Wednesday, January 11, 2006

How far have we progressed in IDS?

I am taking a course on Intrusion Detection this term, and since it is a seminar course we are discussing some of the popular papers on this topic. So I thought I'd share some of the discussion with the world as well...

Intrusion Detection is a very young research area. Early traces of research point to interesting work done by Anderson (1980), Computer Security Threat Monitoring and Surveillance, and Denning (1986), An Intrusion Detection Model.

It's important to note that even though the technology was old and the proposed model is not well suited to present-day situations, the questions they tried to address still remain open.

These two papers discuss pretty much the same security requirements for an IDS. Primarily they are concerned with both external and internal attacks. However, they both rely on audit trails or audit records for any intrusion detection. The models discussed in the papers rest on the assumption that any abnormal behavior in system access or resource usage will manifest in the audit data, and that the source of the threat can also be identified from it, even though this is not always true. Both authors were aware of possible attacks from internal and external users of the system and believed that running through the audit trails or records in search of abnormal system behavior or usage patterns would reveal any attempt at intrusion. When it comes to analyzing the audit records, both papers discuss models based on statistical metrics and measures. The approach taken to understanding the audit records is to characterize computer usage by means of user ids, file accesses and program executions.

The computing infrastructure considered in these intrusion detection models is primarily batch and time-sharing systems. The models discussed suit the needs of centralized systems with a limited number of users and resources. The scalability of such systems has not been considered in this IDS architecture. Present-day systems are typically distributed in nature and have great potential to grow rapidly in terms of users and resources. The growth of PC technology has created a demand for intrusion detection systems that are simple and deployable on almost all present-day PCs. The goals discussed in these two papers do not really cater to present-day needs. However, the approach taken towards intrusion detection can be applied very well to present requirements with little modification. When we look at current server-based technologies and the proliferation of Internet-based software systems, the assumptions made in these two papers become invalid. The open and ever-growing Internet architecture imposes increasing requirements on any system in terms of security and intrusion detection. Even though the technology and the techniques for intrusion detection have improved significantly, profile-based or signature-based systems remain less effective because they become obsolete quickly. Building profile templates to monitor new users or resources is no longer trivial with an Internet-based user base for applications. Further, defining rules for anomaly detection becomes even harder as systems grow more heterogeneous while their interoperability is mandatory. Feature interaction among different types of systems is hard to trace when they differ in platform and implementation.


The proposed models are good generalizations to some level, and they tried to answer "Could this be a solution to IDS?". However, the lesson to take from these papers is that some questions like the following ...

* Soundness of Approach -- Does the approach actually detect intrusions? Is it possible to distinguish anomalies related to intrusions from those related to other factors?

* Completeness of Approach -- Does the approach detect most, if not all, intrusions, or is a significant proportion of intrusions undetectable by this method?

* Timeliness of Approach -- Can we detect most intrusions before significant damage is done?

* Choice of Metrics, Statistical Models, and Profiles -- What metrics, models, and profiles provide the best discriminating power? Which are cost-effective? What are the relationships between certain types of anomalies and different methods of intrusion?

* System Design -- How should a system based on the model be designed and implemented?

* Feedback -- What effect should detection of an intrusion have on the target system? Should IDES automatically direct the system to take certain actions?

* Social Implications -- How will an intrusion detection system affect the user community it monitors? Will it deter intrusions? Will the users feel their data are better protected? Will it be regarded as a step towards ‘big brother’? Will its capabilities be misused to that end?


remain open for present-day IDS. So, since 1980, how far have we progressed in terms of intrusion detection?
