The advantages of combining HIDS and NIDS across an enterprise network and system architecture may seem to offer sufficient protection against intrusive behavior. However, there are some major problems that these HIDS and NIDS systems, even when combined, don't resolve. The research presented below illustrates these shortcomings.
In 1998, a study was conducted to highlight the strengths and weaknesses of current research approaches to anomaly and misuse intrusion detection. The study used synthesized network traffic to replicate normal traffic as well as traffic that contained intrusive patterns. The network traffic was generated to represent the following types of services: FTP, HTTP, SMTP, IRC, POP3, telnet, SQL, DNS, SNMP, and time.
Attacks on the test systems were divided into four categories:
- Denial-of-service attacks
- Probing/surveillance attacks
- Remote-to-local attacks
- User-to-root attacks
Denial-of-service attacks attempt to render a system or service unusable to legitimate users. Probing/surveillance attacks attempt to map out system vulnerabilities and usually serve as a launching point for future attacks. Remote-to-local attacks attempt to gain local account privileges from a remote, unauthorized account or system. User-to-root attacks attempt to elevate the privileges of a local user to root (or superuser) privileges.
The tests consisted of a total of 114 attacks over 2 weeks of testing. These attacks included 11 types of DOS attacks, 6 types of probing/surveillance attacks, 14 types of remote-to-local attacks, and 7 types of user-to-root attacks.
The results of the tests showed that the network-based misuse IDS
reliably detected old attack patterns with low false alarm rates. Given
that misuse-based IDS do very well in detecting known signatures, this
result was expected.
However, the top three IDS had roughly a 20% detection rate for new denial-of-service attacks and less than a 10% detection rate for new remote-to-local attacks. This result shows that the best of today's IDS have a problem detecting new denial-of-service and remote-to-local attacks, arguably two of the most concerning types of attacks against computer systems and networks today.
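To make the study's headline numbers concrete, the following added example (not code from the original paper or from the 1998 evaluation) scores a hypothetical IDS against a labelled attack timeline the way such an evaluation does: each attack occupies a time window in one of the four categories and is marked as known or new; an alert whose timestamp falls inside an attack window counts as a detection, an alert outside every window counts as a false alarm. Both the ground truth and the alert stream are constructed, and the scoring rule is an assumption, not the study's exact method.

```python
"""Score an IDS alert stream against labelled attack windows.

Added example; the attacks, alerts and scoring rule are constructed
for illustration and are not taken from the 1998 study.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Attack:
    name: str
    category: str   # one of: dos, probe, r2l, u2r
    novel: bool     # True if the IDS has no signature for this attack
    start: float    # seconds since the start of the test window
    end: float


@dataclass(frozen=True)
class Alert:
    time: float     # seconds since the start of the test window
    source: str     # "nids" or "hids"


# Constructed ground truth: eight attacks, three of them novel.
ATTACKS = [
    Attack("syn-flood", "dos", False, 100, 160),
    Attack("ping-of-death", "dos", False, 300, 310),
    Attack("novel-dos-variant", "dos", True, 500, 560),
    Attack("port-sweep", "probe", False, 700, 900),
    Attack("known-ftp-exploit", "r2l", False, 1000, 1010),
    Attack("novel-r2l", "r2l", True, 1200, 1230),
    Attack("known-setuid-abuse", "u2r", False, 1400, 1405),
    Attack("novel-u2r", "u2r", True, 1600, 1610),
]

# Constructed alert stream from a signature-based IDS: it fires inside
# every known-attack window and twice when no attack is in progress.
ALERTS = [
    Alert(120, "nids"), Alert(305, "nids"), Alert(750, "nids"),
    Alert(1002, "nids"), Alert(1402, "hids"),
    Alert(50, "nids"), Alert(2000, "nids"),   # no attack at these times
]


def score(attacks, alerts, test_days=1.0):
    """Return per-category detection rates (split known/new) and the
    false alarm rate, normalised to alarms per day of testing."""
    detected = set()
    false_alarms = 0
    for alert in alerts:
        hits = [a for a in attacks if a.start <= alert.time <= a.end]
        if hits:
            detected.update(a.name for a in hits)
        else:
            false_alarms += 1

    buckets = defaultdict(list)
    for a in attacks:
        buckets[(a.category, "new" if a.novel else "known")].append(a)
    detection_rate = {
        key: sum(1 for a in group if a.name in detected) / len(group)
        for key, group in buckets.items()
    }

    known = [a for a in attacks if not a.novel]
    new = [a for a in attacks if a.novel]
    return {
        "detected": sorted(detected),
        "detection_rate": detection_rate,
        "known_rate": sum(a.name in detected for a in known) / len(known),
        "new_rate": sum(a.name in detected for a in new) / len(new),
        "false_alarms_per_day": false_alarms / test_days,
    }


if __name__ == "__main__":
    result = score(ATTACKS, ALERTS)
    for (category, kind), rate in sorted(result["detection_rate"].items()):
        print(f"{category:6s} {kind:5s} detection rate: {rate:.0%}")
    print(f"known attacks: {result['known_rate']:.0%}, "
          f"new attacks: {result['new_rate']:.0%}, "
          f"false alarms/day: {result['false_alarms_per_day']:.1f}")
```

With this constructed data the signature-based IDS scores 100% on known attacks in every category and 0% on the three novel ones, which is the same shape of result the study reports for new denial-of-service and remote-to-local attacks: a low false alarm rate says nothing about coverage of behaviour the IDS has never seen.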
Another area in which common HIDS and NIDS implementations fall short is the amount of data provided to the IDS. Often the data is insufficient: the data present in the network packets or system calls may not be complete, making it difficult to determine conclusively whether an intrusion is taking place.
Another pitfall has to do with throughput: both host-based and network-based IDS are required to filter or examine large quantities of data. Today's networking equipment often runs at speeds of 100Mbps or greater and can overwhelm the processing capability of IDS products, which often lack sufficient throughput to examine all data.
The findings from the study led to the conclusion that a fundamental paradigm shift in intrusion detection research is necessary to provide reasonable levels of detection against new attacks and even variations of known attacks. Central to this goal is the ability to generalize from previously observed behavior to recognize future unseen, but similar, behavior. Future IDS will also have to address scalability and distributed data collection issues in order to achieve the level of effectiveness that is required.