Wednesday, 6 April 2011

Seminar 3: Talk by Mr. Dahliyusmanto in the security seminar class (24 Feb 2011)

On this date, Prof. Dr. Abdul Hanan Bin Abdullah invited another of his PhD students, Mr. Dahliyusmanto, to deliver a talk on Intrusion Detection Systems. He first introduced himself and then began with the definition of an Intrusion Detection System (IDS), as follows:
  • Intrusion: any set of activities that attempt to compromise the integrity, confidentiality and availability of a resource.
  • Examples:
    • DoS: an attempt to starve a host of the resources it needs to function correctly.
    • Compromises: obtaining privileged access to a host through known vulnerabilities.
  • Intrusion Detection: the process of identifying and responding to intrusion activities.
 
After that he went deeper into IDS, covering the elements of an IDS, the components of an IDS and the IDS classification.

Elements of IDS
  • Primary Assumptions:
    • system activities are observable
    • normal and intrusive activities have distinct evidence
Components of IDS
  • From an algorithmic perspective :
    • features: capture intrusion evidence
    • models: piece the evidence together
  • From a system architecture perspective:
    • various components: audit data processor, knowledge base, decision engine, alarm generation and responses.
IDS Classification
  • Source
    • Host-based: detects and examines malicious activity; optimized for monitoring individual hosts; monitors system and network activity (e.g. file systems, log files, user actions); integrating the findings of several host-based intrusion detection systems provides a unified view of multiple hosts.
    • Network-based: deploys sensors at strategic locations (e.g. packet sniffing via tcpdump at routers); inspects network traffic (watches for protocol violations and unusual connection patterns); monitors user activities (looks into the data portions of packets for malicious command sequences).
Next, he moved on to the detection mechanisms, the challenges of IDS and the other potential solutions that can be added to an IDS to make it more protective.
Detection Mechanisms
  • Misuse Detection: looks for attack signatures in the user's behaviour; accuracy is higher, since activity is clearly classified as either normal or intrusive; cannot detect new attacks.
  • Anomaly Detection: statistically analyses the user's current sessions, compares them to a profile describing the user's normal behaviour and reports significant deviations to the security officer; can detect new attacks.
Challenges of IDSs
  • runtime limitations
  • specification of detection signatures
  • dependency on environment
Potential Solutions
  • Data mining: e.g. sequential mining and episode rules
  • Machine learning techniques: supervised learning and unsupervised learning
  • Co-simulation mechanism: integrating the misuse and anomaly techniques by applying a co-simulation mechanism
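As an added illustration (not part of the talk or this post) of the two detection mechanisms above and of the co-simulation idea of running them side by side, the following Python script implements a toy host-based detector: a misuse detector matching known command signatures, and an anomaly detector that builds a per-user statistical profile of bytes sent and flags large deviations. All audit records, signatures and thresholds are constructed for the example.

```python
import re
import statistics

# Constructed audit records: (user, command, bytes_out). Invented sample data.
TRAINING = [
    ("alice", "ls -l /home/alice", 120), ("alice", "cat report.txt", 4096),
    ("alice", "git pull", 2048), ("alice", "cat notes.txt", 3000),
    ("bob", "ls /var/log", 200), ("bob", "tail syslog", 800),
    ("bob", "grep error syslog", 600), ("bob", "less auth.log", 700),
]
LIVE = [
    ("alice", "cat /etc/shadow", 1500),                 # matches a known signature
    ("alice", "git push", 2500),                        # normal for alice
    ("bob", "tar czf /tmp/x.tgz /var/log", 9_000_000),  # far above bob's baseline
    ("bob", "ls /var/log", 210),                        # normal for bob
]

# Misuse detection: a small, hypothetical signature database of known-bad patterns.
SIGNATURES = {
    "shadow-file-read": re.compile(r"\b(cat|less|more)\s+/etc/shadow\b"),
    "setuid-bit-set": re.compile(r"\bchmod\s+[ug]\+s\b"),
}

def misuse_detect(events):
    """Return (user, signature_name) for every event matching a signature."""
    return [(user, name) for user, cmd, _ in events
            for name, pat in SIGNATURES.items() if pat.search(cmd)]

def build_profiles(events):
    """Anomaly detection, step 1: per-user baseline (mean, stdev) of bytes_out."""
    per_user = {}
    for user, _, size in events:
        per_user.setdefault(user, []).append(size)
    return {u: (statistics.mean(s), statistics.pstdev(s)) for u, s in per_user.items()}

def anomaly_detect(events, profiles, z_threshold=3.0):
    """Anomaly detection, step 2: flag events whose bytes_out z-score exceeds the threshold."""
    alerts = []
    for user, _, size in events:
        if user not in profiles:          # unknown user: no baseline to compare against
            alerts.append((user, "no-profile"))
            continue
        mean, sd = profiles[user]
        z = (size - mean) / sd if sd > 0 else (0.0 if size == mean else float("inf"))
        if abs(z) > z_threshold:
            alerts.append((user, f"z={z:.1f}"))
    return alerts

def combined_alerts(training, live):
    """Co-simulation style: run both detectors on the same events and merge alerts per user."""
    merged = {}
    for user, reason in misuse_detect(live) + anomaly_detect(live, build_profiles(training)):
        merged.setdefault(user, []).append(reason)
    return merged
```

Running `combined_alerts(TRAINING, LIVE)` shows the complementary coverage: the signature catches alice's known-bad command that is volumetrically unremarkable, while the profile catches bob's unusual transfer for which no signature exists.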
