Privacy Enhanced Intrusion Detection

Roland Büschkes
Aachen University of Technology – Department of Computer Science
Informatik 4 (Communication Systems)
D-52056 Aachen, Germany
roland@i4.informatik.rwth-aachen.de

Dogan communications GmbH & Co
Dept. Enterprise Security
D-51063 Kö

1.1 Abstract

This paper discusses solutions to protect the privacy of users during the application of intrusion detection systems (IDS) and introduces the notion of multilateral secure IDS. The surveillance of users by an IDS threatens their privacy. However, an IDS depends on data gathered by monitoring and must be able to unambiguously identify an intruder in case of an emergency. To mediate between the contrary interests of an IDS and the monitored users, an IDS must obey the principles of data avoidance and reduction. Corresponding techniques concerning authentication and anomaly detection are discussed in this paper.

1.2 Introduction

The protection of the increasingly complex tele- and data communication networks is a critical task, but the detection, repulse and prevention of abuse by insiders and outsiders becomes more and more difficult. Intrusion Detection Systems (IDS) provide a promising technique to enhance the security of complex information infrastructures. But their application must not weaken the security and privacy of the monitored users or any other cooperating components. An IDS fulfilling this requirement is called a multilateral secure IDS.

This paper deals with potential approaches towards the problem of privacy in the context of intrusion detection. It describes the approach of the Aachener Network Intrusion Detection Architecture (ANIDA) to the design of multilateral secure intrusion detection systems. ANIDA focuses on the surveillance of client-server network applications and the underlying protocol stacks, with a strong emphasis on privacy related issues.

The paper is organized as follows. In section 2 we give a short survey of intrusion detection techniques.
Section 3 discusses the privacy issues related to the surveillance of users. Subsequently we describe our general architecture (section 4). In section 5 we discuss related work and finally draw some conclusions in section 6.

1.3 Intrusion Detection

Organizations and network providers have a rising demand concerning security. But classical security mechanisms, i.e. authentication and encryption, and infrastructure components like firewalls cannot provide sufficient security. Therefore, intrusion detection systems (IDS) have been introduced as a third line of defense (see e.g. [14] for a general overview).

The techniques classically applied within an IDS can be subdivided into the two main categories [17] of

- Misuse Detection, and
- Anomaly Detection.

Misuse detection (see e.g. [8, 12, 13]) tries to detect patterns of known attacks within the audit stream of a system, i.e. it identifies attacks directly. Explicitly describing the sequence of actions an attacker takes, misuse detection is based on the specification of the undesirable or negative behavior of users and processes. The opposite approach would be the specification of the desired or positive behavior of users and processes. Based on this normative specification of positive behavior, attacks are identified by observing deviations from the norm. Therefore, this technique is called Anomaly Detection.

The main problem with anomaly detection techniques is to determine the positive behavior. Two general approaches exist:

1. learning of user and process behavior
2. specification of user and process behavior

The former approach is often based on statistical methods (e.g. [9]). Other methods use learning algorithms like e.g. neural networks or Bayesian classifiers [2]. This approach is particularly popular for the profiling of users. The latter approach, specification-based anomaly detection, was first proposed in [11]. It is based on the formal description of positive behavior, e.g. in the form of a grammar.

Assuming that intrusions and intrusion attempts are an exception and not the rule within a network, the use of any of these techniques involves a certain danger, namely the breach of the users' privacy.

1.4 IDS and Privacy

The application of an IDS explicitly introduces a surveillance facility (Figure 1), which weakens the security and privacy of the monitored users. Obviously, there is a conflict between the organization's need for security on the one side, and the individual's need for privacy on the other. This conflict can be avoided by the application of a multilateral secure IDS, i.e. an IDS which allows all involved parties to protect their own interests.

A multilateral secure IDS must obey two major design principles:

1. data avoidance
2. data reduction

Following the principle of data avoidance, a user should only be forced to disclose the minimum of information necessary to the IDS. Data avoidance is especially relevant in the context of identification and authentication. An IDS does not need to know the identity of a monitored user until it provably detects an abuse.

Figure 1: LAN monitored by an IDS (clients, server and WAN gateway; legend: IDS network monitoring component, IDS host monitoring component)

Data reduction stresses the fact that an audit stream contains a lot of unsuspicious events. There is no need – at least from a security point of view – to store these events or to make them accessible to a human operator. A multilateral secure IDS should therefore filter the audit stream and only store records of critical events and detected intrusions.

1.5 The Architecture

Our approach to the design of a multilateral secure IDS is driven by the principles of data avoidance and reduction. The adherence to these principles results in the concept of transactions under pseudonyms and the control flow depicted in Figure 2.

A user accesses a service over a network under a pseudonym (data avoidance).
This pseudonym is generated in cooperation with a trusted third party (TTP). The TTP is responsible for checking the user's identity and issuing the corresponding credentials. As the network and the service are monitored by the IDS, the events contained within the audit stream are related to the pseudonym. The IDS continues its normal work. In our architecture we take a hybrid approach by combining anomaly and misuse detection components. As a matter of fact, our anomaly detection component uses a new technique of anomaly detection, namely transaction-based anomaly detection.

Transaction-based anomaly detection is especially suited to meet the data reduction requirement, as it filters out all non-critical and unsuspicious events (denoted by ε). All suspicious events remain in the audit stream and are passed on to the next level of processing. On this level a human operator can, in combination with a standard misuse detection component, examine the suspicious events more closely and classify them. This examination results in the deletion of additional uncritical events (denoted by ε). The remaining events indicate – with a certain error probability – an intrusion or intrusion attempt and provide evidence that an attack has been launched under a certain pseudonym. This evidence can be presented to the TTP and results in the revelation of the user's real identity.

As a consequence our architecture realizes the concept of two domains (see Figure 2). The first domain knows the true identity of the user, while the second or any other domain does not. In the second domain the IDS completely controls the surveillance process.

Figure 2: Control flow (identification, pseudonym creation, authentication, service usage, audit stream, anomaly detection, misuse detection; ε marks the events filtered out at each detection stage)

For the further discussion we focus on the network scenario depicted in Figure 1 and assume the following scenario: The IDS focuses on client-server network applications and the related communication processes.
Our model is therefore based on the ISO/OSI reference model (see e.g. [6]), which is made up of seven protocol layers. The IDS runs monitors on the server and the network, i.e. it has access to the network services and network traffic related data. For ease of presentation we assume that a single network monitor collects all network relevant information (layers 1 – 4) and the host monitors collect only information related to the services (layers 5 – 7).

1.5.1 Data Avoidance

The principle of data avoidance is especially relevant in the context of identification and authentication. As long as an IDS does not have a well-founded suspicion, it does not need to know anything about the identity of a user. And even in the case of a suspicion, the suspicion can be refuted through the presentation of additional credentials, but without the revelation of the user's identity. A straightforward idea in order to build a multilateral secure IDS is therefore to apply anonymity or pseudonym techniques. It is obvious that anonymity techniques are not suited for use in systems which are monitored by an IDS, because in case of an incident it must be possible to reveal the true identity of a user. Therefore pseudonyms are the preferable choice.

A pseudonym is an identifier of a user in a transaction which is not, in the normal course of events, sufficient to associate the transaction with an individual user. The user gives only as much information about himself as is strictly necessary to access a service.

Several questions are related to the usage of pseudonyms in the context of intrusion detection:

1. When to introduce the pseudonym for a user (at login time, before the passing on of log files, etc.)?
2. Where to introduce the pseudonym (at the login server, at the monitoring process, etc.)?
3. How to generate the pseudonym (general technique, number of participating parties, etc.)?
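The two-domain control flow of sections 1.5 and 1.5.1, as an added example that is not code from the paper or from ANIDA: a hypothetical TTP issues pseudonyms, the IDS in the second domain filters the pseudonymous audit stream (the ε events are dropped) and the TTP reveals an identity only against the retained evidence. The keyed-hash pseudonym construction, the event types, the failed-login threshold and the identities are assumptions made for the example.

```python
import hmac, hashlib, secrets
from collections import defaultdict

CRITICAL = {"PRIV_ESCALATION", "CONFIG_WRITE"}  # assumed event types the operator always sees
FAIL_THRESHOLD = 3                               # assumed: failed logins per pseudonym before escalation

class TrustedThirdParty:
    """Hypothetical TTP of the first domain: the only party holding pseudonym -> identity."""
    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._mapping = {}

    def issue_pseudonym(self, identity, nonce):
        # Keyed hash (an assumption, not the paper's construction): without the TTP key
        # neither the IDS nor the service can link the pseudonym back to the identity.
        msg = f"{identity}:{nonce}".encode()
        pseudonym = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]
        self._mapping[pseudonym] = identity
        return pseudonym

    def reveal(self, pseudonym, evidence):
        # Identity is disclosed only against evidence of intrusions under that pseudonym.
        if not evidence or any(e["pseudonym"] != pseudonym for e in evidence):
            return None
        return self._mapping.get(pseudonym)

def transaction_filter(events):
    """Data reduction: unsuspicious events become epsilon (dropped), suspicious ones are kept."""
    kept, failed_logins = [], defaultdict(int)
    for e in events:
        if e["type"] == "LOGIN_FAILED":
            failed_logins[e["pseudonym"]] += 1
            if failed_logins[e["pseudonym"]] >= FAIL_THRESHOLD:
                kept.append(e)
        elif e["type"] in CRITICAL:
            kept.append(e)
    return kept

def run_scenario():
    ttp = TrustedThirdParty()
    alice = ttp.issue_pseudonym("alice@example.org", nonce="s1")     # constructed identities
    mallory = ttp.issue_pseudonym("mallory@example.org", nonce="s2")
    # Constructed audit stream: the IDS in the second domain sees only pseudonyms.
    stream = ([{"pseudonym": alice, "type": "READ_FILE"}] * 5 +
              [{"pseudonym": mallory, "type": "LOGIN_FAILED"}] * 3 +
              [{"pseudonym": mallory, "type": "PRIV_ESCALATION"}])
    suspicious = transaction_filter(stream)
    by = lambda p: [e for e in suspicious if e["pseudonym"] == p]
    return {"kept": len(suspicious), "revealed": ttp.reveal(mallory, by(mallory)),
            "alice_kept_private": ttp.reveal(alice, by(alice))}
```

Of the nine constructed events only two survive the filter, and the TTP unmasks the pseudonym behind them while the unsuspicious user's identity is never requested.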