Intrusion Detection Systems

Kinds of evasions

2010-03-22T06:58:00.001-07:00

Now the next point to consider is ... do all IDS systems have common evasions?

When we read the paper on fixing the evasions through FSM, snort was the system under consideration ... there is no specific information provided regarding to what extent where the evasions present in the system were identified ... how can we confirm that if we have identified certain types of evasions we have addressed all that present in the specific IDS system.

Now concentrating on the basic evasion types as described in the case of SQL injection ... next question is ... if we use snort ... what kinds of intrusions in general it would address ...

http://en.wikipedia.org/wiki/Intrusion_detection_system_evasion_techniques ... talks about vulnerability scanners that also incorporate IDS evasion techniques

http://www.mail-archive.com/issforum@iss.net/msg02072.html --> "ADMmutate is a shellcode mutation engine, can evade NIDS

A way of breaking into a system. An exploit takes advantage of a weakness in a system in order to hack it. Exploits are the root of the hacker culture. Hackers gain fame by discovering an exploit. Others gain fame by writing scripts for it. Legions of script-kiddies apply the exploit to millions of systems, whether it makes sense or not. Since people make the same mistakes over-and-over, exploits for very different systems start to look very much like each other. Most exploits can be classified under major categories: buffer overflow, directory climbing, defaults, Denial of Service."

thoughts on evasion identification

2010-03-17T07:38:00.000-07:00

Possible study that should be undertaken:

When we draw an FSM for a specific situation which gets translated to a ruleset , all that we can identify is that the evasive path ... what could a possible evasive path ? Is it not the state where-in the alarm trigger is expected and there is no alarm raised for an attack ... so in this scenario ... even if we are able to generate test cases from the FSM ... how far is this going to be towards our goal of identifying evasions in the IDS system from the users point of view ...

Now let us consider a situation ... where-in we are aware of the possible modes of evasion available for a kind of attack ... say sql-injection ... would it not be beneficial to identify a testing technique ... that mainly assess the IDS system if it is evasive ... and then maybe compare the systems for check which one performs better with respect to a given evasion ...

Is it not better to have a tool developed which would automatically test the IDS systems for the evasions and check what all evasions it is vulnerable to ? Coz for a developer before he/ she uses the IDS system they want to understand if it is prone to known evasions ... this could also be done from the IDS system developer point of view ... they need a tool to identify ... now the next question is how is this different from the AGENT tool developed ... as we understand the tool is mainly used to generate automated test data which can be run on the IDS system there-by identifying possible evasions by going through the code ... now what we want to avoid is reading through the code to understand the evasions ...

first point we need to be clear is who we are targetting this application ... if it for the IDS system developers ... then there is a possibility that there might be new evasions ... if we are targetting for the developers who are going to use the IDS system then ... we can assume that the evasions that needs to be checked are mostly known ... hence the tool should directly test the IDS system for those evasions ... ?

FSM for SQL injection

2010-03-17T07:05:00.000-07:00

SQL Injection attack is found to be one of the most vulnerable in the case of websites. Identity thefts seem to be happening often due to the support of the attack.
Hence the white paper "The SQL Injection and Signature Evasion" discusses the possible evasion techniques that are prevalent and also quotes how the products of Impervia may suit protection against them.

Our focus here is mainly to understand the various evasion techniques available. This is done by using the SQL injection example quoted by them, drawing FSM for the situation and deriving test cases and checking if the specific evasion flow could be identified from the list of test cases drawn for the situation.

The example used in the paper is a SQL injection attack on a healthcare website
--> one of the module lists the SSN of all the family members based on the gender
If the query is genuine, then the web address looks like
http://www.superhealth.com/show_members.asp?gender=m

and the query looks like
selet SSN, Name from PATIENTS where FAMILY = XXX and gender='m'

This indicates that the query is done at particular family level and that the person trying to retrieve the information should have permission to perform the query. So based on this initial understanding we can try to come up with rule sets that the IDS system should be have been built upon to prevent a basic attack. Lets not worry about the evasion or any problem associated there-off.

r1 --> user login attempt with username
r2 --> user login attempt with password
r3 --> guest user / no login required / can access the website login page ... and browse through for information on the products that are available etc ... and plan for registration
r4 --> registered user logs in successful/ login attempt succeeded
r5 --> registered user login attempt failed
r6 --> registered user query database for SSN information for their family/ no alarm raised
r7 --> guest user query database for SSN information for their family / alarm should be raised
r8 --> server decodes the query to assess the quality and genuineness of it/ responds back

some tips on IPS testing from CISCO
http://www.cisco.com/web/about/security/intelligence/cwilliams-ips.html

Thoughts

2010-02-23T09:37:00.000-08:00

The aim is to figure out the signature evasions in NIDS systems. Currently how does it work ?

