Question
Network Attack Detection Techniques:
Attack detection techniques are broadly classified into signature-based and anomaly-based
detection techniques. Both are also vulnerable to Type I (?) and Type II (?) errors. A good detection algorithm is expected to detect an attack with a minimum number of samples (run length) while minimizing Type I and Type II errors.
(a) Give an example how one can detect an attack based on its signature.
i. Does it involve Type I and Type II errors? How?
(b) Give an example how one can detect an attack based on its behavior (anomaly).
i. What is needed to minimize Type I and Type II errors? How?
Explanation / Answer
a)
Consider the signature-based attack detection technique. A signature-based detection system performs pattern matching and reports when a situation matches the pattern of an attack type.
Consider the following example of detecting an attack using the signature-based technique.
A signature for a known attack type can describe a series of TCP SYN packets sent to many different ports in succession; when they are close together in time, a port scan situation arises. A signature detector will not find anything unusual in the first SYN sent to, say, port 20 and then to port 30. When more and more ports that are not open start to receive SYN packets, this pattern reflects a possible port scan. In the same way, a protocol stack will fail if it receives an ICMP packet whose data length is 65535 bytes; hence this type of packet is a pattern that must be watched for. In this case the Type I and Type II errors arise when deciding whether to accept the packets received at the ports.
Ideally, signatures must match all instances of an attack, including subtle variations of the attack.
b)
As signatures are limited to a set of specific, known patterns, the anomaly-based detection technique is used. In this technique, instead of looking for matches, behaviour that is out of the ordinary is detected.
Consider the example explained in the previous sub-part. The attacker can modify the basic attack so that it no longer matches the known signature of that particular attack; that is, lower- and upper-case letters can be changed, blank spaces converted, and so on. Moreover, a new attack for which no pattern or signature is defined cannot be identified at all.
Hence, behavioural or anomaly-based detection is used, in which the behaviour is traced and, whenever a new kind of behaviour that differs from the ordinary is detected, the scenario is considered an attack.
Another example: say an individual starts the day by reading e-mails, writing documents and saving documents. The person may not use many of the administration-related utilities. If that person uses the sensitive administration-related utilities, it can be considered an attack.
The process of hypothesis testing must be used to keep track of the Type I and Type II errors; the values of both must be controlled using this hypothesis test.
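The two signatures from part (a) (SYNs to many distinct ports in close succession, and an ICMP datagram of 65535 bytes) together with the Type I / Type II accounting from part (b), as an added, runnable example that is not part of the original answer. The traffic sample, thresholds, ground-truth labels and helper names (syns, signature_alerts, error_rates) are constructed assumptions; the example also shows how a longer run length (a wider window) reduces misses on a slow scan while the false alarm on a look-alike legitimate host remains.

```python
from collections import defaultdict

def syns(src, ports, start, gap):
    """Build constructed TCP SYN records: (time_s, src, dst_port, proto, flags, length)."""
    return [(start + i * gap, src, p, "tcp", "S", 60) for i, p in enumerate(ports)]

# Constructed traffic sample (not real captures).
PACKETS = sorted(
    syns("10.0.0.5", [20, 30, 21, 22, 23], 0.0, 0.1)         # fast scan: 5 ports in 0.4 s
    + syns("10.0.0.3", [22, 80, 443, 8080, 8443], 1.0, 0.1)  # legitimate monitoring host, same shape
    + syns("10.0.0.8", [20, 21, 22, 23, 25], 10.0, 3.0)      # slow scan: one SYN every 3 s
    + [(6.0, "10.0.0.7", 0, "icmp", "", 65535)]              # oversized ICMP datagram
)
SOURCES = sorted({p[1] for p in PACKETS})
# Labelled ground truth for the sample: which (kind, src) pairs really are attacks.
TRUTH = {("port_scan", "10.0.0.5"), ("port_scan", "10.0.0.8"), ("oversized_icmp", "10.0.0.7")}

def signature_alerts(packets, window_s=2.0, port_threshold=5, icmp_max_len=65535):
    """Two signatures: SYNs to >= port_threshold distinct ports from one source
    inside a sliding window of window_s seconds, and ICMP of icmp_max_len bytes or more."""
    alerts, seen_scan = [], set()
    syn_history = defaultdict(list)            # src -> [(time, port), ...] within the window
    for t, src, port, proto, flags, length in packets:
        if proto == "icmp" and length >= icmp_max_len:
            alerts.append(("oversized_icmp", src))
        elif proto == "tcp" and "S" in flags:
            hist = [(ht, hp) for ht, hp in syn_history[src] if t - ht <= window_s]
            hist.append((t, port))
            syn_history[src] = hist
            if len({hp for _, hp in hist}) >= port_threshold and src not in seen_scan:
                seen_scan.add(src)
                alerts.append(("port_scan", src))
    return alerts

def error_rates(alerts, truth, sources, kinds=("port_scan", "oversized_icmp")):
    """Type I rate = false alarms / all benign pairs; Type II rate = misses / all attack pairs."""
    alerts, truth = set(alerts), set(truth)
    all_pairs = {(k, s) for s in sources for k in kinds}
    tp, fp = len(alerts & truth), len(alerts - truth)
    fn, tn = len(truth - alerts), len(all_pairs - alerts - truth)
    type1 = fp / (fp + tn) if fp + tn else 0.0
    type2 = fn / (fn + tp) if fn + tp else 0.0
    return type1, type2

if __name__ == "__main__":
    for window in (2.0, 13.0):   # longer run length: the slow scan is caught, false alarm unchanged
        print(window, error_rates(signature_alerts(PACKETS, window_s=window), TRUTH, SOURCES))
```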