10.10 Anomaly IDSs

The anomaly detection model is based on a system detecting intrusions by looking for activity that is different from a user's or system's normal behavior. The main approach is to use a statistical model of user behavior, called a profile. In this method, initial behavior profiles for subjects are generated. As the system continues running, the anomaly detector constantly generates the variance of the present profile from the original one. There may be several measures that affect the behavior profile (e.g., activity measures such as CPU time used, number of network connections in a time period, and applications normally used).

In some systems, the current profile and the previous profile are merged at intervals, but in some other systems, profile generation is a one-time activity. The main advantage of statistical systems is that they are adaptive; they learn the behavior of users and are, thus, more sensitive than security administrators. One potential flaw with anomaly IDSs is that they can gradually be trained by intruders so that eventually, intrusive events are considered normal. False positives and false negatives are generated depending on whether the threshold is set too low or too high, and relationships between events are missed because of the insensitivity of statistical measures to the order of events.

An open issue with all anomaly IDSs is the selection of measures to monitor. It is not known exactly what subset of all possible measures most accurately predicts intrusive attacks. Static methods of determining these measures are sometimes misleading because of the unique features of a particular system. Thus, it seems that a combination of static and dynamic determinations of the set of measures should be done. As with most investigative data mining projects, a hybrid solution mixing machine-learning or statistical models with human insight is usually the best.
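As an added illustration (not code from the book), here is a small Python model of the statistical profile approach described above: a profile of per-measure mean and standard deviation is built from initial sessions, a new session's deviation from the profile is scored as the mean absolute z-score across measures and compared with a threshold, and a merge step folds the current observation into the profile at intervals. The measures, the session values, the threshold and the exponential merge weight are constructed assumptions. The drift_demo function shows the training weakness mentioned above: small, sub-threshold steps are merged into the profile one at a time until behavior that the original profile would have flagged counts as normal.

```python
"""Statistical profile anomaly detector (added example, not from the book).

Assumptions (constructed for illustration): each session yields three
measures, CPU seconds used, network connections opened in the period, and
distinct applications launched. The profile is the mean and population
standard deviation of each measure; a session's deviation is the mean |z|
over the measures.
"""
from statistics import mean, pstdev

MEASURES = ("cpu_seconds", "connections", "apps_used")

# Constructed baseline sessions for one user (values are invented).
BASELINE_SESSIONS = [
    {"cpu_seconds": 120, "connections": 5, "apps_used": 3},
    {"cpu_seconds": 140, "connections": 6, "apps_used": 4},
    {"cpu_seconds": 110, "connections": 4, "apps_used": 3},
    {"cpu_seconds": 130, "connections": 7, "apps_used": 3},
    {"cpu_seconds": 125, "connections": 5, "apps_used": 4},
]


def build_profile(sessions):
    """Initial profile: (mean, sigma) per measure, built once from early sessions."""
    profile = {}
    for m in MEASURES:
        values = [s[m] for s in sessions]
        # a floor on sigma avoids division by zero for constant measures
        profile[m] = (mean(values), max(pstdev(values), 1e-6))
    return profile


def deviation(profile, session):
    """Variance of present behavior from the profile: mean |z| over measures."""
    zs = [abs(session[m] - mu) / sigma for m, (mu, sigma) in profile.items()]
    return sum(zs) / len(zs)


def is_anomalous(profile, session, threshold):
    """Too low a threshold gives false positives, too high gives false negatives."""
    return deviation(profile, session) > threshold


def merge_profile(profile, session, alpha=0.2):
    """Merge the current observation into the profile (exponential update).

    This is what makes the detector adaptive; it is also the mechanism an
    intruder can abuse by shifting behavior a little at a time.
    """
    merged = {}
    for m, (mu, sigma) in profile.items():
        new_mu = (1 - alpha) * mu + alpha * session[m]
        new_sigma = (1 - alpha) * sigma + alpha * abs(session[m] - mu)
        merged[m] = (new_mu, max(new_sigma, 1e-6))
    return merged


def drift_demo(profile, steps, threshold, step_pct=0.15):
    """Gradual training of the profile.

    Each step raises every measure step_pct above the current profile mean;
    if that stays under the threshold it is merged in. Returns the final
    profile and the number of steps that raised an alarm.
    """
    alarms = 0
    for _ in range(steps):
        session = {m: profile[m][0] * (1 + step_pct) for m in MEASURES}
        if is_anomalous(profile, session, threshold):
            alarms += 1
        else:
            profile = merge_profile(profile, session)
    return profile, alarms


if __name__ == "__main__":
    original = build_profile(BASELINE_SESSIONS)
    drifted, alarms = drift_demo(original, steps=10, threshold=2.5)
    shifted = {m: drifted[m][0] for m in MEASURES}
    print("alarms during drift:", alarms)
    print("shifted behavior vs original profile:", is_anomalous(original, shifted, 2.5))
    print("shifted behavior vs drifted profile:", is_anomalous(drifted, shifted, 2.5))
```

With the constructed baseline the drift run raises no alarm at any step, yet the behavior the profile ends up accepting would have been flagged against the original profile. Comparing the current profile against the original one at intervals, rather than only against the most recently merged one, is the check that makes this kind of drift visible.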

Anomaly IDSs have also been developed using a predictive pattern-generation methodology. This method of intrusion detection tries to predict future events based on the events that have already occurred. The rules may be based on data mining analyses. Therefore, we could have a rule like the following:

      IF Event 1 AND Event 2 THEN Event 3 = 80%
                                  Event 4 = 15%
                                  Event 5 = 5%

This would mean that given that events 1 and 2 have occurred, with event 2 occurring after event 1, there is an 80% probability that event 3 will follow, a 15% chance that event 4 will follow, and a 5% probability that event 5 will follow. The problem with this is that intrusion scenarios not described by the rules will not be recognized, identified, and flagged.
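As an added example (not code from the book), the following Python learns rules of exactly the form shown above from a constructed audit trail: for every ordered pair of preceding events it counts what came next and turns the counts into probabilities, then scores new event sequences against those rules. The event labels, the two-event context, the 10% minimum probability and the function names are assumptions made for the illustration. It also shows the limitation noted above: a context that no rule describes is only reported as uncovered, because the rules have nothing to say about it.

```python
"""Predictive pattern-generation rules (added example, not from the book).

Assumptions (constructed): events are short labels such as "login" and
"read"; a rule is conditioned on the two preceding events, in order; an
observed transition is flagged when its rule gives it a probability below
min_prob, and a context with no rule at all is reported as "uncovered".
"""
from collections import Counter, defaultdict

# Constructed training audit trail: one event sequence per session.
TRAINING = [
    ["login", "read", "write", "logout"],
    ["login", "read", "write", "logout"],
    ["login", "read", "write", "read", "logout"],
    ["login", "read", "read", "logout"],
    ["login", "read", "write", "logout"],
]


def learn_rules(sequences, order=2):
    """Count what follows each ordered context of `order` events and convert
    the counts to probabilities: rules[context][next_event] = P(next | context)."""
    counts = defaultdict(Counter)
    for seq in sequences:
        for i in range(order, len(seq)):
            counts[tuple(seq[i - order:i])][seq[i]] += 1
    rules = {}
    for ctx, c in counts.items():
        total = sum(c.values())
        rules[ctx] = {ev: n / total for ev, n in c.items()}
    return rules


def format_rule(rules, context):
    """Render one rule in the IF ... AND ... THEN style used above."""
    dist = rules[context]
    ordered = sorted(dist.items(), key=lambda kv: -kv[1])
    consequent = "  ".join(f"{ev} = {p:.0%}" for ev, p in ordered)
    return "IF " + " AND ".join(context) + " THEN " + consequent


def score_sequence(rules, seq, min_prob=0.10, order=2):
    """Return findings for a sequence.

    ("anomalous", context, observed, p) when a rule exists but predicts the
    observed event with p < min_prob; ("uncovered", context, observed) when
    no rule exists for the context. An empty list means every transition
    was expected.
    """
    findings = []
    for i in range(order, len(seq)):
        ctx = tuple(seq[i - order:i])
        observed = seq[i]
        if ctx not in rules:
            findings.append(("uncovered", ctx, observed))
            continue
        p = rules[ctx].get(observed, 0.0)
        if p < min_prob:
            findings.append(("anomalous", ctx, observed, p))
    return findings


if __name__ == "__main__":
    rules = learn_rules(TRAINING)
    for ctx in rules:
        print(format_rule(rules, ctx))
    print(score_sequence(rules, ["login", "read", "delete", "logout"]))
```

On the constructed trail the rule for the context (login, read) reads "IF login AND read THEN write = 80%  read = 20%". A session that performs "delete" after that context produces one anomalous finding with probability 0, and the following context (read, delete) is uncovered, which is how a scenario the rules never saw shows up: not as a recognized intrusion, only as a gap in the rule set.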

However, there are several advantages to this approach. First, rule-based sequential patterns can detect anomalous activities that were difficult to detect with traditional methods. Second, systems built using this model are highly adaptive to change, because low-quality patterns are continuously eliminated, finally leaving the higher-quality patterns behind; the rules can be based on a combination of machine-learning models and human domain observations. Third, it is easier to detect users who try to train the system during its learning period. And fourth, anomalous activities can be detected and reported within seconds of receiving audit events.

Investigative Data Mining for Security and Criminal Detection
ISBN: 0750676132
Year: 2005
Pages: 232
Authors: Jesus Mena