There are rule sets (or could be considered as policy) defined which mimic the real series of event execution, based on which the NIDS identifies if the system is working fine of there are possible intrusions.

Now the existence of the NIDS system or any IDS is known to all. So intruders also come up with a counter attack so as to successful in their venture. The fact is however the IDS is designed to figure out the vulnerable , the rule sets cannot be perfect, there are possible loop holes and the intruders capitalize on these loop holes.

Research has been done to understand the possible signature evasion in the case of an NIDS system with deterministic FSM in place. Test data generator by name AGENT has been implemented using prologue to test the NIDS and identify the possible evasions. Now this test data is based on the rule set and it targets both black and white hat problems.

What we want to do is try to generate test data from the deterministic FSM defined based on the rule set. Research has also been done to identify algorithms which will fix the evasions by considering the FSM of the rule set defined.

Revisiting what we want to do
1. We want to figure out the evasions in the rule sets for the IDS. Rule sets direct the IDS with respect to their performance. If we can identify the evasion in the rule set, we can directly related that to the performance of the NIDS
2. So the rule set can be defined as FSM. We can identify possible evasions. Generate test data depicting those evasions and then use the test data to test the IDS systems. If the system can detect the intrusion then the system is well defined. If not then this would be considered as an evasion to the system.

Characterization and Solution to A Stateful IDS Evasion

2010-01-26T05:47:00.000-08:00

Issam Aib, Tung Tran, and Raouf Boutaba
University of Waterloo, Waterloo, ON, Canada
(iaib, t3tran, rboutaba)@uwaterloo.ca
2009 29th IEEE International Conference on Distributed Computing Systems

In this paper, the authors discuss about the concept of signature evasion, where-in the attackers on purpose try to tamper with the flow stored as a regular flow to complete the attack.

The authors explain this concept through an FTP session intrusion. The steps or states involved in the flow of a normal and admin user authentication are coded as rule set and. Here, the authors say that a normal user by following his states, can innately access a file which he/ she is not authorized to view. This is possible without raising any alarm.

Among the set of rules that are defined for a specific operation, if a fake network packet (in the example scenario) can trigger a signature, then the signature is considered to be evasive (i.e. something which can be deceived easily)

Thus in order to address such a scenario, they have come up with an algorithm based on deterministic finite automate, i.e. using the states of the flow to raise the false positive alarms in the right time.

The set of rules that are defined for a specific flow of operation could contain both an evasive rule and a target rule (which assists in identifying the attack).

Understanding about Finite State Automata machines

2010-01-24T20:49:00.000-08:00

Finite State Automata are helpful in depicting the states and their relationship from start to end of a system. FSM representation could be done either using a state chart or regular expressions.

In the case of intrusion detection systems, if we go by the raw definition of FSM, it is feasible for us to implement a FSM based detection technique. Now let us assume that the detection technique is implemented using an FSM. Then will the technique not be misuse. Is it possible for it to be anomalous in nature? In the misuse scenario, we normally store all the possible intrusions that we have come across and then try to match with the incoming intrusions and raise an alarm. In the case of anomalous, we do the opposite thing, where-in the system is trained with the expected behavior. The expected series of behavior could be classified using the FSM.

Now the question is, if we use FSM, is there a possibility of reducing the false alarm rates?

Above the advantages of FSM usage, the motive here in front of us is to understand the possibility of generating test cases from the IDS FSM.

IDS systems using FSM technique

2010-01-22T14:32:00.000-08:00

http://www.springerlink.com/content/g25w816354413354/fulltext.pdf

http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=4285750 (A Memory-Efficient Reconfigurable Aho-Corasick FSM Implementation for Intrusion Detection Systems)

http://opensiuc.lib.siu.edu/cgi/viewcontent.cgi?article=1009&context=ece_articles (Self-Addressable Memory-Based FSM: A Scalable Intrusion Detection Engine)

Generation and use of test data sets in IDS testing

2010-01-21T07:29:00.000-08:00

Vidar Evenrud Seeberg, "Generation and use of test data sets in IDS testing", September 16, 2005

When evaluating an IDS, the evaluator can choose mainly between four approaches in
generating and using test data sets:

The evaluator can base the test on an empty test data set (no background trac)
The evaluator can generate test data by recording real network trac
The evaluator can generate test data by sanitizing recorded real network trac
The evaluator can generate test data using simulated traffic

Quoted reference to arrive at the approaches-

P Mell, V Hu, R Lippmann, J Haines, and M Zissman. An overview of issues in testing
intrusion detection systems. Technical Report NIST IR 7007, National Institute of
Standards and Technology, August 2003.

