Intrusion Detection: A Survey [chapter]

Aleksandar Lazarevic, Vipin Kumar, Jaideep Srivastava
Managing Cyber Threats  
This chapter provides an overview of the state of the art in intrusion detection research. Intrusion detection systems are software and/or hardware components that monitor computer systems and analyze events occurring in them for signs of intrusions. Due to the widespread diversity and complexity of computer infrastructures, it is difficult to provide a completely secure computer system. Therefore, there are numerous security systems and intrusion detection systems that address different aspects of computer security. This chapter first provides a taxonomy of computer intrusions, along with brief descriptions of major computer attack categories. Second, a common architecture of intrusion detection systems and their basic characteristics are presented. Third, a taxonomy of intrusion detection systems based on five criteria (information source, analysis strategy, time aspects, architecture, response) is given. Finally, intrusion detection systems are classified according to each of these categories and the most representative research prototypes are briefly described.

nine-level tree of attack classes. Lindqvist and Jonsson [128] extended the Neumann and Parker model by expanding several attack categories (categories 5, 6 and 7 from the original nine-level tree of attacks) and by introducing the concept of a dimension, which represents a basis of the attack classification. They specified two interesting criteria for system owners to perform attack classification, namely "intrusion techniques" and "intrusion results", and they called these criteria dimensions. Jayaram and Morse [96] also developed a taxonomy of security threats to networks, in which they provide five "classes of security threats" and two "classes of security mechanisms". Another significant work in computer attack taxonomies was performed by the CERIAS group at Purdue University [11, 108, 112]. Their first attempt [112] provided a classification of computer intrusions on Unix systems using system logs and colored Petri nets. Aslam [11] extended this work by providing a taxonomy of security flaws in Unix systems. Finally, Krsul [108] reorganized both previous taxonomies and provided a more complex taxonomy of computer attacks that contains four main categories (design, environmental assumptions, coding faults and configuration errors).
Richardson [189, 190] extended these taxonomies by developing a database of vulnerabilities to help study the problem of Denial of Service (DoS) attacks. The database was populated with 630 attacks from popular sites that report computer incidents. These attacks were cataloged into categories that correspond to extensions of Aslam's taxonomy of security flaws [11] and Krsul's taxonomy of computer attacks [108]. Within the DARPA intrusion detection project, Kendall [103] developed a similar database of the computer attacks that exist in the DARPA intrusion detection evaluation data sets [52]. An excellent overview of these techniques as well as their extensions is provided in Lough's PhD thesis [135]. Anderson presented one of the first categorizations of attack perpetrators according to their types. He used a 2x2 table to classify computer threats into three groups (external penetration, internal penetration and misfeasance), based on whether or not penetrators are authorized to use the computer system or to use particular resources in the system [7]. One of the most influential taxonomies in categorizing attack perpetrators is the classification of types of attackers, used tools, access information, attack consequences and the objectives of the attacks, performed by CERT [84]. Researchers at Sandia National Laboratories [45] proposed a very similar taxonomy, with a few added or merged categories. The taxonomy we provide in this survey is more general, and is obtained by examining and combining existing categorizations and taxonomies of host and network attacks published in the intrusion detection literature, and by revealing common characteristics among them. In previously published taxonomies, the categories used in the classification of attacks were usually either the cause of a vulnerability or the result (i.e., effect) of a vulnerability.
In the taxonomy proposed here, we use the traditional cause of a vulnerability to specify the following categories of attacks:
• Attack type
• Number of network connections involved in the attack
• Source of the attack
• Environment
• Automation level

Attack type. The most common criterion for classifying computer attacks and intrusions in the literature is the attack type [84, 103]. In this chapter, we categorize computer attacks into the following classes:
- Denial of Service (DoS) attacks. These attacks attempt to "shut down a network, computer, or process; or otherwise deny the use of resources or services to authorized users" [144]. There are two types of DoS attacks: (i) operating system attacks, which target bugs in specific operating systems and can be fixed with patches; and (ii) networking attacks, which exploit inherent limitations of networking protocols and infrastructures. An example of an operating system attack is teardrop, in which an attacker exploits a vulnerability in TCP/IP fragmentation re-assembly code that does not properly handle overlapping IP fragments, by sending a series of overlapping fragmented packets. A typical example of a networking DoS attack is the "SYN flood" attack, which takes advantage of the three-way handshake for establishing a connection. In this attack, the attacker establishes a large number of "half-open" connections using IP spoofing. The attacker first sends SYN packets with a spoofed (faked) IP address to the victim in order to establish a connection. The victim creates a record in a data structure and responds with a SYN/ACK message to the spoofed IP address, but it never receives the final acknowledgment message (ACK) that would complete the connection, since the spoofed IP addresses are unreachable or unable to respond to the SYN/ACK messages.
Although the record in the data structure is freed after a timeout period, the attacker attempts to generate a sufficiently large number of "half-open" connections to overflow the data structure, which may lead to a segmentation fault or lock up the computer. Other examples of DoS attacks include disrupting connections between machines and thus preventing access to a service, preventing particular individuals from accessing a service, disrupting service to a specific system or person, etc. In a distributed DoS (DDoS) attack, which is an advanced variation of the DoS attack, multiple machines are deployed to attain this goal. DoS and DDoS attacks have posed an increasing threat to
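The victim-side half-open connection table and timeout described above, replayed over constructed traces to show how a host-based detector would flag a SYN flood long before the table overflows. This is an added example, not code from the chapter; the timeout, table size, alert threshold and the addresses in the traces are assumed values.

```python
from dataclasses import dataclass, field

HALF_OPEN_TIMEOUT = 30.0  # seconds a half-open record survives (assumed value)
TABLE_CAPACITY = 64       # size of the victim's half-open table (assumed value)

@dataclass
class HalfOpenTable:
    timeout: float = HALF_OPEN_TIMEOUT
    capacity: int = TABLE_CAPACITY
    pending: dict = field(default_factory=dict)  # (src_ip, src_port) -> time the SYN arrived
    refused: int = 0  # SYNs dropped because the table was full

    def expire(self, now):
        # records older than the timeout are freed, as the chapter describes
        for key in [k for k, t in self.pending.items() if now - t > self.timeout]:
            del self.pending[key]

    def on_syn(self, key, now):
        self.expire(now)
        if len(self.pending) >= self.capacity:
            self.refused += 1  # table overflow: new connections are turned away
            return False
        self.pending[key] = now  # victim sends SYN/ACK and waits for the final ACK
        return True

    def on_ack(self, key, now):
        # the final ACK completes the handshake and frees the record
        return self.pending.pop(key, None) is not None

def run_trace(events, alert_at=32):
    """Replay (time, kind, src_ip, src_port) events, kind "SYN" or "ACK"; return
    (alerts, table). One alert fires the first time half-open records reach alert_at."""
    table, alerts = HalfOpenTable(), []
    for now, kind, ip, port in sorted(events):
        if kind == "SYN":
            table.on_syn((ip, port), now)
        elif kind == "ACK":
            table.on_ack((ip, port), now)
        if len(table.pending) >= alert_at and not alerts:
            alerts.append((now, len(table.pending)))
    return alerts, table

def legit_handshakes(n):
    # constructed trace: n clients, each completing its handshake 0.1 s after the SYN
    return [e for i in range(n) for e in ((i, "SYN", "10.0.0.%d" % (i + 1), 40000 + i),
                                          (i + 0.1, "ACK", "10.0.0.%d" % (i + 1), 40000 + i))]

def flood_trace(n):
    # constructed trace: n SYNs 10 ms apart from spoofed 192.0.2.0/24 addresses; no ACK follows
    return [(i * 0.01, "SYN", "192.0.2.%d" % (i % 256), 50000 + i) for i in range(n)]
```

With the legitimate trace the table never holds more than one record, while the flood trace raises the alert at the 32nd unacknowledged SYN and then refuses every SYN beyond the 64th until the timeout frees the stale records.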
doi:10.1007/0-387-24230-9_2