acm-header
Sign In

Communications of the ACM

Communications of the ACM

Intrusion Detection Systems and Multisensor Data Fusion


Next-generation cyberspace intrusion detection (ID) systems will require the fusion of data from myriad heterogeneous distributed network sensors to effectively create cyberspace situational awareness.

The vast majority of security professionals would agree that real-time ID systems are not technically advanced enough to detect sophisticated cyberattacks by trained professionals. For example, during the Langley cyberattack the ID systems failed to detect substantial volumes of email bombs that crashed critical email servers. Coordinated efforts from various international locations were observed as hackers worked to understand the rules-based filter used in counterinformation operations against massive email bomb attacks [1].

At the other end of the technical spectrum, false alarms from ID systems are problematic, persistent, and preponderant. Numerous systems administrators have been the subject of an ID system reporting normal work activities as hostile actions. These types of false alarms result in financial losses to organizations when technical resources are denied access to computer systems or security resources are misdirected to investigate nonintrusion events. In addition, when systems are prone to false alarms, user confidence is marginalized and misused systems are poorly maintained and underutilized.

ID systems that examine operating system audit trails, or network traffic [3, 8] and other similar detection systems, have not matured to a level where sophisticated attacks are reliably detected, verified, and assessed. Comprehensive and reliable systems are complex and the technological designs of these advanced systems are only beginning to emerge. There remains much work to be done by ID systems engineers in the design, integration, and deployment of efficient, robust, and reliable ID systems capable of reliably identifying and tracking hostile objects in cyberspace.


Recent industry studies forecast the consumer market for security assessment tools will grow from approximately $150 million per year in 1999 to over $600 million in 2002.


Recent industry studies forecast the consumer market for security assessment tools will grow from approximately $150 million per year in 1999 to over $600 million in 2002. In addition, the author recently participated in a Department of Energy workshop that brought together security experts to help the federal government prioritize a proposed $500 million expenditure for research and development in the area of malicious code, anomalous activity and intrusion detection in 2000. Clearly, there are significant technical challenges ahead and a rapidly growing cyberspace intrusion detection marketplace.

The underlying issues and challenges are not unique to ID systems. Network management is also an expensive infrastructure to operate and these systems often fail to provide network engineers tangible and useful situational information, typically overwhelming operators with system messages and other low-level data. Network management and ID systems must operate in a uniform and cooperative model, fusing data into information and knowledge, so network operators can make informed decisions about the health and real-time security of their corner of cyberspace.

Multisensor data fusion provides an important functional framework for building next-generation ID systems and cyberspace situational awareness. There exist significant opportunities and numerous technical challenges for the commercial application of data fusion theory into the art and science of cyberspace ID. This article provides a brief review of ID concepts and terms, an overview of the art and science of multisensor data-fusion technology, and introduces the ID systems data-mining environment as a complementary process to the ID system data-fusion model.

Back to Top

ID Systems Overview

Defensive information operations and computer ID systems are primarily designed to protect the availability, confidentiality, and integrity of critical information infrastructures. These operations protect information infrastructures against denial-of-service (DoS) attacks, unauthorized disclosure of information, and the modification or destruction of data. The automated detection and immediate reporting of these events are required to respond to information attacks against networks and computers. In a nutshell, the basic approaches to intrusion detection today may be summarized as known pattern templates, threatening behavior templates, traffic analysis, statistical-anomaly detection, and state-based detection.

Computer ID systems were introduced in the mid-1980s to complement conventional approaches to computer security. Technical writers on ID systems often cite Denning's 1987 seminal ID model [3] built on host-based subject profiles, systems objects, audit logs, anomaly records, and activity rules. The underlying ID model is a rules-based pattern matching system where audits are matched against subject profiles to detect computer misuse based on logins, program executions, and file access.

The subject-anomaly model was applied in the design of many host-based ID systems, such as Intrusion Detection Expert System (IDES) [4], Network Intrusion Detection Expert System (NDIX) [2], Wisdom & Sense (W&S), Haystack, Network Anomaly Detection, Intrusion Reporter (NADIR) [7]. There are other ID systems based on the Denning model and an excellent survey of these systems is in [8]. The basic detection algorithms used in these systems include weighted functions to detect deviations from normal usage; covariance matrix-based approaches for normal usage profiling; and rules-based expert systems approaches to detect security events.