Intrusion Detection Testing and Benchmarking Methodologies

2010-01-21T07:21:00.000-08:00

Nicholas Athanasides, Randal Abler et al, "Intrusion Detection Testing and Benchmarking Methodologies", Georgia Institute of Technology, Proceedings of the First IEEE International workshop on Information assurance (IWIA '03)

The authors discuss the existing tools and testing methodologies for performing benchmark testing of intrusion detection systems. Based on their study they propose the use of an open source environment to execute the testing.

Environments discussed include:

1. DARPA Environment
2. LARIAT environment

In addition the authors have also listed the test suite and the tools that could be used

1. Nidsbench and IDS Wakeup
2. IDSwakeup
3. Flame Thrower
4. WebAvalanche/ WebReflector
5. Tcpreplay
6. Fragrouter
7. Hping2
8. Iperf

- Issues in generating realistic evaluation environments are also discussed

- Examples of IDS Evaluation environments include:

1. DARPA Like Environment
2. Custom Software
3. Advanced security audit trail analysis on Unix
4. Vendor Independent testing lab
5. Trade magazine evaluation

A methodology of testing intrusion detection systems

2010-01-21T06:49:00.000-08:00

Nicholas J.Puketza, et al, "A methodology of testing intrusion detection systems", University of California

- Elaborate information is provided on the testing methodology to assess the performance of IDS

- the authors have quoted that test data could be obtained from sources such as CERT advisories, periodicals such as PHRACK and 2600, USENET, analyzing the vulnerabilities detected by security tools such as COPS and TIGER

Possible articles that could be referred to related to obtaining intrusion data:

1. M. Bishop, \A Taxonomy of UNIX System and Network Vulnerabilities," Technical
Report CSE-95-10, University of California at Davis, September 1995.
2. D. Farmer and W. Venema, \Improving the Security of Your Site by Breaking Into
It," USENET posting, December 1993.
3. D. Farmer and E. H. Spaord, \The COPS Security Checker System," Proc., Summer
USENIX Conference, pp. 165-170, June 1990.
4. S. Kumar and E. H. Spaord, \A Pattern Matching Model for Misuse Intrusion Detec-
tion," Proc., 17th National Computer Security Conference, Baltimore, MD, pp. 11-21,
October 1994.
5. D. R. Saord, D. L. Schales, and D. K. Hess, \The TAMU Security Package: An
Ongoing Response to Internet Intruders in an Academic Environment," Proc., Fourth
USENIX UNIX Security Symposium, Santa Clara, CA, pp. 91-118, October, 1993.

- test case selection based on 3 different strategies is elaborated

The authors have not provided in depth information on how large volume of test data could be generated, but they have given guidance related to the direction which needs to be adopted to achieve it

Generation of test data for testing intrusion detection systems

2010-01-20T12:44:00.000-08:00

Internet has information related to the generation of test data for testing IDS systems in assessing its efficiency. detection techniques are implemented based on finite state machines and descriptive languages for the systems in place. But there is no sufficient data available on how these systems are tested.

Following listing consists of the papers available in this area along with the amount of information it contains pertaining to test data generation and usage of test data generation tools if any.

- Nicholas J.Puketza, et al, "A methodology of testing intrusion detection systems", University of california

- Nicholas Athanasides, Randal Abler et al, "Intrusion Detection Testing and Benchmarking Methodologies", Georgia Institute of Technology, Proceedings of the First IEEE International workshop on Information assurance (IWIA '03)

- Ming Li and Wei Zhao, "A principle of a data synthesizer for Performance test of anti-DDOS Flood Attacks", International journal of computers, issue 3, volume 1, 2007

- Vidar Evenrud Seeberg, "Generation and use of test data sets in IDS testing", September 16, 2005

- John McHugh, "Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Intrusion Detection System Evaluations as Performed by Lincoln Laboratory"

- Darren Mutz et al, "An Experience Developing an IDS Simulator for the Black Box testing of Network Intrusion Detection Systems", Proceedings of the 19th Annual Computer Security Applications Conference (ACSAC 2003)

- Roy A. Maxion et al, "Benchmarking Anomaly-based detection systems", 2000 IEEE

- Emilie Lundin Barse et al, "Synthesizing Test Data for Fraud Detection Systems"

