based models search for deviations from the usual behavior of a computer system, using
observations of the system collected during a known normal state. Such deviations are
treated as computer attacks.
2.1 Signature-Based Intrusion Detection Models
One of the most popular signature-based intrusion detection models is the expression
matching model [7]. This model searches the source data (e.g. log entries,
network traffic, etc.) for occurrences of specific patterns. These patterns are usually
specified using regular expression syntax. For example, the pattern
“.*[Cc][Mm][Dd]\.[Ee][Xx][Ee].*” specifies the signature of an attack aimed at the
unauthorized execution of the file “cmd.exe”. Sometimes signatures are built on the basis
of expression matching models complemented by specialized programming
languages such as C/C++, Java, Perl, etc. In this case a signature is presented as a set of
language operators. An example of a signature for the “Land” attack, written in a
specialized scripting language, is given below [3].
Example: a signature for the “Land” attack written in the N-code programming language
filter pptp ip ()
{
    # If the sender address is equal to the receiver address, then
    # the information about the attack is written to the log.
    # "record" is the N-code statement that writes fields to a recorder;
    # the keyword is missing in the printed listing and is restored here.
    # "sth.dst" in the printed listing is read as a typo for "eth.dst".
    if (ip.src == ip.dest)
    {
        record system.time, eth.src, ip.src, eth.dst to land_recrdr;
    }
}
Specialized languages like N-code make it possible to define more complex signatures that
cannot be created with simple expression matching models. At present,
specialized languages are the most popular method for attack signature development.
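The two signature types described above, the regular-expression signature for “cmd.exe” and the “Land” filter, can be expressed as ordinary detection code. The following Python block is an added example and is not code from the paper or from the N-code system; the packet record type, the function names and the sample log lines and packets are constructed for illustration. It applies the page's regular expression to log entries and re-implements the Land check (source IP equal to destination IP) over a list of packet records, returning the same fields the N-code filter records.

```python
import re
from dataclasses import dataclass

# Expression-matching signature exactly as given on the page: a line that
# contains "cmd.exe" in any letter case is treated as a signature match.
CMD_EXE_SIGNATURE = re.compile(r".*[Cc][Mm][Dd]\.[Ee][Xx][Ee].*")


@dataclass
class IpPacket:
    """Minimal packet record (constructed type) holding the fields the
    N-code 'Land' filter reads: system time, Ethernet and IP addresses."""
    time: float
    eth_src: str
    eth_dst: str
    ip_src: str
    ip_dst: str


def match_expression_signature(lines, pattern=CMD_EXE_SIGNATURE):
    """Expression-matching model: return every source line the regex
    signature matches as a whole (the leading/trailing '.*' make the
    pattern a whole-line signature)."""
    return [line for line in lines if pattern.fullmatch(line)]


def land_filter(packets):
    """Python counterpart of the N-code filter: flag packets whose source
    and destination IP addresses are equal and record the same tuple the
    N-code statement writes to 'land_recrdr'."""
    records = []
    for p in packets:
        if p.ip_src == p.ip_dst:
            records.append((p.time, p.eth_src, p.ip_src, p.eth_dst))
    return records


# Constructed sample data (not captured traffic or real logs).
SAMPLE_LOG = [
    "GET /index.html HTTP/1.0",
    "GET /scripts/CMD.EXE HTTP/1.0",
    "user launched notepad.exe",
    "GET /cgi-bin/cmd.exe?help HTTP/1.0",
]

SAMPLE_PACKETS = [
    IpPacket(1.0, "00:11:22:33:44:01", "00:11:22:33:44:02", "10.0.0.5", "10.0.0.9"),
    IpPacket(2.0, "00:11:22:33:44:03", "00:11:22:33:44:02", "10.0.0.9", "10.0.0.9"),
    IpPacket(3.0, "00:11:22:33:44:01", "00:11:22:33:44:02", "10.0.0.5", "10.0.0.7"),
]


if __name__ == "__main__":
    for hit in match_expression_signature(SAMPLE_LOG):
        print("regex signature matched:", hit)
    for rec in land_filter(SAMPLE_PACKETS):
        print("Land signature matched:", rec)
```

Both functions are pure and return their matches, so the same logic can be fed from a log reader or a packet capture loop; only the data source changes.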
Another type of signature-based intrusion detection model is the state-transition
analysis model. This type of model represents an attack as a finite state machine that
describes the transitions of the computer system from one state to another. The initial state
of the system in such a machine corresponds to the pre-attack state; the final state is
associated with the last stage of the attack, which leads to the violation of the
confidentiality, integrity or availability of the system. A transition of the computer
system from one state to another is tied to certain events, such as application execution,
TCP connection establishment, shell-code transmission, etc. A state-transition analysis
model can be visualized by means of graphs or more complex mathematical structures
such as Petri nets. The main disadvantage of this model is that it can represent only
those attacks that produce some visible change in the computer system.
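The state-transition model above can be run directly as a table-driven finite state machine over an event stream. The Python block below is an added example, not code from the paper; the machine definition (a hypothetical three-step attack built from the event kinds the text names: TCP connection establishment, shell-code transmission, application execution), the event record type and the sample event sequence are constructed. One machine instance is kept per (source, destination) pair, so interleaved activity from different hosts does not confuse the matching, and an alert is raised exactly when an instance reaches the final state.

```python
from dataclasses import dataclass


@dataclass
class Event:
    """One observable system event (constructed type)."""
    kind: str   # e.g. "tcp_connect", "shellcode_transfer", "app_exec"
    src: str    # source host
    dst: str    # destination host


@dataclass
class AttackStateMachine:
    """Finite state machine describing one attack: an initial (pre-attack)
    state, a final (compromised) state and a transition table mapping
    (current state, event kind) -> next state."""
    name: str
    initial: str
    final: str
    transitions: dict


# Hypothetical attack signature: connect, deliver shell-code, execute it.
# Events that have no entry for the current state leave the state unchanged,
# which is what limits the model to attacks with visible intermediate steps.
RCE_MACHINE = AttackStateMachine(
    name="remote_code_execution",
    initial="S0",
    final="COMPROMISED",
    transitions={
        ("S0", "tcp_connect"): "S1",
        ("S1", "shellcode_transfer"): "S2",
        ("S2", "app_exec"): "COMPROMISED",
    },
)


def detect(machine, events):
    """Run one instance of `machine` per (src, dst) pair over `events`.
    Returns a list of (attack name, (src, dst), index of the event that
    completed the attack). The instance resets after an alert."""
    states = {}
    alerts = []
    for idx, ev in enumerate(events):
        key = (ev.src, ev.dst)
        state = states.get(key, machine.initial)
        nxt = machine.transitions.get((state, ev.kind))
        if nxt is None:
            continue  # event irrelevant in this state: no transition
        states[key] = nxt
        if nxt == machine.final:
            alerts.append((machine.name, key, idx))
            states[key] = machine.initial
    return alerts


# Constructed event sequence: host 10.0.0.5 completes all three steps
# against 10.0.0.9, while 10.0.0.6 connects and runs an application
# without any shell-code transfer and therefore never reaches the final state.
SAMPLE_EVENTS = [
    Event("tcp_connect", "10.0.0.5", "10.0.0.9"),
    Event("tcp_connect", "10.0.0.6", "10.0.0.9"),
    Event("app_exec", "10.0.0.6", "10.0.0.9"),
    Event("shellcode_transfer", "10.0.0.5", "10.0.0.9"),
    Event("app_exec", "10.0.0.5", "10.0.0.9"),
]


if __name__ == "__main__":
    for alert in detect(RCE_MACHINE, SAMPLE_EVENTS):
        print("attack detected:", alert)
```

The transition table is the whole signature; extending the model to the graph or Petri-net forms mentioned in the text means replacing the single per-pair state with a richer marking, while the event loop stays the same.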
Intrusion detection models based on expert systems make it possible to describe attack
signatures in a natural-language form with a high level of abstraction. The expert system
that underlies this type of model consists of a set of rules that describe attacks.