Abstract
We embark on a theoretical approach to the investigation of intrusion detection schemes. Our main motivation is to provide rigorous security requirements for intrusion detection systems that can be used by designers of such systems. Our model captures and generalizes well-known methodologies in the intrusion detection area, such as anomaly-based and signature-based intrusion detection, and formulates security requirements based on both well-known complexity-theoretic notions and well-known notions in cryptography (such as computational indistinguishability).
Under our model, we present two efficient paradigms for intrusion detection systems, one based on nearest neighbor search algorithms, and one based on both the latter and clustering algorithms. Under formally specified assumptions on the representation of network traffic, we can prove that our two systems satisfy our main security requirement for an intrusion detection system. In both cases, while the potential truth of the assumption rests on heuristic properties of the representation of network traffic (which is hard to avoid due to the unpredictable nature of external attacks on a network), the proof that the systems satisfy desirable detection properties is rigorous and of a probabilistic and algorithmic nature. Additionally, our framework raises open questions on intrusion detection systems that can be rigorously studied. As an example, we study the problem of arbitrarily and efficiently extending the detection window of any intrusion detection system, which allows the latter to catch attack sequences interleaved with normal traffic packet sequences. We use combinatorial tools such as time- and space-efficient covering set systems to present provably correct solutions to this problem.
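The following is an added illustration, not the paper's own construction (which the abstract does not detail), of how a covering set system extends the detection window of an arbitrary IDS: a hypothetical base detector sees only w packets at a time, so an attack signature spread over a larger window of n packets slips past it; running that same detector on the sub-sequences selected by the blocks of an (n, w, k) covering design (built here greedily, which is assumed, not the paper's time- and space-efficient construction) guarantees that the k attack packets land together in some block and are caught.

```python
from itertools import combinations

# Constructed 3-step attack sequence; a hypothetical base IDS flags it when it
# appears as a (not necessarily contiguous) subsequence of the packets it sees.
SIGNATURE = ("A", "B", "C")

def is_subsequence(sig, seq):
    it = iter(seq)
    return all(any(p == s for p in it) for s in sig)

def base_detect(packets, w):
    """Base IDS with detection window w: only w consecutive packets are
    examined together, so an attack interleaved over more than w packets is missed."""
    return any(is_subsequence(SIGNATURE, packets[i:i + w])
               for i in range(max(1, len(packets) - w + 1)))

def greedy_covering(n, m, k):
    """Greedy (n, m, k) covering design (assumed construction): m-subsets of
    range(n) such that every k-subset of positions lies inside some block."""
    uncovered = set(combinations(range(n), k))
    candidates = [frozenset(b) for b in combinations(range(n), m)]
    blocks = []
    while uncovered:
        best = max(candidates,
                   key=lambda b: sum(1 for s in uncovered if b.issuperset(s)))
        blocks.append(tuple(sorted(best)))
        uncovered = {s for s in uncovered if not best.issuperset(s)}
    return blocks

def is_covering(blocks, n, k):
    """Check the covering property every k-subset of positions is in some block."""
    return all(any(set(s) <= set(b) for b in blocks)
               for s in combinations(range(n), k))

def extended_detect(packets, w, k):
    """Extended IDS over a window of n = len(packets) > w: feed the base detector
    the w packets picked out by each covering block. If a k-packet attack is
    interleaved anywhere in the n packets, some block contains all k of them."""
    n = len(packets)
    for block in greedy_covering(n, w, k):
        if base_detect([packets[i] for i in block], w):
            return True
    return False

if __name__ == "__main__":
    # Constructed trace: attack steps at positions 0, 3 and 7, inside 8 packets.
    trace = ["A", "n", "n", "B", "n", "n", "n", "C"]
    print("base (w=5):", base_detect(trace, 5))          # False: window too short
    print("extended (n=8, w=5, k=3):", extended_detect(trace, 5, 3))  # True
```

The number of base-detector invocations equals the number of covering blocks, which is far smaller than the number of k-subsets of the n positions; the quality of the covering design is exactly what makes the extension efficient.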
The research was supported by Telcordia and NSA/ARDA under AFRL Contract F30602-03-C-0239. Any opinions, findings, and conclusions or recommendations expressed in this paper are those of the authors and do not necessarily reflect the views of NSA/ARDA.
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
Cite this paper
Di Crescenzo, G., Ghosh, A., Talpade, R. (2005). Towards a Theory of Intrusion Detection. In: di Vimercati, S.d.C., Syverson, P., Gollmann, D. (eds) Computer Security – ESORICS 2005. ESORICS 2005. Lecture Notes in Computer Science, vol 3679. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11555827_16
DOI: https://doi.org/10.1007/11555827_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-28963-0
Online ISBN: 978-3-540-31981-8