- R Sekar, A Gupta et al, "Specification based anomaly detection : A new approach for detecting network intrusions", CCS'02 November 18-22, 2002, Washington DC, USA, ACM

Tools for testing IDS

2010-01-08T07:42:00.000-08:00

1. RACOON - RACOON: Rapidly Generating User Command Data For Anomaly Detection From Customizable Templates (http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=01377229)
2. fTester - (http://dev.inversepath.com/trac/ftester) Firewall and IDS Testing tool
3. Tcpreplay - network traffic testing (http://tcpreplay.synfin.net/trac/)
4. Nemesis - well suited for testing Network Intrusion Detection Systems, firewalls, IP stacks and a variety of other tasks (http://nemesis.sourceforge.net/)
5. IDSwakeup - IDSwakeup is to generate false attack that mimic well known ones, in order to see if NIDS detects them and generates false positives
6. Unix tool EXPECT - Simulation of “normal” and “intruder” behaviour.
Extends TCL interpreter to provide simulation scripts. (http://expect.nist.gov/)
7. Fragrouter: Routes network traffic such that it elude most NIDS. (http://www.securityfocus.com/tools/176)

Issues involved in anomaly based detection technique

2010-01-08T07:25:00.000-08:00

1. Inadvertently including malicious activity as part of a profile is a common problem with anomaly-based IDPS (Intrusion Detection and Prevention systems) products
2. It can be very challenging to build profiles in some cases to make them accurate, because computing activity can be so complex.
3. It is often difficult for analysts to determine why a particular alert was generated and to validate that an alert is accurate and not a false positive, because of the complexity of events and number of events that may have caused the alert to be generated.

Source - http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf

Evaluating Network Intrusion Detection Signatures

2010-01-07T18:27:00.000-08:00

http://www.securityfocus.com/infocus/1623

Evaluating Network Intrusion Detection Signatures, Part One

http://www.securityfocus.com/infocus/1630

Evaluating Network Intrusion Detection Signatures, Part Two

IDS measurements which can be used to assess performance accuracy

2010-01-07T18:20:00.000-08:00

source - TESTING INTRUSION
DETECTION SYSTEMS
Elizabeth B. Lennon, Editor
Information Technology Laboratory
National Institute of Standards and Technology

1. Coverage
2. Probability of False Alarms
3. Probability of Detection
4. Resistance to attacks directed at the IDS
5. Ability to Handle High Bandwidth Traffic
6. Ability to Correlate Events
7. Ability to Detect Never-Before-Seen Attacks
8. Ability to Identify an Attack
9. Ability to Determine Attack Success
10. Capacity Verification for NIDS

USim: A User Behavior Simulation Framework for Training and Testing IDSes in GUI Based Systems

2010-01-07T16:10:00.001-08:00

by A. Garg, S.Vidyaraman, S. Upadhyaya et al,

Currently reading

Information to be looked at

2010-01-05T11:47:00.000-08:00

Firewall and IDS Testing toolhttp://www.secguru.com/link/firewall_and_ids_testing_tool

IDS Testing info from NIST website
http://www.itl.nist.gov/lab/bulletns/

http://csrc.nist.gov/publications/nistbul/bulletin07-03.pdf
http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf
http://csrc.nist.gov/publications/nistbul/04-2004.pdf
http://csrc.nist.gov/publications/nistir/nistir-7007.pdf

An Experience Developing an IDS Stimulator for the Black-Box Testing of Network Intrusion Detection Systems (2003)

Evaluating intrusion detection systems: The 1998 darpa off-line intrusion detection evaluation (2000)

Testing Network Intrusion Detection Systems (2006) (http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.129.9810)

Data Collection Mechanisms for Intrusion Detection Systems (2000)

Intrusion Detection Systems - Technologies, . . . (2003)

Automated Audit Trail Analysis and Intrusion Detection: A Survey (1988)

Classification of anomaly based intrusion detection under relevant areas

2009-12-15T05:46:00.000-08:00

Anomaly Detection
-Misuse
-System Calls
-Adaptive
-Feature Selection
-Network Based
-Host Based
-Behavior Based
-Cooperative
-Cost Sensitive

The authors as quoted in my previous blog have collated relevant papers related to the classification mentioned above. This could act as a good starting point to understand more about the different anomaly based systems

Intrusion detection systems and models

2009-12-15T05:25:00.000-08:00

Joseph S. Sherif, Tommy G. Dearmond, California Institute of Technology

Mahoney, M., “Computer Security: A Survey of Attacks and Defenses” Hyperlink docshow.net/ids.htm, 2000.

