Anomaly-based intrusion detection system
An anomaly-based intrusion detection system, is an intrusion detection system for detecting both network and computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous. The classification is based on heuristics or rules, rather than patterns or signatures, and attempts to detect any type of misuse that falls out of normal system operation. This is as opposed to signature-based systems, which can only detect attacks for which a signature has previously been created.[1]
In order to positively identify attack traffic, the system must be taught to recognize normal system activity. The two phases of a majority of anomaly detection systems consist of the training phase (where a profile of normal behaviors is built) and testing phase (where current traffic is compared with the profile created in the training phase).[2] Anomalies are detected in several ways, most often with artificial intelligence type techniques. Systems using artificial neural networks have been used to great effect. Another method is to define what normal usage of the system comprises using a strict mathematical model, and flag any deviation from this as an attack. This is known as strict anomaly detection.[3] Other techniques used to detect anomalies include data mining methods, grammar based methods, and Artificial Immune System.[2]
Network-based anomalous intrusion detection systems often provide a second line of defense to detect anomalous traffic at the physical and network layers after it has passed through a firewall or other security appliance on the border of a network. Host-based anomalous intrusion detection systems are one of the last layers of defense and reside on computer end points. They allow for fine-tuned, granular protection of end points at the application level.[4]
Anomaly-based Intrusion Detection at both the network and host levels have a few shortcomings; namely a high false-positive rate and the ability to be fooled by a correctly delivered attack.[3] Attempts have been made to address these issues through techniques used by PAYL[5] and MCPAD.[5]
See also
[edit]- fail2ban
- Cfengine – 'cfenvd' can be utilized to do 'anomaly detection'
- Change detection
- DNS analytics
- Hogzilla IDS – is a free software (GPL) anomaly-based intrusion detection system.
- RRDtool – can be configured to flag anomalies
- Sqrrl – threat hunting based on NetFlow and other collected data[6]
References
[edit]- ^ Wang, Ke (2004). "Anomalous Payload-Based Network Intrusion Detection" (PDF). Lecture Notes in Computer Science. Vol. 3224. Springer Berlin. pp. 203–222. doi:10.1007/978-3-540-30143-1_11. ISBN 978-3-540-23123-3. Archived from the original (PDF) on 2010-06-22. Retrieved 2011-04-22.
{{cite book}}
:|journal=
ignored (help); Missing or empty|title=
(help) - ^ a b Khalkhali, I; Azmi, R; Azimpour-Kivi, M; Khansari, M. "Host-based web anomaly intrusion detection system, an artificial immune system approach" (PDF). ProQuest.
- ^ a b A strict anomaly detection model for IDS, Phrack 56 0x11, Sasha/Beetle
- ^ Beaver, K. "Host-based IDS vs. network-based IDS: Which is better?". Tech Target, Search Security.
{{cite web}}
: Missing or empty|url=
(help) - ^ a b Perdisci, Roberto; Davide Ariu; Prahlad Fogla; Giorgio Giacinto; Wenke Lee (2009). "McPAD : A Multiple Classifier System for Accurate Payload-based Anomaly Detection" (PDF). Computer Networks. 5 (6): 864–881. doi:10.1016/j.comnet.2008.11.011.
- ^ Alonso, Samuel. "Cyber Threat hunting with Sqrrl (From Beaconing to Lateral Movement)". Archived from the original on 2021-07-31. Retrieved 2019-08-17.