"Anomaly-based IDS assume that a breach in computer or network security can be detected by observing a behavior deviation."
Computer and network anomaly-detection Intrusion Detection Systems operate by building a model of "normal" system behavior. Normal system behavior is determined by observing the standard operation of the system or network. Anomaly detection then takes this model of normal observations and uses statistical variance, or, as we shall see later, Data Mining techniques with artificial intelligence, to determine whether the system or network environment is behaving normally or abnormally. The assumption in anomaly detection is that an intrusion can be detected by observing a deviation from the normal or expected behavior of the system or network.
There are several methods (or techniques) that the anomaly detection engine can employ to determine whether the observed behavior (computer system or network event log information) is anomalous. Typically, these methods fall into one of the following two categories:
#1) Threshold detection is the process in which certain attributes of user and computer system behavior are expressed in terms of counts, with some level established as permissible. For example, such behavior attributes can include the number of files accessed by a given user over a certain period of time, the number of failed attempts to log in to the system, the amount of CPU utilized by a process, etc.
#2) Statistical measures. These measures can be parametric or non-parametric. Parametric measures are used when a distribution of the profiled attributes is assumed to fit a particular pattern. Non-parametric measures are used when the distribution of the profiled attribute is gathered from a set of historical values observed over time.
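As an added example (not code from the original text), the following Python sketch builds the profiled attribute from category #1 (failed logins per user, parsed from a constructed log window) and then applies the three checks described above: a fixed permissible threshold, a parametric mean/standard-deviation test, and a non-parametric comparison against each user's own observed history. The log lines, user names, addresses and history values are all constructed for illustration.

```python
import re
import statistics
from collections import Counter

FAILED_RE = re.compile(r"Failed password for (\w+) from (\S+)")
# Constructed log window (not real data): alice 5, bob 9 and svc 7 failures.
SAMPLE_WINDOW = (
    ["auth: Failed password for alice from 10.0.0.5"] * 5
    + ["auth: Failed password for bob from 10.0.0.9"] * 9
    + ["auth: Failed password for svc from 10.0.0.3"] * 7
    + ["auth: Accepted password for carol from 10.0.0.7"]
)
# Constructed profiles: each user's failure count in the previous 10 windows.
HISTORY = {
    "alice": [1, 2, 3, 1, 2, 2, 1, 3, 2, 1],
    "bob":   [0, 1, 0, 1, 1, 0, 0, 1, 0, 1],
    "svc":   [6, 7, 6, 8, 7, 6, 7, 6, 8, 7],  # noisy but normal account
}

def failed_logins_per_user(lines):
    """The profiled attribute: failed logins per user in this window."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def threshold_alerts(counts, limit=5):
    """Threshold detection: one permissible count applied to every user."""
    return sorted(u for u, n in counts.items() if n > limit)

def parametric_alerts(counts, history, k=3.0):
    """Parametric: assume past counts are roughly normal; flag a count more
    than k standard deviations above the user's own mean."""
    alerts = []
    for user, n in counts.items():
        past = history.get(user, [])
        if len(past) < 2:
            continue  # no profile yet, so nothing to compare against
        mean, sd = statistics.mean(past), statistics.pstdev(past)
        if sd == 0:
            sd = 1e-9  # constant history: any change counts as a deviation
        if (n - mean) / sd > k:
            alerts.append(user)
    return sorted(alerts)

def nonparametric_alerts(counts, history):
    """Non-parametric: no distribution assumed; flag a count above all past values."""
    return sorted(u for u, n in counts.items() if u in history and n > max(history[u]))
```

On the constructed window the fixed threshold flags bob and svc (svc is merely a noisy but normal account) while both statistical measures flag alice and bob, which illustrates the false-positive and false-negative trade-off a practitioner tunes through the choice of limit, k and history length.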
The approach of using anomaly-based network security Intrusion Detection Systems, that is, labeling abnormal network traffic as a possible intrusive event, has the following advantages over misuse detection:
- It can detect attempts to exploit new and unforeseen vulnerabilities. An IDS based on the detection of anomalies can detect unusual behavior and thus has the ability to detect symptoms of attacks without specific knowledge of their details. This is a very powerful advantage. It is for this reason alone that a majority of the research on future IDS models includes some sort of anomaly detection.
- It can also be used to detect ‘abuse-of-privilege’ types of attacks, which generally do not involve exploiting any security vulnerabilities.
- It can recognize unusual network traffic based on network packet characteristics (payload, source IP, time, etc.).
- It can produce information from the intrusive attack that can be used to define signatures for misuse detectors.