http://cs.fit.edu/~mmahoney/ids.html

According to Mohoney, there exists at least six types of attacks to the system

1. Worms - self replicating programs that spread across a network.
The three security flaws that the worms exploited were
a. a backdoor in the sendmail server program that allowed clients to execute remote commands on the server
b. a buffer overflow vulnerability in the fingerd server
c. weak passwords

2. Viruses - programs that replicate when a user performs some action such as running a program.
types discussed in this paper include the following
a. Boot sector infectors
b. File infectors
c. Email viruses

3. Server attacks - a client exploits a bug in the server to cause it to perform some unintended action.
Examples,
a. Microsoft IIS 4.0 web server
b. Cold Fusion web server
c. lpd attack
d. Sendmail buffer overflow
e. rpc.statd buffer overflow

4. Client attacks - a server exploits a bug in a client to cause it to perform some unintended action.
a. Microsoft Office 2000 UA Control
b. Microsoft Outlook

5. Network attacks (denial of service) - a remote attacker exploits a bug in the network software or weakness in the protocol to cause a server, router, or network to fail.
a. Winnuke
b. IRDP spoofing
c. Teardrop
d. Land
e. Ping of death
f. Smurf
g. Vengeance
h. SYN flood
i. Local network attacks
j. SNMP attacks

6. Root attacks - a user on a multiuser operating system obtains the priveliges of another user (usually root) by either
- Obtaining the other user's password, or
- Bypassing controls that restrict access.

NT attacks - NT password weaknesses
UNIX attacks - Shell script attacks, Dynamic library attacks, Directory tree escapes, Symbolic links in /tmp, Console attacks
Password Capture - Sniffer attacks, Weak encryption, Trojan attacks, Backdoor passwords, Stored passwords, Hardware key attacks

Techniques to detect anomalies (IDS)

2009-12-14T07:02:00.000-08:00

Susheela Sarasamma, Julie Huff, "Anomaly based techniques for intrusion detection systems", Northrop Grumman Mission Systems
In this presentation, the authors provide information on the various anomaly based techniques which can be used for the IDS.
General anomaly based techniques include, statistical, neural network and machine learning.

The authors have specifically discussed a couple of anomaly detection techniques for an IDS which include the following
1. A novel anomaly detection technique using Kohonen network
2. Conclusions on the test conducted on multi-level k map

Kinds of anomalies to be considered as outliers include the following
1. outlier detection
2. novelty detection
3. noice detection
4. deviation detection
5. exception mining

* Now suppose we have to come up with efficient testing techniques for anomaly based intrusion detection systems there are set of things which we might want to understand

- study the different anomaly based intrusion detection systems. As the test methodology might vary depending on the technique which has been adopted.

- research on the platform which might be required for performing the testing for such a system.

- in addition we might have to come to a decision or rather the focus of the research

- we might also want to understand the typical attacks in the case of the anomaly based intrusions

- audit trails how are they being used for testing purposes

- if we need to compose of a testing methodology, then how should the evaluation be done for it

Road Map

2009-12-11T10:02:00.000-08:00

In the last quarter report, there were two potential streams identify for research

1. Testing of anomaly based intrusion detection systems

2. Modeling intrusion detection systems

Proceeding ahead with the testing of anomaly based IDS, we intended to do the following

1. Understand the anomaly based IDS models
2. How currently the IDS systems are tested. i.e. testing methodology, test scripts generation etc
3. How audit records are used to understand any intrusions in the system etc.

Currently, based on the information obtained. There are not many research papers supporting the testing of IDS systems.

When we are not getting sufficient information, the thought on what could have led to scenario is a question that comes up. In addition most of the testing related research have been carried out a few years ago, implying there is no currently existing research based on the literature review that has been obtained.

Given the situation what could be the steps ahead.

1. Irrespective of the availability of specific information, understanding the basic model of anomaly based IDS would help us in deriving better testing techniques.

2. Improvement of the test scripts could be an option which need to be worked on.

3. In addition, there was also some work related to the software platform for testing IDS undertaken by Prof. Biswanath Mukherjee and his associates.

4. The model itself could be looked at. One fact that should be considered is that anomaly based IDS does have the ability to raise an alarm for all possible situations which it was not trained before, hence there is greater probability of false alarms as well. Hence we could spend some effort here to understand how this could be avoided.

Though we have signature and anomaly based IDS. Current industry preference is signature since it is trained to identify fixed anomalies and it does most of the time. While in the case of anomaly based IDS, it is dynamic, but there is a probability if the system is trained to accept an intrusion as a normal behavior it cannot differentiate.

