Intrusion Detection Systems (II).ppt

Intrusion Detection Systems (II) CS 6262 Spring 02 - Lecture #6 (Thursday, 1/24/2002) STAT/USTAT State transition analysis: a rule-based intrusion detection approach USTAT: for Unix real-time intrusion detection Misuse detection Modeling intrusion signature Initial state: the state of the system prior to execution of the attack Compromised state: the state of the system resulting from the completion of the attack Intermediate states and transitions: attack steps An Example A Sense of Self - Immunology Approach Prof. Forrest at University of New Mexico Anomaly detection Simple and short sequences of events to distinguish “self” from not Currently looking at system calls (strace) Apply to detection of lpr and sendmail Some Details Anomaly detection for Unix processes “Short sequences” of system calls as normal profile (Forrest et al. UNM) Evaluation of IDS Type I error: (false negative) Intrusive but not being detected Type II error: (false positive) Not intrusive but being detected as intrusive Evaluation: How to measure? ROC - receiver operating characteristics curve analysis - detection rate vs. False alarm rate What else? Efficiency? “Cost?” Example ROC Curve Ideal system should have 100% detection rate with 0% false alarm Problems with Current IDSs Knowledge and signature-based: “We have the largest knowledge/signature base” Ineffective against new attacks Individual attack-based: “Intrusion A detected; Intrusion B detected …” No long-term proactive detection/prediction Statistical accuracy-based: “x% detection rate and y% false alarm rate” Are the most damaging intrusions detected? Statically configured. Next Generation IDSs Adaptive Detect new intrusions Scenario-based Correlate (multiple sources of) audit data and attack information Cost-sensitive Model cost factors related to intrusion detection Dynamically configure IDS components for best protection/cost performance Semi-automatic Generation of ID Models The Feature Construction Problem Feature Construct