The second leading technical approach to present-day intrusion detection is multihost network-based. Heberlein et al. extended the Denning model to traffic analysis on Ethernet-based networks with the Network Security Monitor (NSM) framework [6]. This was further extended with the Distributed Intrusion Detection System (DIDS), which combined host-based intrusion detection with network traffic monitoring [8, 9]. Current commercial ID systems such as Real Secure and Computer Misuse Detection System (CMDS) have distributed architectures using rules-based detection, statistical-anomaly detection, or both.

A significant challenge remains for ID systems designers to combine data and information from numerous heterogeneous distributed agents (and managers) into a coherent process that can be used to evaluate the security of cyberspace. Multisensor data-fusion technology is an important avenue on the road toward the development of highly reliable intrusion detection and security-decision systems that identify, track, and assess cyberspace situations with multiple complex threats. (See Figure 1.)

Back to Top

ID System Data Fusion

Multisensor data fusion, or distributed sensing, is a relatively new engineering discipline used to combine data from multiple and diverse sensors and sources in order to make inferences about events, activities, and situations. These systems are often compared to the human cognitive process where the brain fuses sensory information from the various sensory organs, evaluates situations, makes decisions, and directs action.

Data-fusion technology has been applied most prominently to military applications such as battlefield surveillance and tactical situation assessment. Data fusion has also emerged in commercial applications such as robotics, manufacturing, medical diagnosis, and remote sensing [5].

The application of data fusion in technical systems requires mathematical and heuristic techniques from fields such as statistics, AI, operations research, digital signal processing, pattern recognition, cognitive psychology, information theory, and decision theory [5]. The functional application of multisensor data fusion to the art of intrusion detection is grounded in mathematical theory beyond the scope of this article. (See [5, 10, 12] for more detail.)

Input into a data fusion cyberspace ID system consists of sensor data, commands and a priori data from established databases. For example, the system input would be data from numerous distributed packet sniffers, system log files, SNMP traps and queries, user profile databases, system messages, and operator commands. The output of data fusion cyberspace ID systems would be estimates of the identity (and possibly the location) of an intruder, the intruder's activity, the observed threats, the attack rates, and an assessment of the severity of the cyberattack.

In a typical military command and control (C2) system, data fusion sensors are used to observe electromagnetic radiation, acoustic and thermal energy, nuclear particles, infrared radiation, noise and other signals. In cyberspace ID systems the sensors are different because the environmental dimension is different. Instead of a missile launch and supersonic transport through the atmosphere, cyberspace sensors observe information flowing in networks. However, just as C2 commanders are interested in the origin, velocity, threat, and targets of a warhead, network security personnel are interested in the identity, rate of attack, threat, and target of malicious intruders and criminals.

Waltz [12] described the generic sensor characteristics of a multisensor fusion system. These generic characteristics can be applied to next-generation cyberspace ID systems. We introduce these characteristics based on the Waltz model:

Detection performance is the detection characteristics, such as false alarm rate, detection probabilities and ranges, for an intrusion characteristic against a given "noisy" background.

Spatial/temporal resolution is the ability to distinguish between two or more cyberintrusions in space or time.

Spatial coverage is the span of the coverage or field of view for the sensor, (such as the spatial coverage of a network sniffer might be the LAN segment it is monitoring.)

Detection/tracking modes is the mode of operation of the sensor, such as staring or scanning; single or multiple cybertarget tracking, or capable of multimode operation.

Target revisit rate is the rate at which a cybertarget or intrusion is revisited by the sensor to perform measurements.

Measurement accuracy is the statistical probability that the cyberspace measurement or observation is accurate.

Measurement dimensionality is the number or measurement variables between cybertarget categories.

Hard vs. soft data reporting is the status of the sensor reports, such as can a decision be made without correlation, or does the sensor require confirmation.

Detection/tracking reporting is the characteristic of the sensor to report individual cyberevents or does the sensor maintain a time-sequence of the events.

Real-time human decision-making processes are supported by information derived from the fusion process. At the lowest level of inference, a data fusion cyber ID system would indicate the presence of an intruder or an attack. At the highest level the inference could be an analysis of the threat and the vulnerability. Figure 2 illustrates the hierarchy of ID data fusion inferences for a cyberthreat.