General definition of anomaly based intrusion detection

2009-12-09T10:43:00.000-08:00

An Anomaly-Based Intrusion Detection System, is a system for detecting computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous. The classification is based on heuristics or rules, rather than patterns or signatures, and will detect any type of misuse that falls out of normal system operation. This is as opposed to signature based systems which can only detect attacks for which a signature has previously been created.

In order to determine what is attack traffic, the system must be taught to recognise normal system activity. This can be accomplished in several ways, most often with artificial intelligence type techniques. Systems using neural networks have been used to great effect. Another method is to define what normal usage of the system comprises using a strict mathematical model, and flag any deviation from this as an attack. This is known as strict anomaly detection.
Source : - http://en.wikipedia.org/wiki/Anomaly-based_intrusion_detection_system

IDS Testing Methodology

2009-12-09T10:07:00.000-08:00

Nicolas J Puketza et al, "A methodology for testing intrusion detection systems"
In this paper, the authors try to test the performance objectives of the IDS systems
Precondition - IDS systems should be installed and configured appropriately.
They have considered the basic testing procedure as described below and brought in variations in it
1. create or select a set of test scripts
2. establish the desired conditions in the computing environment
3. start the IDS
4. run the test scripts
5. analyze the IDS's output
The different IDS Tests considered include the following

1. Intrusion Identification tests
- Basic detection tests
a. create a set of intrusion scripts
b. as much as possible, eliminate unrelated computing acitvity in testing environment
c. start the IDS
d. run the intrusion scripts
Another technique, test results include a number associting it to warning based on the level of abnormal behavior. This would assist the testers in better classification of the abnormal behavior.
- Normal Users test - Here instead of the intruder scripts, normal user scripts are introduced resulting in the understanding on how often normal scenarios are flagged as intrusions.

2. Resource Usage tests
This is done to understand the resource consumption of the IDS systems. The main test is the disk space. The procedure adopted is as follows:
1. eliminate unrelated activity in the test environment
2. start the IDS
3. run the test script for a measured period of time (e.g., one hour) and
4. calculate the total disk space used by the IDS to record the session associated with the script.

Evaluation:

An intrusion detection model

2009-12-04T14:32:00.000-08:00

Denning, D. E. 1987. An intrusion detection model. IEEE Transactions of Software Engineer-
ing 13, 2, 222 - 232.

The model denning arrived at was for a generic purpose which could cater to any kind of environment and system vulnerability and the type of intrusion. He believed that most of the intrusions could be identified from the audit records that is created by the intrusion detection system. He proposed a model in lines of the IDES and claimed it to work well.

The model proposed by him was expected to cater to the following list of intrusions
1. attempted break-in
2. masquerading or successful break-in
3. penetration by legitimate user
4. leakage by legitimate user
5. Inference by legitimate user
6. Trojan horse
7. Virus
8. Denial of service

Model proposed by him:

Since his model was a general purpose one, he called it as an intrusion-detection expert system (IDES). The six main components of his model includes the following:
subjects
objects
audit records
profiles
anomaly records
activity rules

Denning also describes various metrics and statistical models using the audit records could be analyzed for detecting anomalies

The metrics defined are:

1. event counter - number of audit records satisfying some property occurring during a period
2. interval timer - length of time between two related events
3. resource measure - quantity of resources consumed by some action during a period as specified in the Resource-Usage field of the audit records.

Statistical models proposed include the following:

1. Operational model
2. Mean and standard deviation model
3. Multivariate model
4. Markov Process model
5. Time series model

In this paper, in addition to defining metrics and models, Denning also elaborates on the various profiles of data that could be generated for different sessions.

Thus this data could be used for designing intrusion detection system test cases

Follow - up survey - focus

2009-12-04T11:05:00.001-08:00

The authors from the University of Minnesotta as explained in my previous blog had conducted an extensive study on the anomaly detection in different domains. The domain of interest to us are the intrusion detection systems, where-in they try to focus on the intrusions based on anomaly's in computer systems.

According to the authors the complexity with respect to anomaly detection in computer intrusion systems is the volume of data. In general labeled data corresponding to the expected behavior is available while those beyond expected are large in number and difficult to collate. In addition we understand that behavior beyond the normal and expected are considered to be an anomaly.

Denning in his paper classifies the types of intrusion detection systems to be host and network based.
(Denning, D. E. 1987. An intrusion detection model. IEEE Transactions of Software Engineer-
ing 13, 2, 222{232.)

Anamoly detection

2009-12-04T10:46:00.000-08:00

This is based on the technical report consisting of a survey conducted by Varun Chandola, Arindam Banerjee and Vipin Kumar from University of Minnessota.

