Download Signature Based and Anomaly

A Comparison Between Signature Based and Anomaly
Based Intrusion Detection Systems
By: Brandon Lokesak
For: COSC 356
Date: 12/4/2008
Outline
Introduction
Define an Intrusion

Objectives
Signature
of Intrusion Detection Systems
Based Detection
 Advantages
Anomaly
Based Detection
 Advantages
Active
and Disadvantages
and Disadvantages
Intrusion Detection Systems (IPS)
Cost
Conclusion
Introduction




Intrusion Detection System: A system which inspects all
inbound and outbound network activity and identifies
suspicious patterns that may indicate a network or system
attack from someone attempting to break into or compromise
a system.
An IDS is basically a sophisticated packet scanner.
Designed and put into use on production networks between
the late 1970's and early 1980's and still in use today.
The software scans all packets on the network and attempts
to classify the traffic as intrusive or non intrusive.
What Is an Intrusion
An intrusion is “Any set of activities that attempt to compromise the
integrity, confidentiality or availability of a resource.




"Denial of Service – action or series of actions that prevent some
part of a system from performing as intended
Disclosure – unauthorized acquisition of sensitive information
Manipulation – improper modification of system information
whether being processed, stored, or transmitted
Masqueraders – attempt by an unauthorized user or process to
gain access to a system by posing as an authorized entity
Threats Continued




Replay – retransmission of valid messages under invalid
circumstances to produce unauthorized effects
Repudiation – successful denial of an action
Physical Impossibilities – violation of an object residing in two
places at the same time, moving from one place to another in less
than optimal time, or repeating a specific action in less than some
minimal time quantum
Device Malfunctions (health of the system) – partial or complete
failure of a monitored system device"
Objectives of Intrusion Detection Systems
"Confidentiality – ensuring that the data and system are
not disclosed to unauthorized individuals,
processes, or
systems

Integrity – ensuring that the data is preserved in regard to
its meaning, completeness, consistency, intended
use,
and correlation to its representation

Availability – ensuring that the data and system are
accessible and usable to authorized individuals
and/or
processes


or
Accountability – ensuring that transactions are recorded
so that events may be recreated and traced to users
processes"
Signature Based Detection
Signature based detection works in a similar fashion to a virus
scanner. This style of detection relies on rules and tries to
associate possible patterns to intrusion attempts. Viruses are
known to often attempt a series of steps to penetrate a system.
This series of steps would be compiled into such a rule. Whenever
the IDS software (an agent) collects the data it then compares what
it has observed against the rules that have been defined and then
has to decide whether it is a positive or a negative attempt.
Advantages of Signature Based Detection



Often considered to be much more accurate at
identifying an intrusion attempt.
Ease of tracking down cause of alarm due to
detailed log files
Time is saved since administrators spend less time
dealing with false positives
Disadvantages of Signature Based Detection


Signature based systems can only detect an
intrusion attempt if it matches a pattern that is in
the database, therefore causing databases to
constantly be updated
When ever a new virus or attack is identified it can
take vendors anywhere from a few hours to a few
days to update their signature databases.
Disadvantages of Signature Based Detection


Hosts that are subjected to large amounts of traffic
the IDS can have a difficult time inspecting every
single packet that it comes in contact, which then
forces some packets to be dropped leaving the
potential for hazardous packets getting by without
detection
Systems can suffer a substantial performance slow
down if not properly equipped with the necessary
hardware to keep up with the demands
Anomaly Based Detection
An anomaly is defined as something that is not not nominal or
normal. Anomaly detection is split into two separate categories:
static and dynamic.

Static
 assumes that one or more sections on the host should remain
constant



Focus only on the software side and ignore any unusual changes
in hardware
Used to monitor data integrity
Dynamic
 Depends on a baseline or profile
 Baseline established by IDS or network administrator
 Baseline tells the system what kind of traffic looks normal
 May include information about bandwidth, ports, time frames
etc...
Advantages of Anomaly Based Detection
New threats can be detected with out having to worry about
databased being up to date

Very little maintenance once system is installed it continues to
learn about network activity and continues to build its profiles.

The longer the system is in use the more accurate it can
become at identifying threats

Disadvantages of Anomaly Based Detection
The network can be in an unprotected state as the system
builds its profile.

If malicious activity looks like normal traffic to the system it will
never send an alarm.

False positives can become cumbersome with an anomaly
based setup. Normal usage such as checking e-mail after a
meeting has the potential to signal an alarm.

Active Intrusion Detection Systems
Passive systems can only send an alarm to an administrator
when there is an attempt in progress. An active system can take
control of the situation by disconnecting the assailant
Methods:
Session Disruption:
 IDS may send a TCP reset packet if the attacker has opened a
TCP connection to the victim
 IDS may send various UDP packets to disrupt a UDP connection
 Will not permanently remedy the situation only disconnect the
current connection
Rule Modification
 IDS is linked to a firewall via an administrative link
 IDS communicates with the firewall telling it to drop all packets
from the attackers IP Address
Costs
"CSO magazine’s 2006 E-Crime Watch survey revealed that the
damage done by enterprise security events is getting worse.
Sixty-three percent of respondents reported operational losses
as a result of e-crime, 23 percent reported harm done to their
organization’s reputation and 40 percent reported financial
losses, which averaged $740,000 in 2005 compared to an
average of $507,000 in 2004."



Intrusion Detection Systems range in price anywhere from
$4,000 - $60,000 depending on the features that a company
may need
The price may appear high to some but when compared to
the cost of the damage that may be done its a well spent
investment to a company
Remember that data is very hard to put a price tag on if lost
Questions?