The Center for Education and Research in Information Assurance and Security (CERIAS)

Application Intrusion Detection

Author

Robert S. Sielken

Entry type

misc

Abstract

Intrusion detection has traditionally been performed at the operating system (OS) level by comparing expected and observed system resource usage. OS intrusion detection systems (OS IDS) can only detect intruders, internal or external, who perform specific system actions in a specific sequence, or whose behavior pattern statistically varies from a norm. Internal intruders are said to comprise at least fifty percent of intruders [ODS99], but OS intrusion detection systems are frequently not sufficient to catch such intruders, since they neither significantly deviate from expected behavior nor perform the specific intrusive actions, because they are already legitimate users of the system. We hypothesize that application-specific intrusion detection systems can use the semantics of the application to detect more subtle, stealth-like attacks, such as those carried out by internal intruders who possess legitimate access to the system and its data and act within their bounds of normal behavior, but who are actually abusing the system. To test this hypothesis, we developed two extensive case studies to explore what opportunities exist for detecting intrusions at the application level, how effectively an application intrusion detection system (AppIDS) can detect the intrusion, and the possibility of cooperation between an AppIDS and an OS IDS. In particular, an AppIDS can observe the monitored system with a higher resolution of observable entities than an OS IDS, allowing tighter thresholds to be set for the AppIDS's relations that differentiate normal and anomalous behavior, thereby improving the overall effectiveness of the IDS. We also investigated the possibility of cooperation between an OS IDS and an AppIDS. From this exploration, we developed a high-level bi-directional communication interface in which one IDS could request information from the other IDS, which could respond accordingly.
Finally, we explored a possible structure of an AppIDS to determine which components were generic enough to use for multiple AppIDS. Along with these generic components, we also explored possible tools to assist in the creation of an AppIDS.
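The two ideas in the abstract, application-level relations with tighter thresholds than an OS IDS can set, and an AppIDS asking an OS IDS for information, as an added example that is not code from the thesis. It uses the electronic toll collection case study named in the contents; the plaza distances, speed threshold, void limit, event records and OS IDS session table are constructed assumptions, and the request/response stub stands in for the thesis's interface, whose actual message format this page does not give.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Added example, not code from the thesis: a toy AppIDS for an electronic toll
# collection (ETC) system. Every table and record below is a constructed assumption.

@dataclass(frozen=True)
class TollEvent:
    vehicle: str             # transponder / plate id
    plaza: str               # toll plaza id
    time: datetime
    kind: str                # "pass" (automatic reading) or "void" (manual cancellation)
    operator: Optional[str]  # account that issued a manual void; None for passes

# Hypothetical plaza geometry. An OS IDS has no notion of plazas or vehicles;
# these are the application-level entities an AppIDS can relate.
DISTANCES_KM = {frozenset("AB"): 60.0, frozenset("BC"): 45.0, frozenset("AC"): 105.0}
MAX_PLAUSIBLE_KMH = 180.0

def implied_speed_kmh(a: TollEvent, b: TollEvent) -> float:
    """Speed a vehicle needed to produce two consecutive readings."""
    hours = abs((b.time - a.time).total_seconds()) / 3600.0
    distance = DISTANCES_KM[frozenset({a.plaza, b.plaza})]
    return float("inf") if hours == 0 else distance / hours

def speed_relation(events):
    """Relation: consecutive readings of one vehicle must be physically reachable;
    a violation suggests a cloned transponder or fabricated record. -> [(vehicle, kmh)]"""
    by_vehicle = defaultdict(list)
    for e in events:
        if e.kind == "pass":
            by_vehicle[e.vehicle].append(e)
    alerts = []
    for vehicle, readings in by_vehicle.items():
        readings.sort(key=lambda e: e.time)
        for a, b in zip(readings, readings[1:]):
            if a.plaza != b.plaza and implied_speed_kmh(a, b) > MAX_PLAUSIBLE_KMH:
                alerts.append((vehicle, round(implied_speed_kmh(a, b), 1)))
    return alerts

def void_relation(events, window=timedelta(days=30), limit=2):
    """Relation: an operator voiding tolls for the same vehicle more than `limit`
    times within `window` is abusing a legitimate function. Each void is a permitted
    action by a legitimate user, so an OS IDS sees nothing anomalous; only the
    (operator, vehicle) relation exposes it. -> [(operator, vehicle, count)]"""
    voids = defaultdict(list)
    for e in events:
        if e.kind == "void":
            voids[(e.operator, e.vehicle)].append(e.time)
    alerts = []
    for (operator, vehicle), times in voids.items():
        times.sort()
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count > limit:
                alerts.append((operator, vehicle, count))
                break
    return alerts

class OsIdsStub:
    """Stand-in for the OS IDS side of a request/response interface. The thesis's
    message format is not given here; this stub answers one query type only."""
    def __init__(self, sessions):
        self.sessions = sessions  # [(operator, login_time, host)]

    def request(self, query: dict) -> Optional[str]:
        if query.get("type") != "session_at":
            return None
        hits = [(t, host) for op, t, host in self.sessions
                if op == query["operator"] and t <= query["time"]]
        return max(hits)[1] if hits else None

def run_appids(events, os_ids: OsIdsStub):
    """Evaluate both relations; for operator abuse, ask the OS IDS for session
    context so the alert carries OS-level evidence next to the application-level one."""
    alerts = [{"relation": "speed", "vehicle": v, "implied_kmh": kmh}
              for v, kmh in speed_relation(events)]
    for operator, vehicle, count in void_relation(events):
        last_void = max(e.time for e in events
                        if e.kind == "void" and e.operator == operator and e.vehicle == vehicle)
        host = os_ids.request({"type": "session_at", "operator": operator, "time": last_void})
        alerts.append({"relation": "void", "operator": operator, "vehicle": vehicle,
                       "count": count, "host": host})
    return alerts

# Constructed sample data: V1 is read at two plazas 60 km apart within 10 minutes;
# operator op7 voids tolls for vehicle V9 three times in twelve days.
T = datetime(2024, 3, 1, 8, 0)
SAMPLE_EVENTS = [
    TollEvent("V1", "A", T, "pass", None),
    TollEvent("V1", "B", T + timedelta(minutes=10), "pass", None),
    TollEvent("V2", "A", T, "pass", None),
    TollEvent("V2", "B", T + timedelta(minutes=40), "pass", None),  # 90 km/h, fine
    TollEvent("V9", "B", T + timedelta(days=1), "void", "op7"),
    TollEvent("V9", "B", T + timedelta(days=5), "void", "op7"),
    TollEvent("V9", "B", T + timedelta(days=12), "void", "op7"),
    TollEvent("V4", "C", T + timedelta(days=3), "void", "op3"),
]
OS_IDS = OsIdsStub([("op7", T, "plaza-B-term2"), ("op3", T, "plaza-C-term1")])
```

`run_appids(SAMPLE_EVENTS, OS_IDS)` returns two alerts: the speed relation flags V1 at an implied 360 km/h, and the void relation flags op7 for V9 with the OS IDS supplying the terminal the account was logged in from. Neither event stream contains anything an OS-level monitor would treat as a policy violation; the detections come entirely from relating application entities to each other, which is the resolution advantage the abstract describes.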

Institution

University of Virginia

Key alpha

Sielken

School

School of Engineering and Applied Science

Acknowledgement

Brownell Combs, Anita Jones, Kaselehlia Sielken

Publication Date

0000-00-00

Contents

Abstract
Table of Contents
Acknowledgements
1 Introduction
2 State of Practice: OS IDS
2.1 Threats That Can Be Detected by an IDS
2.2 Intrusion Detection Approaches
2.2.1 Anomaly Detection
2.2.2 Misuse Detection
2.2.3 Extensions: Networks
2.3 Generic Characteristics of IDS
3.1 Electronic Toll Collection
3.1.1 Electronic Toll Collection Systems Description
3.1.2 Application Specific Intrusions
3.1.3 Relation Hazard Tables
3.2 Health Record Management
3.2.1 Health Record Management Systems Description
3.2.2 Application Specific Intrusions
3.2.3 Health Record Management Relation Hazard Tables
4 Application Intrusion Detection
4.1 Differences between OS IDS and AppIDS
4.2 Dependencies between OS IDS and AppIDS
5 Construction of an AppIDS
6 Conclusions and Future Work
7 References

Location

A hard-copy of this is in the CERIAS Library