They talk in detail on what anamolies are and how they could be identified by using different techniques.

They discuss about anomaly detection in terms of intrusions from the following perspective

1. Host based intrusion detection systems
2. Network intrusion detection systems

Apart from the intrusion detection systems, they also delve into fraud detections like credit card, mobile, insurance claim frauds and insider trading detections.

The different techniques that they discuss on to detect anomaly include the following

1. Neural network based
2. Bayesian network based
3. Support vector machine based
4. rule based

The authors also talk about the additional anomaly detection techniques from a mathematical perspective as well.

Among the research objectives that we have in place, one of them is to identify the testing technique that could be adopted to detect anomaly based intrusions.

Thus the technical report defined by the authors could act as an input to the way test data is being prepared for identifying intrusions. Effort needs to be added in order to achieve this. At the same time, this does sound to be a source to be taken into consideration.

The authors process of writing down the advantages and disadvantages of each technique they describe which could be used for anomaly detection could also add into the understanding.

One drawback which the authors quote is that, they believe the data considered for describing the various techniques in the report is not standard. It seems to be varying across. So the results that they have achieved might not give us a consistent understanding. Hence one of their future work would be to unify all the assumptions that they have considered.

New tool for detecting intrusions in the web

2009-11-06T11:55:00.000-08:00

Authors Sean McAllister, Engin Kirda and Christopher Kruegel in their paper "Leveraging User Interactions for In-Depth Testing of Web Applications" talk about a new scanner (automated testing tool) which they have put in place for detecting web application vulnerabilities as the reflected and stored cross site scripting.

Their claim is that the new tool deleveloped would be able to identify more defects comparatively. This is due to the fact that more number of test cases could be generated leading to more test scenario coverage for the web applications.

In the process of their evaluation, they have tested three applications with 3 other existing scanners along with their new developed one. Burp Spider, w3af spider and Acunetix Web Vulnerability are the others. They had concentrated on blogging applications, Forum application and online shopping application.

The authors feel that black box testing might not be very efficient as it lacks the capability to enter to all the requisite pages to perform the testing. While the tool they have developed has the feature to store and use the values keyed in so as to enter into the pages of the application and ensure there is no possible vulnerability injected in.

In order to ensure that they application does a deeper testing, the techniques adopted by them include guided fuzzing and stateful fuzzing.

In the case of guided fuzzing, it stores the previous valid values entered by the user and tries to reevaluate the page and compares the existence of any possible intrusion. They also use the extended fuzzing concept where-in they try to extensively use the data and dig even deeper into the application. Next is the stateful fuzzing which was built to ensure that the use cases are not repeated often as a result of the requirement of guided fuzzing in performing the testing of the applications. They call this as the undesirable side-effects.

They seem to be happy with what they have produced and talk about no extention to their current work.

Swarm attacks

2009-11-06T11:27:00.000-08:00

swarm attacks against networks are in trend these days, where-in the aim of the attacker is not to win his bid immediately but to win in increments there-by resulting in the performance degradation of the IDS systems.

Though the IDS systems are being tested for misuse patterns of the system, such attacks go beyond the scanner. One reason could be a repeated performance without violation could train the IDS system to accept that as a basic behavior or the network its protecting.

Hence the authors Simon P Chung and Aloysius K. Mok in their paper "Swarm Attacks against Network-level Emulation/ Analysis" (11th international symposium, RAID 2008 Cambridge, MA, USA, September 2008 Proceedings) try to analyze the possibility of breaking through the network by attacking the system incrementally. Their work is to understand if the IDS in place will defer to detect such an attack. They have implemented an attack similar to this for 8 different systems to see if the behavior will differ.

Now the question that arises is, we have different testing methodologies that concentrate on misuse and anamoly based intrusion detection. If the swarm attack is to fall under the category of repeating the same attack more number of times but performing limited violations, it is not a misuse patter of intrusion detection.

How can the IDS be trained such that it is able to understand such swarm attacks.

Further the authors quote that due to time gap between two attacks of the swarm attack, there is higher probability of even the Intrusion prevention systems not identifying the trend thereby evading the identification of the attack that is existing.

Future work as quoted by the authors is that they want to extend their research extensively on both types of systems to understand what the real time behavior

RAID - Recent Advances in Intrusion Detection

An overview of testing issues in IDS

2009-11-06T10:41:00.000-08:00

The paper gives a list of possible measurements which could be obtained as a result of testing the IDS.

