Network and information security is of increasing concern as intruders utilize
more advanced technologies, and attacks are occurring much more frequently.
A simple intrusion can cause an enterprise financial disaster, a threat to national
safety, or loss of human life. Network-based and computer-based intrusion detection
systems (IDS's) started appearing some twenty years ago. Now, there are
various synchronous and asynchronous tools for external and internal network
and host intrusion detection using models ranging from signature scanning and
pattern matching, to statistical anomaly detection. Although modern IDS systems
are much more advanced, they still have many limitations, shortcomings, and
open issues. These include: a) the inability of some systems to handle high-speed
network traffic; b) poor ability to detect new or first-time intrusions; c) a high
false-alarm rate; d) deception, in that such systems may have problems detecting
"below noise" level intrusions; e) overload, in that an IDS, like any other system,
may be vulnerable to the same attacks it is trying to detect, including Denial
of Service (DoS) attacks; f) customization and end-user integration, since unless
the system is open-source, customization and integration options may be limited,
including how to properly augment and integrate human anomaly detection
experience with the tool's detection capabilities; g) automation of the processes;
and h) privacy issues.
This work explores items b) and f) above, specifically the development of a
prototype module for assisting human intrusion detection personnel in recognizing
new threats. The work builds on a system called Resource Usage Monitor (RUM),
developed at NC State, by developing its IDS assistance module. The intrusion
detection module uses RUM as its statistical packet capturing and basic analysis
engine, uses it to cross-check its own problem detection abilities, and adds to
RUM's resource risk assessment ability a facility for intrusion risk assessment
using a suite of behavior description measures and intrusion threshold indicators.
The RUM IDS module is an exploratory engine designed to set the stage for a more
complete investigation of a) pro-active anomaly detection, and b) smoother
integration of human intrusion detection experience with a real-time IDS tool.
The approach analyzes end-host databases for anomalies based on a suite of
statistical change metrics. There are two principal "views" of a host, each with
an associated group of metrics: how it behaves with respect to a set of peers,
i.e., network-relative behavior, and how it behaves with respect to itself, i.e.,
how its behavior changes from sample to sample. Based on its behavior during the
analyses, each host accumulates an anomaly index value, where a higher number
represents a higher potential for misbehavior. Currently, the prototype anomaly
index is based on a linear additive model; this may change as the research
continues. The idea is that this index, once properly tuned, would correlate
better with the intuitive problem detection processes of network administrators
than does a plain display of, for example, "high talkers". The primary goal of
this work is to develop and test a RUM IDS module and its initial set of metrics.
While a full investigation of the assistant index idea is beyond the scope of
this project, formative results indicate that a subset of the metrics under
investigation does indeed provide better high-speed problem detection, when
combined with a human analyst, than do some other readily available tools.
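As an added illustration, not code from the thesis or from RUM, the following Python sketch shows how a linear additive anomaly index over the two host views described above (network-relative and self-relative) can be computed and thresholded. The concrete metrics (a z-score of the host's latest value against its peers, and the relative change between its last two samples), the weights, the score cap and the threshold are assumptions chosen for the example, not the RUM IDS module's own metrics; the per-host sample values are constructed.

```python
"""Linear additive anomaly index over two host views (illustrative, not RUM's code).

Assumed metrics:
  peer_metric  - network-relative view: z-score of the host's latest sample against
                 the other hosts in the same window (capped to keep the index bounded)
  self_metric  - self-relative view: relative change between the host's last two samples
The index is a weighted sum of the two; hosts above THRESHOLD are flagged for an analyst.
"""
from statistics import mean, pstdev

# Constructed sample data: outbound bytes per host in two consecutive sampling windows.
SAMPLES = {
    "host-a": [1000, 1100],
    "host-b": [1200, 1150],
    "host-c": [900, 1000],
    "host-d": [1050, 9000],   # sudden jump: stands out in both views
}

WEIGHTS = {"peer": 1.0, "self": 1.0}   # assumed weights of the linear model
CAP = 10.0                             # assumed cap on the peer z-score
THRESHOLD = 2.0                        # assumed intrusion threshold indicator


def peer_metric(host, samples, cap=CAP):
    """Network-relative view: how far the host's latest sample sits from its peers.

    Returns |value - mean(peers)| / stdev(peers), capped at `cap`. The host itself
    is excluded from the peer set so it cannot pull the baseline toward itself.
    If the peers all agree (stdev 0) the host is either in line (0.0) or an
    outright outlier (cap).
    """
    value = samples[host][-1]
    peers = [v[-1] for h, v in samples.items() if h != host]
    mu, sd = mean(peers), pstdev(peers)
    if sd == 0.0:
        return 0.0 if value == mu else cap
    return min(abs(value - mu) / sd, cap)


def self_metric(host, samples):
    """Self-relative view: relative change from the previous sample to the latest."""
    prev, cur = samples[host][-2], samples[host][-1]
    return abs(cur - prev) / max(prev, 1)


def anomaly_index(host, samples, weights=WEIGHTS):
    """Linear additive model: weighted sum of the two view metrics."""
    return (weights["peer"] * peer_metric(host, samples)
            + weights["self"] * self_metric(host, samples))


def flag_hosts(samples, threshold=THRESHOLD):
    """Hosts whose index exceeds the threshold, sorted by name."""
    return sorted(h for h in samples if anomaly_index(h, samples) > threshold)


def report(samples):
    """Per-host breakdown an analyst could read alongside the flagged list."""
    return {
        h: {
            "peer": round(peer_metric(h, samples), 3),
            "self": round(self_metric(h, samples), 3),
            "index": round(anomaly_index(h, samples), 3),
        }
        for h in samples
    }


if __name__ == "__main__":
    for host, row in report(SAMPLES).items():
        print(f"{host}: peer={row['peer']:7.3f} self={row['self']:7.3f} index={row['index']:7.3f}")
    print("flagged:", flag_hosts(SAMPLES))
```

The cap matters for a linear model: one extreme z-score would otherwise dominate the sum and make the weights meaningless. Note also that the large outlier inflates the peer standard deviation for every other host in the same window, which dampens their peer metric; a robust spread estimate, or excluding already-flagged hosts from the peer set, would be the next refinement.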