Application Intrusion Detection Systems: The Next Step
Robert S. Sielken
Anita K. Jones
The Pseudo-Internal Intruder: A New Access Oriented Intruder Category
The proliferation of distributed systems with complex networks has necessitated a reexamination of intruder definitions. When the notions of internal and external intruders were defined, systems were largely stand-alone computers, typically contained in a single area, sometimes with remote peripherals. Today computers are part of networked, distributed systems that may span multiple buildings, sometimes located thousands of miles apart. The network of such a system is a pathway for communication between the computers in the distributed system. The network is also a pathway for intrusion.
We define a new category, the pseudo-internal intruder. This new category encompasses intruders without user accounts who circumvent the perimeter defenses of a modern distributed system and attack the system via its network. In contrast, external intruders attack a system from the outside, through the system's perimeter defenses. Having a pseudo-internal category is useful because it gives the intrusion detection community a framework in which to clearly describe the capabilities of such an intruder, to defend against it, and to develop techniques for detecting it.
Full Text (Word97)
Application Intrusion Detection
We hypothesize that application-specific intrusion detection systems can use the semantics of the application to detect more subtle, stealth-like attacks, such as those carried out by internal intruders who possess legitimate access to the system and its data and act within their bounds of normal behavior, but who are actually abusing the system. To test this hypothesis, we developed two extensive case studies to explore what opportunities exist for detecting intrusions at the application level, how effectively an application intrusion detection system (AppIDS) can detect the intrusions, and the possibility of cooperation between an AppIDS and an OS IDS to detect intrusions. From the case studies, we were able to discern some similarities and differences between the OS IDS and the AppIDS. In particular, an AppIDS can observe the monitored system at a higher resolution of observable entities than an OS IDS can. That allows tighter thresholds to be set for the relations an AppIDS uses to differentiate normal from anomalous behavior, which improves the overall effectiveness of the IDS.
We also investigated the possibility of cooperation between an OS IDS and an AppIDS. From this exploration, we developed a high-level bi-directional communication interface in which one IDS could request information from the other IDS, which could respond accordingly. Finally, we explored a possible structure of an AppIDS to determine which components were generic enough to use for multiple AppIDS. Along with these generic components, we also explored possible tools to assist in the creation of an AppIDS.
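The two points above, an AppIDS observing entities the OS IDS cannot see and therefore tolerating tighter thresholds, and a request/response interface between the two detectors, can be made concrete with a small runnable model. The code below is an added illustration written for this summary; it is not code from Sielken and Jones or from either case study. The patient-records application, its audit records, the OS-level trace, the session origins, and the "mean plus k standard deviations" threshold rule are all assumptions made for the example. The OS IDS sees every application access as the same server process reading the same database file, so it can count reads but cannot tell twelve re-reads of one chart (normal) from twelve different patients' charts read once each (an insider browsing); the AppIDS sees the record identifiers and separates the two.

```python
"""Toy AppIDS beside a toy OS IDS over the same constructed sessions, with a
request/response interface in both directions. Added illustration only; the
application, audit records, OS trace and threshold rule are assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed application audit trail: (session, user, action, record_id).
# s3 re-reads four charts three times each; s5 reads twelve different charts.
APP_AUDIT = (
    [("s1", "nurse_a", "read", "pat-101"), ("s1", "nurse_a", "read", "pat-102"),
     ("s1", "nurse_a", "update", "pat-102")]
    + [("s2", "nurse_b", "read", f"pat-10{i}") for i in (3, 4, 5)]
    + [("s3", "nurse_a", "read", f"pat-10{6 + i % 4}") for i in range(12)]
    + [("s4", "nurse_b", "read", "pat-110"), ("s4", "nurse_b", "read", "pat-111")]
    + [("s5", "nurse_a", "read", f"pat-2{i:02d}") for i in range(1, 13)]
)

# Constructed OS-level view of the same sessions: one file read per application
# access, always by the same server process on the same database file, so user
# and logical record are invisible at this level. Session origins are also
# constructed; only the OS IDS knows them.
OS_TRACE = [(s, "recordsd", "/var/lib/records/db") for (s, _u, _a, _r) in APP_AUDIT]
OS_SESSION_ORIGIN = {"s1": "console", "s2": "console", "s3": "console",
                     "s4": "console", "s5": "remote:10.0.0.7"}


def threshold(values, k=3.0):
    """Upper bound on 'normal' for one relation: mean + k * population stdev
    of the baseline values (assumed rule, chosen for the example)."""
    return mean(values) + k * pstdev(values)


class OSIDS:
    """Relation: file reads per session. Answers origin/read-count queries."""

    def __init__(self, trace, origins, baseline_sessions, k=3.0):
        self.reads = defaultdict(int)
        for session, _proc, _path in trace:
            self.reads[session] += 1
        self.origins = origins
        self.limit = threshold([self.reads[s] for s in baseline_sessions], k)

    def detect(self):
        return {s for s, n in self.reads.items() if n > self.limit}

    def handle_request(self, request):
        if request["query"] == "session_origin":
            return {"origin": self.origins.get(request["session"], "unknown")}
        if request["query"] == "read_count":
            return {"reads": self.reads.get(request["session"], 0)}
        return {"error": "unsupported query"}


class AppIDS:
    """Relation: distinct records per session. Answers activity queries."""

    def __init__(self, audit, baseline_sessions, k=3.0):
        self.records = defaultdict(set)
        self.user = {}
        for session, user, _action, record in audit:
            self.records[session].add(record)
            self.user[session] = user
        self.limit = threshold([len(self.records[s]) for s in baseline_sessions], k)

    def detect(self):
        return {s for s, recs in self.records.items() if len(recs) > self.limit}

    def handle_request(self, request):
        if request["query"] == "session_activity":
            s = request["session"]
            return {"user": self.user.get(s),
                    "distinct_records": len(self.records.get(s, set()))}
        return {"error": "unsupported query"}

    def investigate(self, os_ids):
        """AppIDS -> OS IDS: for each anomalous session, ask where it came from."""
        return {s: os_ids.handle_request({"query": "session_origin", "session": s})["origin"]
                for s in self.detect()}


def run(k=3.0):
    """Train both detectors on s1..s4, then evaluate all sessions."""
    baseline = ["s1", "s2", "s3", "s4"]
    os_ids = OSIDS(OS_TRACE, OS_SESSION_ORIGIN, baseline, k)
    app_ids = AppIDS(APP_AUDIT, baseline, k)
    return {
        "os_limit": os_ids.limit, "os_alerts": os_ids.detect(),
        "app_limit": app_ids.limit, "app_alerts": app_ids.detect(),
        # AppIDS -> OS IDS request for the flagged session's origin
        "app_investigation": app_ids.investigate(os_ids),
        # OS IDS -> AppIDS request about its busiest session, s3
        "os_asks_app": app_ids.handle_request({"query": "session_activity", "session": "s3"}),
    }


if __name__ == "__main__":
    print(run())
```

With the constructed data, the OS-level read counts for the baseline sessions are 3, 3, 12 and 2, so the OS IDS limit lands above 17 reads and the twelve reads in s5 pass unnoticed; the AppIDS baseline of 2, 3, 4 and 2 distinct records gives a limit just above 5, so s5's twelve distinct records are flagged. The flagged session is then enriched through the interface: the AppIDS asks the OS IDS for the session origin, and, in the other direction, the OS IDS can ask the AppIDS which user and how many distinct records lie behind a session it finds unusually busy.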
Full Text (Word97)
CS Dept. Technical Report (PostScript)
Last Modified: January 18, 2000