SurveyofIntrusionDetectionSystems：入侵检测系统研究.pptVIP

Survey of Intrusion DetectionSystems Motivation The worldwide impact of malicious code attacks is estimated to be over $10 Billion annually. The CERT center at CMU reported 73,359 security incidents between 1/1/02 and 9/31/02, equal to all of the security incidents reported in 2000-2001 combined. Novice attackers can easily acquire and use automated denial-of-service attack software. Human security analysts cant keep up with it all Intrusion Detection Attempts to detect unauthorized or malicious activities in a network or on a host system Signature-based - looks for patterns that are known to be intrusive in packets or audit logs Anomaly-based - looks for abnormal activity, usually requires a template of normal activity Determining who is much harder than just detecting that an intrusion occurred. Early Work on Security Saltzer and Schroeder (1974) - established security design principals and mechanisms Orange Book (1985) - DoD specifications Formal Models Bell -LaPadula (1976) - supported formal proofs of conformance to security policies Denning (1987) - described the requirements for designing an intrusion detection system Early Systems IDES - statistical anomaly detection Haystack - also added signature detection Wisdom Sense - automatically created a profile of normal behavior from past user and host activities ISOA - uses both real-time monitoring and post-session analysis to detect suspicious behavior, developed profiles at both levels Recent Research in ID NIDES - distributed collection of host data, centralized analysis (extension of IDES) NSM - network traffic monitoring for anomalous packets DIDS - combines host-based (Haystack) and network monitoring (NSM) CSM - peer-to-peer distributed analysis Recent Research (continued) Bro - analyzes packet contents GrIDS - builds graphs of network activity and looks for anomalies STAT and NetSTAT - model attack with state machine. if accepted, attack occurred EMERALD - framework for building an ID system with