Charles Herring: Intrusion Detection for Things

February 2nd, 2015

Intrusion Detection for Things

The concept of Intrusion Detection Systems (IDS) was introduced in 1987 by Dr. Dorothy Denning in a paper titled “An Intrusion-Detection Model.” The paper describes systems that “aim to detect a wide range of security violations ranging from attempted break-ins by outsiders to system penetrations and abuses by insiders.”

From the concepts laid out by Dr. Denning, the three-tiered detection model was created.Blog_CHerring

Signature detection focuses on known bad patterns in an object (file, packet, etc.) destined for an endpoint. Behavioral based detection focuses on known bad actions (deleting files, scanning the network, sending spam, etc.) that occur on an endpoint after it has processed a bad object (file, packet, etc.). Anomaly detection also focuses on the behavior of the endpoint, but instead of looking for known bad behaviors, it focuses on deviation from known good ones.

Relationship of Detection Approaches

Signature detection is great at catching known attack types. It can identify packets connected to a specific malware family or SQL injection attack. When given adequate data and specific signatures, this approach can be very accurate in detecting known exploits.

Behavioral detection is effective where the specific exploit is currently unknown (zero-day attack). Behavioral detection can catch zero-day attacks when the action following the attack is known-bad. Most signatures are created by analyzing behavioral alarms.

In the same way that signatures are created by behavioral analysis, behavioral checks are created by anomaly analysis. When new activities (data hoarding, jail breaking) are detected in anomaly detection, behavioral and signature checks can be created.

Starting Over with IoT

The Internet of Things (IoT) resets the clock on intrusion detection. Anomaly data feeds behavioral data which feeds signatures. As toasters, refrigerators, cars and defibrillators get DHCP leases, the baseline of “normal” begins to bend and morph in new ways. While there is wisdom in our current knowledge of intrusion detection, much of what we know is based on human->endpoint->network models. IoT presents a new model of endpoints communicating directly with each other for diverse purposes.

The Path Ahead

Using Network Behavioral Anomaly Detection (NBAD) (see: History of NBAD) is critical to understanding the new communication models and their impact on legacy network traffic. The foundation of monitoring the Internet of Things is accepting that traditional concepts of normal are not sufficient. There is a need to analyze evolving traffic patterns in IoT to build a new set of signatures and behavioral checks to handle the risk posed by an ultra-connected world.

Charles Herring - Consulting Security Architect, Lancope

Charles started his career in InfoSec in 2002 as a network security analyst and network security officer within the US Navy. He has labored as a network security product tester for InfoWorld Magazine, led a technology consulting firm and currently serves as Consulting Security Architect for Lancope. Charles spends most of his time consulting with […]