The purpose of an intrusion detection system (IDS) is to protect the confidentiality, integrity, and availability of a system. Intrusion detection systems (IDS) are designed to detect specific issues, and are categorized as signature-based (SIDS) or anomaly-based (AIDS). IDS can be software or hardware. How do SIDS and AIDS detect malicious activity? What is the difference between the two? What are the four IDS evasion techniques discussed, and how do they evade an IDS?
Introduction
ADFA-LD and ADFA-WD
Researchers at the Australian Defence Force Academy created two public datasets, ADFA-LD and ADFA-WD, that represent the structure and methodology of modern attacks (Creech, 2014). The datasets contain records from both Linux and Windows operating systems; they were created for the evaluation of system-call-based HIDS. Ubuntu Linux version 11.04 was used as the host operating system to build ADFA-LD (Creech & Hu, 2014b). Some of the attack instances in ADFA-LD were derived from new zero-day malware, making this dataset suitable for highlighting the differences between SIDS and AIDS approaches to intrusion detection. It comprises three distinct data categories, each containing raw system call traces. The training data was gathered from the host during normal activity, with user behaviour ranging from web browsing to LaTeX document preparation. Table 8 shows some of the ADFA-LD features with the type and description of each feature.
Table 8 Features of ADFA-LD dataset (Creech, 2014)
Name | Type | Description
srcip | nominal | Source IP address
sport | integer | Source port number
dstip | nominal | Destination IP address
dsport | integer | Destination port number
proto | nominal | Transaction protocol
state | nominal | Indicates the state and its dependent protocol
dur | float | Record total duration
sbytes | integer | Source to destination transaction bytes
dbytes | integer | Destination to source transaction bytes
sttl | integer | Source to destination time to live value
dttl | integer | Destination to source time to live value
sloss | integer | Source packets retransmitted or dropped
dloss | integer | Destination packets retransmitted or dropped
service | nominal | http, ftp, smtp, ssh, dns, ftp-data, irc, and (-) if not a much used service
Sload | float | Source bits per second
Dload | float | Destination bits per second
Spfcts | integer | Source to destination packet count
Dpkts | integer | Destination to source packet count
swin | integer | Source TCP window advertisement value
dwin | integer | Destination TCP window advertisement value
stcpb | integer | Source TCP base sequence number
dtcpb | integer | Destination TCP base sequence number
smeansz | integer | Mean of the flow packet size transmitted by the src
dmeansz | integer | Mean of the flow packet size transmitted by the dst
trans_depth | integer | Represents the pipelined depth into the connection of an HTTP request/response transaction
resbdvlen | integer | Actual uncompressed content size of the data transferred from the server's HTTP service
ADFA-LD also incorporates system call traces of different types of attacks. The ADFA Windows Dataset (ADFA-WD) provides a contemporary Windows dataset for the evaluation of HIDS. Table 9 shows the number of system call traces for each category of ADFA-LD and ADFA-WD. Table 10 describes each attack class in the ADFA-LD dataset. Table 11 lists the ADFA-WD vectors and effects.
Table 9 Number of system call traces in different categories of ADFA-LD and ADFA-WD
Dataset | ADFA-LD Traces | ADFA-LD System Calls | ADFA-WD Traces | ADFA-WD System Calls
Training data | 833 | 308,077 | 355 | 13,504,419
Validation data | 4372 | 2,122,085 | 1827 | 117,918,735
Attack data | 746 | 317,388 | 5542 | 74,202,804
Total | 5951 | 2,747,550 | 7724 | 205,625,958
Table 10 ADFA-LD attack classes
Attack | Payload | Vector | Count
Hydra-FTP | Password brute force | FTP by Hydra | 162
Hydra-SSH | Password brute force | SSH by Hydra | 176
Adduser | Add new super user | Client-side poisoned executable | 91
Java-Meterpreter | Java-based Meterpreter | TikiWiki vulnerability exploit | 124
Meterpreter | Linux Meterpreter payload | Client-side poisoned executable | 75
Webshell | C100 webshell | PHP remote file inclusion vulnerability | 118
Table 11 ADFA-WD Vectors and Effects
Vectors | TCP ports; Web-based vectors
Effects | Bind shell; Reverse shell; Exploitation
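The ADFA-LD description above says its raw system call traces, some from zero-day attacks, make the dataset suited to contrasting SIDS and AIDS. The following is an added example, not code from the paper or from the dataset's authors, that shows the contrast on constructed traces: it assumes each ADFA-LD trace is a file of whitespace-separated system call numbers, profiles normal traces as a bag of call trigrams (AIDS), matches an exact call subsequence as a signature (SIDS), and uses an assumed anomaly threshold of 0.2.

```python
from collections import Counter

# Constructed traces in the ADFA-LD file layout as assumed here: one trace
# per file, whitespace-separated system call numbers. These sequences are
# made up for the example, not records from the real dataset.
TRAINING_TRACES = [
    "6 6 63 6 42 120 6 195 120 6 6 114 6 42 120 6",
    "6 63 6 42 120 6 195 120 6 114 6 6 42 120 6 63",
    "6 6 42 120 6 195 6 120 114 6 42 120 6 6 63 6",
]
NORMAL_TRACE = "6 63 6 42 120 6 195 120 6 114 6 42 120 6 6"
# Constructed attack trace containing the call pattern a signature was written for.
KNOWN_ATTACK = "6 63 6 42 120 6 11 7 7 7 7 7 11 7 7 7 7 11 120 6"
# Constructed "zero-day" variant: same kind of activity, slightly different pattern.
VARIANT_ATTACK = "6 63 6 42 120 6 11 7 7 7 7 11 7 7 7 7 11 120 6"
# Constructed SIDS signature: an exact subsequence of system call numbers.
SIGNATURE = (11, 7, 7, 7, 7, 7)

def parse_trace(line):
    """Turn one ADFA-LD style line into a list of system call numbers."""
    return [int(tok) for tok in line.split()]

def ngrams(calls, n):
    return [tuple(calls[i:i + n]) for i in range(len(calls) - n + 1)]

def build_profile(traces, n=3):
    """AIDS training: count every n-gram seen during normal operation."""
    profile = Counter()
    for line in traces:
        profile.update(ngrams(parse_trace(line), n))
    return profile

def anomaly_score(profile, line, n=3):
    """AIDS detection: fraction of the trace's n-grams absent from the profile."""
    grams = ngrams(parse_trace(line), n)
    unseen = sum(1 for g in grams if g not in profile)
    return unseen / len(grams)

def signature_match(line, signature=SIGNATURE):
    """SIDS detection: exact subsequence match against a known pattern."""
    calls = parse_trace(line)
    k = len(signature)
    return any(tuple(calls[i:i + k]) == signature for i in range(len(calls) - k + 1))

def classify(profile, line, threshold=0.2):
    """Return both verdicts so the SIDS/AIDS difference is visible side by side."""
    return {"sids": signature_match(line), "aids": anomaly_score(profile, line) > threshold}
```

The variant trace evades the signature but still scores as anomalous, which is the zero-day case the paper says ADFA-LD was built to expose.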