Centres that are currently spending efforts on testing the IDS include the following:

1. University of California at DAVIS
2. IBM Zurich
3. MIT Lincoln Laboratory
4. Air Force Research Laboratory
5. MITRE
6. Neohapsis/ Network-Computing
7. The NSS Group
8. Network World Fusion

List of challenges as quoted include the following

1. Difficulties in Collecting Attack Scripts and Victim Software
2. Differing Requirements for Testing Signature Based vs. Anomaly Based
IDSs
3. Differing Requirements for Testing Network Based vs. Host Based IDSs
4. Four Approaches to Using Background Traffic in IDS Tests
- Testing using no background traffic/logs
- Testing using real traffic/logs
- Testing using sanitized traffic/logs
- Testing by generating traffic on a testbed network

Recommendations

1. Shared Datasets
2. Attack Traces
3. Cleansing Real Data
4. Sensor and Detector Alert Datasets
5. Real-life performance metrics
6. New Technologies

Synthesizing Test Data for Fraud Detection Systems

2009-10-20T09:13:00.000-07:00

Emilie Lundin Barse, Håkan Kvarnström, Erland Jonsson: Synthesizing Test Data for Fraud Detection Systems. ACSAC 2003: 384-395

Day 2 Research

2009-10-13T11:11:00.000-07:00

Following the paper on Intrusion Detection System testing, the authors came up with a following paper:

"A Software Platform for Testing Intrusion Detection Systems"

(Its a post script hence I have provided a link to its conversion)

In Prof. B. Mukherjee's web page, I could get details on related work, but nothing beyond 1997 on the testing of Intrusion Detection Systems. I do not have access to the following 3 papers which I got from this page. (http://networks.cs.ucdavis.edu/~mukherje/bio/pubsa.html)

G. Dias, K. Levitt, and B. Mukherjee,
``Modeling Attacks on Computer Systems: Evaluating Vulnerabilities and Forming a Basis for Intrusion Detection,''
Proc., CERT Workshop, Pleasanton, CA, June 1990.

N. Puketza, B. Mukherjee, R. A. Olsson, K. Zhang,
``Testing Intrusion Detection Systems: Design Methodologies and Results from an Early Prototype,''
Proc., National Computer Security Conference (NCSC), Baltimore, MD, pp. 1-10, Oct. 1994.

M. Chung, K. Zhang, N. Puketza, R. A. Olsson, and B. Mukherjee,
``Simulating Concurrent Intrusions for Testing Intrusion Detection Systems--Parallelizing Intrusions,''
Proc., 18th National Information Systems Security Conference, Baltimore, MD, pp. 173-183, Oct. 1995.

Following 2 papers are beyond the references obtained from the web page of the authors of "A Methodology of testing Intrusion Detection Systems"

An Overview of Issues in Testing Intrusion Detection Systems
by Peter Mell , Vincent Hu , Richard Lippmann , Josh Haines , Marc Zissman

Synthesizing Test Data for Fraud Detection Systems (2003)
by Emilie Lundin Barse , Emilie Lundin , Kvarnström Erl

IEEE Paper 1

2009-10-10T08:11:00.000-07:00

A Methodology of Testing Intrusion Detection Systems:

Introduction:
Software Testing concepts have been used as a basis for performing testing of the Intrusion detection systems.
Testing goals concentrated are the performance measures of the intrusion detection systems. The test case selection and procedures have been filtered to satisfy this goal.

Issues in evaluating an IDS
1. It might be difficult to identify all possible intrusions in a website where the IDS could be employed so as to arrive at the parameters for testing
2. Depending on the usage of the system, the IDS may at times miss out on identifying and tracking specific attacks

Types of Intrustions in focus:

1. Single Intruder Single Terminal (SIST)
2. Single Intruder Multiple Terminal (SIMT)
3. Multiple Intruder Multiple Terminal (MIMT)

Performance Objectives:

Broad Detection Range
Economy in Resource Usage
Resilience to Stress

Proposed Methodology:
Intrusion Identification tests
Resource Usage tests
Stress tests - Smoke screen noise, background noise, High Volume Sessions, Intensity and Load

Future Work:
1. Careful development of a suite of Intrusion test cases for basic detection system
2. Identification of additional performance objectives based on the information obtained from testing of other systems
3. Another task is to fine tune the testing procedures and develop suitable metrics to create a benchmark suite of IDSS, similar in spirit to the well established benchmarks such as SPECmarks, Livermore Loops and Dhrystone , which are used to test the performance of various computer architectures.
4. Testing techniques arrived at in this paper could be looked to adopt to testing other systems as well