Performance Evaluation of Intrusion Detection Systems
Waleed Farag & Sanwar Ali
Department of Computer Science at Indiana University of Pennsylvania
ABIT 2006

Outline
- Introduction: Intrusion Detection Concepts
- IDS Components
- IDS Deployment Steps
- IDS Categories
- IDS Performance Evaluation
- Conclusion

Introduction 1/9
- The rate of attempts to exploit system vulnerabilities is rapidly increasing
- These attempts have basically two objectives:
  - Penetrating the attacked system, or
  - Rendering it unavailable (DoS)
- As e-commerce sites became attractive targets, the emphasis of many attacks shifted slightly from break-ins to denial of service
- Current attacks also tend to have financial, political, and military objectives

Introduction 2/9
- Yesterday's intruders used to be very skillful experts, while most of today's tend to have much less skill
- Many current attacks use readily available intrusion tools that can be easily automated
- At the same time, today's attacks are much more complicated and organized
- The relation between the sophistication of attacks and attackers' skills is shown in the following slide

Introduction 3/9
(Figure: Attack Sophistication vs. Intruder Technical Knowledge, adopted from CMU SEI/CERT publications)

Introduction 4/9
- A successful Denial of Service (DoS) attack can put an e-commerce organization out of business
- Therefore, securing computer systems is currently a major concern of both the governmental and the industrial sectors
- The need for automated security monitoring solutions has proved to be a necessity
- A firewall is a helpful solution to several security problems

Introduction 5/9
- A firewall is basically a packet filtering device that provides a protective layer at the boundary of your network

Introduction 6/9
- Several firewalls can also be used to create an architecture that is more open and at the same time secure

Introduction 7/9
- Although firewalls are an effective solution to some security issues, many attacks can go undetected even with their use
- Proactive tools that continuously monitor a computer system in order to detect attacks and prevent their manifestations are inevitably needed
- Therefore, Intrusion Detection Systems (IDSs) were introduced to monitor network traffic, detect unauthorized access, and take appropriate countermeasures

Introduction 8/9
- A network intrusion is an attempt to gain unauthorized access to network resources
- These intrusions/attacks are generally launched with the intention of compromising the integrity, confidentiality, and availability of the targeted systems
- An intrusion detection system consists of more than one application or hardware device
- The following slide depicts a typical position for an IDS in a generic network configuration

Introduction 9/9
(Figure: a typical position of an IDS in a generic network configuration)
IDS Components 1/6
- The basic components of an Intrusion Detection System are as follows:
  - Network sensors that detect suspicious packets
  - Alert systems that notify you of the occurrence of an intrusion
  - The command console that displays alerts
  - The response system that can automatically take countermeasures
  - The database of attack signatures or behaviors
- Each of these will be discussed

IDS Components 2/6: Network sensors
- In a network IDS, a network sensor is hardware or software that monitors traffic passing into and out of the network in real time
- These sensors are placed in strategic locations such as gateways, LAN boundaries, remote access servers, VPN devices, the DMZ, etc.
- In a host-based IDS, the sensor itself is built into the IDS software
- If a sensor is placed outside the firewall, it could itself become the target of an attack

IDS Components 3/6: Alert Systems
- When suspicious behavior is detected, the alert system sends an alert message
- These messages can be a pop-up window, an email, a sound, or a message to a pager
- The trigger, i.e. the set of circumstances that caused the alert, can be categorized into two main types:
  - Detection of an anomaly: signal-based detection
  - Detection of misuse: signature-based detection

IDS Components 4/6: Anomaly Detection
- These systems build a profile for each authenticated user
- A profile is a set of characteristics that describes the services and resources a user usually accesses
- The accuracy of the profile is the determining factor; otherwise the system will experience high false positive and false negative rates
  - FPs: alarms generated by legitimate network activity
  - FNs: genuine attacks that go undetected

IDS Components 5/6: Misuse Detection
- In misuse detection, alarms are triggered based on characteristic signatures of known attacks
- These attack signatures are stored in a database that comes with the IDS
- They need to keep state information (the history of the connection). This can be a large amount of information, which raises storage issues
- They usually produce fewer FPs compared to anomaly-based ones, but they cannot detect novel attacks
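As an added example (not code from the slides), a toy implementation of the two trigger types described on the last two slides: an anomaly detector that builds per-user profiles from a clean baseline and flags off-profile service use, beside a misuse detector that matches payloads against a small signature list. The log records, user names, services and signatures are constructed for the example; it shows where each approach produces false positives (a user with no profile) and false negatives (a payload with no matching signature).

```python
"""Added example: a toy anomaly-based detector (per-user profile) beside a
toy misuse/signature-based detector, run over constructed log records.
Not code from the slides; record format, names and signatures are assumed."""
import re
from collections import defaultdict

# Constructed training records: (user, service) pairs observed during a
# known-clean period. The anomaly detector builds its profiles from these.
BASELINE = [
    ("alice", "http"), ("alice", "http"), ("alice", "imap"),
    ("bob", "ssh"), ("bob", "http"), ("bob", "ssh"),
]

# Constructed events to score: (user, service, payload).
EVENTS = [
    ("alice", "http", "GET /index.html"),
    ("alice", "smb",  "tree connect IPC$"),                   # off-profile service
    ("bob",   "ssh",  "session opened"),
    ("bob",   "http", "GET /cgi-bin/x?a=../../etc/passwd"),  # known pattern
    ("carol", "http", "GET /about"),                          # user with no profile
]

# Constructed signature database: (name, regex) for known attack patterns.
# A real misuse IDS ships thousands of these.
SIGNATURES = [
    ("dir-traversal", re.compile(r"\.\./")),
    ("ipc-share-access", re.compile(r"IPC\$")),
]


def build_profiles(records):
    """Anomaly detection: profile = set of services each user normally uses."""
    profiles = defaultdict(set)
    for user, service in records:
        profiles[user].add(service)
    return profiles


def anomaly_alerts(profiles, events):
    """Flag every event whose (user, service) pair is outside the profile.
    A user with no profile is flagged on everything: this is where an
    incomplete or inaccurate profile turns into false positives."""
    return [
        (user, service, "off-profile")
        for user, service, _ in events
        if service not in profiles.get(user, set())
    ]


def misuse_alerts(signatures, events):
    """Misuse detection: match payloads against known-attack signatures.
    Anything without a signature (a novel attack) is a false negative."""
    alerts = []
    for user, service, payload in events:
        for name, pattern in signatures:
            if pattern.search(payload):
                alerts.append((user, service, name))
    return alerts


if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    print("anomaly:", anomaly_alerts(profiles, EVENTS))
    print("misuse :", misuse_alerts(SIGNATURES, EVENTS))
```

On this input the anomaly detector raises two alerts (alice on smb, and carol, who has no profile at all) while the misuse detector raises two different ones (the IPC$ payload and the traversal payload); the overlap on alice's smb event and the disagreement elsewhere is exactly the FP/FN trade-off the slides describe.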
IDS Components 6/6: Remaining Components
- A command console is software that provides a front-end interface to enable monitoring of alerts
- A response system in some advanced IDSs can be adjusted to take countermeasures, for instance resetting the connection of the suspicious stream
- Both IDS types require a database
  - It holds known attack signatures in the case of a signature-based IDS (normally a passive behavior)
  - It holds user profiles in the case of an anomaly-based IDS

IDS Deployment Steps 1/2
- Several steps are performed in order to properly deploy IDSs
- First, installing the database. This is straightforward in signature-based systems but it might take a while in anomaly-based ones
- Second, installed sensors start collecting data. The location of a sensor is crucial
- Third, sensors send alert messages if an intrusion is detected
- Fourth, the response system might take an immediate countermeasure like dropping packets

IDS Deployment Steps 2/2
- Fifth, once the administrator receives the alert, s/he assesses the validity of the alert
- Sixth, the administrator might then determine that further actions should be conducted. These actions should be clearly stated in the organization's security policy
- Seventh, attacks are logged and reviewed. The review process enables the administrator to discover gradual attacks
IDS Categories 1/3
- IDSs can be categorized based on their position on the network into:
  - Network-based
  - Host-based
  - Hybrid
- Network-based IDS
  - A Network-based IDS has sensors distributed in various strategic locations on the network
  - Their management software is stored on a dedicated machine
  - They should keep up with large traffic volumes

IDS Categories 2/3: Host-based IDS
- These systems are deployed on various hosts in a networking environment
- They monitor and evaluate packets generated by the host
- They depend upon data from the operating system and application logs
- They are highly effective in tracking misuse of resources by insiders
- They are costly

IDS Categories 3/3: Host-based IDS (Cont.)
- They can have two configurations:
  - Centralized: a center for data collection & analysis
  - Distributed: data processing is performed locally
- One of their major advantages is that they can detect attacks that bypassed firewalls and NIDSs, for instance those carried in encrypted traffic
- Their main disadvantages are management difficulties and performance impact on hosts
- Hybrid IDSs combine the features of HIDSs & NIDSs
IDS Performance Evaluation 1/5
- Currently, there are rising concerns in the research community with respect to the importance of evaluating IDS performance
- Evaluating the performance of an IDS is crucial in determining the level of security it provides and in making adoption decisions
- The need for a set of general performance criteria is obvious
- Hence, several factors have been proposed to evaluate current systems

IDS Performance Evaluation 2/5: Performance Criteria
- Detection rates
- False alarm rates
- The behavior of the receiver operating characteristic (ROC) curve: a plot of the probability of false alarm versus the probability of detection
- The area under the ROC curve is adopted by some researchers

IDS Performance Evaluation 3/5
(Figure slide; image not preserved in the text)

IDS Performance Evaluation 4/5: Performance Criteria (Cont.)
- The costs of various factors such as FAs or detection failures were recently proposed by some researchers as better criteria
- Other factors that are involved in the evaluation:
  - The number of network nodes
  - Probability of attack failure (system security level)
  - The limit on the number of attack attempts
  - The spread factor (number of captured nodes)
  - Traceability factor (number of links an IDS has to trace from a node under attack back to the intrusion origin)
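As an added example (not from the slides), the criteria listed on the "Performance Criteria" slides computed for a constructed set of IDS scores with ground truth: detection rate and false alarm rate at a threshold, the ROC points obtained by sweeping the threshold, the area under the ROC curve by the trapezoid rule, and a cost-weighted choice of operating point in the spirit of the cost-based criteria. The scores, labels and cost values are made up for the example.

```python
"""Added example: detection rate, false alarm rate, ROC points, area under
the ROC curve, and a cost-based operating point for a constructed set of
scored events. Not code from the slides; all data and costs are made up."""

# Constructed evaluation set: (score assigned by an IDS, ground truth)
# where True means the event really was an attack. Five attacks, five
# benign events; the IDS ranks most, but not all, attacks above benign ones.
SCORED = [
    (0.95, True), (0.90, True), (0.80, False), (0.75, True),
    (0.60, True), (0.55, False), (0.40, False), (0.30, True),
    (0.20, False), (0.10, False),
]


def rates_at(threshold, scored):
    """Detection rate (TP / attacks) and false alarm rate (FP / benign)
    when every event with score >= threshold raises an alert."""
    tp = sum(1 for s, attack in scored if attack and s >= threshold)
    fp = sum(1 for s, attack in scored if not attack and s >= threshold)
    pos = sum(1 for _, attack in scored if attack)
    neg = len(scored) - pos
    return tp / pos, fp / neg


def roc_points(scored):
    """ROC curve: sweep the threshold over every distinct score from strict
    to permissive, collecting (false alarm rate, detection rate) pairs,
    anchored at (0,0) and (1,1)."""
    thresholds = sorted({s for s, _ in scored}, reverse=True)
    points = [(0.0, 0.0)]
    for t in thresholds:
        dr, far = rates_at(t, scored)
        points.append((far, dr))
    if points[-1] != (1.0, 1.0):
        points.append((1.0, 1.0))
    return points


def auc(points):
    """Area under the ROC curve by the trapezoid rule over the swept points.
    1.0 is a perfect ranking, 0.5 is no better than random."""
    area = 0.0
    for (x0, y0), (x1, y1) in zip(points, points[1:]):
        area += (x1 - x0) * (y0 + y1) / 2
    return area


def cheapest_threshold(scored, cost_fa, cost_miss):
    """Cost-based criterion: the threshold (and its total cost) that
    minimizes cost_fa * (false alarms) + cost_miss * (missed attacks).
    Ties go to the lowest threshold."""
    best = None
    for t in sorted({s for s, _ in scored}):
        fa = sum(1 for s, attack in scored if not attack and s >= t)
        miss = sum(1 for s, attack in scored if attack and s < t)
        cost = cost_fa * fa + cost_miss * miss
        if best is None or cost < best[1]:
            best = (t, cost)
    return best


if __name__ == "__main__":
    pts = roc_points(SCORED)
    print("detection rate, false alarm rate at 0.5:", rates_at(0.5, SCORED))
    print("ROC points:", pts)
    print("AUC:", auc(pts))
    print("cheapest threshold, misses costly:", cheapest_threshold(SCORED, 1, 5))
    print("cheapest threshold, alarms costly:", cheapest_threshold(SCORED, 5, 1))
```

The same scores give an AUC of 0.8 regardless of threshold, but the cost-based criterion picks a different operating point depending on which error is expensive: with a missed attack costing five times a false alarm the cheapest threshold is 0.3, and with the costs reversed it moves to 0.9. That sensitivity is why the cost of FAs and detection failures was proposed as a criterion alongside the ROC curve.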
IDS Performance Evaluation 5/5: Proposal
- This is work that is still under development
- We propose the adoption of an optimization technique in order to find the best combination of criteria that can be applied to evaluate the performance of IDSs under various circumstances
- This is a practical solution to tackle the problem of performance assessment
- Proposed candidates include genetic algorithms (GA) and simulated annealing

Conclusion 1/1
- The basic concepts of intrusion and intrusion detection were presented
- The roles of IDSs were highlighted with emphasis on their various components, how they function, and their categorizations
- The essential need for reliable methods of evaluating IDSs was also expounded
- Finally, a proposed framework for evaluating IDS performance was introduced