Statistical anomaly detection is an IDS approach that looks for deviations from statistical measures to detect unusual behavior. A set of variables is defined for subjects and objects such as users, groups, workstations, servers, files, network adapters, and other resources. The baseline is established for each variable by looking at historical data or by declaring expected values. As system activities occur, a list of variables is maintained and updated for each subject or object of interest. For example, the IDS can keep track of the number of files read by an individual user over a given period of time. Variables often are combined mathematically with a weighting function to give a consolidated measure. In addition, the IDS watches for individual threshold conditions, such as three or more failed attempts to su root. An intrusion is defined as any unacceptable deviation from expected values.
Pattern matching detection compares activities against a collection of known attacks to find intrusions. The idea is to define, in advance, known problems and then to watch for event data that matches one of the patterns. Individual patterns can be composed of single events, sequences of events, thresholds of events, or general regular expressions in which AND and OR operators are allowed. Negation also is permitted when defining a pattern, although the computational complexity of looking for "everything but this event" can be staggering.
Some interesting implementation challenges are faced by IDS developers. Garbage collection is necessary when a pattern is partially matched but will never be completely satisfied. For example, if the pattern looks for actions only for the duration of a single program, and the program finishes without incident, active partial patterns waste precious memory unless discarded. Also, the efficiency of the pattern-matching engine is important for scalability. Finite-state machine models, well proven in compiler technology, seem to be suitable for filtering large numbers of events. Other pattern-matching engines include rule-based systems or decision trees. The computer science literature contains a tremendous number of pattern-matching techniques. Detecting computer intrusions is just one domain in which expert systems, neural nets, decision trees, fuzzy classification systems, or probabilistic reasoning models might be beneficial. Early IDSs were often based on expert systems. Therefore, you will find commercial tools that rely on rule-based inference engines for detecting intrusions, too.
Overlap with statistical techniques is unavoidable in pattern matchers because sequences such as three failed logins in a row represent patterns of interest. Thus, the division between a pattern-matching IDS and an anomaly detector IDS is not completely clean. One chief difference is that pattern-matching approaches have proportionally fewer statistical calculations than the anomaly detector systems.
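The threshold pattern mentioned above (three or more failed attempts to su root), expressed as a small finite-state matcher that also performs the partial-match garbage collection described earlier. This is an added illustration, not code from the book; the event fields, the event kinds (su_fail, su_ok, logout) and the sample stream are constructed for the example.

```python
from collections import namedtuple
# Constructed event record (field names are this example's assumptions).
Event = namedtuple("Event", "ts session kind user")

class SuFailureMatcher:
    """Finite-state matcher for 'three or more failed su attempts in one session'.
    Each session with at least one failure is a partial match; its state is the
    number of consecutive failures seen so far."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.partial = {}    # session -> consecutive failures (partial matches)
        self.alerts = []

    def feed(self, ev):
        if ev.kind == "su_fail":
            n = self.partial.get(ev.session, 0) + 1
            if n >= self.threshold:
                self.alerts.append((ev.session, ev.user, n))
                self.partial.pop(ev.session, None)  # pattern satisfied: retire it
            else:
                self.partial[ev.session] = n         # advance the partial match
        elif ev.kind == "su_ok":
            self.partial.pop(ev.session, None)  # success breaks the "in a row" run
        elif ev.kind == "logout":
            # Garbage collection: the session ended without incident, so this
            # partial match can never complete and must not keep using memory.
            self.partial.pop(ev.session, None)

def run(events, threshold=3):
    """Feed every event in order; return (alerts, partial matches still alive)."""
    m = SuFailureMatcher(threshold)
    for ev in events:
        m.feed(ev)
    return m.alerts, m.partial

# Constructed sample stream: session A fails three times (alert); B fails twice
# and logs out (collected); C fails twice, then succeeds (reset).
SAMPLE = [
    Event(1, "A", "su_fail", "alice"), Event(2, "B", "su_fail", "bob"),
    Event(3, "A", "su_fail", "alice"), Event(4, "B", "su_fail", "bob"),
    Event(5, "C", "su_fail", "carol"), Event(6, "B", "logout", "bob"),
    Event(7, "C", "su_fail", "carol"), Event(8, "A", "su_fail", "alice"),
    Event(9, "C", "su_ok", "carol"),
]

if __name__ == "__main__":
    alerts, leftovers = run(SAMPLE)
    print(alerts)     # [('A', 'alice', 3)]
    print(leftovers)  # {} : B and C were discarded before the stream ended
```

Lowering the threshold shows the statistical overlap the text describes: the same engine becomes a counter whose cutoff, not its structure, decides what counts as an intrusion.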
The set of attack patterns that an IDS supports is compiled from various sources including CERT advisories, proprietary knowledge, and practical experiences. It is not always necessary to update the pattern database when a new hack attack is discovered. If the patterns are defined generally, and the new attack is really just a member of a class of problems, then an existing pattern will catch the intrusion. This capability is in contrast to virus detectors that must be continually updated as new viruses are discovered. A pattern-matching IDS does not necessarily need to be updated just because a new program experiences a buffer overflow attack. The challenge for the IDS vendor is to write the buffer overflow attack pattern in a general enough manner to truly detect the scenario, regardless of which program or system library exhibits the weakness. Vulnerability scanners are updated more often because they look for specific attacks rather than general patterns.
Anomaly Detection versus Pattern Matching
To be accurate, many different types of anomaly detection and pattern matching IDS tools are available. Nonetheless, sticking with these two broad categories is enough for the moment. Both types have strengths and weaknesses.
The advantages of pattern matching tools include the following:
Disadvantages of pattern-matching approaches include the following: