An Intrusion-Detection Model



I. INTRODUCTION

This paper describes a model for a real-time intrusion-detection expert system.

The development of a real-time intrusion-detection system is motivated by four factors:
  1. Most existing systems have security flaws that render them susceptible to intrusions, penetrations, and other forms of abuse; finding and fixing all these deficiencies is not feasible for technical and economic reasons;
  2. Existing systems with known flaws are not easily replaced by systems that are more secure, mainly because the systems have attractive features that are missing in the more-secure systems, or else they cannot be replaced for economic reasons;
  3. Developing systems that are absolutely secure is extremely difficult, if not generally impossible;
  4. Even the most secure systems are vulnerable to abuses by insiders who misuse their privileges.


The model is based on the hypothesis that exploitation of a system's vulnerabilities involves abnormal use of the system (that is, security violations could be detected from abnormal patterns of system usage).


II. OVERVIEW OF MODEL

The model is independent of
  • any particular system,
  • application environment,
  • system vulnerability, or type of intrusion.

The model has six main components:
  • Subjects: initiators of activity on a target system
    • normally users.
  • Objects: resources managed by the system
    • files, commands, devices, etc.
  • Audit records: generated by the target system in response to actions performed or attempted by subjects on objects
    • user login, command execution, file access, etc.
  • Profiles: structures that characterize the behavior of subjects with respect to objects in terms of statistical metrics and models of observed activity.
    • Profiles are automatically generated and initialized from templates.
  • Anomaly records: generated when abnormal behavior is detected.
  • Activity rules: actions taken when some condition is satisfied
    • the actions update profiles, detect abnormal behavior, relate anomalies to suspected intrusions, and produce reports.

The model can be regarded as a rule-based pattern-matching system.



III. SUBJECTS AND OBJECTS

1. Subjects

  • The initiators of actions in the target system.
    • e.g., a terminal user, a process acting on behalf of users or groups of users, or the system itself.
  • All activity arises through commands initiated by subjects.


2. Objects


  • The receptors of actions.
    • e.g., files, programs, messages, records, terminals, printers, user-created structures, program-created structures.
  • When subjects can be recipients of actions, those subjects are also considered to be objects in the model.


IV. AUDIT RECORDS


  • 6-tuples representing actions performed by subjects on objects
    • <Subject, Action, Object, Exception-Condition, Resource-Usage, Time-stamp>
    • e.g., (Smith, execute, <Library>COPY.EXE, 0, CPU=00002, 11058521678)

  • Subject: the initiator of the action.
  • Action: operation performed by the subject on or with the object
    • e.g., login, logout, read, execute.
  • Object: the receptor of the action.
  • Exception-Condition: denotes which exception condition is raised on the return.
    • This should be the actual exception condition raised by the system, not just the apparent exception condition returned to the subject.
  • Resource-Usage: list of quantitative elements, where each element gives the amount used of some resource
    • number of lines or pages printed, number of records read or written, CPU time or I/O units used, session elapsed time.
  • Time-stamp: unique time/date stamp identifying when the action took place.


  • Assumption: each field is self-identifying, either implicitly or explicitly
    • e.g., the action field either implies the type of the expected object field or else the object field itself specifies its type.
  • When audit records are collected from several systems, an additional field is needed for a system identifier.
  • The model decomposes all activity into single-object actions
    • so that each audit record references only one object.
    • e.g., file copying is decomposed into
      • an execute operation on the copy command,
      • a read operation on the source file,
      • a write operation on the destination file.


  • Example audit records
    • [COPY GAME.EXE TO <Library>GAME.EXE] <- the user (Smith) lacks the required permission, so the copy is not carried out

(Smith, execute, <Library>COPY.EXE, 0, CPU=00002, 11058521678)
(Smith, read, <Smith>GAME.EXE, 0, RECORDS=0, 11058521679)
(Smith, write, <Library>GAME.EXE, write-viol, RECORDS=0, 11058521680)


Three advantages gained by decomposing complex actions
  • Since objects are the protectable entities of a system, the decomposition is consistent with the protection mechanisms of systems.
    • Thus, IDES can potentially discover both attempted subversions of the access controls (by noting an abnormality in the number of exception conditions returned) and successful subversions (by noting an abnormality in the set of objects accessible to the subject).
  • Single-object audit records greatly simplify the model and its application.
  • The audit records produced by existing systems generally contain a single object, although some systems provide a way of linking together the audit records associated with a "job step" (e.g., copy or compile) so that all files accessed during execution of a program can be identified.


V. PROFILES


Structures that characterize the behavior of subjects.
Observed behavior is characterized in terms of a statistical metric and model.

  • A metric (a quantitative measure, i.e., a measured value)
    • A random variable x representing a quantitative measure accumulated over a period.
      • The period may be
        • a fixed interval of time
          • minute, hour, day, week, etc.
        • the time between two audit-related events
          • between login and logout, program initiation and program termination, file open and file close, etc.

  • Observations (xi of x obtained from the audit records) are used together with a statistical model to determine whether a new observation is abnormal.
  • The statistical model makes no assumptions about the underlying distribution of x; all knowledge about x is obtained from observations. Before describing the structure, generation, and application of profiles, (????????)


1. Metrics


We define three types of metrics:
  • Event counter (number of occurrences)
    • x is the number of audit records satisfying some property occurring during a period (each audit record corresponds to an event).
      • e.g., number of logins during an hour, number of times some command is executed during a login session, and number of password failures during a minute.
  • Interval timer (time between two events)
    • x is the length of time between two related events,
    • i.e., the difference between the timestamps in the respective audit records.
      • e.g., length of time between successive logins into an account.
  • Resource measure (amount of resources consumed)
    • x is the quantity of resources consumed by some action during a period as specified in the Resource-Usage field of the audit records.
      • e.g., the total number of pages printed by a user per day and the total amount of CPU time consumed by some program during a single execution.
    • In the paper's intrusion-detection model, a resource measure is implemented as an event counter or an interval timer.

2. Statistical Models


The purpose of a statistical model of x is to determine whether a new observation x_{n+1} is abnormal with respect to the previous observations.

2.1 Operational Model

  • Assumption: abnormality can be decided by comparing a new observation of x against fixed limits.
  • Although the previous sample points for x are not used, presumably the limits are determined from prior observations of the same type of variable.
  • The operational model is most applicable to metrics where experience has shown that certain values are frequently linked with intrusions.
    • e.g., an event counter for the number of password failures during a brief period, where more than 10 suggests an attempted break-in.

Detection is based on whether the measured value exceeds the specified limit.

2.2 Mean and Standard Deviation Model


  • Assumption: all we know about x1, ..., xn are the mean and standard deviation as determined from its first two moments:



Detects values that go beyond the mean after 10 trials, applying the standard deviation at that point

A new observation x_{n+1} is defined to be abnormal if it falls outside a confidence interval that is d standard deviations from the mean for some parameter d:


By Chebyshev's inequality, the probability of a value falling outside this interval is at most 1/d^2.
e.g., for d = 4, it is at most 0.0625. Note that 0 (or null) occurrences should be included so as not to bias the data.

  • This model is applicable to
    • event counters, interval timers, and resource measures accumulated over a fixed time interval or between two related events.
  • It has two advantages over the operational model.
    • First, it requires no prior knowledge about normal activity in order to set limits; instead, it learns what constitutes normal activity from its observations, and the confidence intervals automatically reflect this increased knowledge.
    • Second, because the confidence intervals depend on observed data, what is considered to be normal for one user can be considerably different from another.


2.3 Multivariate Model

  • Similar to the mean and standard deviation model except that it is based on correlations among two or more metrics.
  • This model is useful in the following case:
    • experimental data show that better discriminating power can be obtained from combinations of related measures rather than individually,
    • e.g., CPU time and I/O units used by a program, login frequency and session elapsed time (which may be inversely related).

2.4 Markov Process Model


  • This model regards each distinct type of event (audit record) as a state variable, and uses a state transition matrix to characterize the transition frequencies between states.
  • Applies only to event counters.
  • A new observation is defined to be abnormal
    • if its probability, as determined by the previous state and the transition matrix, is too low.
  • This model might be useful for looking at transitions between certain commands where command sequences are important.
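An added example (not from these notes or the paper) of the Markov process model: transition frequencies between audit actions are learned from a constructed command sequence, and a new transition is flagged when its probability under the learned matrix falls below a threshold. The class name, the threshold value and the sample sequence are assumptions of this example.

```python
from collections import defaultdict

# Constructed training sequence of audit actions for one user; made up to
# illustrate the model, not taken from the paper.
TRAINING = ["login", "read", "execute", "read", "execute", "write",
            "read", "execute", "logout", "login", "read", "write",
            "read", "execute", "logout"]


class MarkovProcessModel:
    """Each distinct event type is a state; the transition matrix holds the
    observed frequency of moving from one state to the next."""

    def __init__(self, threshold: float):
        self.threshold = threshold          # minimum acceptable probability
        self.counts = defaultdict(lambda: defaultdict(int))
        self.totals = defaultdict(int)

    def train(self, events) -> None:
        for prev, cur in zip(events, events[1:]):
            self.counts[prev][cur] += 1
            self.totals[prev] += 1

    def transition_probability(self, prev: str, cur: str) -> float:
        if self.totals[prev] == 0:      # state never seen: no evidence at all
            return 0.0
        return self.counts[prev][cur] / self.totals[prev]

    def is_abnormal(self, prev: str, cur: str) -> bool:
        return self.transition_probability(prev, cur) < self.threshold

    def scan(self, events):
        """Return (position, previous, current) for each low-probability
        transition in a new sequence."""
        return [(i, prev, cur)
                for i, (prev, cur) in enumerate(zip(events, events[1:]), start=1)
                if self.is_abnormal(prev, cur)]


def build_model(threshold: float = 0.1) -> MarkovProcessModel:
    """Train on the constructed sequence with the assumed threshold."""
    model = MarkovProcessModel(threshold)
    model.train(TRAINING)
    return model


if __name__ == "__main__":
    model = build_model()
    print(model.scan(["login", "read", "execute", "delete", "logout"]))
```

In the training data "read" is followed by "execute" four times out of five, so that transition is well above the threshold, while a "delete" that never followed "execute" during training has probability zero and is reported.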

2.5 Time Series Model

  • This model takes into account the order and interarrival times of the observations x1, ..., xn, as well as their values.
    • Uses an interval timer together with an event counter or resource measure.
  • A new observation is abnormal
    • if its probability of occurring at that time is too low.
  • Advantage:
    • measuring trends of behavior over time and detecting gradual but significant shifts in behavior.
  • Disadvantage:
    • more costly than the mean and standard deviation model.



3. Profile Structure


An activity profile
  • identifies the statistical model and metric of a random variable, and
  • the set of audit events measured by the variable.



The structure of a profile contains 10 components:
<Variable-Name, Action-Pattern, Exception-Pattern, Resource-Usage-Pattern, Period, Variable-Type, Threshold, Subject-Pattern, Object-Pattern, Value>
* the first 7 are independent of the subjects and objects

  • Variable-Name: name of the variable.
  • Action-Pattern: pattern that matches zero or more actions in the audit records
    • e.g., "login," "read," "execute."
  • Exception-Pattern: pattern that matches on the Exception-Condition field of an audit record.
  • Resource-Usage-Pattern: pattern that matches on the Resource-Usage field of an audit record.
  • Period: time interval for measurement
    • e.g., day, hour, minute (expressed in terms of clock units).
    • This component is null if there is no fixed time interval
      • e.g., the period is the duration of the activity.
  • Variable-Type: name of the abstract data type that defines a particular type of metric and statistical model
    • e.g., event counter with mean and standard deviation model.
  • Threshold: parameter(s) defining limit(s) used in the statistical test to determine abnormality.
    • This field and its interpretation are determined by the statistical model (Variable-Type).
    • For the operational model, it is an upper (and possibly lower) bound on the value of an observation;
    • for the mean and standard deviation model, it is the number of standard deviations from the mean.
  • Subject-Pattern: pattern that matches on the Subject field of audit records.
  • Object-Pattern: pattern that matches on the Object field of audit records.
  • Value: value of the current (most recent) observation and the parameters used by the statistical model to represent the distribution of previous values.
    • For the mean and standard deviation model, these parameters are count, sum, and sum-of-squares (first two moments).
    • The operational model requires no parameters.

Properties
  • A profile is uniquely identified by Variable-Name, Subject-Pattern, and Object-Pattern.
  • All components of a profile are invariant except for Value.


Although the model leaves unspecified the exact format for patterns, we have identified the following SNOBOL-like constructs as being useful:


The following is a sample profile
  • for measuring the quantity of output to user Smith's terminal on a session basis.
  • The variable type ResourceByActivity is a resource measure using the mean and standard deviation model.

Whenever the IDS receives an audit record that matches a variable's patterns,
  • it updates the variable's distribution and checks for abnormality.
  • The distribution of values for a variable is thus derived (learned) as audit records matching the profile patterns are processed.
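The following Python is an added example, not code from these notes or from Denning's IDES, tying together the audit-record 6-tuple of section IV, the ten profile components above, and the audit-record rule of section VII: a profile's patterns are matched against each audit record, the Value field is updated, and an anomaly record is emitted when the count exceeds the Threshold. It uses the operational model so that the statistics need no extra machinery. The first three audit records are the paper's decomposed COPY example; the remaining records, the glob syntax used for patterns (the paper leaves the pattern format open), and all names are assumptions of this example.

```python
import fnmatch
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class AuditRecord:
    """The paper's 6-tuple <Subject, Action, Object, Exception-Condition,
    Resource-Usage, Time-stamp>; "0" means no exception was raised."""
    subject: str
    action: str
    obj: str
    exception: str
    resource_usage: dict
    timestamp: int


# Constructed audit trail. The first three records are the paper's COPY
# example decomposed into single-object actions; the rest are made up.
AUDIT_TRAIL = [
    AuditRecord("Smith", "execute", "<Library>COPY.EXE", "0", {"CPU": 2}, 11058521678),
    AuditRecord("Smith", "read", "<Smith>GAME.EXE", "0", {"RECORDS": 0}, 11058521679),
    AuditRecord("Smith", "write", "<Library>GAME.EXE", "write-viol", {"RECORDS": 0}, 11058521680),
    AuditRecord("Smith", "write", "<Smith>NOTES.TXT", "0", {"RECORDS": 3}, 11058521700),
    AuditRecord("Smith", "write", "<Library>EDIT.EXE", "write-viol", {"RECORDS": 0}, 11058521710),
    AuditRecord("Jones", "write", "<Library>EDIT.EXE", "write-viol", {"RECORDS": 0}, 11058521715),
    AuditRecord("Smith", "write", "<Library>LOGIN.EXE", "write-viol", {"RECORDS": 0}, 11058521720),
]


@dataclass
class Profile:
    """The ten profile components. Patterns are globs here (an assumption of
    this example); only Value changes once the profile exists."""
    variable_name: str
    action_pattern: str
    exception_pattern: str
    resource_usage_pattern: str   # matched against the resource names
    period: Optional[int]         # None: the period is the activity itself
    variable_type: str            # here always EventCounterOperational
    threshold: float              # operational model: upper bound on the count
    subject_pattern: str
    object_pattern: str
    value: dict = field(default_factory=lambda: {"count": 0, "last": None})

    def key(self):
        """A profile is identified by Variable-Name, Subject- and Object-Pattern."""
        return (self.variable_name, self.subject_pattern, self.object_pattern)

    def matches(self, rec: AuditRecord) -> bool:
        fields = [(rec.subject, self.subject_pattern),
                  (rec.action, self.action_pattern),
                  (rec.obj, self.object_pattern),
                  (rec.exception, self.exception_pattern)]
        if not all(fnmatch.fnmatchcase(v, p) for v, p in fields):
            return False
        return any(fnmatch.fnmatchcase(name, self.resource_usage_pattern)
                   for name in rec.resource_usage)


def audit_record_rule(profile: Profile, rec: AuditRecord):
    """Generic audit-record rule for an event counter with the operational
    model: update Value, then test the count against the fixed Threshold.
    Returns an anomaly record <Event, Time-stamp, Profile-key> or None."""
    if not profile.matches(rec):
        return None
    profile.value["count"] += 1
    profile.value["last"] = rec.timestamp
    if profile.value["count"] > profile.threshold:
        return ("audit", rec.timestamp, profile.key())
    return None


def process_trail(profiles, trail):
    """Apply every profile's rule to every record; collect anomaly records."""
    anomalies = []
    for rec in trail:
        for profile in profiles:
            anomaly = audit_record_rule(profile, rec)
            if anomaly is not None:
                anomalies.append(anomaly)
    return anomalies


def demo():
    # WriteFails for user Smith against the shared <Library> directory,
    # measured per session (no fixed period); more than 2 failures is abnormal.
    write_fails = Profile("WriteFails", "write", "*-viol", "*", None,
                          "EventCounterOperational", 2, "Smith", "<Library>*")
    return process_trail([write_fails], AUDIT_TRAIL), write_fails


if __name__ == "__main__":
    anomalies, profile = demo()
    print(anomalies, profile.value)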


4. Profiles for Classes


Profiles can be defined
  • for individual subject-object pairs
    • e.g., where the Subject and Object patterns match specific names,
      • e.g., Subject "Smith" and Object "Foo"
  • for aggregates of subjects and objects
    • e.g., where the Subject and Object patterns match sets of names



e.g., file-activity profiles could be created
  • for pairs of individual users and files
  • for groups of users with respect to specific files
  • for individual users with respect to classes of files
  • for groups of users with respect to file classes


[Description of each node in the figure above]

  • Subject-Object: actions performed by a single subject on a single object
    • e.g., user Smith, file Foo.

  • Subject-Object Class:
    • actions performed by a single subject aggregated over all objects in the class.
    • The class of objects might be represented
      • as a pattern match on a subfield of the Object field that specifies the object's type (class),
      • as a pattern match directly on the object's name
        • (e.g., the pattern "*.EXE" for all executable files),
      • as a pattern match that tests whether the object is in some list
        • (e.g., "IN(hit-list)").

  • Subject Class-Object: actions performed on a single object aggregated over all subjects in the class
    • e.g., privileged users-directory file <Library>, nonprivileged users-directory file <Library>.

  • Subject Class-Object Class: actions aggregated over all subjects in the class and objects in the class
    • e.g., privileged users-system files, nonprivileged users-system files.

  • Subject: actions performed by a single subject aggregated over all objects
    • e.g., user session activity.

  • Object: actions performed on a single object aggregated over all subjects
    • e.g., password file activity.

  • Subject Class: actions aggregated over all subjects in the class
    • e.g., privileged user activity, nonprivileged user activity.

  • Object Class: actions aggregated over all objects in the class
    • e.g., executable file activity.

  • System: actions aggregated over all subjects and objects.

The random variable represented by a profile for a class can aggregate activity for the class in two ways: class-as-a-whole activity and aggregate individual activity.

  • Class-as-a-whole activity
    • The set of all subjects or objects in the class is treated as a single entity, and
    • each observation of the random variable represents aggregate activity for the entity.
      • e.g., a profile for the class of all users representing the average number of logins into the system per day, where all users are treated as a single entity.
  • Aggregate individual activity
    • The subjects or objects in the class are treated as distinct entities, and
    • each observation of the random variable represents activity for some member of the class.
      • e.g., a profile for the class of all users characterizing the average number of logins by any one user per day. Thus, the profile represents a "typical" member of the class.

  • Class-as-a-whole activity can be defined by an event counter, interval timer, or resource measure for the class.
  • Aggregate individual activity is defined in terms of the lower-level profiles for the individual class members.
    • Aggregate individual activity requires separate metrics for each member of the class.
  • For example
    • average login frequency per day is defined as the average of the daily total frequencies in the individual user login profiles.
    • A measure for a class-as-a-whole could also be defined in terms of lower-level profiles, but this is not necessary.


The two methods of aggregation serve different purposes with respect to intrusion detection.
  • Class-as-a-whole activity reveals whether some general pattern of behavior is normal with respect to a class.
    • A variable that gives the frequency with which the class of executable program files is updated in the system per day, for example, might be useful for detecting the injection of a virus into the system (which causes executable files to be rewritten as the virus spreads).
    • A frequency distribution of remote logins into the class of dial-up lines might be useful for detecting attempted break-ins.
  • Aggregate individual activity reveals whether the behavior of a given user (or object) is consistent with that of other users (or objects).
    • This may be useful for detecting intrusions by new users who have deviant behavior from the start.
5. Profile Templates


When user accounts and objects are created dynamically, a mechanism is needed for generating activity profiles for those new subjects and objects. Three approaches are in use.
  • Manual create
    • The security officer explicitly creates all profiles.
    • Drawback: requires manual intervention on the part of the security officer.
  • Automatic explicit create
    • All profiles for a new user or object are generated in response to a "create" record in the audit trail.
    • Advantage: removes the drawback of "manual create".
    • Drawbacks
      • It does not automatically deal with startup conditions, where there will be many existing subjects and objects.
      • It requires a subject-object profile to be generated for any pair that is a candidate for monitoring, even if the subject never uses the particular object.
        • This causes many more profiles than necessary to be generated.
        • e.g., with 1000 users each owning 200 files, there are 200,000 files in total and 200,000,000 possible user-file pairs. If each user accesses at most 300 files, only 300,000 profiles are needed.
  • First use
    • A profile is automatically generated when a subject (new or old) first uses an object (new or old).
    • This is the approach adopted in the IDES model.
    • Advantage: removes the drawbacks of both "manual create" and "automatic explicit create".
      • How: profiles are generated from templates.

5.1 Profile Template


A profile template
  • has the same structure as the profile it generates,
  • except that the subject and object patterns define both a matching pattern and a replacement pattern
    • matching pattern: matched against the audit records
    • replacement pattern: placed in the generated profile


The format for the fields Subject-Pattern and Object-Pattern is thus:

matching-pattern <- replacement-pattern

The Value component of a template profile contains the initial values for the variable, as specified by its type.


When a new audit record is received (the process of generating profiles from an audit record):
  1. the record is matched against both activity profiles and template profiles,
  2. yielding the existing profiles that match and
  3. new profiles generated from the matching templates.
  4. The subject and object patterns in a generated profile contain the replacement patterns defined during the match;
  5. all other fields are copied exactly from the template.
  6. If a new profile has the same patterns as an existing activity profile,
    1. it is discarded;
    2. otherwise, it is added to the set of activity profiles.
  7. The process then returns the activity profiles matching the audit record.

Separate matching and replacement patterns are needed so that a template can match a wide range of subjects and objects.

For example, consider the following patterns:

  • The subject pattern will match any user name
    • and generate a replacement pattern with that name.
  • The object pattern will match any file in the list Special-Files
    • and generate a replacement pattern with that name.


e.g., the list Special-Files contains the file names Password and Accounts.
The following shows a sequence of audit records and the profiles that a template with these matching and replacement patterns will generate:


The subject and object patterns for a template can be mutually dependent, as in the following patterns:


Here, the object pattern will match any file in the user's directory and generate a profile for the user's directory.

The following shows a sequence of audit records and the profiles that would be generated from a template containing these patterns:
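As an added example (not from these notes or from IDES), the Python below implements first-use profile generation from templates with separate matching and replacement patterns, covering both templates described above: one whose object pattern matches any file in the list Special-Files, and one whose object pattern depends on the subject already matched (any file in the user's own directory). Since the paper's SNOBOL-like pattern constructs are not reproduced in the notes, the tiny pattern language here ("*", "IN(list)", "$subject"/"$object" substitution plus globs) is an assumption of this example, as are the template and profile names and the audit sequence.

```python
import fnmatch
from dataclasses import dataclass

# Constructed list named in the paper's example: the object pattern
# IN(Special-Files) matches any file named in this list.
LISTS = {"Special-Files": ["Password", "Accounts"]}


def substitute(text: str, bindings: dict) -> str:
    """Replace $name with the value bound to name during matching."""
    for key, val in bindings.items():
        text = text.replace("$" + key, val)
    return text


def match_field(pattern: str, value: str, bindings: dict, name: str) -> bool:
    """Match one template field (assumed mini-language, not the paper's):
      "*"         any value, bound to $<name>
      "IN(list)"  value is a member of the named list
      otherwise   a glob, after $-bindings are substituted into it
    """
    if pattern == "*":
        bindings[name] = value
        return True
    if pattern.startswith("IN(") and pattern.endswith(")"):
        if value in LISTS[pattern[3:-1]]:
            bindings[name] = value
            return True
        return False
    if fnmatch.fnmatchcase(value, substitute(pattern, bindings)):
        bindings[name] = value
        return True
    return False


@dataclass(frozen=True)
class Template:
    """Subject/Object fields hold matching-pattern <- replacement-pattern."""
    variable_name: str
    subject_match: str
    subject_repl: str
    object_match: str
    object_repl: str

    def generate(self, subject: str, obj: str):
        """Key (Variable-Name, Subject-Pattern, Object-Pattern) of the profile
        this template generates for the record, or None if it does not match."""
        bindings = {}
        if not match_field(self.subject_match, subject, bindings, "subject"):
            return None
        if not match_field(self.object_match, obj, bindings, "object"):
            return None
        return (self.variable_name,
                substitute(self.subject_repl, bindings),
                substitute(self.object_repl, bindings))


class ProfileStore:
    def __init__(self, templates):
        self.templates = list(templates)
        self.profiles = []      # keys of generated activity profiles, in order

    def process(self, subject: str, obj: str):
        """First use: generate profiles from matching templates, discard any
        whose patterns already exist, and return the profiles matching the record."""
        for template in self.templates:
            key = template.generate(subject, obj)
            if key is not None and key not in self.profiles:
                self.profiles.append(key)
        return [key for key in self.profiles
                if fnmatch.fnmatchcase(subject, key[1])
                and fnmatch.fnmatchcase(obj, key[2])]


def demo() -> ProfileStore:
    """Run the two example templates over a constructed audit sequence."""
    store = ProfileStore([
        # any user <- that user; any file in Special-Files <- that file
        Template("SpecialFileAccess", "*", "$subject", "IN(Special-Files)", "$object"),
        # mutually dependent: any file in the user's directory <- the directory
        Template("OwnDirectoryAccess", "*", "$subject", "<$subject>*", "<$subject>*"),
    ])
    for subject, obj in [("Smith", "Password"), ("Smith", "Accounts"),
                         ("Jones", "Password"), ("Smith", "Password"),
                         ("Smith", "<Smith>GAME.EXE"), ("Smith", "<Library>COPY.EXE")]:
        store.process(subject, obj)
    return store


if __name__ == "__main__":
    for key in demo().profiles:
        print(key)
```

The second access by Smith to Password generates a profile with the same patterns as an existing one and is discarded, and the access to <Library>COPY.EXE matches neither template, so four profiles result; a later record for any file under <Smith> is then matched by the generated "<Smith>*" profile rather than creating a new one.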

6. New User and Objects


Introducing new users and objects into the target system potentially raises two problems.
  • The first is generating an excessive number of anomaly records.
    • Cause: the lack of profile information about the user's behavior, as well as the user's own inexperience with the system.
    • Remedy: anomalies for new users could be ignored, were it not for the second problem: failing to detect an intrusion by the new user. (<- this sentence reads oddly)

We would like a solution that minimizes false alarms without overlooking actual intrusions.
  • False alarms can be controlled
    • by an appropriate choice of statistical model for the activities causing the alarms,
    • by an appropriate choice of profiles.
      • e.g., with the mean and standard deviation model the confidence intervals are initially large, so that more diversity is tolerated while data are being collected about a user's behavior; the intervals then shrink as the number of observations increases.
    • This reduces false alarms caused by an individual user profile, but does not protect the system against new users (or infrequent users) whose behavior is devious, or against users who establish unusual behavior from the beginning, as a cover.
    • To deal with this problem, current activity can be compared to that in aggregate individual profiles or with the set of profiles for all users or all users in some group.
    • Although the operational model does not automatically adapt to an individual user (because it uses fixed thresholds to determine abnormality), the problem can be solved by using more lenient bounds with new users, and by adjusting the bounds as the user gains experience.

7. Possible Profiles


We shall now describe candidate profiles for measuring
  • login and session activity,
  • command and program usage,
  • file accesses.
For each profile, we suggest a metric and statistical model for measuring the activity.


7.1 Login and Session Activity

  • LoginFrequency
  • LocationFrequency
  • LastLogin
    • Interval timer measuring time since last login using the operational model.
    • This type of profile could be defined for individual users but not location classes, since the exact location seems less relevant than the lapse of time.
    • It would be particularly useful for detecting a break-in on a "dead" account.
  • SessionElapsedTime
  • SessionOutput
  • SessionCPU, SessionIO, SessionPages, etc.
  • PasswordFails
  • LocationFails


7.2 Command or Program Execution

  • ExecutionFrequency
  • ProgramCPU, ProgramIO, etc.
  • ExecutionDenied
  • ProgramResourceExhaustion


7.3 File-Access Activity

  • ReadFrequency, WriteFrequency, CreateFrequency, DeleteFrequency
  • RecordsRead, RecordsWritten
  • ReadFails, WriteFails, DeleteFails, CreateFails
  • FileResourceExhaustion


VI. ANOMALY RECORDS


Through its activity rules, IDES updates activity profiles and checks for anomalous behavior whenever an audit record is generated or a period terminates.

If abnormal behavior is detected, an anomaly record is generated.

An anomaly record = <Event, Time-stamp, Profile>

  • Event: indicates the event giving rise to the abnormality
    • either "audit," meaning the data in an audit record was found abnormal,
    • or "period," meaning the data accumulated over the current interval was found abnormal.
  • Time-stamp:
    • either the time-stamp in the audit record
    • or the interval stop time.
  • Profile: the activity profile with respect to which the abnormality was detected
    • (rather than including the complete profile, IDES might include a "key" field, which identifies the profile in the database, and the current state of the Value field).

VII. ACTIVITY RULES (notes incomplete from here on)

An activity rule specifies an action to be taken
  • when an audit record or anomaly record is generated, or
  • when a time period ends.


It consists of two parts:
  • a condition that, when satisfied, causes the rule to be "fired,"
    • the condition is specified as a pattern match on an event;
  • a body.
    • It is not called an "action" in order to avoid confusion with the actions monitored by IDES.


Four kinds of rules
  • Audit-record rule
    • Condition: triggered by a match between a new audit record and an activity profile.
    • Body: updates the profile and checks for anomalous behavior.
  • Periodic-activity-update rule
    • Condition: triggered by the end of an interval matching the period component of an activity profile.
    • Body: updates the profile and checks for anomalous behavior.
  • Anomaly-record rule
    • Condition: triggered by the generation of an anomaly record.
    • Body: brings the anomaly to the immediate attention of the security officer.
  • Periodic-anomaly-analysis rule
    • Condition: triggered by the end of an interval.
    • Body: generates summary reports of the anomalies during the current period.

Audit-Record Rules


  • Triggered whenever a new audit record matches the patterns in an activity profile.
  • It updates the profile to reflect the activity reported in the record and checks for deviant behavior.
  • If an abnormality is detected, it generates an anomaly record.
  • Since the algorithm for updating the profile and checking for abnormality depends only on the type t of variable (statistical metric and model) represented by the profile, but not on the profile's other components (e.g., subject, object, action, etc.), it can be encoded in a procedure AuditProcess_t.
  • Thus, all audit-record rules are represented by the following generic rule:


Periodic-Activity-Update Rules


  • Triggered whenever the clock implies a period of length p completes, the Period component of a profile is p, and the Variable-Type component is t.
  • The rule updates the matching profile and checks for abnormal behavior;
    • if an abnormality is detected, it generates an anomaly record.

Anomaly-Record Rules

  • Triggered whenever a new anomaly record matches patterns given in the rule for its components Event and Profile.
  • Thus, a rule may be conditioned on a particular variable, a particular subject or object, on the audit action that was found to be anomalous, and so forth.

Reference: Dorothy E. Denning, "An Intrusion-Detection Model", IEEE, 1987
Summarized: 2008.12.15 by 임헌정
http://www.4ellene.net
2008/12/16 18:22
Intrusion Detection: A Brief History and Overview


Richard A. Kemmerer and Giovanni Vigna
Reliable Software Group, Computer Science Department, University of California Santa Barbara




Google Doc: http://docs.google.com/Doc?id=dgqhdkpv_310gzx45j2q

Written: 2008-11-26 by 임헌정
http://www.4ellene.net
2008/11/27 18:29
Hmm... I was once stubborn enough to be nicknamed "X-stubborn" myself, but..

You're the master..

CBN News, reporter 김현석, 2008-11-26

Source: http://news.cnbnews.com/category/read.html?bcode=60314

2008/11/26 15:33
While reading a post on some blog..

I was reminded of last summer.

An experience I would rather not have had... I thought it was forgotten by now...

As "자그니" put it...

Forget? How could I forget? Those people, the people collapsing and being beaten right before my eyes, how could I forget? How could I ever forget?

President 이명박... if it were only the economy that was hard, I think I could understand.. the whole world is like that, they say...

But even before the economic crisis, I disliked him because of his attitude toward the people, his personnel decisions, and his economic policies...

We don't criticize him just because he can't revive the economy. At the very least he shouldn't be turning democracy backwards..


Still, there seems to be one thing 명박 did right... America elected Bush... and after suffering for several years..

(whether he will do well I don't know, but personally I think it was a mature vote) they elected a black president.

If we suffer like this too.... at least we'll learn a lot when it comes to voting... as long as the country doesn't collapse in the meantime..


2008/11/26 13:17


BonnMotion

A mobility scenario generation and analysis tool

Information

Copyright © 2002-2005 University of Bonn
This software is distributed under the terms of the GNU General Public License which is included in the archive.

BonnMotion is a Java software which creates and analyses mobility scenarios. It is developed within the Communication Systems group at the Institute of Computer Science IV of the University of Bonn, Germany, where it serves as a tool for the investigation of mobile ad hoc network characteristics. The scenarios can also be exported for the network simulator ns-2 and GlomoSim/QualNet. Several mobility models are supported, namely

  • the Random Waypoint model,
  • the Gauss-Markov model,
  • the Manhattan Grid model and
  • the Reference Point Group Mobility model.

For further information consult the documentation. Please send questions and feedback concerning BonnMotion to Christian de Waal or Michael Gerharz.

Download

Download BonnMotion v1.3a (2005-10-07) as complete ZIP archive (376K) or as gzipped patch to version 1.3 (1K; re-run compile after applying the patch).

If this is of any use for you, you can also download a script to scale the time axis of a BonnMotion scenario, which might be included in future versions of BonnMotion.

Change Log

Changes from version 1.3 to 1.3a:

  • Fixed the bug that prevented the wrapper from executing the OriginalGaussMarkov module.

Changes from version 1.2b to 1.3:

  • Changed the semantics of attraction points: While in previous versions, it was the distance from an attraction point which was normally distributed with mean zero (with uniformly distributed directions), it is now the deviation from the attraction point in each dimension which is normally distributed (resulting in distances which follow a Ricean distribution).
  • Fixed a bug in the LinkDump module that caused links which go down after simulation end not to be printed.
  • Added the OriginalGaussMarkov module, which is more closely related to the Gauss-Markov model as originally proposed (for details please consult the README file).
  • Added some features to the previous GaussMarkov model (for details please consult the README file).

Changes from version 1.2a to 1.2b:

  • Fixed another bug in the Manhattan Grid model that caused the nodes to move out of the simulation area. Also changed the implementation so that nodes do not start at (0,0) but at random positions using random directions, so the choice of the initialisation phase is less critical.

Changes from version 1.2 to 1.2a:

  • Fixed a bug in the Manhattan Grid model that occurred when using a pause probability greater than zero and caused mobile nodes to move slower rather than really pausing.

Changes from version 1.1 to 1.2:

  • Added the XML schema proposed by Horst Hellbrück <horst.hellbrueck@i-u.de> as a standardised mobility file format for the research program "Schwerpunktprogramm 1140" of the DFG (Deutsche Forschungsgemeinschaft).
  • Fixed a bug in the Statistics module. This bug resulted in a wrong calculation of the average node degree. (The higher the node count, the smaller was the deviation from the correct value.)
  • Added the "Qualnet mode" to the GlomoFile module (starts numbering nodes with 1, not with 0).

Changes from version 1.0 to 1.1:

  • Fixed a severe bug in the RPGM implementation.
  • Fixed a bug in the Statistics application that led to wrong calculations of the "partitioning degree".
  • Added GlomoSim/Qualnet support (thanks to the University of Karlsruhe).
  • Slightly modified the LinkDump application (formerly LinkDurationDump) which is now more intuitive to use.
  • Fixed a bug in GaussMarkov that messed up the field size when using parameters from another scenario (using -I).

The development of this software was supported in part by the German Federal Ministry of Education and Research (BMBF) as part of the IPonAir project.

Source: http://web.informatik.uni-bonn.de/IV/Mitarbeiter/dewaal/BonnMotion/
2008/11/20 13:11
When writing a paper,

the way references are cited differs slightly between publishers and societies... so I collected them here..

Some of them change their format every year, so keep that in mind.

IEEE : http://wwwlib.murdoch.edu.au/find/citation/ieee.html

ACM :

[1]    Bowman, M., Debray, S. K., and Peterson, L. L. 1993. Reasoning about naming systems. ACM Trans. Program. Lang. Syst. 15, 5 (Nov. 1993), 795-825. DOI= http://doi.acm.org/10.1145/161468.161471.

[2]    Ding, W. and Marchionini, G. 1997 A Study on Video Browsing Strategies. Technical Report. University of Maryland at College Park.

[3]    Fröhlich, B. and Plate, J. 2000. The cubic mouse: a new device for three-dimensional input. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (The Hague, The Netherlands, April 01 - 06, 2000). CHI '00. ACM Press, New York, NY, 526-531. DOI= http://doi.acm.org/10.1145/332040.332491

[4]    Tavel, P. 2007 Modeling and Simulation Design. AK Peters Ltd.

[5]    Sannella, M. J. 1994 Constraint Satisfaction and Debugging for Interactive User Interfaces. Doctoral Thesis. UMI Order No. GAX95-09398, University of Washington.

[6]    Forman, G. 2003. An extensive empirical study of feature selection metrics for text classification. J. Mach. Learn. Res. 3 (Mar. 2003), 1289-1305.

[7]    Brown, L. D., Hua, H., and Gao, C. 2003. A widget framework for augmented interaction in SCAPE. In Proceedings of the 16th Annual ACM Symposium on User interface Software and Technology (Vancouver, Canada, November 02 - 05, 2003). UIST '03. ACM Press, New York, NY, 1-10. DOI= http://doi.acm.org/10.1145/964696.964697

[8]    Y.T. Yu, M.F. Lau, "A comparison of MC/DC, MUMCUT and several other coverage criteria for logical decisions", Journal of Systems and Software, 2005, in press.

[9]    Spector, A. Z. 1989. Achieving application requirements. In Distributed Systems, S. Mullender, Ed. Acm Press Frontier Series. ACM Press, New York, NY, 19-33. DOI= http://doi.acm.org/10.1145/90417.90738



Elsevier : http://www.elsevier.com/framework_products/promis_misc/apmrformat.pdf

Standard journal article with continuous pagination throughout a volume (omit the month and issue number): Vega KJ, Pina I, Krevsky B. Heart transplantation is associated with an increased risk for pancreatobiliary disease. Ann Intern Med 1996;124:980-3.


Computer Society : [link]

A.J. Albrecht, “Measuring Application-Development Productivity,” Programmer Productivity Issues for the Eighties, 2nd ed., C. Jones, ed., IEEE CS Press, 1981, pp. 34-43.


Springer : [Sample file]
Smith, T.F., Waterman, M.S.: Identification of Common Molecular Subsequences. J. Mol. Biol. 147, 195–197 (1981)

2008/10/08 15:29