Decision-support systems for situational awareness are tightly coupled with data fusion systems. The basic decision system—observe-orient-decide-act (OODA)— is the classic decision-support mechanism used in military information operations. OODA provides a cognitive mapping of the lowest level of cyber-inference to knowledge-based personnel actions. This cyberfusion process requires the utilization of techniques ranging from processing algorithms and statistical estimations, to heuristic methods such as template correlation, or expert systems to assess situations and threats in cyberspace.

The ID systems observe functions include the technical and human collection of data, comprising ID sensors, network sniffers, and computer system log files. The orient function includes data mining concepts to discover or learn previous unknown characteristics in the recorded data and computer files. The orient function also encompasses the application of templates for intrusion detection and association in data fusion processes.

In the decision function, cyberinformation is further refined into threat knowledge used in the determination of an appropriate action or countermeasures. Act functions include both automated and human responses. Simple responses to cyberattacks may be automated, however, more complex decisions will always require human intervention.

The OODA decision-support process may be mapped into the three levels of abstractions. Data is the measurements and observations. Information is the data placed in context, indexed, and organized. Knowledge or intelligence is information explained and understood. These abstractions make up the ID data-fusion model, illustrated in Figure 3, introduced by Waltz [11] for physical targets.

Cyberspace situational data is collected from sniffers and other ID sensors with primitive observation identifiers, times of observation, and descriptions. This raw data will require calibration or filtering and is commonly referred to as Level 0 Refinement in fusion models. All of these measurements must be aligned to a common frame of reference. This alignment is referred to as Level 1 Object Refinement where data is correlated in time (and space if required) and assigned weighted metrics based on the relative importance. Observations may be associated and paired in this step of the process and classified according to ID primitives.

After objects have been aligned, correlated, and placed in context in an information base, aggregated sets of objects are then detected by their coordinated behavior, dependencies, common points of origin, common protocols, common targets, correlated attack rates, or other high-level attribute. This step, called Situation Refinement, provides situational knowledge and awareness.

Situation knowledge of cyberspace is used to analyze objects and aggregated groups against existing ID templates to provide an assessment of the current situation and suggest or identify future threatening attacks or cyberspace activity. Correlation between the Level 3 Threat Assessment and the security policy and objectives determine the implications of the current situation base. The entire process is refined via Level 4 Resource Management based on the current situational awareness (and additional data as required) to further refine detection. For example, certain objects and subjects of interest may receive a higher processing priority, forming an ID-data fusion feedback loop.

This ID model is a deductive process used to detect previously known patterns in many sources of data by searching for specific intrusion signatures and templates in data streams to understand the state of the network security. As networks continue to evolve in complexity, the number of objects, situations, threats, sensors and data streams dramatically increase, presenting a very complex challenge for advanced ID systems designers.

Back to Top

ID Systems Data Mining

ID cyberspace data mining is an offline knowledge creation process where large sets of previously collected data are filtered, transformed, and organized into information sets. This information is used to discover hidden, but previously undetected situational patterns.

Data mining is often called "knowledge discovery" and is distinguished from the data fusion process by two important characteristics: inference method and temporal perspective [11]. Data fusion uses known ID templates and pattern recognition. Data mining processes search for hidden patterns based on previously undetected intrusions to help develop new detection templates. In addition, data fusion focuses on the current state of the network based on past data; data mining focuses on new or hidden patterns in old data to create previously unknown knowledge, illustrated in Figure 4.

Raw data from relevant network management and ID systems is collected and indexed in the data warehouse. A major technical issue is how to reconcile the raw data from many different formats and inconsistent data definitions. This process is a part of the data cleansing operation. Data cleaning performs checks to ensure that collected data is in correct ranges and limits, evaluates the overall consistency of the data, and ensures all indexed and referenced data and hierarchical relationships exist.

The initial data sets used in a data mining operation are selected in the data selection and transformation process. Data mining is normally performed on a small set and then extended to larger sets as patterns emerge and are validated. The data mining operation is performed on the selected data sets in either manual or automated modes. Waltz summarizes these operations in [12] for the physical realm:

Clustering is when data is segmented into subsets that share common properties.

