10.9 Misuse IDSs


Event or misuse IDSs have been constructed using expert systems, which are encoded with rules and are designed so that the rule matching phase is separated from the action (rule firing) phase. The rule matching is done against the audit trail events. A prototype IDS known as the Next Generation Intrusion Detection Expert System (NIDES), developed by SRI, takes this expert-system approach. However, NIDES uses a hybrid intrusion detection technique consisting of a misuse detection component as well as an anomaly detection component, combining the strengths of both types of detection. The anomaly detector is based on the statistical approach and flags events as intrusive if they deviate markedly from the expected behavior. To do this, it builds user profiles based on over 30 different criteria, such as CPU and I/O usage, commands used, local network activity, and system errors, with the profiles updated at periodic intervals.

The expert-system misuse detection component encodes known intrusion scenarios and attack patterns. The rule database can be changed for different systems. One advantage of the NIDES approach is that it combines both data mining and expert system components, pairing a bottom-up and a top-down solution to the intrusion detection problem. This increases the chances of one component catching intrusions missed by the other. Another advantage is that the problem's control reasoning is cleanly separated from the formulation of the solution.

The drawback to the expert-system approach is that its rules are only as good as the knowledge of the security professional who programs them. It is for this reason that NIDES has an anomaly detection component as well as a misuse detection component. These two components are loosely coupled in the sense that, for the most part, they perform their operations independently. The NIDES system suffers from the same drawback as other expert systems: the high cost of maintaining its rules. Furthermore, additions to and deletions from the rulebase must take into account the sequential order of the rules, which can be problematic. The SRI system was able to establish a historical behavior profile for each desired entity (e.g., user, group, device, process) and to compare current behavior against those profiles. The system could detect departures from established norms, although the profiles had to be continuously updated to learn changes in subject behavior and to address unanticipated intrusion types.
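The following is an added illustration of the architecture described above, not code from SRI or from this book: a toy hybrid detector whose misuse component keeps rule matching separate from rule firing, whose anomaly component keeps a per-subject statistical profile over a few audit criteria and flags values that deviate from it, and whose profiles are refreshed periodically rather than on every event. The audit record layout, the single misuse rule, the z-score threshold, and the sample audit trail are all constructed assumptions.

```python
from collections import namedtuple
from statistics import mean, pstdev

# One audit-trail record; the field set is an assumption (CPU seconds, I/O KB, error count).
AuditEvent = namedtuple("AuditEvent", "user command cpu io_kb errors")
FEATURES = ("cpu", "io_kb", "errors")   # criteria profiled per subject
THRESHOLD = 3.0                          # z-score beyond which a value is deviant
# Misuse component: each rule encodes one known attack pattern (constructed rule).
MISUSE_RULES = {"repeated-su-failures": lambda e: e.command == "su" and e.errors >= 3}

def match_rules(event):   # rule-matching phase: evaluate rules, act on none
    return [name for name, cond in MISUSE_RULES.items() if cond(event)]

def fire_rules(event, matched):   # rule-firing phase, kept apart from matching
    return [f"MISUSE {name}: {event.user} ran {event.command}" for name in matched]

def deviations(history, event):   # features whose value lies far outside the learned norm
    out = []
    for f in FEATURES:
        hist, x = history[f], getattr(event, f)
        if len(hist) < 5:   # not enough history to judge yet
            continue
        m, sd = mean(hist), pstdev(hist)
        if (x != m) if sd == 0 else abs(x - m) / sd > THRESHOLD:   # zero spread: any change is deviant
            out.append(f)
    return out

class HybridIDS:   # loosely coupled misuse + anomaly detectors over one audit trail
    def __init__(self, update_every=10):
        self.profiles, self.pending, self.update_every = {}, [], update_every   # profiles: subject -> feature history

    def process(self, event):
        alerts = fire_rules(event, match_rules(event))
        profile = self.profiles.setdefault(event.user, {f: [] for f in FEATURES})
        alerts += [f"ANOMALY {f}: {event.user} deviates from profile" for f in deviations(profile, event)]
        self.pending.append(event)
        if len(self.pending) >= self.update_every:   # periodic profile refresh, not per event
            for e in self.pending:
                for f in FEATURES:
                    self.profiles[e.user][f].append(getattr(e, f))
            self.pending.clear()
        return alerts

if __name__ == "__main__":   # constructed audit trail: ten normal events, then two suspicious ones
    ids = HybridIDS()
    normal = zip([1.0, 1.2, 0.8, 1.1, 0.9] * 2, [100, 120, 80, 110, 90] * 2, [0, 1, 0, 0, 1] * 2)
    trail = [AuditEvent("alice", "ls", *v) for v in normal]
    trail += [AuditEvent("alice", "ls", 50.0, 110.0, 0), AuditEvent("bob", "su", 1.0, 10.0, 3)]
    for ev in trail:
        print(ev.user, ev.command, ids.process(ev))
```

Until a subject has enough history the anomaly side stays silent, which is the gap the misuse rules cover; conversely, the CPU spike in the sample trail matches no rule and is caught only by the profile.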

Investigative Data Mining for Security and Criminal Detection
ISBN: 0750676132
Year: 2005
Pages: 232
Authors: Jesus Mena