Databases, routers and applications generate audit trails, but no one has time to read all of the audit log data. As the number of users, systems, applications and databases grows, the audit logs grow as well, becoming so large that they may actually cause denial-of-service problems by using up too much disk space. Some production companies routinely turn off audit trails to avoid disruptions to production systems [?]. Audit logs are too large to be analyzed directly and must be reduced and filtered before the data can be analyzed or stored. The audit facilities of contemporary operating systems (Windows NT and Solaris) do not suit the needs of intrusion detection systems well either: in general, an intrusion detection system wants to characterize activity at the level of users, sessions and application transactions, while audit logs present activity at the system call, process and network packet level of abstraction. The large size of audit logs is not an obstacle to long-term storage and analysis given effective data compression algorithms. A sample of such algorithms is the Lempel-Ziv family of compression algorithms; Solaris BSM and Windows NT audit logs are highly compressible with them, resulting in an 80-95 percent reduction in size. The audit log must also preserve supporting data that enable us to understand the meaning of the logged data [7].

Implementation: As mentioned earlier, traditional intrusion detection has been performed as post-event audit trail analysis. There are two key advantages of using post-event audit trail analysis. First, it addresses the tremendous difficulties that organizations experience in examining and managing audit trails. Second, investigators and administrators can go back in time and do historical analysis of events that have occurred in the past. But from a network-based security perspective, the disadvantage of a pure "after the fact" approach is that by the time it detects the security problem it is too late to respond and protect the data, and the consequences of the attack go far deeper into the network without resistance. In this case, some companies use Real-Time Activity Monitoring, which is an effective method of intrusion detection for audit logs.

Real-Time Activity Monitoring: This is an effective method for real-time intrusion detection in the sense that it monitors security-related activity occurring on the various systems and devices that make up the network. While most activity monitors watch the operating system audit trails, more sophisticated tools also track audit logs from applications and databases. Real-time activity monitors can detect attacks such as attempts to access unauthorized sensitive files or to replace the login program with a new version. They are also deployed close to the mission-critical data and applications to secure the audit logs [6].

An ideal application of intrusion detection would gather sufficient (normal and abnormal) audit data for a user or program. I suggest applying a classification algorithm to learn a classifier that can label or predict new unseen data as belonging to the normal or abnormal class.
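The three audit-log steps discussed above (reduction and filtering of the raw trail, real-time rule monitoring, and Lempel-Ziv style compression) as one added example. This is illustrative code written for this page, not code from the paper or from any cited system; the line format, the user names, the sensitive-file and protected-binary lists and the log content are all constructed, and zlib's DEFLATE (which is LZ77-based) stands in for the Lempel-Ziv compressors the text mentions.

```python
import re
import zlib
from collections import Counter

# Constructed audit records: "timestamp user operation path result" (a stand-in for
# BSM/Windows NT audit output, not data from the page).
SAMPLE_AUDIT_LOG = "\n".join(
    [f"2024-01-01T10:00:{i:02d} alice open /home/alice/report{i}.txt success" for i in range(40)]
    + [f"2024-01-01T10:01:{i:02d} bob exec /usr/bin/ls success" for i in range(40)]
    + [
        "2024-01-01T10:02:00 bob open /etc/shadow denied",
        "2024-01-01T10:02:01 bob open /etc/shadow denied",
        "2024-01-01T10:02:05 mallory write /bin/login success",
        "2024-01-01T10:02:06 alice open /home/alice/notes.txt success",
    ]
)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
SENSITIVE_FILES = {"/etc/shadow", "/etc/passwd"}        # hypothetical policy
PROTECTED_BINARIES = {"/bin/login", "/usr/bin/su"}     # hypothetical policy
PRIVILEGED_USERS = {"root"}


def parse(log_text):
    """Lift raw lines to event records; lines that do not match the format are dropped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, op, path, result = m.groups()
            events.append({"ts": ts, "user": user, "op": op, "path": path, "result": result})
    return events


def reduce_events(events):
    """Data reduction: collapse events to counts per (user, operation, top-level directory)."""
    counts = Counter()
    for e in events:
        top = "/" + e["path"].split("/")[1]
        counts[(e["user"], e["op"], top)] += 1
    return counts


def realtime_alerts(events):
    """Real-time monitoring rules named in the text: sensitive-file access by an
    unprivileged user, and replacement of the login program."""
    alerts = []
    for e in events:
        if e["path"] in SENSITIVE_FILES and e["user"] not in PRIVILEGED_USERS:
            alerts.append(("sensitive_file_access", e["user"], e["path"]))
        if e["path"] in PROTECTED_BINARIES and e["op"] in {"write", "rename", "unlink"}:
            alerts.append(("binary_replaced", e["user"], e["path"]))
    return alerts


def compression_ratio(log_text):
    """Fraction of bytes removed by DEFLATE (LZ77-based), standing in for Lempel-Ziv."""
    raw = log_text.encode()
    return 1.0 - len(zlib.compress(raw, 9)) / len(raw)


if __name__ == "__main__":
    ev = parse(SAMPLE_AUDIT_LOG)
    print(len(ev), "events reduced to", len(reduce_events(ev)), "summary rows")
    for alert in realtime_alerts(ev):
        print("ALERT", alert)
    print(f"compression removed {compression_ratio(SAMPLE_AUDIT_LOG):.0%} of the bytes")
```

The reduction step keeps the summary rows an analyst can read, the rule step fires while the events stream past rather than after the fact, and the compression step shows why the raw trail is still cheap to archive: audit lines are highly repetitive, so the ratio on even this small sample is well above one half.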
B. CALL STACK
sion detection by analysing return addresses. There is no prior work on dynamically extracting information from the call stack and effectively using it to detect exploits. In our observation, plenty of research has focused on anomaly detection by learning program behavior; a sample of this is the anomaly detection proposed by Feng et al. [2]. Most of the methods proposed were based on modelling system call traces. However, there has not been much improvement in system call based methods recently, in part because system calls themselves only provide a limited amount of information. Invoking system calls is only one aspect of program behavior. I consider the information contained in the call stack for intrusion detection purposes.

that are used for stack unwinding in extracting return addresses. It also may be useful for intrusion detection. Therefore, the call stack can be a good information source for intrusion detection.

Implementation: Giffin et al. proposed an approach to the problem that precision and efficiency are too low in many programs by "inserting null calls", which largely decreases non-determinism and helps solve the impossible path problem. It rewrites the executables and changes the call name space in the call stack. But I consider that this approach may be used only for host based anomaly intrusion detection; as a consequence, the network delays thousands of null calls, which may mean a delay for one real system call. In this case, Feng et al. proposed the VtPath model, which uses the call stack history together with the current PC information, which helps detect more intrusions. It uses a virtual path that integrates signal handling. Figure 3 shows the virtual path for the system call. The definition of the virtual path abstracts the execution of system calls: the program sequentially returns from some functions and gradually enters some other functions. This reflects the idea of call history.
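The virtual-path idea described above, as an added example rather than code from the page or from Feng et al.: at each system call the detector records the return addresses on the stack, and between two consecutive calls it derives the frames the program returned through and the frames it entered above their common prefix. Training collects the set of return addresses and the set of such transitions; detection flags anything unseen. The traces, addresses and system-call names are constructed, and keying the transition on the two system-call names is a simplification made here.

```python
# Constructed call-stack snapshots taken at each system call: (syscall, return addresses
# from the bottom of the stack to the top). Addresses are hypothetical.
NORMAL_TRACES = [
    [("open", (0x401000, 0x402100)), ("read", (0x401000, 0x402100, 0x403200)),
     ("close", (0x401000, 0x402100)), ("exit", (0x401000,))],
    [("open", (0x401000, 0x402100)), ("read", (0x401000, 0x402100, 0x403200)),
     ("read", (0x401000, 0x402100, 0x403200)), ("close", (0x401000, 0x402100)),
     ("exit", (0x401000,))],
]


def virtual_path(prev_stack, cur_stack):
    """Virtual path between two consecutive system calls: the return addresses the
    program returned through (top first) and those it entered (bottom first),
    i.e. everything above the common prefix of the two stacks."""
    common = 0
    while (common < len(prev_stack) and common < len(cur_stack)
           and prev_stack[common] == cur_stack[common]):
        common += 1
    exits = tuple(reversed(prev_stack[common:]))
    entries = tuple(cur_stack[common:])
    return (exits, entries)


def train(traces):
    """Collect every return address and every (syscall, virtual path, syscall) transition."""
    model = {"addrs": set(), "paths": set()}
    for trace in traces:
        prev = None
        for name, stack in trace:
            model["addrs"].update(stack)
            if prev is not None:
                model["paths"].add((prev[0], virtual_path(prev[1], stack), name))
            prev = (name, stack)
    return model


def detect(model, trace):
    """Flag return addresses never seen in training (a frame that does not belong to the
    program, as left behind when control flow is hijacked) and unseen virtual paths."""
    anomalies = []
    prev = None
    for i, (name, stack) in enumerate(trace):
        for addr in stack:
            if addr not in model["addrs"]:
                anomalies.append((i, "unknown return address", hex(addr)))
        if prev is not None:
            key = (prev[0], virtual_path(prev[1], stack), name)
            if key not in model["paths"]:
                anomalies.append((i, "unseen virtual path", f"{prev[0]}->{name}"))
        prev = (name, stack)
    return anomalies


MODEL = train(NORMAL_TRACES)
# Constructed suspect trace: a system call issued through a frame whose return address
# never appeared during training.
SUSPECT_TRACE = [("open", (0x401000, 0x402100)),
                 ("execve", (0x401000, 0x402100, 0x7FFDEAD0))]

if __name__ == "__main__":
    print("normal trace:", detect(MODEL, NORMAL_TRACES[1]))
    print("suspect trace:", detect(MODEL, SUSPECT_TRACE))
```

Because the model only records presence of transitions, a loop such as the repeated `read` in the second normal trace costs one extra entry rather than blowing up the state, which is what keeps this approach cheap enough to run alongside the monitored program.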
In almost all Unix-like systems, most user activities are performed by typing commands on a terminal. These activities include opening new applications, closing them and managing other computer processes. Most of the existing intrusion detection systems base their detection decision on this command-line based dataset. Although this dataset can provide effective anomaly detection capabilities in these systems, it is not sufficient to provide anomaly detection in graphical user interface (GUI) based environments like the Windows operating system and some variants of Unix (Linux, Mac OS, etc.), which are designed to be more visual, where users are expected to activate commands with mouse clicks rather than by typing on a command terminal (Schonlau). In other words, there is a mismatch between user behavior in GUI based systems and in command-line based systems. In a GUI based system, most user activities are performed using either mouse movement and clicks or a combination of mouse movement and keystrokes, while command-line data cannot capture this GUI based behavior, and further efforts are required to incorporate this behavior information for effectively detecting anomalies [4]. Figure 4 shows the general trends of various types of user, drawn from the users' activities and the tasks achieved by these users.

I found that user behavior features based on mouse activity or other activity on a GUI based system can be used to uniquely identify users and thus provide better masquerade detection capability in intrusion detection.

Figure 4. Behavioral Path for various types of User

Implementation: Garg et al. proposed masquerade intrusion detection by profiling users in a GUI, treating detection as a binary classification problem and using a Support Vector Machine (SVM) to learn to classify these feature vectors as masquerades or not. Furthermore, they apply the behavioural path of various users, which could provide details about behavioural profiles and thus enable more accurate anomaly detection than utilizing the command or audit data alone.

Summary of Contributions Proposed in Intrusion Detection System by Garg et al.

The main contribution of the paper is in improving the masquerade detection capabilities of such systems. The specific contributions:

• A logger tool for capturing user behavior actions such as mouse movement, keyboard activity and system processes in a GUI based system
• A parser tool to analyze and extract the user behavior profile parameters from logged data
• Use of Support Vector Machines for learning and classifying unique user profile parameters
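The logger-parser-classifier pipeline from the contribution list above, as an added example written for this page and not the tooling of Garg et al. The logger format, the sessions and the three profile parameters (mean mouse speed, key rate, click rate) are constructed; a nearest-centroid score on relative deviations stands in for the SVM so the example has no dependency beyond the standard library.

```python
import math
import random
import re


def make_session_log(seed, step_px, keys_per_s, clicks_per_s, duration_s=60):
    """Constructed logger output: one 'time kind key=value...' line per GUI event."""
    rng = random.Random(seed)
    ticks = duration_s * 10                      # one mouse sample every 0.1 s
    key_every = max(1, ticks // max(1, round(keys_per_s * duration_s)))
    click_every = max(1, ticks // max(1, round(clicks_per_s * duration_s)))
    x = y = 0.0
    lines = []
    for i in range(ticks):
        t = i / 10.0
        angle = rng.uniform(0.0, 2.0 * math.pi)
        d = step_px * rng.uniform(0.9, 1.1)
        x += d * math.cos(angle)
        y += d * math.sin(angle)
        lines.append(f"{t:.1f} mouse_move x={x:.2f} y={y:.2f}")
        if i % key_every == 0:
            lines.append(f"{t:.1f} key code={rng.randint(65, 90)}")
        if i % click_every == 0:
            lines.append(f"{t:.1f} mouse_click button=left")
    return "\n".join(lines)


LINE_RE = re.compile(r"^(\d+\.\d) (\w+)(?: (.*))?$")


def parse_log(text):
    """Parser tool: turn logger lines into (time, kind, fields) events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            t, kind, detail = m.groups()
            fields = dict(kv.split("=") for kv in (detail or "").split())
            events.append((float(t), kind, fields))
    return events


def features(events):
    """Profile parameters: mean mouse speed (px/s), key rate (1/s), click rate (1/s)."""
    duration = events[-1][0] - events[0][0] + 0.1
    dist, last, keys, clicks = 0.0, None, 0, 0
    for _, kind, f in events:
        if kind == "mouse_move":
            p = (float(f["x"]), float(f["y"]))
            if last is not None:
                dist += math.hypot(p[0] - last[0], p[1] - last[1])
            last = p
        elif kind == "key":
            keys += 1
        elif kind == "mouse_click":
            clicks += 1
    return (dist / duration, keys / duration, clicks / duration)


def build_profile(training_logs):
    """Centroid of the legitimate user's feature vectors."""
    vecs = [features(parse_log(t)) for t in training_logs]
    return tuple(sum(v[i] for v in vecs) / len(vecs) for i in range(3))


def masquerade_score(profile, log_text):
    """Sum of relative deviations from the claimed user's centroid (stand-in for the SVM)."""
    v = features(parse_log(log_text))
    return sum(abs(v[i] - profile[i]) / profile[i] for i in range(3))


def is_masquerade(profile, log_text, threshold=1.0):
    return masquerade_score(profile, log_text) > threshold


# Constructed sessions: a slow-mouse, keyboard-heavy user and a fast-mouse, click-heavy intruder.
ALICE_TRAIN = [make_session_log(s, step_px=10, keys_per_s=2.0, clicks_per_s=0.2) for s in range(1, 5)]
ALICE_PROFILE = build_profile(ALICE_TRAIN)
ALICE_NEW = make_session_log(9, step_px=10, keys_per_s=2.0, clicks_per_s=0.2)
INTRUDER = make_session_log(9, step_px=80, keys_per_s=0.1, clicks_per_s=1.5)

if __name__ == "__main__":
    print("alice score:", round(masquerade_score(ALICE_PROFILE, ALICE_NEW), 3))
    print("intruder score:", round(masquerade_score(ALICE_PROFILE, INTRUDER), 3))
```

The point the paper makes survives the simplification: command-line data would record nothing for either session, while the mouse and keystroke parameters separate the two behaviours by an order of magnitude.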
D. NETWORK TRAFFIC
Network intrusion detection systems are placed at one or more strategic points within the network to monitor traffic to and from all devices on the network.

Advantages of a network based intrusion detection system:
• Lower cost of ownership: It can be deployed per network segment. This reduces management overhead, as there is no need to maintain sensor software at the host level.
• Easier to deploy: Network based IDSs are easier to deploy because they do not affect existing systems or infrastructure and are operating system independent.
• Detects network based attacks: It can detect attacks by checking the entire packet header for anything malicious. It can quickly detect a SYN attack by looking at the contents of the packets in real time.
• Real time detection and quick response: A network based IDS can monitor traffic in real time and detect malicious activity as it occurs.

multiobservation-window, anomaly based network intrusion detection system, prototyped in our laboratory for the US Army's Tactical Internet. HIDE monitors several network traffic parameters simultaneously, constructs a probability density function (PDF) for each, statistically compares it to a reference PDF of normal behavior using a similarity metric, then combines the results into an anomaly status vector that is classified by a neural network classifier. Many simulation experiments have been carried out focusing on the denial of service (DOS) class of attacks, including UDP, ICMP and TCP flooding attacks. The results compare the detection effectiveness of the perceptron (P), backpropagation (BP), perceptron-backpropagation-hybrid (PBH), fuzzy ARTMAP, and radial basis function (RBF) artificial neural network (ANN) classifiers [1].
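The per-parameter PDF comparison described for HIDE, as an added example that is not HIDE's code: each traffic parameter is binned into a per-second count histogram, the observation window's PDF is compared with a reference PDF of normal behaviour by histogram intersection, and the resulting anomaly status vector is thresholded. The parameters, bin edges, count ranges and windows are constructed, and the threshold rule stands in for the neural-network classifiers the text compares.

```python
import random

PARAMS = ("syn", "udp", "icmp")
BIN_EDGES = (10, 20, 40, 80, 160)   # per-second packet count bins: <10, <20, <40, <80, <160, >=160


def bin_index(count):
    for i, edge in enumerate(BIN_EDGES):
        if count < edge:
            return i
    return len(BIN_EDGES)


def pdf(samples):
    """Empirical probability density of one parameter over the count bins."""
    hist = [0.0] * (len(BIN_EDGES) + 1)
    for s in samples:
        hist[bin_index(s)] += 1.0
    return [h / len(samples) for h in hist]


def similarity(p, q):
    """Histogram intersection: 1.0 for identical PDFs, 0.0 for disjoint support."""
    return sum(min(a, b) for a, b in zip(p, q))


def make_window(seed, ranges, seconds=60):
    """Constructed observation window: per-second packet counts for each parameter."""
    rng = random.Random(seed)
    return {p: [rng.randint(*ranges[p]) for _ in range(seconds)] for p in PARAMS}


NORMAL = {"syn": (2, 6), "udp": (5, 15), "icmp": (0, 2)}          # hypothetical baseline
SYN_FLOOD = {"syn": (100, 150), "udp": (5, 15), "icmp": (0, 2)}   # hypothetical TCP flooding window


def build_reference(windows):
    """Reference PDF per parameter from several normal observation windows."""
    return {p: pdf([c for w in windows for c in w[p]]) for p in PARAMS}


def anomaly_status_vector(reference, window):
    """One dissimilarity value per parameter: 1 - similarity(reference, observed)."""
    return {p: round(1.0 - similarity(reference[p], pdf(window[p])), 3) for p in PARAMS}


def is_anomalous(vector, threshold=0.5):
    """Threshold rule standing in for HIDE's neural-network classifier."""
    return any(v > threshold for v in vector.values())


REFERENCE = build_reference([make_window(s, NORMAL) for s in range(10)])

if __name__ == "__main__":
    print("normal window:", anomaly_status_vector(REFERENCE, make_window(99, NORMAL)))
    print("flood window:", anomaly_status_vector(REFERENCE, make_window(99, SYN_FLOOD)))
```

Keeping one status value per parameter, rather than a single score, is what lets the downstream classifier tell a SYN flood from an ICMP flood: only the affected parameter's PDF moves off the reference.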
There is a newly proposed intrusion detection system using the Windows Registry by Apap et al. The Registry is an important part of the operating system and is very heavily used, making it a good source of audit data. By building a sensor on the registry and applying the information gathered to an anomaly detector, it can detect activity that corresponds to malicious software ( ). I considered that the main advantages of monitoring the registry are that its activity is regular by nature, can be monitored with low computational overhead, and almost all system activities interact with the registry. The importance of the registry is that it has the characteristic of tending to be regular over time. This makes the registry an excellent place to look for irregular, anomalous activity, since a malicious program may substantially depart from normal activity and can be detected.

Implementation: "Detecting Malicious Software by Monitoring Anomalous Windows Registry Accesses" by Apap et al. used an anomaly detection algorithm in an IDS and evaluated its performance. The Registry is an effective data source for monitoring attacks because many attacks show up as anomalous registry behavior. Many attacks take advantage of the operating system registry. Indeed, many intrusion attacks themselves rely on the registry of the operating system in order to function properly.

Some examples of malicious programs and how they produce anomalous registry activity:

• Aimrecover: It steals the passwords of AOL users. It accesses a key that is usually accessed by a different program, the one that created that key.
• Disable Norton: Exploitation of the registry that disables Norton Antivirus. It accesses a key that was created by a different program.
• LophtCrack: Password cracking program for Windows machines. It exploits flaws in the Windows encryption scheme which allow the program to discover some of the characters of the passwords.

F. STORAGE ACTIVITY

The storage system is another interesting vantage point for an intrusion detection system. Several intruder actions are quite visible at the storage interface. Examples include manipulating system utilities, tampering with audit log contents and resetting attributes. By design, a storage server sees all changes to persistent data, allowing it to transparently watch for suspicious changes and issue alerts about the corresponding client systems [3]. Storage-based intrusion detection enables storage devices to examine the requests they service for suspicious client behavior. I suggest that a storage IDS must be compromise-independent of the host OS, meaning it cannot be disabled by an intruder who only successfully gets past a host's OS-level protection. It can be embedded in many kinds of storage systems and allows watching for data modification characteristics of system intrusions.

• Content Integrity: It includes changes that violate the internal consistency rules of specific files.
• Suspicious Content: Examples are a virus or rootkit, detectable via signatures. Others are hidden files and empty files.
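The registry-access anomaly detection described in section E above (a process touching a key that a different program created or normally uses), as an added example that is not the detector of Apap et al.: a profile of normal accesses records, per key, which process created it and which processes use it, and per (process, key) pair which operations occur; anything outside that profile is reported. Process names, key paths and operation names are constructed and hypothetical.

```python
from collections import defaultdict

# Constructed registry access records (process, key, operation); names are hypothetical.
NORMAL_ACCESSES = [
    ("chat.exe", r"HKCU\Software\ChatClient\Accounts", "CreateKey"),
    ("chat.exe", r"HKCU\Software\ChatClient\Accounts", "QueryValue"),
    ("chat.exe", r"HKCU\Software\ChatClient\Accounts", "SetValue"),
    ("avmon.exe", r"HKLM\Software\ExampleAV\Enabled", "CreateKey"),
    ("avmon.exe", r"HKLM\Software\ExampleAV\Enabled", "QueryValue"),
    ("shell.exe", r"HKCU\Software\ExampleShell\Layout", "QueryValue"),
    ("shell.exe", r"HKCU\Software\ExampleShell\Layout", "SetValue"),
] * 3   # repeated to stand in for a longer training period


def train_profile(records):
    """Normal profile: creator per key, accessing processes per key, operations per (process, key)."""
    profile = {"creator": {}, "accessors": defaultdict(set), "ops": defaultdict(set)}
    for proc, key, op in records:
        if op == "CreateKey":
            profile["creator"].setdefault(key, proc)
        profile["accessors"][key].add(proc)
        profile["ops"][(proc, key)].add(op)
    return profile


def check_access(profile, record):
    """Return a reason string if the access departs from the profile, else None."""
    proc, key, op = record
    if key not in profile["accessors"]:
        return f"{proc} touched a key never seen during training"
    if proc not in profile["accessors"][key]:
        owner = profile["creator"].get(key, "an unknown process")
        return f"{proc} touched a key created by {owner}"
    if op not in profile["ops"][(proc, key)]:
        usual = ", ".join(sorted(profile["ops"][(proc, key)]))
        return f"{proc} performed {op} on a key it normally only uses for {usual}"
    return None


def scan(profile, records):
    """Run the check over a batch of records and keep the anomalous ones with their reasons."""
    return [(rec, reason) for rec in records if (reason := check_access(profile, rec)) is not None]


PROFILE = train_profile(NORMAL_ACCESSES)

# Constructed suspect records mirroring the page's examples: a credential stealer reading the
# chat client's account key, and a program disabling the anti-virus by rewriting its key.
SUSPECT_ACCESSES = [
    ("stealer.exe", r"HKCU\Software\ChatClient\Accounts", "QueryValue"),
    ("disableav.exe", r"HKLM\Software\ExampleAV\Enabled", "SetValue"),
    ("chat.exe", r"HKCU\Software\ChatClient\Accounts", "QueryValue"),   # benign, in profile
]

if __name__ == "__main__":
    for rec, reason in scan(PROFILE, SUSPECT_ACCESSES):
        print("ANOMALY", rec, "->", reason)
```

The profile is three hash lookups per access, which is the low computational overhead the section credits registry monitoring with, and the regularity the section relies on shows up here as a small, stable set of (process, key, operation) triples.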
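The storage-side checks from section F above, as an added example and not the storage IDS of the cited work [3]: a detector behind the storage interface keeps the current contents, and on every write or attribute change applies the rules the text lists (modified system utilities, non-append writes to an audit log, content-integrity rules for a specific file, signature matches, hidden and empty files in system directories, attribute resets), attributing each alert to the client that issued the request. Paths, known-good hashes, the signature and the request stream are constructed.

```python
import hashlib

# Constructed policy: known-good hashes of protected utilities, append-only logs, a signature.
KNOWN_GOOD = {"/bin/ls": hashlib.sha256(b"ls binary v1").hexdigest(),
              "/bin/login": hashlib.sha256(b"login binary v1").hexdigest()}
APPEND_ONLY = {"/var/log/audit.log"}
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/")
SIGNATURES = (b"ROOTKIT_MARKER_v1",)   # hypothetical signature database


def passwd_consistent(data):
    """Content-integrity rule: every non-empty /etc/passwd line has exactly seven ':' fields."""
    return all(len(line.split(":")) == 7
               for line in data.decode(errors="replace").splitlines() if line)


class StorageIDS:
    """Sees every request at the storage interface, independent of the client's OS,
    and raises alerts about the issuing client."""

    def __init__(self, initial_files):
        self.files = dict(initial_files)
        self.alerts = []

    def _alert(self, client, path, reason):
        self.alerts.append((client, path, reason))

    def write(self, client, path, data):
        old = self.files.get(path)
        name = path.rsplit("/", 1)[-1]
        if path in KNOWN_GOOD and hashlib.sha256(data).hexdigest() != KNOWN_GOOD[path]:
            self._alert(client, path, "system utility modified")
        if path in APPEND_ONLY and old is not None and not data.startswith(old):
            self._alert(client, path, "audit log tampering: write is not an append")
        if path == "/etc/passwd" and not passwd_consistent(data):
            self._alert(client, path, "content integrity violation")
        if any(sig in data for sig in SIGNATURES):
            self._alert(client, path, "suspicious content: signature match")
        if path.startswith(SYSTEM_DIRS):
            if name.startswith("."):
                self._alert(client, path, "hidden file in system directory")
            if data == b"":
                self._alert(client, path, "empty file in system directory")
        self.files[path] = data

    def setattr(self, client, path, attr, value):
        if path in APPEND_ONLY or path in KNOWN_GOOD:
            self._alert(client, path, f"attribute reset ({attr}) on protected file")


def run_demo():
    """Constructed request stream: one normal append followed by tampering from a second client."""
    ids = StorageIDS({"/bin/ls": b"ls binary v1", "/bin/login": b"login binary v1",
                      "/var/log/audit.log": b"line1\nline2\n",
                      "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n"})
    ids.write("client-1", "/var/log/audit.log", b"line1\nline2\nline3\n")   # normal append
    ids.write("client-2", "/var/log/audit.log", b"")                        # truncation
    ids.write("client-2", "/bin/ls", b"replacement binary")
    ids.write("client-2", "/etc/passwd", b"root:x:0:0:root:/root:/bin/sh\nbroken:line\n")
    ids.write("client-2", "/usr/bin/.cache", b"ROOTKIT_MARKER_v1 payload")
    ids.write("client-2", "/bin/placeholder", b"")
    ids.setattr("client-2", "/var/log/audit.log", "mtime", 0)
    return ids.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print("ALERT", alert)
```

None of these checks consult the client host, which is the compromise-independence property the section asks for: an intruder who owns the client's OS can still not prevent the storage server from seeing the write.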
tem calls is how a program requests a service from an operating system's kernel that it does not normally have permission to run. It provides the interface between a process and the operating system. In sequences of calls, anomaly signals are generated. The sequence-based methods tend to produce multiple mismatches even for a single misplaced system call, because that system call affects multiple sequences [5].

There are many ways in which system call data could be used to characterize the normal behavior of programs, each of which involves building or training a model using traces of normal processes. Some of the methods discussed by Forrest et al. are Enumerating Sequences, Frequency-based Methods, Hidden Markov Models and Finite State Machines. They compared four methods for characterizing normal behavior and detecting intrusions based on system calls in privileged processes. Each method was tested on the same suite of data sets, consisting of different types of programs and different intrusion techniques. On this test suite, three of the four methods performed adequately. Hidden Markov models are generally recognized as one of the most powerful data modeling methods in existence [8]. However, I assume no one method consistently gave the best results on all programs, and results between programs varied more than results between methods. Variations in false positives were due more to the complexity of the traced programs and their environments than to differences in the analysis methods.

Implementation: Forrest

cal patterns in its traces, and deviations from these patterns could be used to identify security violations of an executing process. There are two important characteristics of the approach introduced in. First, it identifies a simple observable (short sequences of system calls) that distinguishes between normal and intrusive behavior. Second, the method used to analyze, or model, the sequences is also much simpler than other proposals. It records only the presence or absence of sequences; it does not compute frequencies or distributions, or identify which sequences are most important. In addition, they proposed "The Evolution of System-call Monitoring", which illustrates how system call monitoring was used in anomaly intrusion detection and response. This system was sufficiently lightweight that it could monitor all running programs in real time, and even respond to prevent attacks before they caused harm, by using the normal profile built from short sequences of system calls; it remains a fundamental technique underlying many current projects and research.
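The enumerating-sequences method described above (short fixed-length windows of system calls, presence or absence only, no frequencies), as an added example and not the code of Forrest et al.: training collects every length-k window seen in normal traces, detection counts windows absent from that set, and a locality frame count reports how densely the mismatches cluster. It also demonstrates the property stated at the top of the section, that one misplaced call produces k mismatches because it falls inside k windows. The traces are constructed for a hypothetical program, and the frame size is an assumption.

```python
def windows(trace, k):
    """All length-k sliding windows of a system-call trace."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def train_normal(traces, k):
    """Enumerate every length-k sequence seen in normal traces (presence only)."""
    normal = set()
    for t in traces:
        normal.update(windows(t, k))
    return normal


def mismatches(normal, trace, k):
    """Indices of windows in `trace` that never occurred during training."""
    return [i for i, w in enumerate(windows(trace, k)) if w not in normal]


def locality_frame_count(normal, trace, k, frame=20):
    """Largest number of mismatching windows inside any run of `frame` consecutive windows;
    bursts of mismatches are a stronger signal than isolated ones."""
    flags = [0 if w in normal else 1 for w in windows(trace, k)]
    best = 0
    for i in range(len(flags)):
        best = max(best, sum(flags[max(0, i - frame + 1):i + 1]))
    return best


def inject(trace, call, position):
    """Copy of `trace` with one extra system call inserted at `position`."""
    return trace[:position] + [call] + trace[position:]


# Constructed normal traces for a hypothetical program (not the page's data sets).
NORMAL_TRACES = [
    ["open", "read", "mmap", "mmap", "getrlimit", "mmap", "close",
     "open", "read", "write", "close", "exit"],
    ["open", "read", "mmap", "mmap", "close", "open", "read", "write", "write", "close", "exit"],
]
K = 4
NORMAL = train_normal(NORMAL_TRACES, K)

# Constructed suspect trace: the process spawns a program instead of finishing its I/O.
SUSPECT_TRACE = ["open", "read", "mmap", "execve", "setuid", "open", "write"]

if __name__ == "__main__":
    misplaced = inject(NORMAL_TRACES[0], "execve", 6)
    print("one misplaced call ->", len(mismatches(NORMAL, misplaced, K)), "mismatches")
    print("suspect trace ->", len(mismatches(NORMAL, SUSPECT_TRACE, K)), "mismatches,",
          "LFC", locality_frame_count(NORMAL, SUSPECT_TRACE, K))
```

With k = 4, a single inserted `execve` in an otherwise normal trace yields exactly four mismatching windows, one for each window that contains it, which is the multiplier the section warns about when tuning alert thresholds.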
References

[1] Apap, F. Detecting malicious software by monitoring anomalous Windows registry accesses. IEEE Security and Privacy (2002).