameter

Audit Record Analysis: foundation of statistical approaches

  1. analyze records to get metrics over time
    • counter, gauge, interval timer, resource use
  2. use various tests on these to determine if current behavior is acceptable
    • mean & standard deviation, multivariate, Markov process, time series, operational
  3. key advantage is that no prior knowledge of security flaws is used
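The two statistical techniques above, threshold detection and profile-based mean & standard deviation testing, applied to a set of constructed audit records. This is an added illustration, not code from the original notes; the record layout (user, hour, failed-login counter, CPU-seconds resource use) and the threshold/k values are assumptions chosen for the example.

```python
import statistics

# Constructed audit records: (user, hour, failed_logins, cpu_seconds).
# Invented for this example; the first ten rows form the user's history,
# the last row is the current interval under examination.
AUDIT_RECORDS = [
    ("alice", 0, 1, 12.0), ("alice", 1, 0, 10.5), ("alice", 2, 2, 11.0),
    ("alice", 3, 1, 13.0), ("alice", 4, 0, 9.5),  ("alice", 5, 1, 12.5),
    ("alice", 6, 1, 11.5), ("alice", 7, 0, 10.0), ("alice", 8, 2, 12.0),
    ("alice", 9, 1, 11.0),
    ("alice", 10, 14, 95.0),
]

FAILED_LOGIN_THRESHOLD = 10  # assumed fixed limit per interval

def threshold_detect(record, limit=FAILED_LOGIN_THRESHOLD):
    """Threshold detection: a counter for one interval exceeds a fixed value.
    Crude on its own: a single limit ignores how the user normally behaves."""
    _user, _hour, failed, _cpu = record
    return failed > limit

def build_profile(history):
    """Profile-based detection, step 1: per-user mean and standard deviation
    of each metric computed from past audit records (no prior knowledge of flaws)."""
    profile = {}
    for user in {r[0] for r in history}:
        rows = [r for r in history if r[0] == user]
        failed = [r[2] for r in rows]
        cpu = [r[3] for r in rows]
        profile[user] = {
            "failed_logins": (statistics.mean(failed), statistics.pstdev(failed)),
            "cpu_seconds": (statistics.mean(cpu), statistics.pstdev(cpu)),
        }
    return profile

def profile_detect(profile, record, k=3.0):
    """Profile-based detection, step 2: flag each metric whose current value
    deviates from the user's mean by more than k standard deviations.
    Returns {metric: z-score} for the flagged metrics (empty if behaviour is normal)."""
    user, _hour, failed, cpu = record
    deviations = {}
    for name, value in (("failed_logins", failed), ("cpu_seconds", cpu)):
        mean, sd = profile[user][name]
        if sd == 0:          # constant history: any change is a deviation
            if value != mean:
                deviations[name] = float("inf")
            continue
        z = (value - mean) / sd
        if abs(z) > k:
            deviations[name] = round(z, 2)
    return deviations
```

Running `profile_detect(build_profile(AUDIT_RECORDS[:-1]), AUDIT_RECORDS[-1])` flags both metrics for hour 10, while a row such as `("alice", 11, 2, 13.0)` passes both tests.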

Rule-Based Intrusion Detection: observe events on system & apply rules to decide if activity is suspicious or not

  1. rule-based anomaly detection
    • analyze historical audit records to identify usage patterns & auto-generate rules for them
    • then observe current behavior & match it against the rules to see if it conforms
    • like statistical anomaly detection, does not require prior knowledge of security flaws
