Charles Herring: Intrusion Detection for Things
February 2nd, 2015
Intrusion Detection for Things
The concept of Intrusion Detection Systems (IDS) was introduced in 1987 by Dr. Dorothy Denning in a paper titled “An Intrusion-Detection Model.” The paper describes systems that “aim to detect a wide range of security violations ranging from attempted break-ins by outsiders to system penetrations and abuses by insiders.”
From the concepts laid out by Dr. Denning, the three-tiered detection model was created.
Signature detection focuses on known bad patterns in an object (file, packet, etc.) destined for an endpoint. Behavioral based detection focuses on known bad actions (deleting files, scanning the network, sending spam, etc.) that occur on an endpoint after it has processed a bad object (file, packet, etc.). Anomaly detection also focuses on the behavior of the endpoint, but instead of looking for known bad behaviors, it focuses on deviation from known good ones.
Relationship of Detection Approaches
Signature detection is great at catching known attack types. It can identify packets connected to a specific malware family or SQL injection attack. When given adequate data and specific signatures, this approach can be very accurate in detecting known exploits.
Behavioral detection is effective where the specific exploit is currently unknown (zero-day attack). Behavioral detection can catch zero-day attacks when the action following the attack is known-bad. Most signatures are created by analyzing behavioral alarms.
In the same way that signatures are created by behavioral analysis, behavioral checks are created by anomaly analysis. When new activities (data hoarding, jail breaking) are detected in anomaly detection, behavioral and signature checks can be created.
Starting Over with IoT
The Internet of Things (IoT) resets the clock on intrusion detection. Anomaly data feeds behavioral data which feeds signatures. As toasters, refrigerators, cars and defibrillators get DHCP leases, the baseline of “normal” begins to bend and morph in new ways. While there is wisdom in our current knowledge of intrusion detection, much of what we know is based on human->endpoint->network models. IoT presents a new model of endpoints communicating directly with each other for diverse purposes.
The Path Ahead
Using Network Behavioral Anomaly Detection (NBAD) (see: History of NBAD) is critical to understanding the new communication models and their impact on legacy network traffic. The foundation of monitoring the Internet of Things is accepting that traditional concepts of normal are not sufficient. There is a need to analyze evolving traffic patterns in IoT to build a new set of signatures and behavioral checks to handle the risk posed by an ultra-connected world.
Intrusion Detection for Things
The concept of Intrusion Detection Systems (IDS) was introduced in 1987 by Dr. Dorothy Denning in a paper titled “An Intrusion-Detection Model.” The paper describes systems that “aim to detect a wide range of security violations ranging from attempted break-ins by outsiders to system penetrations and abuses by insiders.”
From the concepts laid out by Dr. Denning, the three-tiered detection model was created.
Signature detection focuses on known bad patterns in an object (file, packet, etc.) destined for an endpoint. Behavioral based detection focuses on known bad actions (deleting files, scanning the network, sending spam, etc.) that occur on an endpoint after it has processed a bad object (file, packet, etc.). Anomaly detection also focuses on the behavior of the endpoint, but instead of looking for known bad behaviors, it focuses on deviation from known good ones.
Relationship of Detection Approaches
Signature detection is great at catching known attack types. It can identify packets connected to a specific malware family or SQL injection attack. When given adequate data and specific signatures, this approach can be very accurate in detecting known exploits.
Behavioral detection is effective where the specific exploit is currently unknown (zero-day attack). Behavioral detection can catch zero-day attacks when the action following the attack is known-bad. Most signatures are created by analyzing behavioral alarms.
In the same way that signatures are created by behavioral analysis, behavioral checks are created by anomaly analysis. When new activities (data hoarding, jail breaking) are detected in anomaly detection, behavioral and signature checks can be created.
Starting Over with IoT
The Internet of Things (IoT) resets the clock on intrusion detection. Anomaly data feeds behavioral data which feeds signatures. As toasters, refrigerators, cars and defibrillators get DHCP leases, the baseline of “normal” begins to bend and morph in new ways. While there is wisdom in our current knowledge of intrusion detection, much of what we know is based on human->endpoint->network models. IoT presents a new model of endpoints communicating directly with each other for diverse purposes.
The Path Ahead
Using Network Behavioral Anomaly Detection (NBAD) (see: History of NBAD) is critical to understanding the new communication models and their impact on legacy network traffic. The foundation of monitoring the Internet of Things is accepting that traditional concepts of normal are not sufficient. There is a need to analyze evolving traffic patterns in IoT to build a new set of signatures and behavioral checks to handle the risk posed by an ultra-connected world.