Data Mining - Intrusion detection systems (IDS)

1 - About

Classical security mechanisms, e.g. authentication and encryption, and infrastructure components like firewalls cannot provide perfect security: they are preventive controls and say nothing about what happens once one of them is bypassed. Therefore, intrusion detection systems (IDS) have been introduced as a third line of defense that observes the system and reports attacks in progress.

The techniques classically applied within IDS can be subdivided into two main categories, each described in the Detection section below:

  • Misuse detection, which matches the audit stream against patterns of known attacks, and
  • Anomaly detection, which reports deviations from a model of normal behavior.

3 - Detection

3.1 - Misuse

Misuse detection (also called signature-based detection) matches the audit stream of a system (logs, network traffic, system calls) against patterns of known attacks, i.e. it identifies attacks directly. It is a supervised technique in the sense that the patterns are labelled examples of attacks supplied in advance by an analyst or a rule vendor.

The main disadvantage of this approach is that the underlying database of attack patterns (the signature set) must be kept up-to-date and consistent: every new attack, and every variant of a known attack that no longer matches its pattern, requires a new or revised entry.

Because misuse detection techniques depend on knowledge of recognized attack patterns, they cannot detect new attacks, nor known attacks that have been modified (re-encoded, reordered, obfuscated) enough to fall outside every pattern in the database.
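The following is an added example, not code from the original page, showing what a minimal misuse detector looks like and why its signature database has to be maintained. The audit stream is a handful of constructed web-server access-log lines (hypothetical addresses and requests), the two signatures are deliberately simple illustrative patterns rather than rules from any real rule set, and the `normalize` option is a hypothetical hardening step that URL-decodes the request once before matching. The raw matcher misses a URL-encoded copy of an attack it already knows; the normalizing matcher catches that copy but is still blind to a double-encoded variant, which is exactly the situation in which the pattern database (or the normalizer) has to be updated.

```python
import re
from urllib.parse import unquote

# Constructed sample audit stream (hypothetical access-log lines), not from any real system.
AUDIT_LINES = [
    '10.0.0.5 - - [07/Sep/2017:16:40:01] "GET /index.html HTTP/1.1" 200',
    # known attack, sent literally
    '10.0.0.9 - - [07/Sep/2017:16:40:02] "GET /login.php?user=admin\' OR 1=1-- HTTP/1.1" 200',
    # known attack: directory traversal
    '10.0.0.9 - - [07/Sep/2017:16:40:03] "GET /../../../../etc/passwd HTTP/1.1" 404',
    # same SQL injection, URL-encoded once
    '10.0.0.7 - - [07/Sep/2017:16:40:04] "GET /login.php?user=admin%27%20OR%201%3D1-- HTTP/1.1" 200',
    # same SQL injection, URL-encoded twice (evades a single decode)
    '10.0.0.7 - - [07/Sep/2017:16:40:05] "GET /login.php?user=admin%2527%2520OR%25201%253D1-- HTTP/1.1" 200',
]

# Signature database: name -> compiled pattern applied to the request line.
# Illustrative patterns only; a production rule set is far larger and is
# the thing that must be kept up-to-date and consistent.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
    "path-traversal": re.compile(r"(\.\./){2,}"),
}

# Common-log-format style line: src ident user [timestamp] "request" status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})$'
)


def parse(line):
    """Return the fields of one audit line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines, normalize=False):
    """Misuse detection: return (signature, source, raw_request) for every
    line matching a known-attack pattern.

    normalize=True is a hypothetical hardening step: URL-decode the request
    once before matching, so singly encoded variants of known attacks are
    still recognised. It does nothing for variants the decoder does not
    anticipate (e.g. double encoding), which is why the signature set and
    the normalisation rules both need ongoing maintenance.
    """
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # unparsable line: a real IDS would count or alert on these
        req = unquote(rec["req"]) if normalize else rec["req"]
        for name, pattern in SIGNATURES.items():
            if pattern.search(req):
                hits.append((name, rec["src"], rec["req"]))
    return hits


if __name__ == "__main__":
    for mode in (False, True):
        print("normalize =", mode)
        for hit in detect(AUDIT_LINES, normalize=mode):
            print("  ", hit)
```

Run as-is, the raw matcher reports two hits (the literal SQL injection and the traversal), the normalizing matcher three; the double-encoded line is reported by neither, and no signature at all exists for an attack the database has never seen.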

3.2 - Anomaly

The opposite approach is to specify the desired or positive behavior of users and processes. Based on this normative specification of positive behavior, attacks are identified by observing deviations from the norm. Therefore, this technique is called anomaly detection.

The main problem with anomaly detection techniques is to determine what the positive behavior is. Two general approaches exist:

  • Learning user and process behavior, and
  • Specification of user and process behavior

The former approach is often based on statistical methods like the calculation of means, variances and multivariate statistics. Other methods use learning algorithms such as neural networks or Bayesian classifiers. This approach is particularly popular for the profiling of users. Its weaknesses mirror those of misuse detection: it can flag attacks never seen before, but every legitimate change in behavior is also a deviation, so the alert threshold trades false positives against missed attacks, and a baseline learned while an attacker was already active treats that activity as normal.
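As an added example (not from the original page), the statistical variant of learned behavior, reduced to its simplest form: build a per-user profile from a baseline window using mean and sample variance, then score new observations by their z-score and report those beyond a threshold. The training data and the new observations are constructed (hypothetical users and "distinct files accessed per day" counts), the `min_std` floor is an assumed design choice for users whose baseline has zero variance, and the threshold of 3 standard deviations is an arbitrary starting value, not a recommendation. The example also covers the two cases a practitioner hits first: an identity with no profile at all, and the false-positive trade-off when the threshold is lowered.

```python
import math

# Constructed baseline observations (hypothetical): for each user, the number of
# distinct files accessed per working day over a two-week learning window.
TRAINING = {
    "alice": [12, 15, 11, 14, 13, 16, 12, 14, 15, 13],
    "bob": [40, 45, 38, 50, 42, 47, 41, 44, 39, 46],
    "svc-backup": [200, 200, 200, 200, 200, 200, 200, 200, 200, 200],  # perfectly regular
}

# Constructed new observations to score: (user, files accessed today).
NEW = [
    ("alice", 14),        # normal
    ("alice", 60),        # large deviation, e.g. mass file access
    ("bob", 52),          # unusually busy but plausible
    ("svc-backup", 200),  # normal
    ("svc-backup", 205),  # tiny absolute change, but this account never varies
    ("carol", 9),         # identity with no learned profile
]


class Profile:
    """Univariate statistical profile of one user's behavior."""

    def __init__(self, values, min_std=1.0):
        n = len(values)
        self.n = n
        self.mean = sum(values) / n
        var = sum((v - self.mean) ** 2 for v in values) / (n - 1) if n > 1 else 0.0
        # Assumed design choice: floor the standard deviation so a user with a
        # constant baseline does not produce a division by zero (or an infinite
        # z-score) on the first observation that differs at all.
        self.std = max(math.sqrt(var), min_std)

    def zscore(self, x):
        return (x - self.mean) / self.std


def build_profiles(training, min_std=1.0):
    """Learning phase: one profile per user from the baseline window."""
    return {user: Profile(values, min_std) for user, values in training.items()}


def score(profiles, observations, threshold=3.0):
    """Detection phase: return (user, value, zscore, reason) for each observation
    that deviates from its profile by more than `threshold` standard deviations,
    or that belongs to an identity for which no profile was ever learned."""
    alerts = []
    for user, x in observations:
        profile = profiles.get(user)
        if profile is None:
            # No baseline: cannot judge normality, which is itself worth reporting.
            alerts.append((user, x, None, "no profile"))
            continue
        z = profile.zscore(x)
        if abs(z) > threshold:
            alerts.append((user, x, round(z, 2), "deviation"))
    return alerts


if __name__ == "__main__":
    profiles = build_profiles(TRAINING)
    for user, p in profiles.items():
        print(f"{user}: mean={p.mean:.1f} std={p.std:.2f} (n={p.n})")
    for threshold in (3.0, 2.0):
        print(f"threshold={threshold}:")
        for alert in score(profiles, NEW, threshold):
            print("  ", alert)
```

With the threshold at 3, alice's 60 and svc-backup's 205 are reported and bob's 52 is not; lowering the threshold to 2 also reports bob, which is the false-positive side of the trade-off. The constant-baseline account shows why the floor matters: without it any change at all would divide by zero. Multivariate profiling works the same way with a covariance matrix and a Mahalanobis distance in place of the single z-score.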

Although intelligent (learning-based) techniques can improve the security of a system, they rarely give a clear picture of the level of security they can guarantee: what they will and will not report depends on the data they were trained on. In contrast, non-learning techniques such as specification-based approaches extend the general security policy and clearly define the level of security they guarantee: whatever the specification forbids is reported, and nothing else is.

data_mining/ids.txt · Last modified: 2017/09/07 16:45 by gerardnico