Intrusion Detection System (Compatibility Mode)

Intrusions are attempts to bypass computer security, often by external attackers or authorized users misusing privileges. An Intrusion Detection System (IDS) monitors networks for malicious activity, employing various detection methods such as signature-based and anomaly-based systems. The document also discusses the limitations of traditional IDS tools and highlights Snort as a widely used network intrusion detection and prevention system.
What are Intrusions?

 Intrusions are actions that attempt to bypass the security mechanisms of computer systems. They are usually caused by:
  Attackers accessing the system from the Internet
  Insider attackers: authorized users attempting to gain and misuse non-authorized privileges
 Typical intrusion scenario
[Figure: the attacker machine directs scanning activity at the computer network and ends up with a compromised machine, i.e. a machine with a vulnerability]

1
Intrusion Detection System(IDS)

 An intrusion detection system (IDS) is a device or software application that monitors a network for malicious activity or policy violations.

 Any malicious activity or violation is typically reported or collected centrally using a security information and event management (SIEM) system.

2
IDS Detection Types

 Network intrusion detection systems (NIDS): a system that analyzes incoming network traffic.

 Host-based intrusion detection systems (HIDS): a system that monitors important operating system files.

3
Subset of IDS types

 Signature-based IDS detects possible threats by looking for specific patterns, such as byte sequences in network traffic or known malicious instruction sequences used by malware.

 Although a signature-based IDS can easily detect known attacks, it cannot detect new attacks for which no pattern is yet available.

4
Subset of IDS types
 Anomaly-based: a newer technology designed to detect and adapt to unknown attacks, primarily in response to the explosion of malware.
 This detection method uses machine learning to create a defined model of trustworthy activity, and then compares new behavior against this trust model.
 While this approach enables the detection of previously unknown attacks, it can suffer from false positives: previously unknown legitimate activity can accidentally be classified as malicious.

5
Anomalies
 Anomaly detection refers to the problem of finding patterns in data that do not conform to expected behavior.
 Also referred to as outliers, exceptions, peculiarities, surprises, etc.
 Anomaly detection techniques are applied in a variety of domains, including credit card fraud prevention, financial turbulence detection, virus or system intrusion discovery, and network monitoring, to name a few.

6
Real World Anomalies

 Credit card fraud
  An abnormally high purchase made on a credit card
 Cyber intrusions
  A web server involved in FTP traffic

7
Simple Example
 N1 and N2 are regions of normal behavior
 Points o1 and o2 are anomalies
 Points in region O3 are anomalies
[Figure: scatter plot of the dense regions N1 and N2, the isolated points o1 and o2, and the small cluster O3]
8
Point Anomalies
 An individual data instance is anomalous with respect to the data
[Figure: the same scatter plot; o1, o2 and the points in O3 are point anomalies relative to the regions N1 and N2]

9
Contextual Anomalies
 An individual data instance is anomalous within a context
 Requires a notion of context
 Also referred to as conditional anomalies*
[Figure: the same kind of value labelled "Normal" in one context and "Anomaly" in another]

* Xiuyao Song, Mingxi Wu, Christopher Jermaine, Sanjay Ranka, Conditional Anomaly Detection, IEEE Transactions on Knowledge and Data Engineering, 2006.

10
Collective Anomalies
 A collection of related data instances is anomalous
 Requires a relationship among data instances
  Sequential data
  Spatial data
  Graph data
 The individual instances within a collective anomaly are not anomalous by themselves
[Figure: a sequence with one highlighted "Anomalous Subsequence"]

11
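The three anomaly types on slides 8 to 11 (point, contextual, collective) are easiest to tell apart in code. The following is an added example, not code from the slides: three small detectors, each run on data constructed here to mirror the slides (a two-region N1/N2 scatter with outliers o1, o2 and a far cluster O3; a per-context baseline; a sequence of per-minute failed-login counts). The thresholds, the data and the "business_hours"/"night" contexts are assumptions for illustration.

```python
"""Toy detectors for the three anomaly types named on the slides.
Added example, not code from the slides; all data below is constructed."""
from collections import defaultdict
from math import hypot
from statistics import mean, pstdev

# Constructed 2-D data in the spirit of the N1/N2/o1/o2/O3 figure:
# two dense normal regions, two isolated outliers, one small far cluster.
N1 = [(2.0, 2.0), (2.2, 2.1), (1.9, 2.3), (2.1, 1.8),
      (1.8, 1.9), (2.3, 2.2), (2.0, 2.4), (1.7, 2.1)]
N2 = [(8.0, 8.0), (8.2, 8.1), (7.9, 8.3), (8.1, 7.8),
      (7.8, 7.9), (8.3, 8.2), (8.0, 8.4), (7.7, 8.1)]
O1, O2 = (2.0, 7.0), (8.0, 2.0)
O3 = [(5.0, 5.0), (5.2, 5.1), (4.9, 4.8)]
POINTS = N1 + N2 + [O1, O2] + O3


def point_anomalies(points, radius=1.0, min_neighbours=4):
    """Point anomalies: instances with too few neighbours within `radius`.
    o1 and o2 have none; the O3 cluster has two each, still far below the
    density of N1 and N2, so its points are flagged as well."""
    flagged = []
    for i, (x, y) in enumerate(points):
        neighbours = sum(
            1 for j, (px, py) in enumerate(points)
            if j != i and hypot(px - x, py - y) <= radius
        )
        if neighbours < min_neighbours:
            flagged.append((x, y))
    return flagged


# Constructed history of megabytes transferred per hour, keyed by context.
HISTORY = (
    [("business_hours", v) for v in (480, 500, 520, 510, 490, 505)]
    + [("night", v) for v in (10, 12, 8, 11, 9, 10)]
)


def contextual_anomalies(history, observations, k=3.0):
    """Contextual anomalies: a value is judged against the baseline of its
    own context rather than against all data. 500 MB is ordinary during
    business hours and anomalous at night."""
    by_ctx = defaultdict(list)
    for ctx, value in history:
        by_ctx[ctx].append(value)
    baseline = {ctx: (mean(vals), pstdev(vals)) for ctx, vals in by_ctx.items()}
    flagged = []
    for ctx, value in observations:
        mu, sigma = baseline[ctx]
        # With zero spread in the baseline, any deviation is anomalous.
        if (sigma == 0 and value != mu) or (sigma > 0 and abs(value - mu) / sigma > k):
            flagged.append((ctx, value))
    return flagged


# Constructed per-minute counts of failed logins against one host.
FAILED_LOGINS = [0, 1, 0, 2, 0, 1, 3, 3, 3, 3, 3, 3, 0, 1, 0]


def collective_anomalies(counts, window=6, window_threshold=15, point_threshold=5):
    """Collective anomalies: no single minute exceeds `point_threshold`, but a
    sustained run does. Returns (indices of minutes that would trigger on
    their own, start indices of windows whose sum reaches the threshold)."""
    point_hits = [i for i, c in enumerate(counts) if c > point_threshold]
    window_hits = [
        i for i in range(len(counts) - window + 1)
        if sum(counts[i:i + window]) >= window_threshold
    ]
    return point_hits, window_hits


if __name__ == "__main__":
    print("point anomalies:", point_anomalies(POINTS))
    print("contextual:", contextual_anomalies(
        HISTORY, [("business_hours", 500), ("night", 500)]))
    print("collective (point hits, window starts):", collective_anomalies(FAILED_LOGINS))
```

The point detector is a density rule (a DBSCAN-style "noise" test) rather than a single-centroid distance, because the slide's normal behaviour lives in two separate regions. The collective detector returns both lists so the reader can see that the per-point list is empty while the windowed one is not, which is exactly the property slide 11 describes.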
Misuse Detection

 A LAND attack is a Layer 4 Denial of Service (DoS) attack in which the attacker sets the source and destination information of a TCP segment to be the same.
 A vulnerable machine will crash or freeze because the packet is repeatedly processed by the TCP stack.

12
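The LAND packet on slide 12 is the textbook case of misuse detection: the whole signature is "TCP SYN with source address and port equal to destination address and port". The code below is an added example, not from the slides: it parses a constructed key=value flow-log format (the format, the addresses in the 192.0.2.0/24 documentation range and the sample lines are all made up) and applies that one signature.

```python
"""Misuse (signature) detection for the LAND packet described on the slide.
Added example, not code from the slides; the log format and the sample
lines are constructed for illustration."""
import re

# Constructed flow-log format: space-separated key=value pairs.
LINE_RE = re.compile(
    r"proto=(?P<proto>\w+) src=(?P<src_ip>[\d.]+):(?P<src_port>\d+) "
    r"dst=(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) flags=(?P<flags>\w*)"
)

SAMPLE_LOG = """\
proto=tcp src=192.0.2.10:51234 dst=192.0.2.20:80 flags=S
proto=tcp src=192.0.2.20:139 dst=192.0.2.20:139 flags=S
proto=udp src=192.0.2.20:53 dst=192.0.2.20:53 flags=
proto=tcp src=192.0.2.20:80 dst=192.0.2.20:51235 flags=SA
proto=tcp src=192.0.2.10:51236 dst=192.0.2.20:443 flags=S
"""


def parse_line(line):
    """Return a record dict for a well-formed line, or None for anything else."""
    m = LINE_RE.fullmatch(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def is_land(rec):
    """The signature: TCP, a pure SYN, and source == destination for both
    address and port. Same-host traffic on different ports (sample line 4)
    and the UDP record (sample line 3) deliberately do not match."""
    return (
        rec["proto"] == "tcp"
        and "S" in rec["flags"] and "A" not in rec["flags"]
        and rec["src_ip"] == rec["dst_ip"]
        and rec["src_port"] == rec["dst_port"]
    )


def detect_land(log_text):
    """Return (line_number, record) for every LAND match in the log."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        if rec and is_land(rec):
            hits.append((n, rec))
    return hits


if __name__ == "__main__":
    for n, rec in detect_land(SAMPLE_LOG):
        print(f"line {n}: LAND signature matched for {rec['src_ip']}:{rec['src_port']}")
```

Only the second sample line matches. The point of the exercise is also the limitation the later slides raise: this rule catches exactly the pattern it encodes and nothing else, so every new attack type needs a new rule.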
Problem: Anomaly Detection
 Anomaly Detection

13
Intrusion Detection

 Intrusion Detection System
  – a combination of software and hardware that attempts to perform intrusion detection
  – raises an alarm when a possible intrusion happens
 Traditional IDS tools (e.g. Snort, www.snort.org) are based on signatures of known attacks
 Limitations
  – The signature database has to be manually revised for each newly discovered type of intrusion
  – They cannot detect emerging cyber threats
  – Substantial latency in the deployment of newly created signatures across the computer system
 • Data mining can alleviate these limitations

14
Snort
 NIDS: a network intrusion detection system (NIDS) is an intrusion detection system that tries to detect malicious activity such as denial of service attacks, port scans or even attempts to crack into computers by monitoring network traffic.

 Snort: an open source network intrusion prevention and detection system. It uses a rule-based language combining signature, protocol and anomaly inspection methods.

 Snort: the most widely deployed intrusion detection and prevention technology; it has become the de facto standard technology worldwide in the industry.

15
Snort architecture

[Figure: Snort architecture diagram]

From: Nalneesh Gaur, Snort: Planning IDS for your enterprise, http://www.linuxjournal.com/article/4668, 2001.

16
Rules
 Each rule is written on a single line
 Rules are created from known intrusion signatures.
 Rules are usually placed in the snort.conf configuration file.

[Figure: a rule consists of the rule header followed by the rule options]

17
Rule examples

[Figure: annotated rule example. Rule header: action (an alert will be generated if the criteria are met), protocol (apply to all IP packets), source IP address, source port, destination IP address, destination port. The rule options follow the header.]

18
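Slides 17 and 18 describe a rule as one line made of a header (action, protocol, source address and port, direction, destination address and port) followed by options in parentheses. The following is an added example, not Snort's own code, that parses such a line and evaluates the header against packet records. The rule text, the addresses and the packets are constructed here; sid 1000001 is used because Snort reserves sids from 1,000,000 upward for local rules. Variables such as $HOME_NET are not expanded in this example.

```python
"""Parse a Snort-style rule into header and options and match the header
against packet records. Added example, not Snort's own parser; rule and
packets below are constructed for illustration."""
import ipaddress
import re

RULE = ('alert tcp any any -> 192.168.1.0/24 25 '
        '(msg:"constructed example: SMTP to mail subnet"; flow:to_server; sid:1000001; rev:1;)')

HEADER_FIELDS = ["action", "proto", "src_ip", "src_port", "direction", "dst_ip", "dst_port"]

# One option: key, optional ":value" (quoted values may contain ';'), then ';'.
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*((?:"[^"]*"|[^;])*))?\s*;')


def parse_rule(text):
    """Split the single-line rule into a header dict (7 fields) and a list of
    (key, value) option pairs; flag-style options have value None."""
    header_text, _, option_text = text.partition("(")
    fields = header_text.split()
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("rule header must have exactly 7 fields")
    header = dict(zip(HEADER_FIELDS, fields))
    options = [
        (key, value.strip().strip('"') if value else None)
        for key, value in OPTION_RE.findall(option_text)
    ]
    return header, options


def _ip_matches(spec, ip):
    if spec == "any":
        return True
    if spec.startswith("$"):
        raise ValueError("variables such as $HOME_NET are not expanded in this example")
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def _port_matches(spec, port):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:                      # range "lo:hi", either end optional
        lo, _, hi = spec.partition(":")
        ok = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        ok = port == int(spec)
    return ok != negate


def _endpoint_matches(ip_spec, port_spec, ip, port):
    return _ip_matches(ip_spec, ip) and _port_matches(port_spec, port)


def header_matches(header, pkt):
    """'->' matches one direction only; '<>' also tries the swapped endpoints."""
    if header["proto"] not in ("ip", pkt["proto"]):
        return False
    forward = (_endpoint_matches(header["src_ip"], header["src_port"], pkt["src_ip"], pkt["src_port"])
               and _endpoint_matches(header["dst_ip"], header["dst_port"], pkt["dst_ip"], pkt["dst_port"]))
    if forward or header["direction"] != "<>":
        return forward
    return (_endpoint_matches(header["src_ip"], header["src_port"], pkt["dst_ip"], pkt["dst_port"])
            and _endpoint_matches(header["dst_ip"], header["dst_port"], pkt["src_ip"], pkt["src_port"]))


# Constructed packet records: only the first one should match RULE.
PACKETS = [
    {"proto": "tcp", "src_ip": "10.0.0.5", "src_port": 40000, "dst_ip": "192.168.1.25", "dst_port": 25},
    {"proto": "tcp", "src_ip": "10.0.0.5", "src_port": 40001, "dst_ip": "192.168.1.25", "dst_port": 587},
    {"proto": "tcp", "src_ip": "192.168.1.25", "src_port": 25, "dst_ip": "10.0.0.5", "dst_port": 40000},
    {"proto": "udp", "src_ip": "10.0.0.5", "src_port": 40002, "dst_ip": "192.168.1.25", "dst_port": 25},
]


def evaluate(rule_text, packets):
    """Return (packet index, action, msg) for each packet the header matches."""
    header, options = parse_rule(rule_text)
    msg = dict(options).get("msg", "")
    return [(i, header["action"], msg) for i, pkt in enumerate(packets)
            if header_matches(header, pkt)]


if __name__ == "__main__":
    for i, action, msg in evaluate(RULE, PACKETS):
        print(f"packet {i}: {action} - {msg}")
```

The reply packet (index 2) does not match because the rule is one-directional, and the UDP packet (index 3) fails the protocol test; in Snort the options (content, flow, etc.) are only inspected once the header has matched, which is why the header is evaluated first here too.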
Originally, the Simple Mail Transfer Protocol (SMTP) used port 25. Today, SMTP should instead use port 587 —

 Port 24: used by any private mail system.

https://www.youtube.com/watch?v=R1mF7Mxfynk
19