Detection and Immunisation of Network-based Security
The first step in building, designing or researching IDS and
network anomaly systems is to study data gathering techniques
from various sources such as intrusion detection systems.
Problems involved with regard to data management and collection
How do we collect the data? Which source of data is the most
useful? Specifically, where on the network is the most effective
place to monitor? Should the hosts run an IDS as well as a
network-based IDS? Also, what type of traffic needs to be analysed:
raw network traffic or application data? It certainly looks like a
range of different levels of the network need to be monitored. With
modern systems, a lot of data is generated, which often overwhelms
the human and computer systems set up to sift through it.
- ...typically overwhelming operators with system messages
and other low-level data. (BASS, T, 2000)
- False alarms from ID systems are problematic, persistent,
and preponderant (BASS, T, 2000)
For example, (SEKAR et al) implement a high-performance network
intrusion detection system which operates on network traffic. It is
suggested that it can work at network speeds as high as 500mbps.
It uses a form of pattern matching which closely resembles regular
expressions. This approach is meant to cut down on the development
time needed to handle newly discovered attacks. The main disadvantage
is being unable to respond quickly to newly discovered threats.
(KRÜGEL et al) investigate an application-based IDS which
builds a model of behaviour from service-specific traffic.
This system extends a model which only includes TCP packet information
by considering the payload as well. The model proposed by KRÜGEL
splits the traffic into its main components: HTTP, DNS,
SMTP and FTP. Unfortunately, this type of model depends on an initial
training period and, once again, is prone to errors once large
variations in network traffic occur.
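As an added illustration of the service-specific modelling idea (example code written for this page, not the KRÜGEL et al. implementation), the snippet below learns a per-service payload-length profile during a training period and then scores new packets against it; the port-to-service mapping and the three-standard-deviation alarm rule are assumptions of the example. The final case shows how legitimate traffic that drifts away from the training period is flagged as a false positive.

```python
import statistics
from collections import defaultdict

# Assumed port -> service mapping covering the four services the text names.
SERVICES = {80: "HTTP", 53: "DNS", 25: "SMTP", 21: "FTP"}

class ServiceModel:
    """Per-service model of payload length learned during a training period."""

    def __init__(self, k=3.0):
        self.k = k                      # alarm threshold in standard deviations
        self.lengths = defaultdict(list)
        self.stats = {}                 # service -> (mean, stdev)

    def train(self, packets):
        """packets: iterable of (dst_port, payload_bytes) seen while training."""
        for dport, payload in packets:
            self.lengths[SERVICES.get(dport, "OTHER")].append(len(payload))
        for svc, ls in self.lengths.items():
            mean = statistics.mean(ls)
            sd = statistics.pstdev(ls) or 1.0   # avoid a zero-width threshold
            self.stats[svc] = (mean, sd)

    def score(self, dport, payload):
        """Distance of this payload from the service's learned profile."""
        svc = SERVICES.get(dport, "OTHER")
        if svc not in self.stats:
            return float("inf")             # service absent from training data
        mean, sd = self.stats[svc]
        return abs(len(payload) - mean) / sd

    def is_anomalous(self, dport, payload):
        return self.score(dport, payload) > self.k

def build_demo_model():
    """Train on a small constructed sample: short HTTP requests and DNS queries."""
    training = [(80, b"G" * n) for n in (60, 70, 80, 90, 100)]
    training += [(53, b"Q" * n) for n in (30, 32, 34, 36, 38)]
    model = ServiceModel()
    model.train(training)
    return model

if __name__ == "__main__":
    m = build_demo_model()
    print(m.is_anomalous(80, b"A" * 2000))   # oversized HTTP request: alarm
    print(m.is_anomalous(53, b"Q" * 35))     # ordinary DNS query: no alarm
    # A legitimate 130-byte request after traffic shifted away from the
    # training period is flagged too: the false-positive problem noted above.
    print(m.is_anomalous(80, b"P" * 130))
    print(m.is_anomalous(21, b"USER x"))     # FTP never seen in training: alarm
```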
Once the data has been collected, how do we make sense of it?
Is it used as it comes in? Is it stored later on and used for
The application of data fusion in technical
systems requires mathematical and heuristic techniques from
fields such as statistics, AI, operations research, digital
signal processing, pattern recognition, cognitive psychology,
information theory, and decision theory (BASS, T, 2000)
Huge volumes of data and false positives are problems that need
to be addressed. Further research into the field of neural networks
will need to be undertaken.
ID systems that examine operating system
audit trails, or network traffic and other similar detection
systems, have not matured to a level where sophisticated
attacks are reliably detected (BASS, T, 2000)
… Network management and ID systems must operate
in a uniform and cooperative model, fusing data into information
and knowledge, so network operators can make informed decisions
about the health and real-time security of their corner
of cyber-space (BASS, T, 2000)
In a nutshell, the basic approaches to intrusion detection
today may be summarized as known pattern templates, threatening
behaviour templates, traffic analysis, statistical-anomaly
detection, and state-based detection (BASS, T, 2000)
There are certainly a number of areas to investigate with regard
to active network management. So far, the SNMP protocol framework
has been examined. A more comprehensive comparison of the available
network management protocols would be recommended.
Proactive network management implies
setting up network devices to automatically detect problems
and correct them without the network manager’s intervention,
allowing the networks to ‘heal’ themselves.
(CHIU, T. 1998)
Platforms do not provide much in the way of proactive network
management. Platforms like HP OpenView and SunNet Manager
provide a method of monitoring existing traffic patterns
and devices in the network, but generally cannot give much
help in preventing problems from occurring. (CHIU, T. 1998)
In addition, proactive network management requires the
user to capture data about network behaviours, existing
(CHIU, T. 1998)
If we were to consider a more holistic approach to network defence,
then (YEGNESWARAN et al) suggest, based on their research, that a list
of common offenders' IP addresses could be compiled using the data
from router logs collected from many organisations:
Such attacks are fairly common, and
that blacklisting the worst offenders would be an effective
mechanism of defending against non-port 80 (YEGNESWARAN
et al, 2003)
Once again, it comes down to how much data processing needs
to be done and how we do it.
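As an added example (not the authors' code or data), the following aggregates constructed router drop-log lines contributed by several organisations and ranks the source addresses seen at more than one organisation on non-port-80 services, the kind of cross-organisation offender list the text describes; the log format, the sample addresses and the two-organisation threshold are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed log format for this example (not any real router's syntax):
# "<org> <date> <time> DROP src=<ip> dst_port=<port> proto=<tcp|udp>"
LINE_RE = re.compile(
    r"^(?P<org>\S+) \S+ \S+ DROP src=(?P<src>[\d.]+) dst_port=(?P<port>\d+)")

# Constructed sample: drop logs contributed by three organisations.
SAMPLE_LOGS = """\
orgA 2003-05-01 10:00:01 DROP src=203.0.113.9 dst_port=445 proto=tcp
orgA 2003-05-01 10:00:02 DROP src=203.0.113.9 dst_port=135 proto=tcp
orgA 2003-05-01 10:00:05 DROP src=198.51.100.7 dst_port=80 proto=tcp
orgB 2003-05-01 11:12:00 DROP src=203.0.113.9 dst_port=445 proto=tcp
orgB 2003-05-01 11:13:00 DROP src=192.0.2.44 dst_port=1434 proto=udp
orgC 2003-05-01 12:00:00 DROP src=203.0.113.9 dst_port=139 proto=tcp
orgC 2003-05-01 12:01:00 DROP src=192.0.2.44 dst_port=1434 proto=udp
orgC 2003-05-01 12:02:00 DROP src=198.51.100.7 dst_port=80 proto=tcp
"""

def parse(text):
    """Yield (org, src_ip, dst_port) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["org"], m["src"], int(m["port"])

def worst_offenders(text, min_orgs=2):
    """Rank sources seen at >= min_orgs organisations on non-port-80 services.

    Returns (src, org_count, sorted_ports, hit_count) tuples, broadest first.
    """
    orgs, ports, hits = defaultdict(set), defaultdict(set), defaultdict(int)
    for org, src, port in parse(text):
        if port == 80:          # the text scopes the blacklist to non-port-80
            continue
        orgs[src].add(org)
        ports[src].add(port)
        hits[src] += 1
    # Rank by how many organisations saw the source, then by how many distinct
    # services it probed, then by raw hit count.
    ranked = sorted(orgs, key=lambda s: (len(orgs[s]), len(ports[s]), hits[s]),
                    reverse=True)
    return [(s, len(orgs[s]), sorted(ports[s]), hits[s])
            for s in ranked if len(orgs[s]) >= min_orgs]

if __name__ == "__main__":
    for src, n_orgs, probed, n in worst_offenders(SAMPLE_LOGS):
        print(f"{src}: seen at {n_orgs} orgs, ports {probed}, {n} drops")
```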
BASS, T, 2000. Intrusion Detection Systems and Multisensor Data
Fusion. Communications of the ACM, Volume 43, Issue 4, Pages 99-105.
CHIU, T, 1998. Getting Proactive Network Management From Reactive
Network Management Tools. International Journal of Network Management,
Volume 8, Issue 1, Pages 12-17.
YEGNESWARAN V, BARFORD P, ULLRICH J, June 2003. Internet Intrusions:
Global Characteristics and Prevalence. ACM SIGMETRICS Performance
Evaluation Review, Volume 31, Issue 1 (Proceedings of the 2003 ACM
SIGMETRICS international conference on Measurement and modeling of
computer systems).
SEKAR R, GUANG Y, VERMA S, SHANBHAG T, November 1999. A
high-performance network intrusion detection system. Proceedings
of the 6th ACM conference on Computer and communications security.
KRÜGEL C, TOTH T, KIRDA E, March 2002. Service specific
anomaly detection for network intrusion detection. Proceedings
of the 2002 ACM symposium on Applied computing.