A Comparison Between Signature Based and Anomaly Based Intrusion Detection Systems By: Brandon Lokesak For: COSC 356 Date: 12/4/2008.

Outline
 Introduction
 Define an Intrusion
 Objectives of Intrusion Detection Systems
 Signature Based Detection
 Advantages and Disadvantages
 Anomaly Based Detection
 Advantages and Disadvantages
 Active Intrusion Detection Systems (IPS)
 Cost
 Conclusion

Introduction
 Intrusion Detection System: a system that inspects inbound and outbound network activity (or, for a host-based IDS, the activity on a single host) and identifies suspicious patterns that may indicate an attempt to break into or compromise a system.
 A network IDS is essentially a sophisticated packet scanner: it captures every packet it can see on the monitored segment and attempts to classify the traffic as intrusive or non-intrusive. Unlike a firewall it does not sit in the path of the traffic; by default it only observes and reports.
 The concept was designed and put into use on production networks between the late 1970s and early 1980s, and such systems are still in use today.

What Is an Intrusion
An intrusion is "Any set of activities that attempt to compromise the integrity, confidentiality or availability of a resource."

Threats:
"Denial of Service – action or series of actions that prevent some part of a system from performing as intended
Disclosure – unauthorized acquisition of sensitive information
Manipulation – improper modification of system information whether being processed, stored, or transmitted
Masqueraders – attempt by an unauthorized user or process to gain access to a system by posing as an authorized entity

Threats Continued
Replay – retransmission of valid messages under invalid circumstances to produce unauthorized effects
Repudiation – successful denial of an action
Physical Impossibilities – violation of an object residing in two places at the same time, moving from one place to another in less than optimal time, or repeating a specific action in less than some minimal time quantum
Device Malfunctions (health of the system) – partial or complete failure of a monitored system device"

Objectives of Intrusion Detection Systems
"Confidentiality – ensuring that the data and system are not disclosed to unauthorized individuals, processes, or systems
Integrity – ensuring that the data is preserved in regard to its meaning, completeness, consistency, intended use, and correlation to its representation
Availability – ensuring that the data and system are accessible and usable to authorized individuals and/or processes
Accountability – ensuring that transactions are recorded so that events may be recreated and traced to users or processes"

Signature Based Detection
 Signature based detection works much like a virus scanner: it relies on rules (signatures) that describe known attacks and tries to match observed activity against them.
 A known attack, whether a worm, an exploit or a scan, usually follows a recognisable series of steps or carries a recognisable byte pattern (a particular request string, a shellcode sequence, a protocol violation). That series of steps or pattern is compiled into a rule.
 Whenever the IDS software (the agent or sensor) collects data, it compares what it observed against the defined rules and reports each match as an alert; traffic that matches no rule is treated as benign.

Advantages of Signature Based Detection
 Generally produces far fewer false positives than anomaly detection, because an alert means a specific known pattern was seen rather than that traffic merely looked unusual.
 Ease of tracking down the cause of an alarm: each alert names the rule that fired, and the detailed log files show exactly what matched.
 Time is saved since administrators spend less time dealing with false positives.

Disadvantages of Signature Based Detection
 A signature based system can only detect an intrusion attempt that matches a pattern already in its database, so the database must be updated constantly.
 Whenever a new attack or piece of malware is identified it can take vendors anywhere from a few hours to a few days to update their signature databases; until then the attack passes undetected.
 The same gap applies to variants: an attacker who changes the bytes a signature looks for (a different encoding, a rearranged exploit string) produces traffic the rule no longer matches even though the attack is unchanged.

Disadvantages of Signature Based Detection (continued)
 On links carrying large amounts of traffic the IDS can have a difficult time inspecting every single packet it sees; the sensor is then forced to drop packets, and a hostile packet among those dropped gets by without detection.
 The system can suffer a substantial performance slowdown if it is not equipped with hardware able to keep up with the traffic volume and the size of the rule set.
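The matching described in the Signature Based Detection slide and the evasion problem listed under its disadvantages, as an added example that is not part of the original presentation. The rule set, signature IDs, sample packets and addresses are all constructed for illustration; the rule shape (protocol, port, content) is a deliberately reduced version of a Snort-style rule, not any vendor's database.

```python
"""Signature-based detection over constructed sample traffic.

Each signature is a Snort-style rule reduced to its essentials: a
protocol, an optional destination port and a byte pattern ("content")
that must appear in the payload. Detection is a lookup: a packet
either matches a known pattern or it does not, and every alert names
the rule that fired.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    sid: int              # rule identifier reported in the alert (hypothetical numbers below)
    msg: str
    proto: str
    dport: Optional[int]  # None matches any destination port
    content: bytes        # byte pattern that must appear somewhere in the payload
    nocase: bool = False  # case-insensitive content match

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        hay, needle = pkt.payload, self.content
        if self.nocase:
            hay, needle = hay.lower(), needle.lower()
        return needle in hay


# Constructed rule set; the sids and messages are made up for this example.
RULES = [
    Signature(1000001, "WEB-ATTACKS directory traversal", "tcp", 80, b"../../"),
    Signature(1000002, "SQL injection tautology", "tcp", 80, b"' or '1'='1", nocase=True),
    Signature(1000003, "NOP sled in payload", "tcp", None, b"\x90" * 16),
]


def inspect(pkt: Packet, rules=RULES) -> List[Tuple[int, str]]:
    """Return every (sid, msg) whose rule matches the packet; [] means 'benign' to a signature IDS."""
    return [(r.sid, r.msg) for r in rules if r.matches(pkt)]


def inspect_stream(packets, rules=RULES) -> dict:
    """Run the sensor over a traffic sample; map packet index -> alerts for packets that fired."""
    hits = {}
    for i, pkt in enumerate(packets):
        alerts = inspect(pkt, rules)
        if alerts:
            hits[i] = alerts
    return hits


# Constructed sample traffic: one benign request, two attacks the rules know,
# the same traversal attack re-encoded so its bytes no longer match, and a NOP sled.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.80", "tcp", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("198.51.100.7", "10.0.0.80", "tcp", 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n"),
    Packet("198.51.100.7", "10.0.0.80", "tcp", 80, b"POST /login HTTP/1.1\r\n\r\nuser=x' OR '1'='1"),
    Packet("198.51.100.7", "10.0.0.80", "tcp", 80, b"GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\n"),
    Packet("198.51.100.9", "10.0.0.22", "tcp", 22, b"\x90" * 32 + b"\xcc"),
]

if __name__ == "__main__":
    for i, alerts in inspect_stream(SAMPLE).items():
        for sid, msg in alerts:
            print(f"packet {i}: [{sid}] {msg} from {SAMPLE[i].src}")
```

Packet 3 is the point of the exercise: it is the same traversal attack as packet 1 with the dots percent-encoded, and the sensor stays silent because the bytes the rule looks for are no longer present. A real sensor closes that particular gap with protocol normalisation before matching, but every other encoding, fragmentation or rewording trick reopens it until a new signature ships.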

Anomaly Based Detection
 An anomaly is anything that is not nominal, that is, not normal for the monitored system.
 Anomaly detection is split into two separate categories: static and dynamic.
 Static: assumes that one or more parts of the host should remain constant (system binaries, configuration files). Focuses only on the software side and ignores unusual changes in hardware. Used to monitor data integrity: a baseline of the protected data is recorded and any later difference from it is an anomaly.
 Dynamic: depends on a baseline or profile of normal behaviour. The baseline is established by the IDS itself (by observing activity during a learning period) or by the network administrator. It tells the system what normal traffic looks like and may include information about bandwidth, ports, time frames, which hosts talk to which, and so on.

Advantages of Anomaly Based Detection
 New threats can be detected without the need for an up-to-date signature database, because the system flags any departure from its profile rather than a specific known pattern.
 Very little maintenance: once the system is installed it continues to learn about network activity and to refine its profiles.
 The longer the system is in use the more accurate it can become at identifying threats, provided that what it learned was genuinely normal.

Disadvantages of Anomaly Based Detection
 The network is effectively unprotected while the system builds its profile, and anything an attacker does during that period is learned as normal.
 If malicious activity looks like normal traffic to the system it will never send an alarm, and a patient attacker can shift the baseline by increasing activity slowly.
 False positives can become cumbersome with an anomaly based setup: legitimate but unusual usage, such as a burst of activity when everyone checks in after a meeting, has the potential to signal an alarm.
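Both categories from the Anomaly Based Detection slide, and the learning-period problem from its disadvantages, as an added example that is not part of the original presentation. The file contents, the connection timestamps and the addresses are constructed; the static detector is a hash-manifest comparison and the dynamic detector is a per-source mean and standard deviation of connections per minute, which are one reasonable realisation of the slide's description, not the design of any particular product.

```python
"""Anomaly-based detection, static and dynamic, over constructed data.

Static: a baseline of file hashes for parts of the host that should
never change; any difference from the baseline is an anomaly.

Dynamic: a statistical profile (mean and standard deviation) of each
source's connections per time window, learned from a training period;
a window whose count lies more than `threshold` standard deviations
above that source's mean raises an alarm.
"""
import hashlib
import statistics
from collections import Counter, defaultdict

# ----- static anomaly detection: integrity baseline -----

def file_baseline(files):
    """files maps path -> bytes, an in-memory stand-in for the protected part of a filesystem."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def check_integrity(baseline, files):
    """Return {path: 'modified' | 'added' | 'removed'} for every deviation from the baseline."""
    current = file_baseline(files)
    report = {}
    for path in baseline.keys() | current.keys():
        if path not in current:
            report[path] = "removed"
        elif path not in baseline:
            report[path] = "added"
        elif baseline[path] != current[path]:
            report[path] = "modified"
    return report


# ----- dynamic anomaly detection: traffic profile -----

WINDOW = 60  # seconds per bucket


def connection_counts(events, window=WINDOW):
    """events: iterable of (timestamp_seconds, src_ip).
    Return (first_bucket, {src: [count per consecutive window]}), keeping empty windows as 0."""
    per_bucket = defaultdict(Counter)
    for ts, src in events:
        per_bucket[ts // window][src] += 1
    first, last = min(per_bucket), max(per_bucket)
    sources = {src for c in per_bucket.values() for src in c}
    counts = {src: [per_bucket[b][src] for b in range(first, last + 1)] for src in sources}
    return first, counts


def learn_profile(training_events, window=WINDOW):
    """Baseline per source: (mean, stdev) of connections per window over the training period.
    Whatever happened during training, benign or not, becomes 'normal'."""
    _, counts = connection_counts(training_events, window)
    profile = {}
    for src, series in counts.items():
        mean = statistics.fmean(series)
        sd = statistics.pstdev(series)
        profile[src] = (mean, max(sd, 1.0))  # floor the spread so a flat baseline still tolerates small jitter
    return profile


def detect(profile, events, threshold=3.0, window=WINDOW):
    """Return [(src, window_start_seconds, count)] for windows above mean + threshold * stdev.
    A source absent from the profile has no history and is judged against an empty baseline."""
    first, counts = connection_counts(events, window)
    alerts = []
    for src, series in counts.items():
        mean, sd = profile.get(src, (0.0, 1.0))
        for i, count in enumerate(series):
            if count > mean + threshold * sd:
                alerts.append((src, (first + i) * window, count))
    return sorted(alerts)


# Constructed training traffic: a workstation at a steady 5 connections/minute for
# ten minutes, and an attacker who was already scanning at 50/minute while the
# profile was being learned.
TRAINING = [(w * 60 + k * 10, "10.0.0.5") for w in range(10) for k in range(5)]
TRAINING += [(w * 60 + k, "198.51.100.7") for w in range(10) for k in range(50)]

# Constructed live traffic after learning: the workstation bursts to 40/minute,
# the attacker keeps scanning at 50/minute, and a new host opens 100 in one minute.
LIVE = [(600 + k, "10.0.0.5") for k in range(40)]
LIVE += [(600 + k, "198.51.100.7") for k in range(50)]
LIVE += [(660 + k * 10, "10.0.0.5") for k in range(5)]
LIVE += [(660 + k % 60, "203.0.113.9") for k in range(100)]

if __name__ == "__main__":
    profile = learn_profile(TRAINING)
    for src, start, count in detect(profile, LIVE):
        print(f"anomaly: {src} opened {count} connections in the window starting at t={start}s")
```

Run as written, the detector flags the workstation's burst and the unknown host, and says nothing about 198.51.100.7: fifty connections a minute is what that address did throughout the learning period, so the profile records it as that host's normal rate. That is the unprotected learning window from the slide made concrete, and it is why a learned baseline should be reviewed by a person before it is trusted.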

Active Intrusion Detection Systems
 A passive system can only send an alarm to an administrator when an attempt is in progress. An active system (an intrusion prevention system, IPS) can take control of the situation by disconnecting the assailant.
 Methods:
 Session disruption: if the attacker has opened a TCP connection to the victim, the IDS forges a TCP reset (RST) packet, impersonating one end of the connection to the other, which tears the connection down. UDP has no connection to reset; the IDS can only send ICMP unreachable or other disruptive packets in the hope that the application gives up. Disruption does not permanently remedy the situation: it only ends the current connection, and the attacker can open another.
 Rule modification: the IDS is linked to a firewall via an administrative link and tells the firewall to drop all packets from the attacker's IP address. Because the source address of an attack packet may be spoofed, this must be applied with care: an attacker who spoofs the address of a legitimate host or gateway can make the IDS block it.
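The two response methods from the slide above, as an added example that is not part of the original presentation. It computes the forged resets from an observed segment and generates the firewall rule, without sending anything; the segment, addresses and the list of protected ranges are constructed. The iptables command format is standard, but the decision to refuse certain ranges is this example's own spoofing guard, not a feature of any particular IDS.

```python
"""Active response derived from an observed TCP segment (constructed data).

Session disruption: a sensor that merely watches a connection is not a
party to it, so to end it the sensor forges a RST to each endpoint
while impersonating the other. A RST is honoured only if its sequence
number is acceptable to the receiver: the RST sent to the server (as
if from the client) must carry the client's next sequence number, and
the RST sent to the client (as if from the server) must carry the
server's next sequence number, which the observed segment reveals as
its acknowledgement number.

Rule modification: the sensor asks the firewall to drop the attacker's
address. The source address of an attack packet may be spoofed, so the
sensor refuses to shun addresses the network cannot afford to lose;
otherwise an attacker can spoof those addresses and turn the IDS into
a denial-of-service tool against its own network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SEQ_MODULUS = 2 ** 32


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    payload_len: int = 0
    syn: bool = False
    fin: bool = False
    rst: bool = False


def next_seq(seg: Segment) -> int:
    """Sequence number the sender of `seg` will use next: data bytes plus one each for SYN and FIN."""
    return (seg.seq + seg.payload_len + int(seg.syn) + int(seg.fin)) % SEQ_MODULUS


def reset_pair(seg: Segment):
    """Forge the two RST segments that tear down the connection carrying `seg`.
    Returns (rst_to_server, rst_to_client) where `seg` is an observed client -> server segment."""
    # To the server, pretending to be the client: the server expects the client's next sequence number.
    to_server = Segment(seg.src, seg.sport, seg.dst, seg.dport, seq=next_seq(seg), ack=0, rst=True)
    # To the client, pretending to be the server: the client expects the server's next sequence
    # number, which is exactly what the client has just acknowledged.
    to_client = Segment(seg.dst, seg.dport, seg.src, seg.sport, seq=seg.ack, ack=0, rst=True)
    return to_server, to_client


# Constructed list of address ranges the sensor must never shun (gateway, DNS, management hosts).
NEVER_SHUN = [ip_network("10.0.0.0/24"), ip_network("127.0.0.0/8")]


def shun_rule(attacker_ip: str, protected=NEVER_SHUN):
    """Return the firewall command that drops the attacker, or None if the address is protected.
    The iptables syntax is standard; refusing protected ranges is the guard against spoofed sources."""
    addr = ip_address(attacker_ip)
    if any(addr in net for net in protected):
        return None
    return f"iptables -I INPUT -s {addr} -j DROP"


if __name__ == "__main__":
    # Constructed observation: attacker 198.51.100.7 sending 100 bytes into a web session.
    observed = Segment("198.51.100.7", 40000, "10.0.0.80", 80, seq=1000, ack=5000, payload_len=100)
    for rst in reset_pair(observed):
        print(f"RST {rst.src}:{rst.sport} -> {rst.dst}:{rst.dport} seq={rst.seq}")
    print(shun_rule(observed.src) or "refused to shun protected address")
    print(shun_rule("10.0.0.1") or "refused to shun protected address")
```

The sequence arithmetic is the part that fails silently in practice: a RST whose sequence number is outside the receiver's window is dropped without complaint, so a sensor that forges resets from stale state simply does not disconnect anyone. The shun guard addresses the other failure mode the slide warns about, a spoofed packet from a protected address that would otherwise have the IDS cut the network off from its own gateway.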

Costs
"CSO magazine's 2006 E-Crime Watch survey revealed that the damage done by enterprise security events is getting worse. Sixty-three percent of respondents reported operational losses as a result of e-crime, 23 percent reported harm done to their organization's reputation and 40 percent reported financial losses, which averaged $740,000 in 2005 compared to an average of $507,000 in 2004."
 Intrusion Detection Systems range in price anywhere from $4,000 to $60,000 depending on the features a company needs.
 The price may appear high to some, but compared with the cost of the damage an intrusion can do it is a well-spent investment for a company.
 Remember that data is very hard to put a price tag on once it is lost.

Questions?