
Slide 1: IDSIC: A Modeling of Intrusion Detection System with Identification Capability
Pei-Te Chen, Benjamin Tseng, Chi-Sung Laih
Cryptology & Network Security Lab., Electrical Engineering Department, National Cheng Kung University

Slide 2: Outline
1. Introduction
2. Traditional IDS model
3. A new model: IDSIC
4. Implementation issues of IDSIC
5. Conclusion

Slide 3: 1. Introduction
- Three fundamental functional components of an intrusion detection system (IDS):
  - Collection: collects the different sources of information
  - Detection: analyzes the information sources
  - Response: notifies the system managers when or where an intrusion happens (active measures and passive measures)

Slide 4: 1. Introduction (cont.)
- Some security standards, e.g. ISO 17799, suggest that an inner auditor should periodically check the security issues in the enterprise network.
- In order to discover the real security holes or vulnerabilities, the security tools used by the auditors are the same tools used by outside hackers.

Slide 5: 1. Introduction (cont.)
- These tests can be separated into two situations.
- Rehearsal: the auditors notify the system managers when the security auditing starts and how the security tests will go on. Both the system managers and the auditors know the scenarios of the security tests, so the testing results in this situation are of very little value.

Slide 6: 1. Introduction (cont.)
- Auditors imitate hackers' behaviors when performing security tests; the system managers do not know in advance when, where, and how the tests will take place.
- An active response measure would enable a self-protecting ability; a passive response measure will raise many alarms that the system managers have to cope with.

Slide 7: 1. Introduction (cont.)
- Lee et al. propose a cost-sensitive model for IDSs that uses some major cost factors, such as damage cost, response cost, operational cost, etc., to evaluate the total cost of IDSs. IDSs should minimize these costs.
- W. Lee, W. Fan, Matt Miller, Sal Stolfo, and E. Zadok. Toward Cost Sensitive Modeling for Intrusion Detection and Response. Journal of Computer Security, Vol. 10, Numbers 1,2, 2002.

Slide 8: Motivation
- The traditional IDSs (TIDSs) do not consider the behavior of the security auditors.
- We are motivated to study whether the IDSs' cost is minimal in a top-secret enterprise network with security auditors.

Slide 9: 2. Traditional IDS model
- Traditional IDSs (TIDSs) requirements
- Roles and costs in TIDSs

Slide 10: TIDSs requirements
- Detection of known attacks: should have the ability to determine the malicious attackers
- Real-time/near real-time analysis: analyze the information sources gathered by the IDS sensor as soon as possible
- Minimal resource: use the minimal resources in the systems when monitoring
- High accuracy: make sure the detection is correct and lower the false alarms
- J. Cannady. An Adaptive Neural Network Approach to Intrusion Detection and Response. Ph.D. Thesis, Nova Southeastern University, 2000.

Slide 11: The roles in TIDSs
- Hackers: people who attempt to gain unauthorized access to a computer system. These people are often malicious and have many tools for breaking into a system.
- System Manager (SM): the person who takes charge of minimizing excess use, network management, and system maintenance costs. If a system under attack results in IDS alarms, they have to make efforts to find out where the problem is.

Slide 12: The roles in TIDSs (cont.)
- Detection System (DS): the system that monitors the events occurring in protected hosts or networks and analyzes them for signs of intrusions.

Slide 13: The roles and relationships in TIDSs (figure only)

Slide 14: The costs of TIDSs
- Damage cost (DCost): the cost of damage caused by hackers when IDSs do not work appropriately
- Response cost (RCost): the cost of the actions taken when response components generate alarms
- Operational cost (OpCost): the cost of processing and analyzing the activities of events
- W. Lee, W. Fan, Matt Miller, Sal Stolfo, and E. Zadok. Toward Cost Sensitive Modeling for Intrusion Detection and Response. Journal of Computer Security, Vol. 10, Numbers 1,2, 2002.

Slide 15: The costs of TIDSs (cont.)
- False Negative cost is the cost of not detecting an attack that really happened.
- False Positive cost occurs when normal behavior is misidentified as an attack.
- True Positive cost is the detection cost when an attack really happens.
- True Negative cost is incurred when an IDS correctly decides there are no attacks.

Slide 16: The costs of TIDSs (cont.)
- (cost equations in figure) ε1: the function of the events' progress

Slide 17: The costs of TIDSs (cont.) (figure only)

Slide 18: 3. A new model: IDSIC
- Roles and components in IDSIC
- New requirements in IDSIC
- Cost analysis in IDSIC

Slide 19: Roles in IDSIC
- Security Auditor (SA): a person appointed and authorized to audit whether the security equipment works regularly or not by using vulnerability testing tools. One of the security auditors' main tasks is to check for security holes or vulnerabilities in the system.
- Note: traditional IDSs have no ability to distinguish security auditors from hackers.

Slide 20: Roles in IDSIC (cont.)
- Detection System with Identification Capability (DSIC): one type of DS that runs the same functions as a DS. However, it has the extra functionality of distinguishing between the roles of hackers and SAs.
- Fingerprint: some secret information used to let the DSIC distinguish hackers from SAs

Slide 21: Components in IDSIC
- IDSIC includes the basic components of TIDSs: the collection, detection, and response components.
- The fingerprint adder uses fingerprint generation algorithms to calculate the fingerprint and add it to the packets.
- The fingerprint checker includes validation algorithms that help the DSIC differentiate hackers' attacks from SAs' tests based on the packets.

Slide 22: The roles and components in IDSIC (figure only)

Slide 23: New requirements in IDSIC
- Fingerprint generation ability: SAs must have the ability to calculate the fingerprint, and the computing power needed to calculate it must be as small as possible.
- Validation ability: the DSIC needs the ability to determine whether a packet carries a fingerprint, and this determination must be as fast as possible.

Slide 24: New requirements in IDSIC (cont.)
- Security: hackers cannot generate a fingerprint without the SAs' secret, and the probability of forging a fingerprint must be as small as possible.

Slide 25: Cost analysis in IDSIC
- The damage cost (DCost) can be divided into two parts:
  - HDCost(e) is the damage cost caused by hackers that may harm the systems
  - SDCost(e) is the amount of security testing cost that may damage the systems, caused by SAs
  - HDCost(e) >> SDCost(e)
- The response cost (RCost) is also separated into two parts, HRCost(e) and SRCost(e), with HRCost(e) = SRCost(e).

Slide 26: Cost analysis in IDSIC (cont.)
- False Negative (FN_IC) and False Positive (FP_IC): case 1 and case 2 (equations in figure); ε2: the function of the events' progress
- Therefore, FN_IC < FN and FP_IC ≅ FP.

Slide 27: Cost analysis in IDSIC (cont.)
- True Positive (TP_IC) and True Negative (TN_IC) = 0: case 1 and case 2 (equations in figure); ε3: the function of the events' progress
- Therefore, TP_IC ≤ TP.

Slide 28: CCost vs. ICCost (figure only)

Slide 29: Cost analysis in IDSIC (cont.)
- OpCost(e) is similar in TIDS and IDSIC.
- CCost(e) in TIDS is greater than ICCost(e) in IDSIC.
- Therefore IDSIC can have a smaller CumulativeCost(E) than TIDS.
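The cost equations on slides 25 through 29 survive here only as their qualitative relations (HDCost >> SDCost, HRCost = SRCost, FN_IC < FN, FP_IC ≅ FP, TP_IC ≤ TP, equal OpCost). The Python below is an added illustration, not the paper's own equations: it scores a constructed event trace once as a TIDS would (every alarm gets a response, because hacker and SA events look alike) and once as an IDSIC would (a valid fingerprint turns the event into an identified SA test that needs no response). The cost values, the per-outcome scoring rules and the trace itself are assumptions of this example.

```python
"""Per-event and cumulative cost of a TIDS versus an IDSIC over a constructed
event trace (added example, not the paper's own cost equations)."""
from dataclasses import dataclass

# Constructed cost parameters chosen to follow the slides' stated relations:
# HDCost >> SDCost, HRCost == SRCost (a single RCost), OpCost equal in both models.
HDCOST = 100.0   # damage cost of a real (hacker) attack that is not handled
SDCOST = 1.0     # "damage" of an SA security test, assumed small
RCOST = 10.0     # cost of acting on an alarm, whoever caused it
OPCOST = 0.5     # per-event collection and analysis cost, same in TIDS and IDSIC


@dataclass(frozen=True)
class Event:
    actor: str            # "hacker", "auditor" or "normal"
    alarmed: bool         # the detection component raised an alarm
    fingerprint_ok: bool  # the fingerprint checker validated the packet


def tids_outcome(ev: Event) -> str:
    """A TIDS cannot tell SA tests from attacks: both are 'intrusions' to it."""
    intrusive = ev.actor in ("hacker", "auditor")
    if ev.alarmed:
        return "TP" if intrusive else "FP"
    return "FN" if intrusive else "TN"


def idsic_outcome(ev: Event) -> str:
    """A DSIC consults the fingerprint checker; a valid fingerprint means
    'SA test', which leaves the FN/FP/TP/TN bookkeeping entirely."""
    return "IDENTIFIED" if ev.fingerprint_ok else tids_outcome(ev)


def tids_cost(ev: Event) -> float:
    """CCost(e) under the assumed scoring of each outcome."""
    outcome = tids_outcome(ev)
    if outcome in ("TP", "FP"):
        return OPCOST + RCOST                      # every alarm gets a response
    if outcome == "FN":
        return OPCOST + (HDCOST if ev.actor == "hacker" else SDCOST)
    return OPCOST                                  # TN: nothing beyond operation


def idsic_cost(ev: Event) -> float:
    """ICCost(e): identified tests get no response, only the test damage remains.
    A forged fingerprint (a hacker with fingerprint_ok) would be the costly case."""
    if idsic_outcome(ev) == "IDENTIFIED":
        return OPCOST + (HDCOST if ev.actor == "hacker" else SDCOST)
    return tids_cost(ev)                           # no fingerprint: DSIC acts as a DS


def cumulative_cost(events, per_event) -> float:
    return sum(per_event(e) for e in events)


def outcome_counts(events, classify) -> dict:
    counts = {}
    for e in events:
        counts[classify(e)] = counts.get(classify(e), 0) + 1
    return counts


# Constructed trace: two attacks, three SA test probes, one false alarm and one
# benign event. Only the auditor's packets carry valid fingerprints.
EVENTS = [
    Event("hacker", True, False),    # attack caught by detection
    Event("hacker", False, False),   # attack missed by detection
    Event("auditor", True, True),    # SA probe that looks like an attack
    Event("auditor", True, True),
    Event("auditor", False, True),   # SA probe the detector missed
    Event("normal", True, False),    # benign traffic, false alarm
    Event("normal", False, False),   # benign traffic, no alarm
]


def compare(events=EVENTS) -> dict:
    return {
        "CCost": cumulative_cost(events, tids_cost),
        "ICCost": cumulative_cost(events, idsic_cost),
        "tids": outcome_counts(events, tids_outcome),
        "idsic": outcome_counts(events, idsic_outcome),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(name, value)
```

On this trace the TIDS pays the response cost three times for the auditor's probes and counts them as true positives and false negatives; the IDSIC moves those events into the identified bucket, so its TP and FN counts drop and its cumulative cost is lower, with the gap growing in proportion to how often the SA tests. The one place the model gets worse is a hacker who obtains a valid fingerprint, which is why the forging probability on slide 37 matters.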

Slide 30: 4. Implementation issues of IDSIC
- How to generate the fingerprint
- Where and how to put the fingerprint in the packets
- Where to put the fingerprint checker component in IDSIC

Slide 31: How to generate the fingerprint
- Packet messages (m): information about the IPs, the sequence number, the packet timestamp, and so on
- Three approaches to generate the needed fingerprint:
  - HMAC (Hashed Message Authentication Code)
  - HMAC using a secret value
  - Signature

Slide 32: HMAC (figure only)

Slide 33: HMAC using secret value (figure only)

Slide 34: Signature
- Uses a Public Key Infrastructure (PKI): the SAs sign the packet messages with their private keys and the DSIC uses the SAs' public keys to check the signature.
- No matter which approach is used, it should satisfy the minimal resource requirement.

Slide 35: Where to put the fingerprint in the packets
- We suggest using the IP identification field in the IP header to store the fingerprint.
- This field is currently used to differentiate IP fragments that belong to different packets; less than 0.25% of all Internet traffic is fragments.
- Savage et al. use this field in their IP marking technique.

Slide 36: IP Header (figure only)

Slide 37: How to put the fingerprint in the packets
- The IP identification field contains only 16 bits, so the hackers' forging probability is 2^-16.
- We can set a threshold k, reducing the hackers' forging probability to (2^-16)^k.
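Slides 31 through 37 describe the fingerprint as an HMAC over packet fields, stored in the 16-bit IP identification field, with a threshold k of valid fingerprints that shrinks the forging probability to (2^-16)^k. The Python below is an added illustration, not code from the paper: it builds the message m, computes an HMAC fingerprint truncated to 16 bits, places it in a real IPv4 header, verifies it on the checker side, and applies the k-packet threshold. The choice of HMAC-SHA256, the exact layout of m, and passing the sequence number and timestamp alongside the header (instead of parsing them from a transport header) are assumptions of this example.

```python
"""Fingerprint in the IPv4 identification field: HMAC generation, packet
construction, verification and a k-packet threshold (added example)."""
import hashlib
import hmac
import ipaddress
import struct

FP_BITS = 16                          # the IP identification field is 16 bits wide
FORGE_PROB_PER_PACKET = 2.0 ** -FP_BITS
IPV4_FMT = "!BBHHHBBH4s4s"            # 20-byte IPv4 header without options


def packet_message(src: str, dst: str, seq: int, ts: int) -> bytes:
    """m = the fields both the SA and the DSIC can see. The identification
    field itself is excluded, since it is where the fingerprint goes."""
    return (ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed
            + struct.pack("!II", seq & 0xFFFFFFFF, ts & 0xFFFFFFFF))


def fingerprint(secret: bytes, src: str, dst: str, seq: int, ts: int) -> int:
    """HMAC-SHA256 over m, truncated to the 16 bits that fit the ID field."""
    mac = hmac.new(secret, packet_message(src, dst, seq, ts), hashlib.sha256).digest()
    return int.from_bytes(mac[:2], "big")


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement sum of 16-bit words; a correct header sums to 0."""
    total = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, ident: int, ttl: int = 64,
                      proto: int = 6, total_len: int = 40) -> bytes:
    """Fingerprint adder side: the SA's packet with the fingerprint as IP ID."""
    fields = [0x45, 0, total_len, ident, 0, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ipv4_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields)


def parse_ident(hdr: bytes) -> int:
    return struct.unpack("!H", hdr[4:6])[0]


def packet_has_valid_fingerprint(secret: bytes, hdr: bytes, seq: int, ts: int) -> bool:
    """Fingerprint checker side: recompute from the header's own addresses."""
    src = str(ipaddress.IPv4Address(hdr[12:16]))
    dst = str(ipaddress.IPv4Address(hdr[16:20]))
    expected = fingerprint(secret, src, dst, seq, ts).to_bytes(2, "big")
    return hmac.compare_digest(expected, hdr[4:6])


class FingerprintChecker:
    """Classifies a source as SA only after k consecutive valid fingerprints;
    one invalid packet resets the streak, so a guesser must win k times in a row."""

    def __init__(self, secret: bytes, k: int):
        self.secret, self.k, self.streak = secret, k, {}

    def observe(self, hdr: bytes, seq: int, ts: int) -> str:
        src = hdr[12:16]
        if packet_has_valid_fingerprint(self.secret, hdr, seq, ts):
            self.streak[src] = self.streak.get(src, 0) + 1
        else:
            self.streak[src] = 0
        return "auditor" if self.streak[src] >= self.k else "unidentified"


def forge_probability(k: int) -> float:
    """Chance of guessing k independent 16-bit fingerprints: (2^-16)^k."""
    return FORGE_PROB_PER_PACKET ** k


if __name__ == "__main__":
    secret = b"constructed-sa-secret"          # constructed, shared SA/DSIC secret
    checker = FingerprintChecker(secret, k=3)
    for seq in range(1, 4):                     # three SA probes with valid marks
        fp = fingerprint(secret, "10.0.0.5", "10.0.0.9", seq, 1000 + seq)
        hdr = build_ipv4_header("10.0.0.5", "10.0.0.9", fp)
        print(seq, hex(parse_ident(hdr)), checker.observe(hdr, seq, 1000 + seq))
    print("forge probability for k=3:", forge_probability(3))
```

Two design points matter for a checker that runs at line rate: m must contain only fields that are identical at the adder and the checker (not TTL, not the checksum, not the ID field itself), and any middlebox that rewrites the source address or the identification field, such as a NAT, will make every valid fingerprint fail verification, which fails safe toward "unidentified" rather than toward "auditor".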

Slide 38: Where to put the fingerprint checker in IDSIC
- There are two choices for deploying the fingerprint checker component (figure): before the detection component, or after it, in the chain of collection, detection, and response.

Slide 39: Where to put the fingerprint checker in IDSIC (cont.)
- Before the detection component: the fingerprint checker has to check every incoming packet, which may take a lot of time; under heavy packet loads the fingerprint checker may lose some packets.

Slide 40: Where to put the fingerprint checker in IDSIC (cont.)
- After the detection component: IDSIC first determines whether an intrusion happens, so the DSIC can work like a DS and the fingerprint checker only has to check the suspected intrusion packets. If the SAs perform security tests often, however, the detection component may be busy dealing with these testing packets.

Slide 41: Where to put the fingerprint checker in IDSIC (cont.)
- The best deployment depends on:
  - the frequency of security tests (f_st) from SAs
  - the frequency of attacks (f_a) from hackers
  - the fingerprint checker examining time (t_fc)
  - the DSIC dealing time (t_DSIC)
- For example, in the rehearsal situation f_st is greater than f_a, so it is better to deploy the fingerprint checker before the detection component.

Slide 42: Conclusion
- We propose a new model, IDSIC, based on the auditing point of view, and propose the new requirements in IDSIC.
- We prove that the CumulativeCost in TIDS does not reach the minimal cost when the role of SA exists.
