Usually all rules of such an expert system are written in the format "if <certain conditions> then <certain actions>". The model also allows the creation of interdependent rules, in which one rule can be executed only after a second rule has been executed. This model can be implemented using specialized programming languages such as Prolog. The disadvantage of intrusion detection models based on expert systems is the high complexity of developing the initial rule set.
The current state of signature-based intrusion detection models leads to the conclusion that existing models can detect existing types of attacks rather effectively. The detection of new types of attacks is achieved by means of behavior-based models, which are described below.
2.2 Behavior-Based Intrusion Detection Models
As was already mentioned above, behavior-based models are used to detect deviations from the normal state of a computer system. One of the most widely used models of this type is the statistical model [3, 6]. In statistical models the behavior of the computer system is measured by a number of variables sampled over time. Examples of these variables include the user's login and logout times, the amount of processor, memory and disk resources consumed during a session, etc. If the current characteristics of the computer system deviate from the given statistical measures, an attack is registered. Intrusion detection models based on statistical models can detect several types of attacks that use extremely unusual commands. In most cases, however, statistical models can detect only the consequences of computer attacks, namely those that lead to changes in the statistical measures. Moreover, the practical use of these models is characterized by a large number of false positives, because in many cases the deviations of the statistical measures are caused by normal system operation.
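The following is an added illustration, not code from the paper, of the statistical model just described on constructed session records: a baseline of normal sessions yields a mean and standard deviation for each sampled variable, and a later session is flagged when any variable deviates beyond a z-score threshold. The three sample sessions also show the limitations the paragraph names: a legitimate but unusual burst of work raises a false positive, and a session that stays within the normal ranges produces no alert.

```python
"""Added example (not from the paper): a minimal statistical behaviour-based
detector. Per-session measures are sampled over time; a profile (mean, standard
deviation per variable) is learned from normal sessions, and later sessions whose
measures deviate by more than a z-score threshold are flagged. All session
records below are constructed sample data."""
from statistics import mean, pstdev

# Constructed baseline: one user's normal sessions
# (login hour, CPU seconds consumed, megabytes read from disk).
BASELINE = [
    {"login_hour": 9, "cpu_s": 120, "disk_mb": 300},
    {"login_hour": 8, "cpu_s": 100, "disk_mb": 250},
    {"login_hour": 10, "cpu_s": 140, "disk_mb": 350},
    {"login_hour": 9, "cpu_s": 110, "disk_mb": 280},
    {"login_hour": 9, "cpu_s": 130, "disk_mb": 320},
]
FEATURES = ("login_hour", "cpu_s", "disk_mb")


def build_profile(sessions):
    """Statistical measures (mean, population stdev) per variable, learned from normal traces."""
    profile = {}
    for f in FEATURES:
        values = [s[f] for s in sessions]
        profile[f] = (mean(values), pstdev(values) or 1.0)  # guard against zero stdev
    return profile


def deviations(session, profile):
    """Absolute z-score of each variable of a new session against the profile."""
    return {f: abs(session[f] - profile[f][0]) / profile[f][1] for f in FEATURES}


def classify(session, profile, threshold=3.0):
    """Return the variables whose deviation exceeds the threshold.
    An empty list means the session lies within the learned normal behaviour."""
    return [f for f, z in deviations(session, profile).items() if z > threshold]


if __name__ == "__main__":
    profile = build_profile(BASELINE)
    # A 03:00 login that reads far more data than usual stands out on two measures.
    print(classify({"login_hour": 3, "cpu_s": 125, "disk_mb": 4000}, profile))
    # A legitimate month-end batch job trips the same check: the false-positive
    # failure mode the text describes.
    print(classify({"login_hour": 9, "cpu_s": 900, "disk_mb": 310}, profile))
    # Activity that does not shift the measures is not detected at all.
    print(classify({"login_hour": 9, "cpu_s": 118, "disk_mb": 305}, profile))
```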
Another type of behavior-based intrusion detection model uses neural networks to detect attacks. A neural network is a network of computational units that jointly implement complex mapping functions. Initially the neural network is trained on traces of normal computer system behavior. After such training the network becomes capable of distinguishing normal from anomalous system behavior on the basis of an analysis of observed events. Each detected anomaly in system behavior is considered an attack. At present, models based on neural networks have a low level of efficiency because of the long duration of network training, the large number of false positives and the high computational complexity.
Intrusion detection models based on expert systems are usually used to detect anomalies in network packets during protocol verification. Such verification checks the fields of a data packet against the established standards. All packets that violate the requirements of the corresponding standards are considered potentially dangerous. This type of model is implemented in a number of commercial Intrusion Detection Systems. One of the main disadvantages of this model is its inability to protect against attacks that use data packets which do not violate any standard.
Taking into consideration the disadvantages of existing behavior-based intrusion detection models, a new model was developed. The description of this model is given in Section 3.