Intrusion Detection Systems Flashcards

1
Q

What is the Aho-Corasick algorithm?

A

A multi-pattern string-search algorithm. It builds a finite automaton from the whole set of patterns and then finds every occurrence of every pattern in a single pass over the input, in time linear in the input length plus the number of matches, regardless of how many patterns there are. The lecture suggests that this is a suitable algorithm for signature matching in an IDS/IPS.

2
Q

What is the goto transition function in the Aho-Corasick algorithm?

A

A function that maps a pair (state, input symbol) to either a next state or the special value fail. The start state never fails: an input symbol with no outgoing edge from the start state maps back to the start state.

3
Q

What is the failure transition function in the Aho-Corasick algorithm?

A

A function that is consulted when the goto function returns fail. The failure function maps a state to a state: the state corresponding to the longest proper suffix of the input read so far that is also a prefix of some pattern. The matcher then retries the goto function from that state.

4
Q

What is the output function in the Aho-Corasick algorithm?

A

A function that associates with each state the (possibly empty) set of patterns from the input set that end at that state, i.e. the patterns that are reported as matched whenever the automaton enters that state.
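The three functions from cards 1 to 4 fit together as follows. This is an added example, not code from the lecture the cards summarise: a complete Aho-Corasick matcher in Python with explicit goto, failure and output functions, run over constructed signature strings and two constructed HTTP request lines (none of these are real IDS rules). The second payload is URL-encoded to show the caveat a practitioner meets immediately: signature matching only works on data the pre-processor has already normalised, so the same traversal attempt evades raw matching and is caught only after decoding.

```python
"""Aho-Corasick matcher built from the three functions the cards name:
goto, failure and output.

Added example for cards 1-4 (and for the signature matching that card 8
calls misuse detection); not code from the lecture. The signature strings
and the two sample payloads are constructed for illustration only.
"""
from collections import deque
from urllib.parse import unquote

FAIL = -1  # the special value returned by goto when no edge exists


class AhoCorasick:
    def __init__(self, patterns):
        self.patterns = list(patterns)
        self.goto_table = [{}]    # goto_table[state][symbol] -> state
        self.output = [set()]     # output[state] -> indices of patterns ending here
        self.failure = [0]        # failure[state] -> state
        for idx, pat in enumerate(self.patterns):
            self._add_pattern(idx, pat)
        self._build_failure()

    def _add_pattern(self, idx, pat):
        # Insert the pattern into the keyword trie, creating states as needed
        state = 0
        for ch in pat:
            if ch not in self.goto_table[state]:
                self.goto_table.append({})
                self.output.append(set())
                self.failure.append(0)
                self.goto_table[state][ch] = len(self.goto_table) - 1
            state = self.goto_table[state][ch]
        self.output[state].add(idx)

    def g(self, state, ch):
        """goto: (state, symbol) -> state, or FAIL. The start state never
        fails: a symbol with no edge from state 0 maps back to state 0."""
        nxt = self.goto_table[state].get(ch)
        if nxt is not None:
            return nxt
        return 0 if state == 0 else FAIL

    def _build_failure(self):
        # Breadth-first over the trie, so failure[r] is final before r's children
        queue = deque(self.goto_table[0].values())   # depth-1 states fail to 0
        while queue:
            r = queue.popleft()
            for ch, s in self.goto_table[r].items():
                queue.append(s)
                state = self.failure[r]
                while self.g(state, ch) == FAIL:      # terminates: g(0, ch) never fails
                    state = self.failure[state]
                self.failure[s] = self.g(state, ch)
                # A state also reports every pattern its failure state reports
                self.output[s] |= self.output[self.failure[s]]

    def search(self, text):
        """Single pass over text; returns sorted (start_offset, pattern) hits."""
        hits = []
        state = 0
        for i, ch in enumerate(text):
            while self.g(state, ch) == FAIL:
                state = self.failure[state]
            state = self.g(state, ch)
            for idx in self.output[state]:
                pat = self.patterns[idx]
                hits.append((i + 1 - len(pat), pat))
        return sorted(hits)


# Constructed signatures and payloads (not real rules or captured traffic)
SIGNATURES = ["/etc/passwd", "cmd.exe", "UNION SELECT", "<script>"]
SAMPLE_PAYLOAD = "GET /view?f=../../etc/passwd&q=<script>alert(1)</script> HTTP/1.1"
ENCODED_PAYLOAD = "GET /view?f=/etc/%70asswd HTTP/1.1"  # same file read, URL-encoded


def scan_payload(payload, signatures=SIGNATURES, normalize=False):
    """Match signatures against a payload. normalize=True URL-decodes first,
    standing in for the normalisation step of the IDS pre-processor."""
    if normalize:
        payload = unquote(payload)
    return AhoCorasick(signatures).search(payload)


if __name__ == "__main__":
    print(AhoCorasick(["he", "she", "his", "hers"]).search("ushers"))
    print(scan_payload(SAMPLE_PAYLOAD))
    print(scan_payload(ENCODED_PAYLOAD))                  # evades raw matching
    print(scan_payload(ENCODED_PAYLOAD, normalize=True))  # caught after decoding
```

On the classic input "ushers" with patterns he, she, his, hers the matcher reports she, he and hers, the overlapping he coming from the output set merged in along the failure link of the "she" state. The encoded payload produces no hit until it is decoded, which is why card 6 puts a normalising pre-processor in front of the detection algorithm.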

5
Q

What is an IDS and what does it do? What is an IPS?

A

An IDS is a device (or software) that monitors a network or host and tries to detect and identify intrusion activity, reporting it as alerts.

An IPS combines detection with prevention: it can block or drop the traffic it classifies as malicious instead of only alerting. This is typically accomplished by combining an IDS with a firewall, often implemented in hardware (ASIC) for greater performance. Other options are antivirus scanners and vulnerability scanners.

6
Q

What are the main components of an IDS?

A

Any IDS consists of three main parts:

  1. The data pre-processor, which parses and normalizes incoming traffic/logs (e.g. decoding and reassembling them) so that the detection stage sees a canonical form.
  2. A detection algorithm, which employs one or more detection models (misuse and/or anomaly detection) to detect intrusive activity.
  3. An alert filter, which takes the output from the detection algorithm and a set of decision criteria to estimate a severity. The final action (log, alert, block) depends on this severity score.

7
Q

What are some of the main types of IDS?

A

There are four main types of IDS:

  1. Host-based (monitors a single host: its logs, processes and system calls)
  2. Network-based (monitors traffic on a network segment)
  3. Application-based (monitors the events of a specific application)
  4. Target-based (uses hashes to detect changes to system objects, e.g., system files)

8
Q

What is misuse detection?

A

Misuse detection is centered around detecting behaviour known to be malicious or undesirable. It uses signatures of known intrusions to detect such activity. It is a reliable method for detecting known attacks and will often use pattern matching, i.e., searching the traffic for the signature strings. An example of such an algorithm is Aho-Corasick.

Misuse detection is not capable of detecting new attacks, i.e., those for which no signature has yet been written.

9
Q

What is anomaly detection?

A

Anomaly detection establishes profiles of normal/expected user behaviour. If the observed behaviour deviates from the profile to a sufficient extent, an alarm may be triggered. A simple example is a user logging on to an organization's network. If the user always logs on from the office, from an address in 123.123.123.0/24, but suddenly logs on from home with the address 90.202.11.34, then an anomaly has occurred and an alarm may be triggered.

Anomaly detection assumes that abnormal behaviour signifies intrusion. This allows it to detect new attacks, but it will also generate many false positives, since legitimate but unusual behaviour (such as the home login above) looks the same to the detector as an intrusion.
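The login example above, worked through as an added example (not code from the lecture): a learning phase builds, per user, the set of source networks seen in a constructed auth log; a detection phase then alerts on logins from networks outside that profile. The addresses 123.123.123.0/24 and 90.202.11.34 are the card's own; the other log lines, user names, the /24 profiling granularity and the MIN_BASELINE threshold are constructed assumptions made here.

```python
"""Profile-based anomaly detection for login source networks.

Added example for this card; not code from the lecture. The auth log lines,
user names and addresses are constructed (123.123.123.0/24 and 90.202.11.34
come from the card). Profiling by /24 and requiring MIN_BASELINE logins
before trusting a profile are design choices assumed here.
"""
import ipaddress
from collections import defaultdict

# Constructed log, one login per line: "<day> <user> <source ip>"
TRAINING_LOG = """\
day01 alice 123.123.123.17
day02 alice 123.123.123.42
day03 alice 123.123.123.17
day04 alice 123.123.123.99
day05 alice 123.123.123.42
day01 bob 10.20.30.5
day02 bob 10.20.30.6
day03 bob 10.20.30.5
"""

DETECTION_LOG = """\
day06 alice 123.123.123.17
day06 alice 90.202.11.34
day06 bob 10.20.30.7
day06 bob 198.51.100.9
day06 carol 203.0.113.5
"""

MIN_BASELINE = 3   # logins a user needs before the profile is trusted (assumed)
PREFIX = 24        # profile granularity: source /24 network (assumed)


def parse(log):
    """Yield (day, user, ip_address) for each non-empty log line."""
    for line in log.splitlines():
        if line.strip():
            day, user, ip = line.split()
            yield day, user, ipaddress.ip_address(ip)


def source_network(ip, prefix=PREFIX):
    # strict=False masks the host bits, giving the containing /prefix network
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def build_profiles(log):
    """Learning phase: per user, the set of source networks seen and the login count."""
    nets = defaultdict(set)
    counts = defaultdict(int)
    for _, user, ip in parse(log):
        nets[user].add(source_network(ip))
        counts[user] += 1
    return nets, counts


def detect(profiles, log):
    """Detection phase: alert on logins that deviate from the learned profile."""
    nets, counts = profiles
    alerts = []
    for day, user, ip in parse(log):
        net = source_network(ip)
        if counts[user] < MIN_BASELINE:
            # Too little history to know what 'normal' is for this user
            alerts.append((day, user, str(ip), f"no baseline ({counts[user]} logins)"))
        elif net not in nets[user]:
            alerts.append((day, user, str(ip), f"unseen network {net}"))
    return alerts


def run_example():
    return detect(build_profiles(TRAINING_LOG), DETECTION_LOG)


if __name__ == "__main__":
    for alert in run_example():
        print(*alert)
```

Alice's login from 90.202.11.34 is flagged exactly as the card describes, and the detector has no way to tell whether that is Alice working from home or an attacker using her credentials: that is the false-positive cost of assuming abnormal means intrusive. Bob's login from 198.51.100.9 is flagged for the same reason, while Carol, who has no history at all, is reported separately because no profile exists yet to compare against.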
