Analysis of Methods of Attack Detection and Prevention Systems


Paper Tashev 2022

NIDS ARCHITECTURE


In practice, IDPS use one or a combination of the following methods to detect attacks [23, 14]:
- signature analysis;
- statistical analysis;
- integrity control;
- analysis of system states;
- attack scenario graphs;
- expert systems;
- specification-based methods;
- neural networks;
- immune networks;
- cluster analysis;
- behavioral biometrics.
The detection methodologies built from these methods fall into three categories:
• Signature-based - attacks are described in a large database of known attack signatures, expressed as a set of rules.
• Anomaly-based - attacks are detected by comparing current activity with a previously established profile of "normal" activity. Such systems can detect attacks carried in encrypted traffic, because they can work from traffic characteristics rather than payload content, but they often suffer from a large number of false positives, i.e. alerts raised on benign activity. A network system using anomaly detection is also known as a Network Behavior Analysis (NBA) system.
• Stateful protocol analysis - monitors the state of network, transport and application protocols and compares observed activity against correct protocol behavior to detect attacks. Some signature-based systems also support stateful signatures: in Snort, for example, the flowbits keyword lets a series of rules be chained together so that state is tracked across multiple packets within a single transport-layer session, and the flow keyword (e.g. flow:established) limits a rule to established sessions only.
Signature-based IDPS methodology. This category covers signature analysis methods and has long been the common way to detect known attacks. A signature-based IDPS compares observed activity with the signatures of known attacks and, for those attacks, produces fewer false positives than anomaly detection. Its weakness is that it cannot recognize an attack that is new to the monitored environment [30], so it is unreliable against novel threats. The signatures are stored in a database, which makes this approach very effective in small deployments. The main disadvantage is that the database must be updated regularly and therefore grows continually, since it has to include as many signatures as possible [29, 3]; matching against it takes longer and longer, which reduces the performance of the IDPS.
The architecture shown in Figure 2 uses detectors that extract signatures from the monitored environment and evaluate them against the database of known signatures. If a signature matches, the system generates an alert; if nothing in the database matches, the detector stays silent [30].
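The following Python sketch is an added illustration, not code from the paper or from any IDPS product. It runs the matching loop of Figure 2 over constructed traffic and models the flowbits-style chaining described above: one rule only records that an anonymous FTP login happened, a second fires only when that same session later uploads a file, a plain content signature is restricted to established sessions, and a fourth session carries an attack that no rule describes and so, as the text notes, produces nothing. The rule set, SIDs, messages, session ids and packets are all made up for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    """Constructed stand-in for a decoded TCP segment."""
    session: str        # stand-in for the 5-tuple identifying the session
    established: bool   # True once the TCP handshake has completed
    payload: bytes


@dataclass
class Rule:
    """Minimal rule model: a content pattern plus optional flow/flowbits-style state."""
    sid: int
    msg: str
    content: bytes                    # byte pattern that must appear in the payload
    established_only: bool = False    # analogue of Snort's flow:established
    isset: Optional[str] = None       # fire only if this flag was set earlier in the session
    setbits: Optional[str] = None     # set this flag on match (analogue of flowbits:set)
    noalert: bool = False             # state-tracking rule only (analogue of flowbits:noalert)


# Hypothetical rule set (SIDs, messages and patterns are invented for the example).
RULES = [
    # Rule pair chained through a flag: the first only records an anonymous FTP
    # login, the second fires when that same session then uploads a file.
    Rule(1000001, "FTP anonymous login", b"USER anonymous",
         established_only=True, setbits="ftp.anon", noalert=True),
    Rule(1000002, "FTP anonymous user uploading a file", b"STOR ",
         established_only=True, isset="ftp.anon"),
    # Plain single-packet signature.
    Rule(1000003, "HTTP directory traversal in request URI", b"../../",
         established_only=True),
]


def run_signature_engine(packets: List[Packet],
                         rules: List[Rule] = RULES) -> List[Tuple[int, str, str]]:
    """Match every packet against every rule while keeping per-session flags.

    Returns (sid, session, msg) for each alert, in the order raised.
    """
    flags = defaultdict(set)   # session id -> flags set so far in that session
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule.established_only and not pkt.established:
                continue
            if rule.isset is not None and rule.isset not in flags[pkt.session]:
                continue
            if rule.content not in pkt.payload:
                continue
            if rule.setbits is not None:
                flags[pkt.session].add(rule.setbits)
            if not rule.noalert:
                alerts.append((rule.sid, pkt.session, rule.msg))
    return alerts


# Constructed traffic: four sessions A-D.
SAMPLE_TRAFFIC = [
    Packet("A", True,  b"USER anonymous\r\n"),                            # sets ftp.anon, silent
    Packet("A", True,  b"STOR payload.exe\r\n"),                          # chained rule fires
    Packet("B", True,  b"STOR report.pdf\r\n"),                           # no prior flag: silent
    Packet("C", False, b"GET /../../etc/passwd HTTP/1.0\r\n"),            # not established: skipped
    Packet("C", True,  b"GET /../../etc/passwd HTTP/1.0\r\n"),            # plain signature fires
    Packet("D", True,  b"GET /cgi-bin/unknown_new_attack HTTP/1.0\r\n"),  # no signature: silent
]

if __name__ == "__main__":
    for sid, session, msg in run_signature_engine(SAMPLE_TRAFFIC):
        print(f"[{sid}] session {session}: {msg}")
```

Session D is the point the text makes about signature systems: traffic that no rule describes is invisible to the engine however malicious it is, and the only remedy is another database update.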
Anomaly-based IDPS methodology. An anomaly-based IDPS requires baseline information and specific knowledge about the system it protects. Its strength is that it builds that baseline from collected evidence: the statistics, data, facts and figures gathered during a training period. This category includes statistical analysis, integrity control, attack scenario graphs, expert systems, neural networks, immune networks, cluster analysis and behavioral biometrics.
The baseline profile is the normal behavior of the monitored system, learned during a training period in which the IDPS observes the environment and builds the profile of the system it monitors. That environment can be a network, a set of users or a host. Anomaly-based IDPS are classified by what they profile: protocol anomalies and application payload anomalies [30]. They recognize deviations in computer systems and networks that fall outside the normal range of standard network traffic and system operation.


Fig.2. Signature based methodology architecture


Anomaly-based methodologies can identify unknown intrusions and attacks in a computer network without requiring a signature update. Whenever an anomalous operation is detected, a standard response to resolve the anomaly should be initiated; sometimes this produces false positives [25, 27, 28].
The anomaly (statistics) based NIDPS method is a comparison method: each activity is compared with a profile of all expected activities, built from statistics, facts and figures. There are two types of profile, fixed and dynamic. A fixed profile is the more efficient of the two: any behavior outside it is immediately classified as anomalous and prevented. A fixed profile cannot be changed once created, whereas a dynamic profile is updated as the monitored system changes, at the cost of additional overhead for the IDPS to keep the profile current. A dynamic profile also opens an evasion route: an attacker can spread an attack over a long period so that each step stays within the tolerated deviation. The attack then becomes part of the profile, because the IDPS absorbs the gradual changes as normal system change. A dynamic profile cannot be created without an existing fixed profile to start from, and once it exists an attacker who can observe the system over the long term can adjust their behavior to stay within it [30, 9].
Anomaly detection can detect new attacks, but without any guarantee of accuracy: it generates false alarms [25, 27, 8], so accuracy remains an open research problem [29]. According to Scarfone and Mell [30], there are three main anomaly detection techniques: statistical, data mining and machine learning.
The detector compares each event from the monitored environment against the baseline profile, with three possible outcomes. If the event matches the baseline profile, no action is required. If it does not match the baseline but lies within the allowed threshold, the profile is updated. If it does not match the baseline and lies outside the threshold, an alert is issued and the event is marked as an anomaly (Figure 3).
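As an added example (not code from the paper), the Python below implements the three-way decision of Figure 3 for a single statistical metric and runs it twice, once with a fixed profile and once with a dynamic one, to show the evasion described above. Assumptions made for the example: the metric is requests per minute, "match" means within two standard deviations of the learned mean, the tolerated band extends to three standard deviations, a dynamic profile moves its mean towards a tolerated observation with an exponential moving average, and the training data, the slow ramp and the spike are all constructed.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Tuple


@dataclass
class Profile:
    mu: float        # baseline mean of the monitored metric
    sigma: float     # baseline standard deviation
    dynamic: bool    # True: adapt mu to tolerated deviations; False: fixed profile


def build_profile(training: List[float], dynamic: bool) -> Profile:
    """Learning period: derive the baseline from observed values."""
    return Profile(mean(training), pstdev(training), dynamic)


def evaluate(profile: Profile, x: float, k_match: float = 2.0,
             k_alert: float = 3.0, alpha: float = 0.5) -> str:
    """Classify one observation against the profile (the decision of Figure 3).

    'match' - within k_match standard deviations: no action.
    'drift' - between k_match and k_alert: tolerated; a dynamic profile moves
              its mean towards the observation, a fixed profile is unchanged.
    'alert' - beyond k_alert: flagged as an anomaly; the profile never learns from it.
    """
    if profile.sigma == 0:                        # constant training data: any change deviates
        z = 0.0 if x == profile.mu else float("inf")
    else:
        z = abs(x - profile.mu) / profile.sigma
    if z <= k_match:
        return "match"
    if z <= k_alert:
        if profile.dynamic:
            profile.mu += alpha * (x - profile.mu)   # exponential moving average update
        return "drift"
    return "alert"


def monitor(training: List[float], observations: List[float],
            dynamic: bool) -> Tuple[List[Tuple[float, str]], Profile]:
    profile = build_profile(training, dynamic)
    verdicts = [(x, evaluate(profile, x)) for x in observations]
    return verdicts, profile


def alerted_values(training: List[float], observations: List[float],
                   dynamic: bool) -> Tuple[List[float], float]:
    """Return the observations that raised alerts and the profile mean afterwards."""
    verdicts, profile = monitor(training, observations, dynamic)
    return [x for x, v in verdicts if v == "alert"], profile.mu


# Constructed data, requests per minute. Training is a steady 48..52 (mean 50, sigma ~1.41).
TRAINING = [50 + (i % 5) - 2 for i in range(50)]
SLOW_RAMP = list(range(51, 71))   # attacker raises the rate by one request per minute
SPIKE = [50, 49, 200, 51]         # abrupt flood

if __name__ == "__main__":
    for name, obs in (("slow ramp", SLOW_RAMP), ("spike", SPIKE)):
        for dynamic in (False, True):
            alerts, mu = alerted_values(TRAINING, obs, dynamic)
            kind = "dynamic" if dynamic else "fixed"
            print(f"{name:9s} {kind:7s} profile: alerts at {alerts}, final mean {mu:.2f}")
```

Both profiles catch the spike. On the slow ramp the fixed profile alerts from 55 requests per minute onwards, while the dynamic profile never alerts: every step lands in the tolerated band, the mean follows the attacker upwards, and by the end of the ramp a rate of about 68 per minute has become "normal". That is the trade-off the text describes between a dynamic profile's adaptability and its exposure to long-running attacks.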


Fig.3. Anomaly based methodology architecture


Stateful protocol analysis IDPS methodology. This category includes specification-based methods and analysis of system states. The methodology introduces the concept of state, and with it the ability to understand and track the state of a network protocol; the protocol state models are built from the TCP/IP protocol specifications. The NIDPS state tracking method analyzes protocol behavior: it observes how a protocol is being used and compares that against the behavior stored in its protocol behavior database, detecting anomalies in the protocol header fields of a packet. The technique is quite effective, but attackers whose activity stays within the limits of the protocol specification can evade it [30, 9].
Several vendors have developed and engineered basic protocol profiles. Stateful protocol analysis gives a deep understanding of the applications and protocols involved and of how they interact, but adds further overhead to the system [25, 30].


Fig.4. Architecture of the protocol state tracking analysis method.
Attack traffic, like computer viruses, typically carries recognizable signatures. Protocol anomaly detection analyzes intrusion-related packets for known anomalies and for individual signatures or sets of signatures, and the detection system identifies suspicious activity in the logs and raises alerts based on those signatures and rules. Protocol-anomaly IDS typically rely on anomalies visible in parts of the protocol header. The generic stateful protocol analysis architecture is similar to that of the signature methodology (Figure 4) and requires a database of acceptable protocol behavior.
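To make the state tracking of Figure 4 concrete, here is an added Python example (not from the paper) of a stateful analyser for the SMTP client side. The "database of acceptable protocol behavior" is a constructed subset of the RFC 5321 command sequence encoded as a state machine; the analyser flags commands that are valid SMTP but arrive in the wrong state, unknown commands, and command lines longer than the 512-byte limit, which stands in for the header-field checks mentioned above. The last sample session shows the caveat from the text: a client that stays inside the protocol while delivering an executable attachment produces no findings, because protocol analysis does not look at the message body. All sessions are constructed.

```python
from typing import Dict, List, Tuple

# Constructed subset of the SMTP client command sequence (RFC 5321): for each
# analyser state, the commands the specification allows and the state they lead to.
TRANSITIONS: Dict[str, Dict[str, str]] = {
    "INIT":    {"HELO": "GREETED", "EHLO": "GREETED", "QUIT": "CLOSED"},
    "GREETED": {"MAIL": "MAIL", "RSET": "GREETED", "NOOP": "GREETED", "QUIT": "CLOSED"},
    "MAIL":    {"RCPT": "RCPT", "RSET": "GREETED", "QUIT": "CLOSED"},
    "RCPT":    {"RCPT": "RCPT", "DATA": "BODY", "RSET": "GREETED", "QUIT": "CLOSED"},
    "CLOSED":  {},
}
# Commands the analyser recognises even where they are not modelled as transitions.
KNOWN_VERBS = {v for allowed in TRANSITIONS.values() for v in allowed} | {"VRFY", "EXPN", "HELP"}
MAX_LINE = 512   # RFC 5321 command line limit, used here as the header-length check


def analyze_smtp_session(lines: List[str]) -> Tuple[List[Tuple[int, str, str]], str]:
    """Replay client command lines through the protocol state machine.

    Returns (findings, final_state); each finding is (line_no, state, reason).
    """
    state = "INIT"
    findings = []
    for n, line in enumerate(lines, 1):
        if state == "BODY":
            # Message content is opaque to protocol analysis; only the terminator matters.
            if line == ".":
                state = "GREETED"       # transaction complete, a new MAIL may follow
            continue
        if len(line) > MAX_LINE:
            findings.append((n, state, f"command line of {len(line)} bytes exceeds {MAX_LINE}"))
        verb = line.split(" ", 1)[0].upper()
        allowed = TRANSITIONS[state]
        if verb in allowed:
            state = allowed[verb]
        elif verb in KNOWN_VERBS:
            findings.append((n, state, f"{verb} is not valid in state {state}"))
        else:
            findings.append((n, state, f"unknown command {verb!r}"))
    return findings, state


# Constructed client sessions.
VALID_SESSION = [
    "EHLO client.example.org",
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<bob@example.net>",
    "DATA",
    "Subject: quarterly report",
    "",
    "See attached.",
    ".",
    "QUIT",
]
OUT_OF_ORDER = ["EHLO client.example.org", "DATA", "MAIL FROM:<alice@example.org>"]
OVERSIZED = ["EHLO client.example.org", "MAIL FROM:<" + "A" * 600 + ">"]
# Perfectly formed SMTP carrying an executable: nothing here violates the protocol.
IN_SPEC_ABUSE = VALID_SESSION[:4] + [
    "Content-Disposition: attachment; filename=invoice.exe",
    "",
    "MZ-header-and-payload-would-go-here",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    for name, session in (("valid", VALID_SESSION), ("out of order", OUT_OF_ORDER),
                          ("oversized", OVERSIZED), ("in-spec abuse", IN_SPEC_ABUSE)):
        findings, final = analyze_smtp_session(session)
        print(f"{name:14s} -> final state {final}, findings {findings}")
```

The analyser needs no attack signatures at all, which is why it catches the mis-sequenced DATA and the oversized argument without ever having seen them; equally, it has no opinion about the attachment, so in practice it is paired with signature or anomaly methods rather than used alone.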
Hybrid IDPS methodologies. A hybrid system integrates two or more methods. A hybrid methodology can combine two or more intrusion detection and prevention methodologies to analyze, detect and correlate both suspicious behavior and signature-matched malicious code attempting to attack the network. The combination can detect more types of intrusion and therefore gives relatively better results than any single method. Figure 5 shows the behavior of a typical hybrid methodology combining stateful protocol analysis, signature and anomaly methods: the monitored environment is analyzed by each method in turn [30, 9].
Based on the detection methods presented above, a comparative analysis can be made against the criteria given in Table 1 [30, 24].

Fig.5. Hybrid Method Architecture


Table 1.
Comparison Analysis

