Integral Misuse and Anomaly Detection and Prevention System
Author(s) -
K. Yoseba,
Igor Ruiz-Agúndez,
G. Pablo
Publication year - 2011
Publication title -
intech ebooks
Language(s) - English
Resource type - Book series
DOI - 10.5772/15439
Subject(s) - anomaly detection, anomaly (physics), computer security, computer science, physics, data mining, condensed matter physics
Nowadays hardly anyone will dare to deny the serious security problems that computer networks must cope with. Old-fashioned techniques for isolating the network and providing secure access control are simply powerless to stop the flood of attacks, since the production of code with harmful intentions grows not only in number but in quality as well. Network Intrusion Detection Systems (NIDS) were developed with this scenario in mind. Historically, the first efficient methodology was misuse detection, which consists of recognising malicious behaviours based upon a knowledge base. This technique succeeds in discovering threats already registered in its database but fails to detect new, unknown menaces. Anomaly detection was specifically designed to address this shortcoming. These techniques model the legitimate usage of the system in order to afterwards notice, evaluate and, if applicable, avoid deviations from that normal profile. Still, their efficiency decreases dramatically when handling well-known attacks, especially when compared to misuse detection systems. As the reader may note, each fails when applied to the other's natural domain. In more detail, misuse detection is currently the most widespread approach for intrusion prevention, mainly due to its efficiency and easy administration. Its philosophy is quite simple: based on a rule base that models a large number of network attacks, the system compares incoming traffic with the registered patterns to identify any of these attacks. Hence, it does not produce any false positives (since it only ever finds exactly what is registered), but it cannot detect any new threat. Further, any slightly modified attack will pass unnoticed. And, finally, the knowledge base itself poses one of the biggest problems for misuse detection: as it grows, the time needed to search it increases as well and, after some time, it may become too slow for real-time use.
Anomaly detection systems, on the contrary, start not from malicious but from legitimate behaviour in order to model what is allowed. Any deviation from this conduct will be seen as a potential menace. Unfortunately, this methodology is a double-edged sword since, though it allows the discovery of new, unknown risks, it also produces false positives (i.e. packets or situations marked as attacks when they are not). Moreover, anomaly detection presents a constant throughput, since its knowledge base does not grow uncontrollably but adapts to new situations or behaviours. Again, this advantage is also a source of problems, because it is theoretically possible to exploit this continuous learning to modify the knowledge little by little until the system ends up seeing attacks as legitimate traffic (in NIDS jargon, this phenomenon is known as session creeping). That is, its knowledge tends to be unstable. Finally, anomaly detection, unlike misuse detection, demands high maintenance effort (and cost). In sum,
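The trade-offs the abstract describes can be seen side by side in a small simulation. The following is an added illustration, not code from the chapter or its authors: a signature-based misuse detector and a profile-based anomaly detector are run over a handful of constructed events, and a second routine shows session creeping, where an adaptive profile that learns from every accepted packet is nudged, step by step, until a rate it originally flagged passes unnoticed. The signature string, the baseline rates, the events and the drift schedule are all constructed for this example.

```python
"""Toy misuse vs. anomaly NIDS comparison (added illustration, constructed data)."""
import re
from statistics import mean, pstdev

# --- Misuse detection: a rule base of known-bad patterns (hypothetical signature) ---
SIGNATURES = [r"EVILTOOL/1\.0"]


class MisuseDetector:
    """Alerts only when the payload matches a registered pattern."""

    def __init__(self, signatures):
        self.rules = [re.compile(s) for s in signatures]

    def inspect(self, payload, rate):
        # The request rate is ignored: misuse detection looks only for known content.
        return any(rule.search(payload) for rule in self.rules)


class AnomalyDetector:
    """Profiles the legitimate request rate as mean +/- k standard deviations.

    With adaptive=True the profile keeps learning from every packet it accepts as
    normal; that continuous learning is what makes session creeping possible.
    """

    def __init__(self, k=3.0, adaptive=False, alpha=0.2):
        self.k, self.adaptive, self.alpha = k, adaptive, alpha
        self.mu = self.sigma = None

    def train(self, normal_rates):
        self.mu = mean(normal_rates)
        self.sigma = pstdev(normal_rates)

    def inspect(self, payload, rate):
        # The payload is ignored: only the deviation from the learned profile matters.
        anomalous = abs(rate - self.mu) > self.k * self.sigma
        if self.adaptive and not anomalous:
            # Accepted traffic moves the baseline (EWMA on the mean; sigma is kept
            # fixed to keep the illustration short).
            self.mu = (1 - self.alpha) * self.mu + self.alpha * rate
        return anomalous


# Constructed baseline of legitimate traffic (requests per second) and test events.
NORMAL_RATES = [10, 12, 11, 9, 10, 11, 10, 12, 9, 11]
EVENTS = [
    # (payload, rate, ground truth)
    ("GET /index.html UA=EVILTOOL/1.0", 10, "attack"),  # registered tool, normal rate
    ("GET /index.html UA=EvilTool/1.1", 10, "attack"),  # slightly modified variant
    ("GET /login", 40, "attack"),                       # novel flood, no signature
    ("GET /news", 15, "benign"),                        # legitimate flash crowd
    ("GET /about", 11, "benign"),                       # ordinary traffic
]


def evaluate(detector):
    """Return (true positives, false negatives, false positives) over EVENTS."""
    tp = fn = fp = 0
    for payload, rate, truth in EVENTS:
        alert = detector.inspect(payload, rate)
        if truth == "attack":
            tp += alert
            fn += not alert
        else:
            fp += alert
    return tp, fn, fp


def compare():
    """Misuse: catches the known pattern, no false positives, misses the rest.
    Anomaly: catches the novel flood but raises a false positive on the flash crowd."""
    misuse = MisuseDetector(SIGNATURES)
    anomaly = AnomalyDetector()
    anomaly.train(NORMAL_RATES)
    return {"misuse": evaluate(misuse), "anomaly": evaluate(anomaly)}


def session_creep(steps=20):
    """Return whether a rate of 22 req/s is flagged before and after the baseline drifts."""
    det = AnomalyDetector(adaptive=True)
    det.train(NORMAL_RATES)
    before = det.inspect("GET /", 22)  # far outside the original profile: flagged
    for _ in range(steps):
        # Each step stays just inside the threshold, so it is accepted and learned.
        det.inspect("GET /", det.mu + 2.5)
    after = det.inspect("GET /", 22)  # now inside the drifted profile: unnoticed
    return before, after


if __name__ == "__main__":
    print(compare())
    print(session_creep())
```

The defensive lesson is in `session_creep`: a profile that retrains on everything it accepts has no stable reference, which is why production anomaly engines pin the baseline to vetted training windows, rate-limit how fast the profile may move, and alarm on sustained drift rather than only on single outliers.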