Combining Anomaly Based IDS And Signature Based IDS Information Technology Essay
Intrusion Detection Systems (IDS) are tools or devices used to monitor a system, a machine or a group of users. They try to detect attacks before they take place or after they have occurred. An IDS collects information from various points in the network to determine whether the network is still secure. IDS can be divided into two main types: Network Based (NIDS) and Host Based (HIDS). As the names suggest, each type monitors either a network or an individual host. Both have their advantages and disadvantages and are therefore sometimes combined to provide extra security (Innella, 2001).
Working of an IDS
An IDS can work in one of two ways:
1. Anomaly Based
2. Signature Based
Anomaly Based IDS (A-IDS)
An A-IDS is a system which monitors the activities in a system or network and raises an alarm if anything anomalous, i.e. deviating from normal behaviour, is detected. In an organization, profiles are created for all users, and each user is given rights to access certain data or hardware. These rules and rights are fed to the A-IDS. If a user is using a computer at a time other than the hours allotted to them, the A-IDS raises an alert (Carter, 2002).
Carter (2002) and García-Teodoro et al. (2009) have also listed some advantages and disadvantages of A-IDS.
Advantages:
1. Attacks originating inside the network are easily detected by an A-IDS.
2. A user who abuses their privileges to access information they are not entitled to is easily caught by an A-IDS.
3. Zero-day attacks can be detected by an A-IDS.
Disadvantages:
1. Appropriate training is required before it is set up in any environment.
2. It is very difficult to train the IDS on a normal environment, as a truly normal (attack-free) environment is very hard to obtain.
3. It generates false positives.
4. If the suspicious activity closely resembles normal activity, it will not be detected.
Signature Based IDS (S-IDS):
This type of IDS is also referred to as a Misuse Detection IDS. It works on the basis of signatures. Each time an attacker attacks a system, the attack tends to leave footprints, such as failed-attack logs, failed logins, etc. These footprints are stored as signatures for the IDS. It uses a knowledge base, which is a database storing the details of previous attacks. Whenever the IDS encounters an event, it matches it against the records in the knowledge base, and if a signature matches it raises an alarm (Baumrucker, 2003).
Carter (2002) has listed some advantages and disadvantages of signature based IDS.
Advantages:
1. It can exactly determine the type of attack.
2. It does not produce false positives.
3. It provides an interface which is easy for a normal user to monitor.
Disadvantages:
1. The knowledge base must be updated with each and every possible type of attack signature.
2. It is necessary to update the database daily.
3. It cannot detect zero-day attacks.
4. If an attack already in the database is slightly modified, it becomes difficult to detect.
Hybrid IDS.
Goeldenitz (2002) writes that a Hybrid IDS seems to be a logical approach, as one type of IDS can cover the disadvantages of the other. It is achieved by using several IDS together and placing them at various points in the network, such as gateways, server links and other junctions. He also explains that such a Hybrid IDS is installed on a host like a HIDS, but acts like a NIDS.
Depren et al. (2005) have proposed a Hybrid IDS which uses the KDD 99 dataset, a dataset widely used by IDS researchers. The model they proposed for the IDS is shown below:
The model integrates both an Anomaly Detection Module and a Signature (Misuse) Detection Module. It also includes a Decision Support System, which receives the output of both detection modules and then decides what to do next.
Working Rule:
The rule states that if an attack is detected by either one or both of the detection modules, the event is termed an attack. It is termed a Classified Attack if the Signature Based module (alone or together with the Anomaly Based module) has detected it. It is termed an Unclassified Attack if only the Anomaly Based module has detected it.
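The following is an added example, not code from Depren et al. (2005) or from any IDS product, showing the two detection modules and the working rule above in one small hybrid detector: the anomaly module checks events against per-user access-hour profiles (the A-IDS idea from the Anomaly Based section), the signature module matches log lines against a constructed knowledge base of attack footprints (the S-IDS idea), and the decision support system applies the classified/unclassified rule. The user profiles, signatures and log events are all constructed for the example.

```python
"""Toy hybrid IDS: anomaly module + signature module + decision support.

Added example; profiles, signatures and events are constructed, not taken
from any real dataset or product."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    user: str
    hour: int       # hour of day (0-23) at which the event occurred
    message: str    # the raw log line


# --- Anomaly module: per-user profile of allowed working hours ---------
# Constructed profiles: user -> (first allowed hour, last allowed hour), inclusive.
PROFILES = {
    "alice": (8, 18),
    "bob": (22, 6),      # night shift: window wraps past midnight
}


def hour_allowed(user, hour):
    """True if `hour` lies inside the user's profiled window.
    A user without a profile has no allotted hours, so any activity is anomalous."""
    if user not in PROFILES:
        return False
    start, end = PROFILES[user]
    if start <= end:
        return start <= hour <= end
    return hour >= start or hour <= end   # wrap-around window


def anomaly_module(event):
    """Return True when the event deviates from the user's normal profile."""
    return not hour_allowed(event.user, event.hour)


# --- Signature module: knowledge base of known attack footprints -------
# Constructed signatures in the spirit of the text (failed logins and the like).
SIGNATURES = {
    "repeated-failed-login": re.compile(r"Failed password.*\(attempt (\d+)\)"),
    "sql-injection-probe": re.compile(r"' OR '1'='1|UNION\s+SELECT", re.I),
    "path-traversal": re.compile(r"\.\./\.\./"),
}
FAILED_LOGIN_THRESHOLD = 5   # the failed-login signature fires from this attempt on


def signature_module(event):
    """Return the name of the first matching signature, or None if none match."""
    for name, pattern in SIGNATURES.items():
        m = pattern.search(event.message)
        if not m:
            continue
        if name == "repeated-failed-login" and int(m.group(1)) < FAILED_LOGIN_THRESHOLD:
            continue   # a couple of typos are not an attack footprint
        return name
    return None


# --- Decision support system: the working rule --------------------------
def decision_support(event):
    """Signature hit (alone or with anomaly) -> classified attack;
    anomaly hit alone -> unclassified attack; neither -> normal."""
    sig = signature_module(event)
    anomalous = anomaly_module(event)
    if sig is not None:
        return ("classified attack", sig)
    if anomalous:
        return ("unclassified attack", "profile deviation")
    return ("normal", None)


# Constructed sample events fed to the hybrid detector.
SAMPLE_EVENTS = [
    Event("alice", 10, "Accepted password for alice from 10.0.0.5"),
    Event("alice", 3, "Accepted password for alice from 10.0.0.5"),
    Event("bob", 23, "GET /search?q=' OR '1'='1 HTTP/1.1"),
    Event("mallory", 14, "Failed password for mallory from 10.0.0.9 (attempt 7)"),
    Event("bob", 1, "Failed password for bob from 10.0.0.7 (attempt 2)"),
]


def run(events=SAMPLE_EVENTS):
    """Classify every event; returns a list of (verdict, detail) tuples."""
    return [decision_support(e) for e in events]


if __name__ == "__main__":
    for e, (verdict, detail) in zip(SAMPLE_EVENTS, run()):
        print(f"{e.user:8} {e.hour:02d}h  {verdict:20} {detail or ''}")
```

The fourth event is detected by both modules (an unknown user and a failed-login footprint) and is therefore a classified attack under the rule; the second event is seen only by the anomaly module, so it stays unclassified and a human has to decide what it was.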
Snort is an IDS which works on signature detection. It works on rules, which in turn are based on the signatures that intruders leave behind (Rehman, 2003). Aydin et al. (2009) have explained the pre-processor architecture of Snort and the way they modified Snort to reduce the number of false positives. They used the statistical methods PHAD and NETAD to implement their anomaly based IDS. The main reason for choosing PHAD is that rather than modelling user behaviour, it models protocols. It also uses a time-based model to cope with rapid changes in the network. If a series of identical anomalies occurs, PHAD flags only the first one, thus reducing the number of false positives.
They combined PHAD and NETAD with the pre-processor of Snort. A pre-processor is an engine which is able to read inside packets and alert based on their content; a pre-processor can also modify the content of a packet. Aydin et al. (2009) achieved this by copying just two files, "spp_phad.c" and "spp_netad.cpp", into the folder where "snort.c" lies, writing some glue code and then compiling the project to obtain a modified Snort that works as a Hybrid IDS. This Snort was tried in various environments, and Fig. 3 is one of the graphs, showing the number of attacks detected per day by Snort + PHAD + NETAD. DARPA datasets were used to test this Hybrid Snort. It is also clear from the graph that the number of attacks detected by Snort alone is far lower than the number detected by the Hybrid Snort. Hence Aydin et al. (2009) conclude that combining the anomaly based PHAD and NETAD with signature based Snort gives more positive results and is a successful contribution.
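To make the two PHAD properties named above concrete (modelling protocol header fields rather than user behaviour, and a time-based score that flags only the first of a run of identical anomalies), the following is an added, simplified PHAD-style model. It is not the code of Aydin et al. (2009) or of Snort's PHAD pre-processor, and it does not implement NETAD. Each header field keeps the set of values seen in training; a value never seen is an anomaly, scored by the time since the last anomaly in that field times the number of training observations over the number of distinct values. The training packets and the test stream are constructed, and the field names and threshold are assumptions for the example.

```python
"""Simplified PHAD-style header-field anomaly detector.

Added example: not Snort or the PHAD pre-processor of Aydin et al. (2009).
Field names, training packets, stream and threshold are all constructed."""

# Assumed header fields modelled per packet (constructed for the example).
FIELDS = ("ip_ttl", "ip_proto", "tcp_flags", "dport")


class FieldModel:
    """Training statistics for one header field."""
    def __init__(self):
        self.values = set()      # distinct values seen in training (r)
        self.n = 0               # number of training observations
        self.last_anomaly_t = 0  # time (seconds) of last anomaly in this field


class PhadLite:
    def __init__(self, threshold):
        self.models = {f: FieldModel() for f in FIELDS}
        self.threshold = threshold

    def train(self, packets):
        """Learn the set of normal values for every field (protocol model)."""
        for p in packets:
            for f in FIELDS:
                m = self.models[f]
                m.values.add(p[f])
                m.n += 1

    def score(self, t, packet):
        """Score one packet seen at time t; return (score, anomalous fields).
        A field contributes dt * n / r, where dt is the time since the last
        anomaly in that field, so a burst of the same anomaly decays quickly."""
        total = 0.0
        anomalous = []
        for f in FIELDS:
            m = self.models[f]
            v = packet[f]
            if v in m.values:
                continue
            dt = t - m.last_anomaly_t
            total += dt * m.n / len(m.values)   # len > 0 once trained
            m.last_anomaly_t = t
            anomalous.append((f, v))
        return total, anomalous

    def detect(self, stream):
        """Run over (t, packet) pairs; alert on packets scoring above threshold."""
        alerts = []
        for t, packet in stream:
            s, fields = self.score(t, packet)
            if s >= self.threshold:
                alerts.append((t, round(s, 1), fields))
        return alerts


def pkt(ttl, proto, flags, dport):
    return {"ip_ttl": ttl, "ip_proto": proto, "tcp_flags": flags, "dport": dport}


# Constructed "normal" traffic: web and DNS from two TTL populations.
TRAINING = [
    pkt(64, 6, "S", 80), pkt(64, 6, "PA", 443),
    pkt(128, 6, "A", 80), pkt(64, 17, "", 53),
] * 5                                   # 20 observations per field

# Constructed test stream: a short port sweep from an odd TTL, then ICMP.
SAMPLE_STREAM = [
    (100, pkt(64, 6, "S", 80)),         # normal
    (101, pkt(255, 6, "S", 22)),        # new TTL and new port: first anomaly
    (102, pkt(255, 6, "S", 23)),        # same series, one second later
    (103, pkt(255, 6, "S", 24)),        # same series
    (104, pkt(128, 6, "A", 80)),        # normal
    (200, pkt(64, 1, "", 0)),           # new protocol much later: new series
    (201, pkt(64, 1, "", 0)),           # repeat of that series
]


def run_detection(threshold=100.0):
    """Train on TRAINING and return the alerts raised on SAMPLE_STREAM."""
    ids = PhadLite(threshold)
    ids.train(TRAINING)
    return ids.detect(SAMPLE_STREAM)


if __name__ == "__main__":
    for t, s, fields in run_detection():
        print(f"t={t:4d} score={s:8.1f} anomalous={fields}")
```

Only the packets at t=101 and t=200 raise an alert: the three-packet sweep and the ICMP repeat are each reported once, because the time term resets after every anomaly in a field and the follow-up packets score roughly 1/100 of the first. This is the false-positive reduction the text attributes to PHAD; the cost is that a second, different attack arriving inside the same field within a few seconds is also scored low.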