Association is the analysis of both cause-and-effect and structure of relationships between data sets.

Statistical analysis is performed to determine the likelihood of characteristics and associations in selected data sets.


As networks continue to grow and the expanding realms of cyberspace evolve, the marketplace will drive ID systems toward next-generation capabilities.


Rule abduction is the development of IF-THEN-ELSE rules that describe associations, structures, and the test rules.

Link or tree abduction is performed to discover relationships between data sets and interesting connecting pattern properties.

Deviation analysis locates and analyzes deviations from normal statistical behavior.

Neural abduction is the process of training artificial neural networks to match data, extract node weights, and structure (similar to abducted rule sets).

As cybersensor information is mined into new ID knowledge, refined models are developed that seek to predict future events based on historical data. This process is known as "discovery modeling." In addition, analysts require visualization tools to support the very well developed human process of pattern recognition. The entire data mining process is refined by adjusting parameters, sets, and associations in lower-level processes.

Both the data mining and fusion process are in the very early stages of technical development. However, as networks continue to grow and the expanding realms of cyberspace evolve, the marketplace will drive ID systems toward next-generation capabilities. Integrated reasoning and decision-support tools are emerging requirements for robust and reliable intrusion detection in complex internetworks.

Back to Top

Challenges in IS Systems Fusion

This discussion illustrates the complexity of designing reliable ID systems. These systems are required to fuse data and information from heterogeneous distributed cybersensors, where cybersensors are broadly defined as all hardware–software devices collecting cyberspace situational information (for example, processor and network events that may be evidence of intrusion). One of the first challenges is to extend the groundwork introduced by Denning in [3] to develop a structured metalanguage for generic ID–network management objects. A standard metalanguage is required for Level 0 and Level 1 Object Refinement, data storage, cleansing, and primitive correlation.

Data refinement is simplified when a common metalanguage for both intrusion detection and network management exist. The temporal calibration of numerous streams of raw data from heterogeneous sources are also required. Internetworking protocols are evolving and may be used to synchronize objects and events in a distributed Internet environment. However, the security of TCP/IP information flows remain a critical issue.

Correlation in physical space compares observations to a physical coordinate system (for example, the Euclidean distance between two measurements) to determine if there is a common source. Correlation in cyberspace requires the comparison of observations based on a different set of parameters such as source (IP address), network path, session flow, or behavior.

The automated identification and tracking of dynamic intrusion subjects (suspected intrusion events) in cyberspace are also formidable technical challenges. Imagine intruders executing TCP-based attacks from numerous geographically dispersed networks, or initiating attacks with one network connection and continues with another, sequentially changing IP addresses. Tracking and assessing the threat of these classifications of cyberattacks require new technical solutions. These topics have not been adequately addressed, however, the threats to critical infrastructures are emerging.

Hall [5] discusses mathematical techniques for multisensor data fusion. The application of these techniques to cyberspace ID systems is also quite complex. At the lowest level of inferences is the process of data association. These are example fusion concepts related to data association that are also requirements for cyberspace ID systems:

Gating. Methods used to eliminate unlikely associations to reduce the number of associated pairs of network events to evaluate.

Association. The selection of metrics used to quantify the closeness or similarity between observed events.

Assignment. Selection of the events to declare to be associated with the intrusion hypothesis, and hypothesis processing.

Parametric data is used to estimate basic parametrics of network events. Estimation theory is required to infer intrusion attack rates, attack targets, origins and other cyberspace situational parametrics. The estimation and detection process is highly mathematical and processor intensive, drawing from subdisciplines such as optimization, least squares estimation, and sequential estimation. Also required for cyber ID systems are complex error analysis algorithms and stochastic models for noise and false alarm estimation [5].

The identity declaration and pattern recognition phase of the fusion model is a difficult technical problem because the level of inference is very high. This is often done by extracting features that are abstractions of raw data. The basic parametric for pattern recognition is templating. Elementary forms of templating are used in current state-of-the-art ID systems. Future systems tracking coordinated multifaceted cyberspace attacks require cluster analysis techniques, adaptive neural networks, and rules-based knowledge systems.

