Intrusion Detection: Network Security beyond the Firewall
(Publisher: John Wiley & Sons, Inc.)
Author(s): Terry Escamilla
ISBN: 0471290009
Publication Date: 11/01/98


IDS Engine Categories

Statistical anomaly detection is an IDS approach that looks for deviations from statistical measures to detect unusual behavior. A set of variables is defined for subjects and objects such as users, groups, workstations, servers, files, network adapters, and other resources. The baseline is established for each variable by looking at historical data or by declaring expected values. As system activities occur, a list of variables is maintained and updated for each subject or object of interest. For example, the IDS can keep track of the number of files read by an individual user over a given period of time. Variables often are combined mathematically with a weighting function to give a consolidated measure. In addition, the IDS watches for individual threshold conditions, such as three or more failed attempts to su root. An intrusion is defined as any unacceptable deviation from expected values.
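As an added illustration of this approach (example code, not from the book or any product it describes), the script below keeps per-user variables from a constructed event stream, builds a baseline from constructed history, combines standardised deviations with an assumed weighting function, and also checks the individual "three or more failed su root" threshold:

```python
import statistics
from collections import defaultdict

# Constructed per-day history for one user: the baseline for each variable.
BASELINE = {
    "alice": {"files_read": [40, 52, 47, 45, 50], "failed_su": [0, 0, 1, 0, 0]},
}
WEIGHTS = {"files_read": 1.0, "failed_su": 2.0}  # assumed weighting function
SU_THRESHOLD = 3       # individual threshold: three or more failed su root attempts
SCORE_THRESHOLD = 3.0  # assumed cut-off for the consolidated deviation score

def profile(history):
    """Expected value and spread per variable (spread is floored so a constant
    history cannot divide by zero)."""
    return {v: (statistics.mean(x), max(statistics.pstdev(x), 0.5))
            for v, x in history.items()}

def count_events(events):
    """Maintain the per-user variable list from a stream of (user, kind) events."""
    counts = defaultdict(lambda: defaultdict(int))
    for user, kind in events:
        if kind == "read":
            counts[user]["files_read"] += 1
        elif kind == "su_fail":
            counts[user]["failed_su"] += 1
    return counts

def evaluate(user, counts):
    """Return (consolidated score, list of alerts) for one user's current counts."""
    score, alerts = 0.0, []
    for var, (mean, sd) in profile(BASELINE[user]).items():
        deviation = (counts.get(var, 0) - mean) / sd     # standardised deviation
        score += WEIGHTS[var] * max(deviation, 0.0)      # only excess activity adds risk
    if counts.get("failed_su", 0) >= SU_THRESHOLD:
        alerts.append("threshold: %d failed su root attempts" % counts.get("failed_su", 0))
    if score >= SCORE_THRESHOLD:
        alerts.append("anomaly: consolidated score %.1f" % score)
    return score, alerts

if __name__ == "__main__":
    day = [("alice", "read")] * 48 + [("alice", "su_fail")] * 3   # constructed day
    print(evaluate("alice", count_events(day)["alice"]))
```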

Pattern matching detection compares activities against a collection of known attacks to find intrusions. The idea is to define, in advance, known problems and then to watch for event data that matches one of the patterns. Individual patterns can be composed of single events, sequences of events, thresholds of events, or general regular expressions in which AND and OR operators are allowed. Negation also is permitted when defining a pattern, although the computational complexity of looking for “everything but this event” can be staggering.

Some interesting implementation challenges are faced by IDS developers. Garbage collection is necessary when a pattern is partially matched but will never be completely satisfied. For example, if the pattern looks for actions only for the duration of a single program, and the program finishes without incident, active partial patterns waste precious memory unless discarded. Also, the efficiency of the pattern-matching engine is important for scalability. Finite-state machine models, well proven in compiler technology, seem to be suitable for filtering large numbers of events. Other pattern-matching engines include rule-based systems or decision trees. The computer science literature contains a tremendous number of pattern-matching techniques. Detecting computer intrusions is just one domain in which expert systems, neural nets, decision trees, fuzzy classification systems, or probabilistic reasoning models might be beneficial. Early IDSs were often based on expert systems. Therefore, you will find commercial tools that rely on rule-based inference engines for detecting intrusions, too.
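The following added example (not the book's or any vendor's code) shows a minimal finite-state pattern matcher of the kind described above: each pattern advances one state per matching event for one subject (here, a session or program run), a reset event such as a successful login discards a partial "three failed logins in a row", and a session end garbage-collects partial matches that can never complete. Both patterns are constructed for illustration.

```python
# Each pattern is an ordered event sequence plus the events that reset a partial match.
PATTERNS = {
    "three-failed-logins": {"seq": ["login_fail"] * 3, "reset": {"login_ok"}},
    # constructed program-scoped pattern: only meaningful within one program run
    "passwd-write-by-program": {"seq": ["open_passwd", "write_passwd"], "reset": set()},
}

class Matcher:
    def __init__(self, patterns=PATTERNS):
        self.patterns = patterns
        self.state = {}   # (session, pattern name) -> index of the next event to match

    def feed(self, session, etype):
        """Advance every pattern's state machine for this session.
        Returns the names of patterns completed by this event."""
        fired = []
        for name, p in self.patterns.items():
            key = (session, name)
            if etype in p["reset"]:
                self.state.pop(key, None)          # partial match is no longer valid
                continue
            i = self.state.get(key, 0)
            if etype == p["seq"][i]:
                i += 1
                if i == len(p["seq"]):
                    fired.append(name)
                    self.state.pop(key, None)      # complete: start from the beginning
                else:
                    self.state[key] = i            # keep the partial match alive
        return fired

    def end_session(self, session):
        """Garbage collection: drop partial matches that can never be satisfied
        once the session (or program) has finished. Returns how many were dropped."""
        stale = [k for k in self.state if k[0] == session]
        for k in stale:
            del self.state[k]
        return len(stale)

    def live_partials(self):
        return len(self.state)

if __name__ == "__main__":
    m = Matcher()
    for e in ["login_fail", "login_fail", "login_ok", "login_fail", "login_fail", "login_fail"]:
        print(e, "->", m.feed("s1", e))           # fires only on the third uninterrupted failure
```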

Overlap with statistical techniques is unavoidable in pattern matchers because sequences such as “three failed logins in a row” represent patterns of interest. Thus, the division between a pattern-matching IDS and an anomaly detector IDS is not completely clean. One chief difference is that pattern-matching approaches have proportionally fewer statistical calculations than the anomaly detector systems.

The set of attack patterns that an IDS supports is compiled from various sources including CERT advisories, proprietary knowledge, and practical experiences. It is not always necessary to update the pattern database when a new hack attack is discovered. If the patterns are defined generally, and the new attack is really just a member of a class of problems, then an existing pattern will catch the intrusion. This capability is in contrast to virus detectors that must be continually updated as new viruses are discovered. A pattern-matching IDS does not necessarily need to be updated just because a new program experiences a buffer overflow attack. The challenge for the IDS vendor is to write the buffer overflow attack pattern in a general enough manner to truly detect the scenario, regardless of which program or system library exhibits the weakness. Vulnerability scanners are updated more often because they look for specific attacks rather than general patterns.

Anomaly Detection versus Pattern Matching

To be accurate, many different types of anomaly detection and pattern matching IDS tools are available. Nonetheless, sticking with these two broad categories is enough for the moment. Both types have strengths and weaknesses.

The advantages of pattern matching tools include the following:

  The number and types of events to monitor are both constrained to only those data items needed to match a pattern. If you aren’t worried about watching for Web server attacks because your system is a mail server, then you do not need to turn on all of the patterns in the database. Also, you probably can reduce the number and types of events you monitor.
  The pattern-matching engine tends to be more efficient due to the absence of floating-point computations for statistical measures.

Disadvantages of pattern-matching approaches include the following:

  Scalability and performance are a function of the size and architecture of the pattern database or rule base.
  Extensibility is often difficult because no general-purpose pattern specification language exists. Adding your own attack signatures is complicated.
  Additions to the pattern database are required as new classes of attacks are found. Although patterns are flexible and do not need to be updated as often as virus scanners, some new attacks may not be caught by existing patterns.
  Learning is not generally designed into the model, although nothing precludes the addition of a learning component into pattern-matching models. None of the commercial IDSs exhibit any type of artificial intelligence learning capabilities today. This feature would be one way to automatically update the pattern-matching database as new attacks are learned.
  Converting a natural language description of a hack into a pattern can be difficult. Hence, the task can require substantial manual encoding efforts. If the pattern is not specified correctly, it won’t catch the hack. Therefore, IDS vendors who build patterns are required to run extensive test cases to guarantee that attacks are caught. Reporting an intrusion when one did not occur also is to be avoided by the pattern creator.
