Intrusion Detection System


See: Intrusion Detection Task, Detection System, IDS.



    • An Intrusion detection system (IDS) is software and/or hardware designed to detect unwanted attempts at accessing, manipulating, and/or disabling computer systems, mainly through a network, such as the Internet. These attempts may take the form of attacks, as examples, by crackers, malware and/or disgruntled employees. An IDS cannot directly detect attacks within properly encrypted traffic.
    • An intrusion detection system is used to detect several types of malicious behaviors that can compromise the security and trust of a computer system. This includes network attacks against vulnerable services, data driven attacks on applications, host based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses, trojan horses, and worms).
    • An IDS can be composed of several components: Sensors which generate security events, a Console to monitor events and alerts and control the sensors, and a central Engine that records events logged by the sensors in a database and uses a system of rules to generate alerts from security events received. There are several ways to categorize an IDS depending on the type and location of the sensors and the methodology used by the engine to generate alerts. In many simple IDS implementations all three components are combined in a single device or appliance.
    • IDS Terminology
      • Alert/Alarm - A signal suggesting a system has been or is being attacked.
      • True attack stimulus - An event that triggers an IDS to produce an alarm and react as though a real attack were in progress.
      • False attack stimulus - The event signaling an IDS to produce an alarm when no attack has taken place.
      • False alarm (False Positive) - An alert or alarm that is triggered when no actual attack has taken place.
      • False negative - A failure of an IDS to detect an actual attack.
      • Noise - Data or interference that can trigger a false positive.
      • Site policy - Guidelines within an organization that control the rules and configurations of an IDS.
      • Site policy awareness - The ability an IDS has to dynamically change its rules and configurations in response to changing environmental activity.
      • Confidence value - A value an organization places on an IDS based on past performance and analysis to help determine its ability to effectively identify an attack.
      • Alarm filtering - The process of categorizing attack alerts produced from an IDS in order to distinguish false positives from actual attacks.
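The component model above (sensors emit events, an engine applies rules to produce alerts) and the terminology list (true and false positives, false negatives, noise, confidence value) can be made concrete in a few lines. The following is an added example, not code from the page or from any IDS product: a toy engine with two rules, a brute-force rule and a sensitive-file rule, run over constructed sensor events, then scored against a ground-truth label that the engine itself never sees. The event lines, IP addresses, thresholds and rule names are all constructed for illustration.

```python
"""Toy rule-based IDS engine and its evaluation against labelled ground truth.

Added illustration of the IDS component model and terminology; all events,
addresses and thresholds below are constructed, not taken from a real system.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed "site policy" for the engine's rules.
BRUTE_FORCE_THRESHOLD = 5   # this many failed logins from one source ...
BRUTE_FORCE_WINDOW = 60     # ... within this many seconds raises an alert
SENSITIVE_PATHS = {"/etc/shadow", "/etc/passwd"}

# Constructed sensor events: (time_s, source_ip, event_type, detail, is_attack).
# The last field is ground truth used only for scoring, never by the engine.
EVENTS = [
    (0,   "10.0.0.5",     "login_failed", "alice", False),   # one typo ...
    (5,   "10.0.0.5",     "login_ok",     "alice", False),   # ... then success
    (10,  "198.51.100.7", "login_failed", "root",  True),    # password guessing
    (11,  "198.51.100.7", "login_failed", "root",  True),
    (12,  "198.51.100.7", "login_failed", "root",  True),
    (13,  "198.51.100.7", "login_failed", "root",  True),
    (14,  "198.51.100.7", "login_failed", "root",  True),
    (20,  "10.0.0.9",     "file_read", "/etc/shadow", False),           # backup job (noise)
    (30,  "203.0.113.4",  "file_read", "/home/alice/.ssh/id_rsa", True), # no rule covers this
    (40,  "192.0.2.8",    "login_failed", "bob", False),     # three failures spread
    (300, "192.0.2.8",    "login_failed", "bob", False),     # over ten minutes:
    (600, "192.0.2.8",    "login_failed", "bob", False),     # outside the window
]


@dataclass(frozen=True)
class Alert:
    rule: str
    source: str
    time: int
    detail: str


def run_engine(events):
    """Apply the rule set to time-ordered sensor events and return the alerts."""
    alerts = []
    failures = defaultdict(deque)  # source -> timestamps of recent failed logins
    for time, source, kind, detail, _label in sorted(events):
        if kind == "login_failed":
            recent = failures[source]
            recent.append(time)
            while recent and time - recent[0] > BRUTE_FORCE_WINDOW:
                recent.popleft()           # forget failures outside the window
            if len(recent) >= BRUTE_FORCE_THRESHOLD:
                alerts.append(Alert("brute_force", source, time,
                                    f"{len(recent)} failures for {detail}"))
                recent.clear()             # one alert per burst, not per event
        elif kind == "file_read" and detail in SENSITIVE_PATHS:
            alerts.append(Alert("sensitive_file", source, time, detail))
    return alerts


def score(events, alerts):
    """Classify alerted sources as true/false positives and find false negatives.

    The confidence value here is simply the share of alerts that were real
    attacks (precision), which is the kind of past-performance figure an
    organization would track for alarm filtering.
    """
    attack_sources = {src for _, src, _, _, is_attack in events if is_attack}
    alerted = {a.source for a in alerts}
    true_pos = alerted & attack_sources
    false_pos = alerted - attack_sources    # noise, e.g. the backup job
    false_neg = attack_sources - alerted    # attacks no rule describes
    confidence = len(true_pos) / len(alerted) if alerted else 0.0
    return {
        "true_positive": sorted(true_pos),
        "false_positive": sorted(false_pos),
        "false_negative": sorted(false_neg),
        "confidence": confidence,
    }


if __name__ == "__main__":
    found = run_engine(EVENTS)
    for alert in found:
        print(f"[{alert.time:>3}s] {alert.rule:<15} {alert.source:<14} {alert.detail}")
    print(score(EVENTS, found))
```

Running it shows the vocabulary in one pass: the brute-force alert is a true positive, the backup job reading /etc/shadow is a false positive (noise), the key file read from 203.0.113.4 is a false negative because no rule describes it, and the three spread-out failures from 192.0.2.8 never cross the threshold because the window expires between them.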


  • (Staniford-Chen et al., 1996) ⇒ S. Staniford-Chen, S. Cheung, R. Crawford, M. Dilger, J. Frank, J. Hoagland, K. Levitt, C. Wee, R. Yip, and D. Zerkle. (1996). “GrIDS - A Graph-based Intrusion Detection System for Large Networks.” In: Proceedings of the 19th National Information Systems Security Conference.
    • ABSTRACT: There is widespread concern that large-scale malicious attacks on computer networks could cause serious disruption to network services. We present the design of GrIDS (Graph-based Intrusion Detection System). GrIDS collects data about activity on computers and network traffic between them. It aggregates this information into activity graphs which reveal the causal structure of network activity. This allows large-scale automated or co-ordinated attacks to be detected in near real-time. In addition, GrIDS allows network administrators to state policies specifying which users may use particular services of individual hosts or groups of hosts. By analyzing the characteristics of the activity graphs, GrIDS detects and reports violations of the stated policy. GrIDS uses a hierarchical reduction scheme for the graph construction, which allows it to scale to large networks. An early prototype of GrIDS has successfully detected a worm attack. Keywords: Intrusion detection, networks, informatio …
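The abstract describes aggregating host and network activity into graphs whose causal structure exposes coordinated or automated spread, with a reduced summary passed up a hierarchy. The block below is an added illustration of that idea, not GrIDS code and not the paper's actual graph-construction or reduction algorithm: connection records are grouped into activity graphs by a simple causal rule (a host that received a connection on a service and then opens a connection on the same service within a short window is treated as continuing the same activity), each graph is reduced to a small summary, and graphs touching many hosts are reported as worm-like spread. The connection records, host names, window and threshold are constructed.

```python
"""Toy activity-graph detector in the spirit of the GrIDS abstract.

Added illustration only: the linking rule, window and threshold are
constructed stand-ins, not the paper's method.
"""
from collections import defaultdict

LINK_WINDOW = 10      # seconds within which an inbound connection may "cause" an outbound one
SPREAD_THRESHOLD = 5  # report an activity graph that touches at least this many hosts

# Constructed connection records: (time_s, src_host, dst_host, service).
CONNECTIONS = [
    (0,  "h1", "h2",  "smb"),
    (3,  "h2", "h3",  "smb"),   # h2 was just contacted over smb and now fans out
    (4,  "h2", "h4",  "smb"),
    (6,  "h3", "h5",  "smb"),
    (7,  "h4", "h6",  "smb"),
    (2,  "h7", "h8",  "http"),  # unrelated web traffic, stays a singleton
    (50, "h5", "h10", "smb"),   # same service, but too long after h5 was reached
]


def _hosts(graph):
    return {host for _, src, dst, _ in graph for host in (src, dst)}


def build_activity_graphs(connections):
    """Group connections into activity graphs with union-find.

    Connection j is linked to an earlier connection i when i's destination is
    j's source, the service matches, and j follows i within LINK_WINDOW.
    """
    conns = sorted(connections)
    parent = list(range(len(conns)))

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for j, (tj, sj, _dj, svcj) in enumerate(conns):
        for i in range(j):
            ti, _si, di, svci = conns[i]
            if di == sj and svci == svcj and 0 < tj - ti <= LINK_WINDOW:
                parent[find(i)] = find(j)

    groups = defaultdict(list)
    for idx, conn in enumerate(conns):
        groups[find(idx)].append(conn)   # each group stays in time order
    return list(groups.values())


def reduce_graph(graph):
    """Shrink a graph to the summary a node might forward up a hierarchy."""
    return {
        "hosts": len(_hosts(graph)),
        "edges": len(graph),
        "services": sorted({svc for *_, svc in graph}),
        "span": (graph[0][0], graph[-1][0]),
    }


def detect_spread(connections):
    """Return reduced summaries of graphs large enough to look like propagation."""
    return [reduce_graph(g) for g in build_activity_graphs(connections)
            if len(_hosts(g)) >= SPREAD_THRESHOLD]


if __name__ == "__main__":
    for graph in build_activity_graphs(CONNECTIONS):
        print(reduce_graph(graph))
    print("spread alerts:", detect_spread(CONNECTIONS))
```

With the constructed data the five smb connections chain into one graph of six hosts, which crosses the threshold; the http connection and the late smb connection from h5 remain singletons. The pairwise linking loop is quadratic and fine for a demonstration; the hierarchical reduction the abstract mentions is what lets the real system avoid that cost at network scale.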