Saturday, April 2, 2011

A Talk by Mr. Dahliyusmanto in Seminar In Info. Sec. Class (MCS 2070)

Assalamualaikum... This is the third talk, given this time by Mr. Dahliyusmanto on 24th February 2011. Here's a brief about him: he is from Indonesia and is a PhD student supervised by Prof. Hanan. During his Master by Research study he focused on Intrusion Detection Systems (IDS), on a combination of anomaly detection with different analysis methods. In this brief talk he shared with us about Intrusion Detection Systems (IDS). First he began with the definition of intrusion. An intrusion is a set of actions that attempt to compromise the Confidentiality, Integrity and Availability (CIA) of a resource. Examples are Denial of Service (DoS) attacks, an attempt to starve a host of resources, and compromises, obtaining privileged access to a host through known vulnerabilities. Intrusion Detection is the process of identifying and responding to intrusion activities. He then explained the elements of intrusion detection. The primary assumptions are that system actions are observable, and that normal and intrusive actions have distinct evidence.

From an algorithmic perspective, the components of an IDS are the features and the models. The features capture intrusion evidence, while a model pieces the evidence together. From a system architecture perspective, the components are the audit data processor, knowledge base, decision engine, alarm generation and responses. More broadly, the components of an IDS are (1) Information Collection, (2) Detection and (3) Responses, while the parameters of an IDS are (1) Accuracy, (2) Performance and (3) Completeness. Its sources are (1) Host-based, (2) Network-based, (3) Application-based and (4) Hybrid. Furthermore, he stated that an IDS can respond in two ways, active and passive. As for IDS placement, it can be placed anywhere, whether inside or outside the firewall. On the modelling approach of an IDS, the features are the evidence extracted from the audit data, and then there is the analysis approach.

There are two types of detection: Misuse Detection and Anomaly Detection. Misuse Detection looks for attack signatures in the user's behaviour. The weakness of this kind of detection is that its signatures always need to be updated, and it cannot detect new virus threats for which no signature exists yet. Anomaly Detection statistically analyses the user's current actions, compares them against profiles describing the user's normal behaviour, and reports significant deviations to the security officer. The advantage of anomaly detection is that it can detect new virus threats.

He then explained Host-based vs Network-based IDS. A Host-based IDS uses the operating system's (OS) auditing mechanisms; for example, BSM on Solaris logs all direct or indirect events generated by a user. The Host-based IDS then monitors the execution of system programs, e.g. it analyses the system calls made by "sendmail", to detect and examine malicious activity. It is optimised for monitoring individual hosts, and it monitors the system's network activity, file system, log files and user actions. A Network-based IDS deploys sensors at strategic locations, e.g. packet sniffing via tcpdump at routers. It inspects network traffic, watching for violations of protocols and unusual connection patterns. It monitors user activities, and it may be easily defeated.

He then stated that the next generation of IDS is adaptive: it detects new intrusions, is scenario-based, and correlates (multiple sources of) audit data and attack information. The challenges of IDS are (1) runtime limitations, (2) specification of detection signatures and (3) dependency on the environment, where a high rate of false alarms is the limiting factor for the performance of an IDS. The potential solutions are (1) data mining, (2) machine learning techniques, both supervised learning and unsupervised learning, and (3) a co-simulation mechanism, integrating the misuse and anomaly detection techniques by applying a co-stimulation mechanism. Lastly, he stated that in the future he might talk about Intrusion Prevention Systems, and then the class was dismissed.
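To make the misuse-versus-anomaly comparison and the host-based "analyse the system calls made by sendmail" idea concrete, here is an added example (my own code, not from the talk or from any real IDS). It assumes a host audit trail that yields, per program run, the ordered list of system calls; the traces, the single attack signature, the 3-gram profile size and the 0.3 threshold are all constructed for illustration. The misuse detector matches known-bad call sequences, the anomaly detector scores a trace by how many of its call n-grams never appeared in the normal profile, and both are then scored for detection rate and false-alarm rate, which shows the trade-off the talk describes: the signature approach misses the novel attack, and the anomaly approach catches it but also raises a false alarm on a legitimate but unusual run.

```python
"""Misuse (signature) detection beside anomaly (profile) detection over
host audit traces. Added example: the system-call traces, the attack
signature and the thresholds are constructed for illustration and are
not from the talk or from any real IDS."""
from collections import namedtuple

# The label is ground truth used only to score the detectors afterwards.
Record = namedtuple("Record", "label syscalls")

# Constructed traces of one program (think "sendmail") under normal use;
# the anomaly detector learns its profile from these.
NORMAL_TRACES = [
    ("open", "read", "write", "close"),
    ("open", "read", "read", "write", "close"),
    ("open", "read", "write", "write", "close"),
    ("socket", "connect", "write", "read", "close"),
]

# Misuse detection needs one signature per known attack (constructed here).
SIGNATURES = {
    "privileged-shell-spawn": ("execve", "setuid", "execve"),
}


def contains_sequence(trace, pattern):
    """True if `pattern` occurs as a contiguous run inside `trace`."""
    n = len(pattern)
    return any(tuple(trace[i:i + n]) == pattern for i in range(len(trace) - n + 1))


def misuse_detect(trace):
    """Names of every signature that matches the trace (empty list = no match)."""
    return [name for name, pat in SIGNATURES.items() if contains_sequence(trace, pat)]


def ngrams(trace, n):
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def build_profile(traces, n=3):
    """Normal-behaviour profile: the set of syscall n-grams seen in training."""
    profile = set()
    for t in traces:
        profile.update(ngrams(t, n))
    return profile


def anomaly_score(trace, profile, n=3):
    """Fraction of the trace's n-grams that the profile has never seen."""
    grams = ngrams(trace, n)
    if not grams:
        return 0.0
    return sum(1 for g in grams if g not in profile) / len(grams)


def anomaly_detect(trace, profile, threshold=0.3, n=3):
    """Report a significant deviation from the normal profile."""
    return anomaly_score(trace, profile, n) > threshold


# Constructed test records: an ordinary run, a known attack, an attack with
# no signature yet, and a legitimate but unusual run (stat before read).
TEST_RECORDS = [
    Record("normal", ("open", "read", "write", "close")),
    Record("attack", ("open", "read", "execve", "setuid", "execve", "close")),
    Record("attack", ("open", "chmod", "chown", "unlink", "close")),
    Record("normal", ("open", "stat", "read", "write", "close")),
]


def evaluate(verdicts, records):
    """Detection rate (caught attacks / attacks) and false-alarm rate
    (flagged normal records / normal records) for a list of booleans."""
    caught = sum(1 for r, v in zip(records, verdicts) if r.label == "attack" and v)
    false_alarms = sum(1 for r, v in zip(records, verdicts) if r.label == "normal" and v)
    n_attack = sum(1 for r in records if r.label == "attack")
    n_normal = len(records) - n_attack
    return {"detection_rate": caught / n_attack, "false_alarm_rate": false_alarms / n_normal}


def run_both(records=TEST_RECORDS):
    """Run both detectors over the records and score each one."""
    profile = build_profile(NORMAL_TRACES)
    misuse = [bool(misuse_detect(r.syscalls)) for r in records]
    anomaly = [anomaly_detect(r.syscalls, profile) for r in records]
    return {"misuse": evaluate(misuse, records), "anomaly": evaluate(anomaly, records)}


if __name__ == "__main__":
    for name, m in run_both().items():
        print(f"{name:8s} detection={m['detection_rate']:.2f} "
              f"false_alarm={m['false_alarm_rate']:.2f}")
```

Running it reports a 0.50 detection rate with no false alarms for misuse detection and a 1.00 detection rate with a 0.50 false-alarm rate for anomaly detection. Lowering the threshold or training on too few normal traces pushes the false-alarm rate up further, which is exactly the "dependency on environment" challenge: the profile is only as good as the normal behaviour it was built from.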
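For the network-based side, "watch for violations of protocols and unusual connection patterns" over sniffed traffic, here is a second added example (again my own code, not the speaker's). It parses a simplified, constructed tcpdump-style summary (real tcpdump output carries microsecond timestamps and more fields; the line format, addresses and timings here are made up) and applies two checks a sensor at a router could run: a protocol-violation rule (SYN and FIN set in the same segment, which no legitimate handshake produces) and a connection-pattern rule (one source reaching many distinct ports on one host inside a short time window). The 10-second window and the 5-port threshold are assumptions; the slow third host shows why the window matters.

```python
"""Network-based checks over a constructed, simplified tcpdump-style capture.
Added example: the line format, addresses, timings and thresholds are all
made up for illustration and are not from the talk or from a real capture."""
import re
from collections import defaultdict

# Constructed capture: a normal web client (10.0.0.7), one host that walks
# seven ports in three seconds (10.0.0.5), and a slow host (10.0.0.8).
SAMPLE_LINES = """\
12:00:00 IP 10.0.0.7.51000 > 10.0.0.9.443: Flags [S]
12:00:01 IP 10.0.0.7.51001 > 10.0.0.9.443: Flags [S]
12:00:01 IP 10.0.0.5.40001 > 10.0.0.9.21: Flags [S]
12:00:01 IP 10.0.0.5.40002 > 10.0.0.9.22: Flags [S]
12:00:02 IP 10.0.0.5.40003 > 10.0.0.9.23: Flags [S]
12:00:02 IP 10.0.0.5.40004 > 10.0.0.9.25: Flags [S]
12:00:02 IP 10.0.0.7.51002 > 10.0.0.9.80: Flags [S]
12:00:03 IP 10.0.0.5.40005 > 10.0.0.9.80: Flags [S]
12:00:03 IP 10.0.0.5.40006 > 10.0.0.9.110: Flags [SF]
12:00:04 IP 10.0.0.5.40007 > 10.0.0.9.143: Flags [S]
12:00:30 IP 10.0.0.8.52000 > 10.0.0.9.22: Flags [S]
12:01:30 IP 10.0.0.8.52001 > 10.0.0.9.80: Flags [S]
12:02:30 IP 10.0.0.8.52002 > 10.0.0.9.443: Flags [S]
""".splitlines()

LINE_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d) IP (\d+(?:\.\d+){3})\.(\d+) > "
    r"(\d+(?:\.\d+){3})\.(\d+): Flags \[([A-Z.]*)\]$"
)


def parse_line(line):
    """One summary line -> dict, or None if the line is not in the expected form."""
    m = LINE_RE.match(line)
    if not m:
        return None
    hh, mm, ss, src, sport, dst, dport, flags = m.groups()
    return {
        "t": int(hh) * 3600 + int(mm) * 60 + int(ss),  # seconds since midnight
        "src": src, "sport": int(sport),
        "dst": dst, "dport": int(dport),
        "flags": flags,
    }


def parse_capture(lines):
    return [p for p in (parse_line(l) for l in lines) if p is not None]


def protocol_violations(pkts):
    """Protocol check: SYN and FIN together never occur in a valid TCP exchange."""
    return [p for p in pkts if "S" in p["flags"] and "F" in p["flags"]]


def fanout_alerts(pkts, window=10, threshold=5):
    """Connection-pattern check: one source contacting >= `threshold` distinct
    ports on one destination within any `window`-second span. Returns at most
    one alert per (src, dst) pair."""
    by_pair = defaultdict(list)
    for p in pkts:
        by_pair[(p["src"], p["dst"])].append((p["t"], p["dport"]))
    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {port for _, port in events[start:end + 1]}
            if len(ports) >= threshold:
                alerts.append({"src": src, "dst": dst, "distinct_ports": len(ports),
                               "window_start": events[start][0]})
                break
    return alerts


if __name__ == "__main__":
    packets = parse_capture(SAMPLE_LINES)
    for p in protocol_violations(packets):
        print(f"protocol violation: {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} flags={p['flags']}")
    for a in fanout_alerts(packets):
        print(f"unusual connection pattern: {a['src']} reached {a['distinct_ports']} ports on {a['dst']}")
```

On the sample, the protocol rule fires once (the [SF] segment) and the pattern rule fires once for 10.0.0.5, while 10.0.0.8, which touches three ports a minute apart, stays under the window and is not reported. Raising the threshold to 8 silences the pattern alert entirely, which is the tuning knob behind the talk's remark that a network IDS "may be easily defeated": a source that spreads its probes out over time slips below any fixed window.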
