In the last decade the topic Intrusion Detection has been subject to increased interest which is not surprising when the dramatic increase of incidents and vulnerabilities is taken into consideration. There has been an increase of a factor of 32 in vulnerabilities in the past ten years. Therefore ways have to be found to analyze, detect and anticipate dangers and attacks. Finally the reaction to an attack also has to be specified. (Intrusion Response).
The technique of detecting intruders is based on the fact that when an intruder gets into a third party system he either leaves traces behind or behaves differently than a normal user. This means that if methods or mechanisms can be found to carefully analyze the data produced, there is a greater chance of detecting a violation of the system policy and thus the intruders. Depending on how the data is collected and analyzed we speak of either Host-based Intrusion Systems (HIDS), where the IDS software is installed on a single host or of Network based Intrusion Detection System (NIDS), where the IDS Software monitors a complete network.
Two approaches can be distinguished which detect attacks on information systems: Anomaly Detection (Statistical Approaches, Bayesian Networks, Neural Networks, etc.) and Misuse Detection (Pattern Matching, State Transition Analysis, Keystroke Monitoring, etc.).
An Anomaly Detection makes a profile of the variable to be analyzed e.g. the use of resources (CPU) or user typical behavior (Login Behavior), this is also called the long term profile and is compared with the actual realization of the variable (short term profile). Should the difference between long term and short term behavior exceed an a priori defined threshold, the event can then be seen as an anomaly.
A different approach is followed in the detection of misuse; here attack specific signatures are stored in the signature database. The data stream is then systematically analyzed, by searching for this attack signature in the data stream.
At the Department of Communication Systems in Hagen different approaches, univariate analysis and multivariate analysis methods (Chi-Square Test, Hotelling Test) are being systematically analyzed with regard to their ability to detect anomalies. Furthermore, new approaches are being carefully studied and applied. We will concentrate on the use of robust statistical methods and multivariate analysis methods to detect anomalies.
|Prof. Firoz Kaderali|