
2.2. Intrusion Detection Systems Chapter 2. Intrusion Detection Systems

IDS were first defined by Anderson [6] as a "Computer Security Threat Monitoring and Surveillance System", but it was Dorothy Denning's [57] work that really marked the beginning of research on IDS [14]. Denning defines an IDS as an expert system capable of detecting security violations originating from break-in attempts from outside or from abuse by inside users. The framework in her work describes the use of statistical methods to detect intrusions and abnormal user patterns.

There are two basic categories of IDS: anomaly IDS and misuse IDS. Anomaly IDS assume that intrusions are deviations from normal traffic. These systems build profiles of different variables over time to obtain a usage pattern [18]. A significant difference between the profile and current activity triggers an alarm. In other words, anything outside normal is considered an intrusion. Anomaly IDS generally use statistical methods, but more recent research uses machine learning to find patterns in normal and abnormal activity. Anomaly IDS are capable of detecting unknown attacks [125], but they also typically have a high rate of false alarms. Another disadvantage of anomaly IDS is that an attacker can train them to accept malicious activity as normal [57, 20]. Misuse IDS, on the other hand, do not learn anomalous behaviour. The pattern of a particular intrusion is hard-coded as a rule or signature [14]. Misuse IDS compare current activity with predefined rules and, if they find a match, execute an action such as triggering an alarm. That is, contrary to anomaly IDS, anything not in the rules is normal. They are considered fast [141], reliable and typically easy to implement [146]. The biggest disadvantage of misuse IDS is that they are unable to detect new attacks. Other problems are that the accuracy of the rules depends on the designer, and that slight variations of a known attack are not detected.

Another functional division of intrusion detection is between Host IDS (HIDS) and Network IDS (NIDS). Host IDS work inside a host by analysing log files, memory, disk and network utilization [112]. HIDS search for anomalous or abnormal patterns in the current behaviour of the host. Because they reside inside the host, they are even capable of analysing encrypted information. They are network-topology independent and suitable for working transparently in complex network environments. This characteristic makes them very effective in detecting attacks from insiders, which may be overlooked by network security devices such as firewalls [175]. The disadvantages of Host IDS are that they are only as good as the log files they read [56], that IDS tasks add processing load on the host, and that they are OS dependent.

Network IDS can be connected in the network between the protected hosts (inside network) and the non-trusted network (outside network), as shown in Figure 2.1. They examine all network traffic passing between the two networks and search for patterns that match attacks or intrusions. The first NIDS is described as a Network Security Monitor [73]. The proposed architecture and operation of this system are the foundation of any modern NIDS. In this research Heberlein et al. [73] proposed a packet catcher that captured traffic off the network in real time, a parser that extracted information from the different protocol layers, a matrix generator that held information for the 4-tuple <source, destination, service, connectionID>, a matrix analyzer that used a hybrid approach between anomaly and misuse IDS to identify attacks, and a matrix archiver that wrote information to disk.
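As an added example (not code from the thesis or from Heberlein et al.'s NSM), the Python below sketches the pipeline just described together with the anomaly/misuse distinction from the previous section: a matrix generator keyed by the 4-tuple, a misuse analyzer with one hard-coded signature, and an anomaly analyzer with a per-service statistical profile. All connection records, the signature and the deviation threshold k are constructed for illustration.

```python
# Added example (not from the thesis or Heberlein et al.); all records are constructed.
from collections import defaultdict
from statistics import mean, pstdev

# (source, destination, service, connectionID, bytes, failed_logins)
BASELINE = [  # "normal" traffic used to build the anomaly profile
    ("10.0.0.5", "10.0.0.1", "http", 1, 1000, 0),
    ("10.0.0.6", "10.0.0.1", "http", 2, 1100, 0),
    ("10.0.0.7", "10.0.0.1", "http", 3, 900, 0),
    ("10.0.0.5", "10.0.0.1", "http", 4, 1000, 0),
    ("10.0.0.8", "10.0.0.1", "http", 5, 1000, 0),
    ("10.0.0.9", "10.0.0.2", "ssh", 6, 300, 1),
]
CURRENT = [  # traffic under analysis
    ("10.0.0.5", "10.0.0.1", "http", 7, 1150, 0),   # normal
    ("10.0.0.9", "10.0.0.2", "ssh", 8, 300, 5),     # known pattern: repeated failed logins
    ("10.0.0.6", "10.0.0.1", "http", 9, 50000, 0),  # unknown pattern: bulk transfer
    ("10.0.0.7", "10.0.0.1", "http", 10, 1200, 0),  # legitimate but slightly large
]

def matrix_generator(records):
    """Index each record by the NSM 4-tuple <source, destination, service, connectionID>."""
    return {(s, d, svc, cid): {"bytes": b, "failed": f} for s, d, svc, cid, b, f in records}

def build_profile(matrix):
    """Anomaly profile: mean and population std-dev of bytes for each service."""
    per_service = defaultdict(list)
    for (_, _, svc, _), v in matrix.items():
        per_service[svc].append(v["bytes"])
    return {svc: (mean(vals), pstdev(vals)) for svc, vals in per_service.items()}

def misuse_analyzer(matrix, max_failed=3):
    """Hard-coded signature: an SSH connection with more than max_failed failed logins."""
    return sorted(key for key, v in matrix.items() if key[2] == "ssh" and v["failed"] > max_failed)

def anomaly_analyzer(matrix, profile, k=3.0):
    """Alarm when bytes deviate more than k std-devs from the service profile;
    a service absent from the profile is itself a deviation from normal."""
    def deviates(svc, nbytes):
        if svc not in profile:
            return True
        mu, sd = profile[svc]
        return abs(nbytes - mu) > k * sd
    return sorted(key for key, v in matrix.items() if deviates(key[2], v["bytes"]))

def hybrid_analyzer(current, baseline):
    """Combine both analyzers, as the NSM matrix analyzer did."""
    profile = build_profile(matrix_generator(baseline))
    matrix = matrix_generator(current)
    misuse, anomaly = misuse_analyzer(matrix), anomaly_analyzer(matrix, profile)
    return {"misuse": misuse, "anomaly": anomaly, "all": sorted(set(misuse) | set(anomaly))}
```

With these records the signature catches the SSH connection that the profile misses (its byte count looks normal), the profile catches the bulk transfer for which no signature exists, and the 1200-byte connection is a false alarm of the anomaly side.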

Figure 2.1: Network Intrusion Detection System

In practice, a single NIDS can protect several hosts with heterogeneous operating systems. This characteristic makes the approach easy and cheap to deploy. Other advantages are that they add no processing load on the hosts and that it is more difficult for an attacker to remove evidence from them [175]. The big disadvantage is that they are network-topology dependent, which makes them difficult to deploy in complex network environments. As depicted in Figure 2.2, they can be deployed in-line or out-line. In the in-line topology all network traffic passes through the IDS; the advantage is that the IDS can perform defensive actions to filter the attack. The downside is that any problem in the IDS affects the connection from the inside to the outside network. In the out-line topology the IDS is transparent to the network infrastructure: the monitored port is mirrored from the network to the IDS. The advantage is that any failure or overload of the IDS does not affect network operation. The disadvantage is that the device can only monitor the network, and defensive actions are restricted.

Distributed Intrusion Detection Systems (DIDS) are groups of IDS or sensors coordinated to detect anomalies or intrusions [19]. The system can be homogeneous, with every sensor of the same type, or heterogeneous, with a mixture of types. The architecture of DIDS varies from central control and management [161], through hierarchical central management and clustering [181], to peer-to-peer without central management [87]. We will discuss DIDS in the next section.