Classical Inference, Bayesian Inference, Dempster-Shafer Method, Generalized EPT, and Heuristic Methods are a few of the mathematical methods that are required in the decision-level identity fusion process. (For more information, see [5, 10]). The application of these technologies to intrusion detection and network monitoring is required to realize the cyberspace situational awareness required for advanced ID systems.

Knowledge fusion—the highest level of inferences—is also a very complex and challenging area. Imagine future ID systems that identify and track multiple hostile information flows for targets, attack rate, and severity in cyberspace. Determining the origin of highly sophisticated attacks in cyberspace will continue to grow in complexity as attackers become more cyberspace astute. The time allowed for network operators to trace (multiple) attack origins is a function of the attack rate and the potential damage (situation assessment). These are just a few of the exciting requirements of cyberspace ID systems. Dreaming, brainstorming, developing, and articulating the engineering requirements for these next-generation systems is the first step.

Back to Top

Conclusion

The current state-of-the-art of ID systems is relatively primitive with respect to the recent explosion in computer communications, cyberspace, and electronic commerce. Organizations fully realize that cyberspace is a complex realm of vital information flows with both enabling and inhibiting technical factors. Identifying, tracking, classifying, and assessing hostile and inhibiting activities in this ever-growing complex dimension is an enormous and fascinating technical challenge.

Multisensor data fusion is a multifaceted engineering approach requiring the integration of numerous diverse disciplines such as statistics, artificial intelligence, signal processing, pattern recognition, cognitive theory, detection theory, and decision theory. The art and science of data fusion is directly applicable in cyberspace for intrusion and attack detection.

Dynamic cyber-data-mining operations are required to develop new ID models based on historical data in data warehouses. Hence, a significant research and development effort is required to bring next-generation ID systems into the commercial marketplace. I hope this article, in some small way, stimulates the neurons of engineers and scientists interested in Internet security and, in particular, the research and development of advanced ID systems and cyberspace situational awareness.

Back to Top

References

1. Bass, T., Freyre, A., Gruber, D. and Watt, G. E-Mail bombs and countermeasures: Cyber attacks on availability and brand integrity. IEEE Netw. 12, 2 (Mar./Apr. 1998), 10–17.

2. Bauer, D. and Koblentz, M. NDIX—An expert system for real-time network intrusion detection. In Proceedings of the IEEE Computer Networking Symposium (April 1988); 98–106.

3. Denning, D. An intrusion-detection model. IEEE Trans. Softw. Eng. SE–13, 2. (Feb. 1987), 222–232.

4. Denning, D. et al. A Prototype IDES: A real-time intrusion detection expert system. Computer Science Laboratory, SRI International (Aug. 1987).

5. Hall, D. Mathematical Techniques in Multisensor Data Fusion. 1992. Artech House, Boston, MA.

6. Heberlein, L. et al. A network security monitor. In Proceedings of the IEEE CS Symposium on Research in Security and Privacy. (May 1990). IEEE, New York, N.Y.; 296–303.

7. Hochberg, et al. NADIR: An automated system for detecting network intrusion and misuse. Computers & Security. 1993. Elsevier Science, New York, 235–248.

8. Mukherjee, D., Heberlein, L., and Levitt, K. Network intrusion detection. IEEE Netw. 8, 3 (May/June 1994), 26–41.

9. Snapp. S. et al. A system for distributed intrusion detection. In Proceedings of IEEE COMPCON. (Mar. 1991). IEEE, New York, NY., 170–176.

10. Varshney, P. Distributed Detection and Data Fusion. 1995. Springer-Verlag, New York, NY.

11. Waltz, E. Information Warfare Principles and Operations. 1998. Artech House, Boston, MA.

12. Waltz, E. and Llinas, J. Multisensor Data Fusion. 1990. Artech House, Boston, MA.

Back to Top

Author

Tim Bass ([email protected]) provides network-centric subject matter expertise to the U.S. Air Force Communications and Information Center; www.silkroad.com.

Back to Top

Figures

F1Figure 1. Multiple complex threats.

F2Figure 2. Hierarchy of IDS data-fusion inferences.

F3Figure 3. Intrusion detection data fusion.

F4Figure 4. Intrusion detection data mining.

Back to top


©2000 ACM  0002-0782/00/0400  $5.00

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

The Digital Library is published by the Association for Computing Machinery. Copyright © 2000 ACM, Inc.


 

No entries found