Anomaly-based IDS

Anomaly-based intrusion detection systems (IDS) detect anomalies, that is, deviations from expected behavior. This is different from signature detection, which matches known patterns. While you read, try to explain how an anomaly is different from a signature. An anomaly-based IDS can be either host-based or network-based. When reading this article, note the explanation of host-based and network-based anomalies. What are some of the network anomalies? How would you define a static and a dynamic anomaly? What is the advantage and disadvantage of an anomaly-based IDS as compared to a signature-based IDS?

Anomaly Based Intrusion Detection And Prevention System


ABSTRACT

Automatic discovery of intrusions into computer systems is a central issue in stopping unauthorized activity. Implementing intrusion detection systems on networks and hosts requires a broad perspective of computer security. Most IDS and IPS are based on one of two fundamental mechanisms. The first, misuse detection or signature-based detection, defines a set of "unacceptable" behaviors and raises alerts when system behavior matches this set. Common attempts can be easily detected by a signature-based IDS, and a defense can be provided against such attacks by matching a string pattern or signature. But in the prevailing scenario, where new intrusions or attempts are reported almost every day, existing signature-based detection proves futile. Many IDPS have been proposed, but all of them lack on some points and are not as accurate as desired: they use signatures to detect attacks, and these signature-based methods are fast and simple but fail to detect unknown attacks. To fill the gap we require an efficient, fast and real-time intrusion detection and prevention system to provide defense against intrusions and attacks. This paper presents an anomaly-based intrusion detection and prevention system, which is more efficient and dynamic because it is able to detect novel (unknown) attacks while keeping the false positive rate low.


Keywords

Anomaly, Anomaly Detection, Intrusion, IDS, IPS, IDPS.

  1. INTRODUCTION

    With the increasing popularity of the Internet, systems are exposed to an increasing number of security threats [1]. Implementing intrusion detection systems on networks and hosts requires a broad perspective of computer security. The complexity of information technology infrastructures is growing rapidly beyond any one person's ability to understand them, let alone administer them in a way that is operationally secure. Network security consists of the provisions and policies adopted by the network administrator to prevent and monitor unauthorized access, misuse, modification, or denial of the computer network and network-accessible resources.

    According to the report of CERT [2], the quantity of attacks, their complexity, and the extent of damage caused by criminal attacks on the Internet increase rapidly every year [3]. The development of high-speed Internet services created an environment in which millions of users across the globe (the World Wide Web) are all connected to each other. Furthermore, network access is so cheap that it allows criminals (hackers, crackers, and thieves) to target a system regardless of their physical location. Personal computers are also cheap. Attackers can easily set up computers with different operating systems and search for a vulnerable system on which to launch an attack. In addition, the international and distributed nature of the Internet makes it very difficult to regulate and control attacks against computer systems.


    Automatic discovery of intrusions into computer systems is a central issue in stopping unauthorized activity. While firewalls are a key point for restricting access to computers inside a sheltered network, their defense is not perfect, nor do they provide protection against all malicious activities. Manual intrusion detection, through supervision of access logs or monitoring of users' activities, is painstaking and also introduces much delay (a long reaction time).

    Most IDS and IPS are based on one of two fundamental mechanisms. The first, misuse detection or signature-based detection, defines a set of "unacceptable" behaviors and raises alerts when system behavior matches this set. Such systems are simple to create and efficient to operate but are only effective against known types of attack that have a fixed pattern. Snort [5] is a well-known IDS based on the misuse concept. Moreover, it is difficult to maintain an up-to-date knowledge base of such behaviors, and thus this mechanism is ineffective against unknown or unusual attack patterns. Anomaly detection mechanisms, on the other hand, create a profile of typical behavior for a user and raise an alert when a user attempts an activity that does not fit his or her profile. This approach tends to be highly complete, in that it can detect a previously unknown attack pattern, but it requires significant effort to develop algorithms that can create accurate user profiles.

    Common attempts can be easily detected by a signature-based IDS, and a defense can be provided against such attacks by matching a string pattern or signature. But in the prevailing scenario, where new intrusions or attempts are reported almost every day, existing signature-based detection proves futile. Many IDPS have been proposed, but all of them lack on some points and are not as accurate as desired: they use signatures to detect attacks, and these signature-based methods are fast and simple but fail to detect unknown attacks. To fill the gap we require an efficient, fast and real-time intrusion detection and prevention system to provide defense against intrusions and attacks. In this paper, we present an anomaly-based intrusion detection and prevention system, which is more efficient and dynamic in detecting and preventing suspicious activity in the network.

    The rest of the paper is organized as follows: section 2 gives brief details about the types of anomalies and the methods used to detect them in IDPS, section 3 reviews previous work on anomaly-based intrusion detection, section 4 explains our proposed approach, and section 5 outlines the conclusion.

  2. TYPES OF ANOMALIES

    Generally, two types of anomalous behavior have been studied: host-based and network-based anomalies.

    1. Host Based Anomalies

      Host-based anomaly detection works with operating system call traces. The intrusions take the form of anomalous subsequences (collective anomalies) of the traces. These anomalous subsequences correspond to malicious programs, unauthorized behavior, and policy abuse. The data is sequential in nature, and the alphabet consists of individual system calls such as open, close, create, etc.
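The following Python is an added example, not code from the paper, of the sequence-based idea described above: a profile of normal behavior is built from short windows (n-grams) of system calls seen in clean traces, and a new trace is scored by how many of its windows were never observed. The sample traces, the window length of 3 and the alert threshold are all constructed for illustration; the paper does not specify a windowing method or thresholds.

```python
# Constructed sample traces (not from the paper): each trace is the sequence
# of system calls one process made, over an alphabet of individual calls.
NORMAL_TRACES = [
    ["open", "read", "read", "close"],
    ["open", "read", "write", "close"],
    ["open", "fstat", "read", "close"],
    ["stat", "open", "read", "close", "exit"],
]


def windows(trace, n):
    """Every length-n subsequence of the trace, in order."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def build_profile(traces, n=3):
    """Profile of normal behaviour: the set of all length-n windows observed.

    Only the order of calls matters, so the profile captures which short
    sequences of calls a normal process emits, not how often any single
    call occurs."""
    profile = set()
    for trace in traces:
        profile.update(windows(trace, n))
    return profile


def unseen_windows(trace, profile, n=3):
    """Windows of the trace that never appeared in the normal profile.

    These are the anomalous subsequences: an ordinary call such as 'open'
    in an unusual position still yields unseen windows, which is what makes
    the anomaly collective rather than a single out-of-place call."""
    return [w for w in windows(trace, n) if w not in profile]


def score_trace(trace, profile, n=3):
    """Fraction of the trace's windows that are unseen (0.0 = fully normal).

    A trace shorter than n has no windows and scores 0.0 instead of failing."""
    total = len(trace) - n + 1
    if total <= 0:
        return 0.0
    return len(unseen_windows(trace, profile, n)) / total


def is_anomalous(trace, profile, n=3, threshold=0.5):
    """Alert when more than `threshold` of the windows are unseen.

    The threshold is a constructed value; in practice it is tuned on held-out
    normal traces so that the false positive rate stays acceptable."""
    return score_trace(trace, profile, n) > threshold


if __name__ == "__main__":
    profile = build_profile(NORMAL_TRACES)
    for trace in (["open", "read", "read", "close"],
                  ["stat", "open", "read", "close", "unlink"],
                  ["open", "read", "execve", "socket", "connect"]):
        print(trace, round(score_trace(trace, profile), 3),
              "ANOMALY" if is_anomalous(trace, profile) else "normal")
```

The score is a fraction rather than a raw count so that long and short traces are comparable; the third sample trace shares no window with the profile and scores 1.0, while the second differs in only its final window and stays below the threshold. A real deployment would need far more normal traces than the four shown, or the profile would flag legitimate but rarely exercised code paths.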

    2. Network Based Anomalies

      Network-based anomaly detection deals with network traffic, usually captured through different types of tools such as tcpdump, Wireshark, Nmap, NetFlow or ourmon.

        1. Network Protocols Anomaly

          The authors of [7] have addressed many anomalies that cause serious damage to networks as well as systems. Some of them are the following:

          1. UDP flood

            A UDP flood attack is a category of DoS attack launched by sending a large number of UDP packets to random ports on a remote host. As a consequence, the remote system checks for an application listening on each port. After finding that no application listens on the port, the host responds with an ICMP Destination Unreachable packet. Thus, for a large number of UDP packets, the victimized system is forced into sending many ICMP packets, eventually making it unreachable to other clients. If enough UDP packets are delivered to ports on the victim, the system will go down.

            In order to detect a UDP flooding attack, we need to work with the traffic (flow) size and the number of packets (packet count) in the incoming traffic.

            To measure this, we have defined two metrics (indicators) for the UDP flood attack:

            1. TotalBytes: total volume of flows in bytes.

            2. TotalPackets: total packets in incoming traffic.


          2. ICMP Flood

            An ICMP flood, also known as a ping flood, is the simplest type of attack, in which the attacker sends a large number of ICMP Echo Request (ping) packets of different sizes to the host. ICMP flooding is a successor to the Ping-of-Death (PoD) attack. PoD tries to send an extra-large ping packet to the destination in the hope of bringing the destination system down because it cannot handle huge ping packets. A ping flood takes the attack to a new level by simply flooding the victim with a huge amount of ping traffic. The attacker hopes that the victim will be too busy responding with ICMP Echo Reply packets, thus consuming outgoing bandwidth as well as incoming server bandwidth.

            Analogous to a UDP flood, an ICMP attack also generates a massive amount of data towards the destination. Thus the same metrics, TotalBytes and TotalPackets, are enough to measure such attacks. Of course, using the same method creates ambiguity in distinguishing an ICMP flood from a UDP flood. To resolve this issue we used another metric that monitors the total amount of ICMP or UDP traffic going into the network.

          3. TCP SYN Attack

            This method takes advantage of a flaw in how many hosts implement the TCP three-way handshake. When host B receives a SYN request from host A, it must keep track of the partially opened connection in a listen queue for at least n seconds (e.g. 75 seconds). Many host implementations can only keep track of a very limited number of such connections. A malicious host can exploit the small size of the listen queue by sending multiple SYN requests to a host but never replying to the SYN-ACK sent back. By doing so, the destination host's listen queue quickly fills up, and it stops accepting new connections. Figure 1 shows the typical scenario of a TCP SYN attack.

            The effect of this attack on network traffic is quite different from that of the two attacks above. The flows involved are very small (packets carrying only the SYN and ACK bits). Thus we cannot rely on TotalBytes or TotalPackets to determine the effect of this attack; for this, we need to define a new metric:

            • DestSocket: number of flows with similar volume (e.g. SYN) to the same destination socket.

            In other words, the detection of TCP SYN attacks is carried out with the help of the following metrics:

            1. The number of TCP flows per minute

            2. The average number of packets in each TCP flow per minute

            3. The average number of bytes in each TCP flow per minute

            4. The number of unique IP addresses seen per minute.

          4. Port scan

            A port scan attack is carried out with a port scanner, a piece of software that searches a network host for open ports. A port scanner is often used by network administrators to check the security of their networks, and it is also used by hackers to compromise system security. Many exploits rely upon port scans, for example to find open ports and then send large quantities of data in an attempt to trigger a condition known as a buffer overflow, or to send specific data packets to a port with malicious purposes.

            A port scan operation results in a large number of packets sent from a remote host to a destination on the network, but with different destination ports. Flows in a port scan are small flows, only several bytes in size and with a packet count of 2 or 3. This malicious activity cannot be detected with the three metrics we already have. In order to gather together all the flows of a port scan attack for detection purposes, we need to define another metric that is able to aggregate all these flows:

            • DPort: number of flows that have a similar volume, same source, and destination address, but to different ports.

          5. DNS Reflector Attack

            In this type of attack, the attacker sends a flood of DNS requests with a spoofed IP address (that of the victim) to one or more DNS servers, which results in a flood of DNS responses sent to the victim. If enough traffic is generated, this can lead to a denial of service.

            Detection of DNS reflector attacks is done either by checking for a very high rate of DNS request flows from the same (spoofed) IP address to a DNS server inside the network, or by filtering for hosts that receive an unusually high number of UDP flows with source port 53, which is the port from which a DNS server sends its responses. False positives will occur if a legitimate host (user) sends a large number of DNS requests in a short period of time.
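The following Python is an added example, not code from the paper, that computes the flow metrics defined in the preceding sections over one window of flow records and compares them against a baseline window: TotalBytes and TotalPackets for the UDP and ICMP floods, a per-protocol packet count to tell the two apart, the four per-minute TCP metrics and DestSocket for the SYN attack, DPort for the port scan, and the count of UDP flows with source port 53 received by one host for the DNS reflector. The Flow record layout, the two minutes of traffic (documentation address ranges), the deviation factor of 5 and the minimum count of 10 are all constructed; the paper specifies neither a record format nor thresholds.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record (constructed layout, not the paper's)."""
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    packets: int
    octets: int
    flags: int = 0  # union of TCP flags seen in the flow; 0 for UDP/ICMP


def window_metrics(flows):
    """The paper's metrics computed over one window (e.g. one minute) of flows."""
    m = {}
    m["TotalBytes"] = sum(f.octets for f in flows)
    m["TotalPackets"] = sum(f.packets for f in flows)
    # per-protocol volume separates an ICMP flood from a UDP flood
    for proto in ("udp", "icmp", "tcp"):
        m[proto.upper() + "Packets"] = sum(f.packets for f in flows if f.proto == proto)
    # the four per-minute TCP metrics listed for SYN attack detection
    tcp = [f for f in flows if f.proto == "tcp"]
    m["TCPFlows"] = len(tcp)
    m["AvgTCPPackets"] = sum(f.packets for f in tcp) / len(tcp) if tcp else 0.0
    m["AvgTCPBytes"] = sum(f.octets for f in tcp) / len(tcp) if tcp else 0.0
    m["UniqueIPs"] = len({f.src for f in flows} | {f.dst for f in flows})
    # DestSocket: tiny SYN-only flows converging on one destination socket
    syn_only = Counter((f.dst, f.dport) for f in tcp if f.flags == SYN and f.packets <= 2)
    m["DestSocket"] = max(syn_only.values(), default=0)
    # DPort: small flows between one source/destination pair spread over distinct ports
    ports = defaultdict(set)
    for f in flows:
        if f.packets <= 3:
            ports[(f.src, f.dst)].add(f.dport)
    m["DPort"] = max((len(p) for p in ports.values()), default=0)
    # DNS reflector: UDP flows with source port 53 landing on a single host
    dns_in = Counter(f.dst for f in flows if f.proto == "udp" and f.sport == 53)
    m["DNSReplies"] = max(dns_in.values(), default=0)
    return m


def detect(metrics, baseline, factor=5.0, min_count=10):
    """Flag metrics that deviate from the baseline window by more than `factor`.

    Counts must also reach `min_count`, so a baseline of 0 or 1 does not alert
    on every small fluctuation. Per-flow averages collapse (rather than grow)
    under SYN floods and port scans, so those are flagged on a drop.
    Both constants are constructed; the paper gives no thresholds."""
    alerts = []
    for name, value in metrics.items():
        base = baseline.get(name, 0)
        if name.startswith("Avg"):
            if base > 0 and value < base / factor:
                alerts.append(name)
        elif value >= min_count and value > factor * base:
            alerts.append(name)
    return alerts


# Constructed traffic: one quiet minute, then the same minute with a spoofed
# SYN flood, a port scan and reflected DNS replies added on top.
NORMAL_MINUTE = [
    Flow("10.0.0.5", "10.0.0.80", "tcp", 41000, 443, 20, 15000, SYN | ACK),
    Flow("10.0.0.6", "10.0.0.80", "tcp", 41001, 443, 30, 22000, SYN | ACK),
    Flow("10.0.0.7", "10.0.0.80", "tcp", 41002, 443, 10, 8000, SYN | ACK),
    Flow("10.0.0.5", "10.0.0.53", "udp", 40000, 53, 1, 80),
    Flow("10.0.0.53", "10.0.0.5", "udp", 53, 40000, 1, 120),
    Flow("10.0.0.5", "10.0.0.80", "icmp", 0, 0, 4, 256),
]
ATTACK_MINUTE = NORMAL_MINUTE + (
    [Flow(f"203.0.113.{i}", "10.0.0.80", "tcp", 50000 + i, 80, 1, 60, SYN) for i in range(1, 51)]
    + [Flow("198.51.100.9", "10.0.0.80", "tcp", 44000 + p, p, 2, 120, SYN | RST) for p in range(1, 31)]
    + [Flow(f"192.0.2.{i}", "10.0.0.9", "udp", 53, 40000, 1, 3000) for i in range(1, 41)]
)

if __name__ == "__main__":
    baseline = window_metrics(NORMAL_MINUTE)
    print("alerts:", detect(window_metrics(ATTACK_MINUTE), baseline))
```

Worth noticing in the output: TotalBytes and TotalPackets do not trip on the attack minute because the added flows are individually tiny, which is exactly the point the TCP SYN and port scan sections make about needing DestSocket and DPort. The per-flow averages fall rather than rise, so a detector that only looks for increases would miss them; the DNS reflector is caught by the source-port-53 count even though the per-protocol UDP packet count alone would not say why.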

      The most commonly used ports are 21, 25, 53, 110, 135, 139 and 445. These are well-known ports that offer important services for the network; for example, ports 110 and 25 are used for email, which plays a vital role in today's business communication [8], while port 53 is important because it is the reference center for mapping IP addresses to DNS names, and if it is attacked the whole network will be in a catastrophic state [9]. Moreover, these ports are the most popular targets for attack activity, especially for worms and port scanning.




Source: Vasima Khan, https://www.ijert.org/anomaly-based-intrusion-detection-and-prevention-system
This work is licensed under a Creative Commons Attribution 4.0 License.

Last modified: Sunday, November 22, 2020, 12:34 AM