3. INTRUSION DETECTION SYSTEMS
3.3.2. Behaviour Based Intrusion Detection Systems
Behaviour based intrusion detection techniques assume that an intrusion can be detected by observing a deviation from the normal or expected behaviour of the system or the users. The model of normal or valid behaviour is extracted from reference information collected by various means. The intrusion detection system later compares this model with the current activity. When a deviation is observed, an
Advantages of behaviour based approaches are that they can detect attempts to exploit new and unforeseen vulnerabilities, so they can even discover new attacks. [2]
The high false positive alarm rate is the main drawback of behaviour based techniques, because the entire scope of the behaviour of an information system may not be covered during the learning phase. Behaviour can also change over time, so the behaviour profile should be periodically updated. Care must be taken that the behaviour profile does not include intrusive behaviour. [2]
3.3.2.1. Statistics
The most widely used technique for building behaviour based intrusion detection systems is statistics. The user or system behaviour is measured by a number of variables over time. Examples of these variables are the login and logout time of each session, the resource duration, and the amount of processor, memory and disk resources consumed during the session. The original model keeps averages of all these variables and detects whether thresholds are exceeded based on the standard deviation of the variable. [2]
Example systems employing statistical methods for anomaly detection are IDES (Intrusion Detection Expert System), NIDES (Next-Generation Intrusion Detection Expert System), and Event Monitoring Enabling Responses to Anomalous Live Disturbances (EMERALD). [2]
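The following is an added illustration of the statistical model described above; it is not code from the thesis or from IDES/NIDES/EMERALD. The session variables, the training data and the k-sigma rule are assumptions made for the example. A profile of per-variable mean and standard deviation is learned from past sessions, a live session is flagged when any variable exceeds the threshold, and the profile is periodically rebuilt from sessions that were not flagged, so that intrusive behaviour is not absorbed into it.

```python
import statistics

# Constructed learning-phase data for one user: (login hour, session minutes, cpu seconds).
TRAINING_SESSIONS = [
    (9, 480, 120), (8, 500, 130), (9, 470, 110), (10, 450, 125),
    (9, 490, 115), (8, 510, 135), (9, 460, 118), (10, 480, 122),
]
VARIABLES = ("login_hour", "duration_min", "cpu_sec")


def build_profile(sessions):
    """Return {variable: (mean, stdev)} computed over the learning sessions."""
    profile = {}
    for i, name in enumerate(VARIABLES):
        values = [s[i] for s in sessions]
        mean = statistics.fmean(values)
        # population stdev; a small floor avoids division by zero for constant variables
        stdev = max(statistics.pstdev(values), 1e-9)
        profile[name] = (mean, stdev)
    return profile


def deviations(profile, session, k=3.0):
    """Return the variables of `session` whose value lies more than k stdevs from the mean."""
    flagged = []
    for i, name in enumerate(VARIABLES):
        mean, stdev = profile[name]
        if abs(session[i] - mean) / stdev > k:
            flagged.append(name)
    return flagged


def monitor(training, live, k=3.0):
    """Score live sessions in order. Sessions that raise no alarm are folded back
    into the learning set (profile update); flagged ones are kept out of it."""
    learned = list(training)
    alarms = []
    for idx, session in enumerate(live):
        flagged = deviations(build_profile(learned), session, k)
        if flagged:
            alarms.append((idx, flagged))
        else:
            learned.append(session)
    return alarms, build_profile(learned)
```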
3.3.2.2. Expert systems
Expert systems used in behaviour based intrusion detection also depend on statistical anomaly detection. Two examples are Wisdom&Sense and AT&T's Computer Watch. The Wisdom&Sense tool first builds a set of rules that statistically describe the behaviour of the users, based on recordings of their activities over a given period of time. Current activity is then matched against these rules to detect inconsistent behaviour. [2]
The tool of AT&T checks the actions of users according to a set of rules that describe proper usage policy. [2]
3.3.2.3. Neural Networks
Neural networks are algorithmic techniques used to first learn the relationship between two sets of information, and then "generalize" to obtain new input-output pairs in a reasonable way. In the intrusion detection field, neural networks have been mainly used to learn the behaviour of actors in the system (e.g. users, daemons). [2]
An example is NNID (Neural Network Intrusion Detector), a host-based, backpropagation neural network intrusion detection system that was tested experimentally on a system of 10 users. The system was 96% accurate in detecting unusual activity, with a 7% false alarm rate. [13]
3.3.2.4. Computer Immunology
The idea of using immunological principles in computer security was described by Stephanie Forrest in 1994. [6]
This technique attempts to build a model of the normal behaviour of the UNIX network services, rather than of the behaviour of users. This model consists of short sequences of system calls made by processes. The tool first collects a set of reference audits, which represent the appropriate behaviour of the service, and extracts a reference table containing all the known "good" sequences of system calls. These patterns are then used for live monitoring to check whether the sequences generated are listed in the table; if not, the intrusion detection system generates an alarm. This technique has a very low false alarm rate if the reference table is sufficiently exhaustive. [2]
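The short-sequence system-call model above, as an added example that is not code from the thesis or from Forrest's group. The traces, the window length of three calls and the alarm threshold are assumptions of the example. Every window of N consecutive calls observed during the reference period is stored as a known-good sequence; at monitoring time each window of a new trace is looked up, and the fraction of unknown windows is the anomaly score. The last function also makes the exhaustiveness caveat visible: a legitimate trace whose sequences were never recorded raises an alarm.

```python
# Constructed reference traces: system-call names a network daemon might issue per request.
REFERENCE_TRACES = [
    ["open", "read", "mmap", "mmap", "open", "getrlimit", "mmap", "close"],
    ["open", "read", "mmap", "open", "getrlimit", "mmap", "close"],
    ["open", "read", "mmap", "mmap", "close"],
]


def windows(trace, n):
    """Yield every sequence of n consecutive calls in the trace."""
    for i in range(len(trace) - n + 1):
        yield tuple(trace[i:i + n])


def build_table(traces, n=3):
    """Reference table: the set of all n-call sequences seen in the reference audits."""
    return {w for trace in traces for w in windows(trace, n)}


def unknown_sequences(table, trace, n=3):
    """Windows of `trace` that are not listed in the reference table."""
    return [w for w in windows(trace, n) if w not in table]


def anomaly_score(table, trace, n=3):
    """Fraction of the trace's windows that are unknown (0.0 means fully normal)."""
    total = max(len(trace) - n + 1, 0)
    return len(unknown_sequences(table, trace, n)) / total if total else 0.0


def is_alarm(table, trace, n=3, threshold=0.2):
    """Raise an alarm when more than `threshold` of the windows are unknown."""
    return anomaly_score(table, trace, n) > threshold
```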
3.3.2.5. Data Mining
Intrusion detection attempts to identify existing attack patterns and recognise new intrusion methods, employing methods from sciences such as mathematics, statistics and machine learning. Data mining, generally perceived to be a tool to discover unknown regularities in data, also lends itself to this task. In particular, it promises to help in the detection of previously unseen attacks by establishing sets of commonly observed regularities in network data. These sets can be compared to current traffic for deviation analysis. Data mining techniques, however, are traditionally employed on large amounts of off-line data. It therefore remains to be seen how well they are able to support ID systems commonly required to operate in real time. [33]
Applications of data mining to anomaly detection include ADAM (Audit Data Analysis and Mining) (2001), IDDM (Intrusion Detection using Data Mining) (2001), and
ADAM (developed at George Mason University Center for Secure Information Systems) uses a combination of association rules mining and classification to discover attacks in TCP dump data. The ADAM system is able to detect network intrusions in real time with a very low false alarm rate. [6]
The IDDM (Intrusion Detection using Data Mining) project focuses on the use of data mining in the latter context, by producing descriptions of network data and using this information for deviation analysis. It aims to explore data mining as a supporting paradigm in extending intrusion detection capabilities. The system characterizes change between network data descriptions at different times, and produces alarms when detecting large deviations between descriptions. However, IDDM has problems achieving real-time operation. [6]
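An added example of the "regularities, then deviation analysis" idea discussed in this subsection; it is not code from the thesis, ADAM or IDDM. The connection records, the attribute=value item encoding, the support threshold and the change threshold are assumptions. Frequent itemsets (attribute combinations whose support exceeds a minimum) are mined from a baseline window of records, the same is done for a later window, and itemsets whose support shifted by more than a chosen amount between the two descriptions are reported, which is the kind of change between descriptions at different times that IDDM alarms on.

```python
from itertools import combinations

# Constructed connection records: each record is the set of its attribute=value items.
BASELINE = [
    {"proto=tcp", "dport=80", "flag=SF"}, {"proto=tcp", "dport=80", "flag=SF"},
    {"proto=tcp", "dport=443", "flag=SF"}, {"proto=udp", "dport=53", "flag=SF"},
    {"proto=tcp", "dport=80", "flag=SF"}, {"proto=tcp", "dport=443", "flag=SF"},
]
CURRENT = [
    {"proto=tcp", "dport=80", "flag=S0"}, {"proto=tcp", "dport=22", "flag=S0"},
    {"proto=tcp", "dport=23", "flag=S0"}, {"proto=tcp", "dport=80", "flag=SF"},
    {"proto=udp", "dport=53", "flag=SF"}, {"proto=tcp", "dport=443", "flag=S0"},
]


def itemset_support(records, max_size=2, min_sup=0.3):
    """Return {itemset: support} for itemsets of up to max_size items that occur
    in at least min_sup of the records (a plain level-wise count, no pruning)."""
    counts = {}
    for rec in records:
        for k in range(1, max_size + 1):
            for combo in combinations(sorted(rec), k):
                counts[combo] = counts.get(combo, 0) + 1
    n = len(records)
    return {s: c / n for s, c in counts.items() if c / n >= min_sup}


def support_shift(baseline, current, delta=0.3, max_size=2, min_sup=0.3):
    """Itemsets whose support moved by more than delta between the two windows.
    An itemset absent from one window's description counts as support 0 there."""
    base = itemset_support(baseline, max_size, min_sup)
    cur = itemset_support(current, max_size, min_sup)
    shifted = {}
    for s in set(base) | set(cur):
        diff = cur.get(s, 0.0) - base.get(s, 0.0)
        if abs(diff) > delta:
            shifted[s] = round(diff, 3)
    return shifted
```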
3.3.2.6. Pattern Classification
All intrusion detection systems that use pattern classification algorithms are behaviour based. Some examples of them are given in Chapter 5, after studying pattern classification algorithms in Chapter 4.