Real-Time Intrusion Detection
with Emphasis on Insider Attacks
Shambhu Upadhyaya
University at Buffalo, Buffalo, New York, 14260, USA
shambhu@cse.Buffalo.EDU
1 Introduction
Securing cyberspace from attacks is critical to the economy and well-being of any country. During the past few years, threats to cyberspace have risen dramatically. It is impossible to close all security loopholes in a computer system by building firewalls or using cryptographic techniques. As a result, intrusion detection has emerged as a key technique for cyber security. Currently there are more than 100 commercial tools and research prototypes for intrusion detection. These can be largely classified as either misuse or anomaly detection systems. While misuse detection looks for specific signs by comparing the current activity against a database of known activity, anomaly detection works by generating a reference line based on the system model and signaling significant deviations from it as intrusions. Both approaches rely on audit trails, which can be very large. Moreover, they are conventionally off-line and offer little in terms of strong deterrence in the face of attacks.
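To make the two classes concrete, the following is an added example (not code from the talk or its authors) that runs both styles of detector over a constructed audit trail of per-user shell commands. Misuse detection matches each record against a small signature database; anomaly detection first builds a per-user command-frequency profile (the "reference line") from baseline activity and then scores a later session by how surprising its commands are under that profile. The signatures, sample commands, the 3.0-bit threshold and the choice of mean surprisal as the score are all assumptions of this example.

```python
"""Misuse (signature) vs. anomaly (baseline deviation) detection over a
constructed host audit trail. Added illustration; not the paper's framework."""
import math
import re
from collections import Counter

# Constructed baseline activity for one user, as (user, command line) records.
BASELINE_TRAIL = [
    ("alice", "ls -la"), ("alice", "cd src"), ("alice", "git status"),
    ("alice", "vim main.c"), ("alice", "make"), ("alice", "git commit -m fix"),
    ("alice", "ls -la"), ("alice", "git status"), ("alice", "make"),
    ("alice", "vim main.c"),
]

# Constructed sessions to score: one that looks like the baseline, one that does not.
NORMAL_SESSION = [
    ("alice", "cd src"), ("alice", "git status"), ("alice", "vim main.c"),
    ("alice", "make"), ("alice", "git commit -m fix"),
]
SUSPECT_SESSION = [
    ("alice", "cat /etc/shadow"), ("alice", "service auditd stop"),
    ("alice", "scp payroll.db ext-host:"), ("alice", "ls -la"),
]

# Misuse detection: a (constructed) database of signatures of known bad activity.
SIGNATURES = {
    "read-password-file": re.compile(r"\b(cat|less|cp)\s+/etc/shadow\b"),
    "disable-audit-logging": re.compile(r"\bauditd\s+stop\b|\bstop\s+auditd\b"),
}


def misuse_detect(trail):
    """Return (record index, user, signature name) for every record that matches
    a known signature. Activity with no signature is never reported here."""
    hits = []
    for i, (user, cmd) in enumerate(trail):
        for name, pattern in SIGNATURES.items():
            if pattern.search(cmd):
                hits.append((i, user, name))
    return hits


def _program(cmd):
    """Reduce a command line to its first token so 'vim main.c' and 'vim util.c'
    count as the same behaviour in the profile."""
    return cmd.split()[0]


def build_profile(trail):
    """Per-user command-frequency profile: the reference line for anomaly detection."""
    profile = {}
    for user, cmd in trail:
        profile.setdefault(user, Counter())[_program(cmd)] += 1
    return profile


def anomaly_score(profile, user, session):
    """Mean surprisal in bits of the session's commands under the user's profile.
    Add-one smoothing over the union vocabulary keeps unseen commands finite but costly."""
    counts = profile.get(user, Counter())
    vocab = set(counts) | {_program(cmd) for _, cmd in session}
    total = sum(counts.values()) + len(vocab)
    bits = sum(-math.log2((counts[_program(cmd)] + 1) / total) for _, cmd in session)
    return bits / len(session)


def anomaly_detect(profile, user, session, threshold=3.0):
    """Flag the session as anomalous when its score exceeds the (assumed) threshold."""
    score = anomaly_score(profile, user, session)
    return score > threshold, round(score, 3)


if __name__ == "__main__":
    profile = build_profile(BASELINE_TRAIL)
    for label, session in (("normal", NORMAL_SESSION), ("suspect", SUSPECT_SESSION)):
        print(label, "misuse hits:", misuse_detect(session))
        print(label, "anomaly:", anomaly_detect(profile, "alice", session))
```

Running it shows the complementary coverage the text describes: the signature matcher names exactly the two commands it has patterns for and stays silent on the unsigned file transfer, while the anomaly detector flags the whole suspect session because its commands are rare under alice's profile, and it passes the normal session. The cost of that coverage is the threshold, which the defender has to tune against the baseline's own variability to keep false positives acceptable.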
In this talk, we will examine intrusion detection tools and techniques from a taxonomical point of view and study their real-time properties, their applicability to real systems and their shortcomings. Following the overview, we will present our own cost analysis-based framework, which quantifies and handles both misuse and anomalies in a unified way. Decisions regarding intrusions are seldom binary, and we have developed a reasoning framework that makes decisions on a more informed basis. The overall reference graph is based on the user's profile and the intent obtained at the beginning of sessions. The uniqueness of each user's activity helps identify and arrest attempts by intruders to masquerade as genuine users, which is typically the case in insider attacks. We will examine this work and present some results.
2 Brief History
The goal of an intrusion detection system (IDS) is to monitor network assets to detect misuse or anomalous behavior. Research on intrusion detection started in 1980 as a government project, and under the leadership of Dorothy Denning at SRI International, the first model for intrusion detection was developed in 1983 [3]. Earlier versions of intrusion detection systems were largely host-based, and the work of the “Haystack project” led to network-level intrusion detection systems. Commercial intrusion detection systems were introduced in the 1990s, and today there are more than 100 tools and prototypes that can be purchased or experimented with. Most of these tools work on audit trail data or on data packets captured from the network.