Behavior-Based Model of Detection and Prevention
of Intrusions in Computer Networks
Victor Serdiouk
Department of Information Technologies,
“MATI” - Russian State Technological University, 121552, Orshanskaya 3, Moscow, Russia
vicsmati@online.ru
Abstract. The paper describes a new intrusion detection and prevention model,
which is based on a state-machine-based formal grammar. This behavior-based
model allows computer attacks to be detected by modeling normal network
traffic. The parameters of such normal network traffic are expressed in a
formal grammar. Each data packet that violates these parameters is treated as
part of an intrusion and blocked by network filters. The described model was
implemented in the Intrusion Detection and Prevention System “Forpost” and
successfully tested in a complex network environment.
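As an added illustration of the principle the abstract describes (this is not code from the paper or from Forpost), the script below encodes a "normal" session as a state-machine grammar and blocks every packet that does not fit a legal transition; the states, packet kinds and payload limits are an assumed toy protocol.

```python
# Added illustration: normal traffic as a state-machine grammar. A packet
# that does not match an allowed transition (or exceeds the payload limit the
# grammar attaches to it) is blocked. Toy protocol, assumed for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    kind: str     # constructed packet kinds: SYN, SYNACK, ACK, REQ, RESP, FIN
    length: int   # payload bytes


# Grammar of a normal session: state -> {packet kind: (next state, max payload)}
NORMAL_GRAMMAR = {
    "CLOSED":      {"SYN":    ("SYN_SENT", 0)},
    "SYN_SENT":    {"SYNACK": ("HANDSHAKE", 0)},
    "HANDSHAKE":   {"ACK":    ("ESTABLISHED", 0)},
    "ESTABLISHED": {"REQ":    ("AWAIT_RESP", 512),
                    "FIN":    ("CLOSED", 0)},
    "AWAIT_RESP":  {"RESP":   ("ESTABLISHED", 4096)},
}


def filter_session(packets):
    """Return (accepted, blocked) for a packet sequence.

    accepted: indices of packets that advanced the automaton.
    blocked:  (index, reason) for packets violating the grammar; they are
              dropped without changing the state, so one bad packet does
              not desynchronise the rest of the session.
    """
    state = "CLOSED"
    accepted, blocked = [], []
    for i, pkt in enumerate(packets):
        rule = NORMAL_GRAMMAR[state].get(pkt.kind)
        if rule is None:
            blocked.append((i, f"{pkt.kind} not allowed in state {state}"))
            continue
        next_state, max_len = rule
        if pkt.length > max_len:
            blocked.append((i, f"{pkt.kind} payload {pkt.length} > {max_len}"))
            continue
        accepted.append(i)
        state = next_state
    return accepted, blocked


# Constructed sample session: handshake, one normal exchange, then two
# deviations (an oversized request and an unsolicited response), then FIN.
SAMPLE = [Packet("SYN", 0), Packet("SYNACK", 0), Packet("ACK", 0),
          Packet("REQ", 100), Packet("RESP", 2000),
          Packet("REQ", 9000), Packet("RESP", 10), Packet("FIN", 0)]
```

Running `filter_session(SAMPLE)` accepts packets 0-4 and 7 and blocks packets 5 and 6 with the reason for each.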
1 Introduction
Over the last decade the number of successful network attacks has increased
many times over [9]. The damage caused by these attacks is estimated at hundreds
of millions of dollars. At the same time, current intrusion detection models seem
incapable of dealing with many types of modern attacks. These factors make it
necessary to develop new methods of intrusion detection and prevention.
This paper describes a new approach to intrusion detection and prevention
modeling, which uses state-machine-based formal grammars. The rest of the paper is
structured as follows. Section 2 describes the advantages and disadvantages of
existing intrusion detection models. Section 3 presents the new behavior-based
intrusion detection model developed by the author. Section 4 describes the practical
implementation of the developed model, which was integrated into the Intrusion
Detection and Prevention System “Forpost”. Section 5 summarizes the main results of the paper.
2 Overview of Existing Intrusion Detection Models
Intrusion detection models formally describe the process of detecting computer
attacks. At present there are two complementary types of intrusion detection
models: signature-based models and behavior-based models. The first type of
model searches for evidence of intrusions based on knowledge accumulated from
known attacks [2, 4]. Signature-based models represent an attack in the form of a
so-called signature, which can be expressed as a regular expression, a semantic
expression in a specialized language, a formal mathematical structure, etc. Behavior-