IDS Unit 3
Uploaded by Nazia Tabassum

Intrusion Detection System(IDS)

IDS- UNIT 3
Different Components of IDS.
Intrusion is defined as a malicious, externally or internally attempted act of using a
computer system or its resources without the requisite privileges. It can cause loss of
availability, integrity and confidentiality of networked computer systems. Intrusion
detection is defined as the process of monitoring the events occurring in a computer
system and analyzing them for signs of intrusions, that is, attempts to compromise the
confidentiality, integrity or availability of networked computer systems or to bypass
their security mechanisms. It identifies unauthorized use and misuse of computer systems
by both system insiders and external intruders. An IDS detects intrusions by analyzing
information about user activity from sources such as audit records, log files, system
tables, and network traffic summaries.
From a system architecture perspective, an IDS has several components: the audit data
processor, knowledge base, decision engine, and alarm generation and response. The figure
shows the generic architecture of an intrusion detection system.

[Figure: Components of Intrusion Detection System. Labels: system activities are
observable; Audit Records; Audit Data Pre-processor; Activity Data; Detection Models;
Detection Engine (normal and intrusive activities have distinct evidence); Alarms;
Decision Table; Decision Engine; Action/Report.]

Nazia Tabassum, Assistant Professor, IT Dept, MGIT Page 1

• Data Preprocessor- responsible for collecting and providing the data that will be used
by the next component to make decisions. The collected packet- or flow-level data is
preprocessed before being sent to the detection engine.
• Detection Engine- the intrusion detector is the core component, which analyzes the
audit patterns to detect attacks. Its detection model may use data mining, pattern
matching, soft computing, machine learning or various statistical techniques as the
intrusion detector.
• Decision Table- used to describe normal and abnormal user behavior. It is the
database of the audit information, attacks, and events that may occur on the system.
• Decision Engine- controls the reaction mechanism and determines how to respond based
on the policies stored in the decision table. The system may raise an alarm and report
to the administrator based on the rules or policy in the decision table.
• IDS Model- the IDS model is based on the hypothesis that security violations can be
detected by monitoring a system's audit records for abnormal patterns of system usage.
It is an independent system which has profiles representing benign and anomalous
behavior, together with rules for acquiring knowledge about normal behavior from audit
records and for detecting anomalous behavior.

Different Intrusion Detection Approaches


There are several approaches to the implementation of an IDS. Based on its deployment,
an IDS can act either as a host-based or as a network-based IDS.
A host-based IDS monitors and analyzes the internals of a computing system, whereas a
network-based IDS analyzes network traffic at all layers of the TCP/IP suite and detects
intrusions in network traffic flows in both directions.


From the perspective of the detection approach applied, IDSs are also categorized into
anomaly-based and signature-based systems.
The signature-based detection approach is an IDS technique in which detection of an
intrusion is based on the signatures of known attacks stored in a database. In this misuse
detection approach, the IDS identifies suspicious data by comparing new instances with the
stored signatures or patterns of attacks in the database. It is an efficient IDS technique
with a comparatively low false alarm rate, but it cannot detect emerging or new attack
types.
The anomaly-based detection approach treats deviations of the system's behavior from
normal activity as anomalies. A baseline of normal network data is defined, so that the
IDS has knowledge of normal behavior, and it then monitors new instances. The new
instances are compared with the baseline; if there is any deviation from the baseline, the
data is reported as an intrusion. Its main advantage is that it can detect new attack
types, but it generates high false alarm rates. The anomaly detection approach can work in
four basic modes:
Supervised approach- this technique needs a training dataset which has labeled instances
for both the normal and the anomaly classes. It can detect known attacks only, which is
the foremost drawback of this approach.
Semi-supervised approach- this approach operates in a semi-supervised mode, assuming
that the training dataset has labeled instances for only the normal class.
Unsupervised learning- in unsupervised learning the machine is presented with totally
unlabeled data and is asked to discover the intrinsic patterns that underlie the data,
such as a clustering structure, a low-dimensional manifold, or a sparse tree or graph. In
this method, clustering and dimension reduction techniques can be applied depending on
the type of problem.
Hybrid approach- a hybrid intrusion detection method combines supervised and
unsupervised network intrusion detection methods. Supervised methods have the advantage
of detecting known attacks with high accuracy and low false alarms; an unsupervised
method, on the other hand, has the ability to detect novel attacks. Thus, a hybrid
intrusion detection method is capable of detecting both known and unknown attacks with
high accuracy. The figure shows the classification of intrusion detection approaches.
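
As an added illustration of the signature/anomaly trade-off described above (not part of the original notes), the following Python builds a baseline from normal-only training data (the semi-supervised mode), scores new observations by their deviation from it, and runs a signature check over the same observations. The training counts, the observations, the signature and the k = 3 threshold are all constructed values.

```python
"""Signature-based vs. anomaly-based detection over one constructed event stream.
Added illustration, not from the original notes: training data, observations,
the signature and the k = 3 threshold are all constructed."""
import math

# Constructed "normal only" training data (the semi-supervised mode in the notes):
# connections per user in eight one-hour windows that an analyst labelled normal.
TRAINING_NORMAL = {
    "alice": [12, 15, 11, 14, 13, 12, 16, 14],
    "bob": [40, 38, 45, 42, 39, 41, 44, 40],
}

# Constructed signature database: a byte pattern that identifies one known attack tool.
SIGNATURES = {"known_attack_marker": b"constructed-bad-tool/1.0"}

# Constructed new observations: a normal hour, a known attack hidden inside a normal
# volume, a novel flood with no signature, and a legitimate month-end burst.
OBSERVATIONS = [
    {"user": "alice", "connections": 13, "payload": b"GET /index.html"},
    {"user": "alice", "connections": 14, "payload": b"User-Agent: constructed-bad-tool/1.0"},
    {"user": "bob", "connections": 410, "payload": b"GET /login"},
    {"user": "bob", "connections": 70, "payload": b"GET /report"},
]


def build_baseline(training):
    """Per-user mean and standard deviation of the labelled-normal activity."""
    baseline = {}
    for user, counts in training.items():
        mean = sum(counts) / len(counts)
        var = sum((c - mean) ** 2 for c in counts) / len(counts)
        baseline[user] = (mean, math.sqrt(var))
    return baseline


def signature_detect(obs, signatures=SIGNATURES):
    """Misuse detection: exact match against stored patterns. Returns the name or None."""
    for name, pattern in signatures.items():
        if pattern in obs["payload"]:
            return name
    return None


def anomaly_detect(obs, baseline, k=3.0):
    """Anomaly detection: flag an observation more than k standard deviations away
    from the user's baseline. Returns (is_anomaly, z_score)."""
    mean, std = baseline[obs["user"]]
    z = (obs["connections"] - mean) / std if std else float("inf")
    return abs(z) > k, round(z, 2)


def classify(observations=OBSERVATIONS, training=TRAINING_NORMAL):
    """Run both detectors on every observation and return the verdicts side by side."""
    baseline = build_baseline(training)
    results = []
    for obs in observations:
        anomalous, z = anomaly_detect(obs, baseline)
        results.append({"user": obs["user"], "connections": obs["connections"],
                        "signature": signature_detect(obs), "anomaly": anomalous, "z": z})
    return results


if __name__ == "__main__":
    for r in classify():
        print(r)
```

The second observation is caught only by the signature (its volume is normal), the third only by the baseline (no signature exists for it), and the fourth is the anomaly detector's false alarm on legitimate activity.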


A Generic IDS Model


An intrusion-detection system dynamically monitors the actions taken in a given
environment and decides whether these actions are symptomatic of an attack or
constitute a legitimate use of the environment. At a very macroscopic level, an
intrusion-detection system can be described as a detector that processes information
coming from the system that is to be protected. This detector uses three kinds of
information: long-term information related to the technique used to detect intrusions
(a knowledge base of attacks, for example), configuration information about the current
state of the system, and audit information describing the events that occur on the
system. The role of the detector is to eliminate unnecessary information from the audit
trail and present a synthetic view of the security-related actions taken by users. A
decision is then made to evaluate the probability that these actions can be considered
symptoms of an intrusion.
The term audit denotes information provided by a system concerning its inner workings
and behavior. Examples of audits include, but are not limited to, the C2 audit trail,
accounting, and syslog in the UNIX world, Syslog in the MVS world, the event log in
Windows NT, and incident tickets in X25 networks.


Efficiency of intrusion-detection systems:


The following three measures have been highlighted for evaluating the efficiency of an
intrusion-detection system:
Accuracy: Inaccuracy occurs when an intrusion-detection system flags as anomalous or
intrusive a legitimate action in the environment.
Performance: The performance of an intrusion-detection system is the rate at which audit
events are processed. If the performance of the intrusion-detection system is poor, then
real-time detection is not possible.
Completeness: Incompleteness occurs when the intrusion-detection system fails to detect an
attack. This measure is much more difficult to evaluate than the others, because it is
impossible to have global knowledge about attacks or abuses of privileges.
In addition, two further properties are introduced:
Fault tolerance: An intrusion-detection system should itself be resistant to attacks,
particularly denial of service, and should be designed with this goal in mind. This is
particularly important because most intrusion-detection systems run on top of commercially
available operating systems or hardware, which are known to be vulnerable to attacks.
Timeliness: An intrusion-detection system has to perform and propagate its analysis as
quickly as possible to enable the security officer to react before much damage has been
done, and also to prevent the attacker from subverting the audit source or the
intrusion-detection system itself. This implies more than the measure of performance,
because it encompasses not only the intrinsic processing speed of the intrusion-detection
system but also the time required to propagate the information and react to it.
The taxonomy/ Characteristics of an IDS:
There are a number of concepts we use to classify intrusion-detection systems.
The detection method describes the characteristics of the analyzer. When the intrusion-
detection system uses information about the normal behavior of the system it monitors,
we qualify it as behavior-based. When the intrusion-detection system uses information
about the attacks, we qualify it as knowledge-based. Behavior on detection describes the
response of the intrusion-detection system to attacks. When it actively reacts to the
attack by taking either corrective (closing holes) or proactive (logging out possible
attackers, closing down services) actions, then the intrusion-detection system is said to
be active. If the intrusion-detection system merely generates alarms (including paging,
etc.), it is said to be passive. The audit source location distinguishes among intrusion-
detection systems based on the kind of input information they analyze. This input
information can be audit trails, system logs or network packets. Usage frequency is an
orthogonal concept. Certain intrusion-detection systems have real-time continuous
monitoring capabilities, whereas others must be run periodically. The first three axes
are grouped in the category ‘‘functional characteristics’’ because they refer to the
internal workings of the intrusion-detection engine, namely its input information, its
reasoning mechanism, and its interaction with the information system. The fourth
characteristic distinguishes RTID (Real-Time Intrusion Detection) from scanners used for
security assessment. These scanners are sometimes attached to the intrusion-detection
area, and we must discriminate between them and ‘‘real’’ intrusion-detection systems.


• The detection method describes the characteristics of the analyzer. When the intrusion-
detection system uses information about the normal behavior of the system it monitors, we
qualify it as behavior-based. When the intrusion-detection system uses information about the
attacks, we qualify it as knowledge-based.
• The behavior on detection describes the response of the intrusion-detection system to attacks.
When it actively reacts to the attack by taking either corrective (closing holes) or pro-active
(logging out possible attackers, closing down services) actions, then the intrusion-detection
system is said to be active. If the intrusion-detection system merely generates alarms (such as
paging), it is said to be passive.
• The audit source location discriminates intrusion-detection systems based on the kind of input
information they analyze. This input information can be audit trails (a.k.a. system logs) on a
host, network packets, application logs, or intrusion-detection alerts generated by other
intrusion-detection systems.
• The detection paradigm describes the detection mechanism used by the intrusion-detection
system. Intrusion-detection systems can evaluate states (secure or insecure) or transitions (from
secure to insecure).
• In addition, this evaluation can be performed in a nonobtrusive way or by actively stimulating
the system to obtain a response.


Signature Based/Misuse based IDS.


• Modeling
    o Features: evidence extracted from audit data
    o Analysis approach: piecing the evidence together
         Misuse detection (a.k.a. signature-based)
         Anomaly detection (a.k.a. statistical-based)
• Deployment: network-based or host-based
    o Network based: monitor network traffic
    o Host based: monitor computer processes


Signature Based IDS:


Almost any intrusion can be described in terms of its indications and signs. This is the
basic principle used by misuse-based (signature-based) detection systems. First of all,
patterns (sometimes called signatures) of all known attacks must be described in some
abstract form and given to the IDS. These patterns are later used by the IDS to identify
an intrusion. This is done by studying the system audit information in order to find
patterns matching those of the intrusions known to the system.
• Monitor network or server traffic and match bytes or packet sequences against a set of
predetermined attack lists or signatures.
• When a particular intrusion or attack session matches a signature configured on the IDS,
the system alerts administrators or takes another pre-configured action.
• Signatures are easy to develop and understand if you know what network behavior
you’re trying to identify.
• However, because they only detect known attacks, a signature must be created for
every attack.
• New vulnerabilities and exploits will not be detected until administrators develop new
signatures.
• Another drawback of signature-based IDS is that the signature sets are very large and it
can be hard to keep up with the pace of fast-moving network traffic.


• A good example to demonstrate this approach is the well-known SYN flood denial of
service attack. Its goal is to prevent the target host from accepting new connections
on a given IP port. The attack relies on the three-step handshake of TCP/IP connection
establishment and usually exploits a resource exhaustion weakness that is common to many
TCP/IP implementations. The basic idea is the following.
• When a client opens a TCP/IP connection, it sends a SYN packet to the server; the server
receives it and allocates an entry in a connection queue. Such a connection is referred to
as half-open. The server then sends a SYN-ACK packet to the client, which must be
acknowledged by an ACK packet sent from the client to the server. After receiving the
acknowledgement, the server releases the corresponding entry in the queue. This
procedure can be abused by an intruder who sends a series of SYN packets to the server
and never acknowledges them. The result is that the server's finite connection queue
fills up and is not emptied until the timeout periods expire, so the server is no longer
able to accept connections on the attacked port.
• In general, this attack is characterized by the following indications:
• SYN packets arrive periodically in series
• The number of half-open connections increases rapidly (the corresponding ACK
packets do not arrive within any observable delay)
• In order to recognize this attack, the IDS must study information on TCP/IP traffic and
try to find these indications in it. If the attack is detected, the IDS should react. This
reaction could take the form of signaling an alarm, removing the corresponding entries
from the connection queue, etc.
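
The two indications listed above, turned into a stateful check as an added example (not from the original notes): the detector tracks half-open connections per server port exactly as the server's own queue would, counts SYN arrivals in a sliding window, and raises an alert only when both a SYN series and a rapidly grown half-open count are present. The packet records, the window, the thresholds and the timeout are all constructed values.

```python
"""Stateful check for the two SYN-flood indications listed in the notes: SYNs arriving
in a rapid series and a half-open connection count that keeps growing because the
final ACKs never arrive. Added example, not from the original notes; all packet
records, thresholds and the window are constructed."""
from collections import deque

# Packet record layout used here: (time_s, src_ip, src_port, dst_ip, dst_port, flags)
# with tcpdump-style flag letters: S = SYN, SA = SYN-ACK, A = ACK.


def handshake(t, client, cport, server, sport):
    """The three packets of one completed TCP handshake (legitimate traffic)."""
    return [(t, client, cport, server, sport, "S"),
            (t + 0.01, server, sport, client, cport, "SA"),
            (t + 0.02, client, cport, server, sport, "A")]


# Constructed baseline: twenty clients complete handshakes to port 80 over ten seconds.
NORMAL = []
for i in range(20):
    NORMAL += handshake(i * 0.5, "10.0.0.%d" % (10 + i % 5), 40000 + i, "10.0.0.1", 80)

# Constructed flood: 300 SYNs within one second from many addresses, none of them ever
# acknowledged; the server still answers each with a SYN-ACK.
FLOOD = [(20.0 + i * 0.003, "198.51.100.%d" % (1 + i % 250), 1024 + i, "10.0.0.1", 80, "S")
         for i in range(300)]
FLOOD_REPLIES = [(t + 0.001, d, dp, s, sp, "SA") for (t, s, sp, d, dp, _) in FLOOD]
PACKETS = sorted(NORMAL + FLOOD + FLOOD_REPLIES)


class SynFloodDetector:
    """Tracks half-open connections per (server, port) the way the server's connection
    queue does, and raises one alert per target when both indications hold."""

    def __init__(self, window=1.0, syn_series=100, max_half_open=50, timeout=30.0):
        self.window = window                # seconds over which SYN arrivals are counted
        self.syn_series = syn_series        # SYNs per window that count as "a series"
        self.max_half_open = max_half_open  # queue depth treated as "rapidly increasing"
        self.timeout = timeout              # half-open expiry, mirroring the server's queue timeout
        self.half_open = {}                 # (server, port) -> {conn_key: syn_time}
        self.syn_times = {}                 # (server, port) -> deque of recent SYN times
        self.alerts = []                    # (time, server, port, half_open_count, syns_in_window)
        self._alerted = set()

    def _expire(self, target, now):
        """Drop half-open entries past the timeout and SYN times outside the window."""
        table = self.half_open.setdefault(target, {})
        for key, t0 in list(table.items()):
            if now - t0 > self.timeout:
                del table[key]
        times = self.syn_times.setdefault(target, deque())
        while times and now - times[0] > self.window:
            times.popleft()
        return table, times

    def process(self, pkt):
        t, src, sport, dst, dport, flags = pkt
        conn = (src, sport, dst, dport)     # always keyed from the client's side
        if flags == "S":
            target = (dst, dport)
            table, times = self._expire(target, t)
            table[conn] = t                 # a new half-open entry
            times.append(t)
            if (len(table) > self.max_half_open and len(times) >= self.syn_series
                    and target not in self._alerted):
                self.alerts.append((t, dst, dport, len(table), len(times)))
                self._alerted.add(target)
        elif flags == "A":
            # The client's ACK completes the handshake and releases the queue entry.
            self.half_open.get((dst, dport), {}).pop(conn, None)

    def run(self, packets):
        for pkt in packets:
            self.process(pkt)
        return self.alerts


if __name__ == "__main__":
    for alert in SynFloodDetector().run(PACKETS):
        print("SYN flood indications at t=%.3f against %s:%d (half-open=%d, SYNs/window=%d)" % alert)
```

Normal traffic leaves the half-open table empty because every SYN is matched by its ACK; the flood produces one alert at the 100th unacknowledged SYN.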


• In a similar manner, the indications of other attacks can be worked out. They are
represented in a certain form and coded into the IDS. There are a number of methods for
representing intrusions and subsequently recognizing them.
• The concept behind SBIDS (signature-based IDS) is that there are ways to represent
attacks in the form of a pattern or a signature so that even variations of the same attack
can be detected.
• They can detect many or all known attack patterns, but they are of little use against
unknown attack methods.
• Signature-based detection systems try to recognize known “bad” behavior.


Types of Signature Based IDS:


 Expert systems
• These are modelled in such a way as to separate the rule matching phase from the
action phase. Ex: NIDES (Next Generation IDES) developed by SRI.
• The NIDES rule base employs expert rules to characterize known intrusive activity
represented in activity logs, and raises alarms as matches are identified between the
observed activity logs and the rule encodings.
• NIDES is a comprehensive intrusion-detection system that performs real-time
monitoring of user activity on a set of target computers and detects unusual and
suspicious user behavior in real time on those target systems.
• It analyzes audit data characterizing user activity collected from monitored systems to
detect a variety of suspicious user behavior.
• It builds user profiles based on many different criteria.
• The expert system signature-based detection component encodes known scenarios and
attack patterns.

 Key Stroke Monitoring
• This is a very simple technique that monitors keystrokes for attack patterns.
• This technique uses user keystrokes to determine the occurrence of an attack. The
primary means is to pattern-match for specific keystroke sequences indicative of an
attack.
• The disadvantages of this approach are the general unavailability of user-typed
keystrokes and the myriad ways of expressing the same attack at the keystroke level.
• Furthermore, without a semantic analysis of the contents, aliases can easily defeat this
technique.
• Shell features such as user-definable aliases defeat the technique unless alias
expansion and semantic analysis of commands are taken up.
• Operating systems do not offer much support for keystroke capturing, so the keystroke
monitor should have a hook that analyses keystrokes before sending them to their
intended receiver.

• An improvement would be to monitor system calls by application programs as well.
 Model Based Intrusion Detection
• This states that certain scenarios can be inferred from certain other observable
activities.
• The model-based scheme consists of three important modules.
• The anticipator uses the active models and the scenario models to try to predict the
next step in the scenario that is expected to occur.
• The planner then translates this hypothesis into a format that shows the behavior as it
would occur in the audit trail.
• The interpreter then searches for this data in the audit trail.
• The system proceeds in this way, accumulating more and more evidence for an intrusion
attempt until a threshold is crossed.
 State Transition (Model) Analysis
• The monitored system is represented as a state transition diagram.
• As data is analyzed, the system makes transitions from one state to another.
• A transition takes place when some boolean condition becomes true.
• Attack patterns can specify only a sequence of events, rather than more complex forms.
• There are no general-purpose methods to prune the search except through the assertion
primitives.
• They can’t detect denial of service attacks.
 Pattern Matching
• This model encodes known intrusion signatures as patterns that are then matched against
the audit data.
• The implementation makes transitions on certain events called labels, and Boolean
variables called guards can be placed at each transition.

SNORT
Snort is a free, open source intrusion detection system. It is a very popular and powerful
packet-analysis tool run by a lot of different people and companies. It is a signature-based
intrusion detection and prevention system. The beauty of this tool lies in the formation of
rules. Rules can be created/designed to block traffic or merely to send alerts; alerts can be
logged to a log file, sent to the console or displayed on the screen. They can be configured
to send an email to someone or be logged to a database. Various options can be used for the
formation of rules. Snort basically works in three modes: sniffer mode, packet logger mode
and NIDS mode. It can be run in packet sniffer mode from the command line, which simply
looks at header information and prints the details on the screen. It can be used in packet
logger mode, which takes each packet and logs it into log files residing in the root
directory. The files can be viewed later on using Snort or tcpdump. This mode is for later
use, as when someone wants to view the captured packets later on. The third and last mode
is Network Intrusion Detection System mode (NIDS mode), which is the most important mode
of all from the intrusion detection point of view. In NIDS mode Snort uses its rules to find
out whether there is any intrusion activity going on in the network. In NIDS mode Snort uses
NICs running in promiscuous mode to capture and analyze raw packet data in real time. Snort
can perform real-time packet logging, content searching/matching and protocol analysis, and
can also detect a variety of attacks with known loopholes. It not only monitors or detects
intrusions but can also prevent them by taking various actions such as reject, drop and
block. The difference between NIDS mode and the first two modes of Snort is that in NIDS
mode Snort actually applies different actions to the packet content flowing across the
network according to the ruleset it has been told to use. Snort is a light-weight intrusion
detection tool which logs the packets coming through the network and analyzes them. Snort
checks the incoming packets against the rules written by the user and generates alerts if
any matches are found. The rules are written by the user in a text file which is linked
from the snort.conf file, where all the Snort configuration is specified. A few commands
are used to get Snort running so that it can analyze network behavior.
Advantages of SNORT over other tools.
1. Scalability: Snort can be successfully deployed on any network environment.
2. Flexibility and Usability: Snort can run on various operating systems including Linux,
Windows, and Mac OS X.
3. Live and Real-Time: Snort can deliver real-time network traffic event information.
4. Flexibility in Deployment: There are thousands of ways that Snort can be deployed and a
myriad of databases, logging systems, and tools with which it can work.
5. Speed in Detecting and Responding to Security Threats: Used in conjunction with a firewall
and other layers of security infrastructure, Snort helps organizations detect and respond to
system crackers, worms, network vulnerabilities, security threats, and policy abusers that aim
to take down network and computer systems.
6. Modular Detection Engine: Snort sensors are modular and can monitor multiple machines
from one physical and logical location. Snort can be placed in front of the firewall, behind
the firewall, next to the firewall, and anywhere else to monitor an entire network. As a
result, organizations use Snort as a security solution to find out whether there are
unauthorized attempts to hack into the network or whether a hacker has gained unauthorized
access to the network system.

Configuration of SNORT:

 Packet Sniffer Mode –
    o To print TCP/IP headers, use the command
      ./snort -v
    o To print the packet data along with the headers, use the command
      ./snort -vd
    o Sniffer mode: ./snort <options>
    o Run-time switches:
         -v  verbose
         -d  dump packet payloads
         -x  dump entire packet in hex
         -a  display ARP packets (does not work on your version)
         -e  display link layer data
    o ./snort -dvae

 Packet Logging –
    o Snort writes packets to a log file.
    o Command line options:
         -l  dump packets into a log directory
         -b  log packets in binary (tcpdump) format
    o Example: ./snort -b -l /temp/snort
      ./snort -b -l <path-to-save-the-log-file>
    o To store packets on disk you need to give the path where you want to store the logs.
      The command for this is
      ./snort -dev -l ./SnortLogs

 Activate Snort in network intrusion detection mode –
    o Load Snort with a set of rules, configure packet analysis plug-ins, and let it monitor
      for hostile network activity.
    o To start this mode use this command:
      ./snort -dev -l ./SnortLogs -h <network-id>/<subnet-id> -c snort.conf
    o Use the -c switch to specify the configuration file:
      snort -c snort.conf
    o If no config file is specified, Snort looks in the /etc directory.
    o Specify an alternative logging directory with -l.
    o Specify an alternate alert mode with -A: fast, full, none, console.
    o -M <wrkstn>: send SMB (popup) alerts.

SNORT Architecture

Snort is an open source network intrusion prevention system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
ARCHITECTURE: Snort is a packet sniffer; however, it is designed to take packets and process them through the pre-processors. Each packet observed on the network is first passed through a set of pre-processors, which may extract information and/or modify the packet, and is then checked against a series of rules by the detection engine. The detection plug-ins match the packet against the signature conditions; if a match is found, the packet is sent through the alert system.


Snort consists of 5 logical components:

o Sniffer: Snort sniffs the packets coming from the network and sends them to the pre-processors. A network sniffer allows an application or a hardware device to eavesdrop on data network traffic. Sniffers are used for network analysis and troubleshooting, performance analysis, etc. Encrypting network traffic prevents people from sniffing its contents. As a sniffer, Snort can save the packets to be processed and viewed later as a packet logger.

o Pre-processor: the preprocessor takes the packets and checks them against a set of plug-ins such as the RPC plug-in, HTTP plug-in and port scanner plug-in. Each plug-in checks for a certain type of behavior in the packet, and on seeing that behavior it sends the packet to the detection engine. Plug-ins can be enabled and disabled as needed. Snort supports many kinds of preprocessors and their attendant plug-ins, covering many commonly used protocols. A pre-processor is code compiled into the Snort engine at build time in order to normalize traffic and/or examine the traffic for attacks in a fashion beyond what can be done in normal rules. Snort allows us to select which pre-processors should be enabled; this is done through the Snort configuration file "snort.conf". Snort has many pre-processors available. The Snort project team has certified some, while others are in testing and more yet are still in development. These pre-processors are what make Snort such a powerful and effective intrusion detection system.
o Detection engine: once packets have been checked by the preprocessor they are passed to the detection engine. The detection engine takes the data that comes from the pre-processor and its plug-ins and checks it against a set of rules. If a rule matches the data in the packet, the packet is sent to the alert processor. Snort has a particular syntax that it uses for its rules. Rule syntax can involve the type of protocol, the content, the length, the header and various other elements, including garbage characters for defining buffer overflow rules.
o Rule sets: rules are a different methodology for performing detection, which brings the advantage of 0-day detection to the table. Unlike signatures, rules are based on detecting the actual vulnerability, not an exploit or a unique piece of data. Snort rules are divided into two logical sections, the rule header and the rule options. The rule header contains the rule's action, protocol, source and destination IP addresses and netmasks, and the source and destination port information.

o Alert/logging: if the received packet matches a rule, an alert message is sent to the user. Once the data has been processed by the detection engine and matches a rule, an alert is triggered. Alerts can be sent to a log file, through a network connection, through UNIX sockets, as Windows popups (SMB) or as SNMP traps. The alerts can also be stored in an SQL database such as MySQL, and logs can be used from a Web interface. Through a syslog tool (e.g. Swatch), Snort alerts can be sent via e-mail to notify the system admin in real time.

SNORT Rules/ Snort Headers/ Different SNORT Options


Rule sets: rules are a different methodology for performing detection, which brings the advantage of 0-day detection to the table. Unlike signatures, rules are based on detecting the actual vulnerability, not an exploit or a unique piece of data. Snort rules are divided into two logical sections, the rule header and the rule options. The rule header contains the rule's action, protocol, source and destination IP addresses and netmasks, and the source and destination port information.


Snort does not evaluate the rules in the order in which they appear in the rules file. By default, the order is:

1. Alert rules
2. Pass rules
3. Log rules

• A Snort rule in the rule file "rules":

alert tcp any any -> any 12345

• snort -r cap.wdp -b -l snortlog -c rules

• To test the rules against a capture, run the above command, where "rules" is the file in which the rules are stored.
• This rule captures all traffic destined to port 12345, usually used for BackOrifice traffic.
• A rule consists of the rule header and the rule options.

alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any (flags:SF; msg:"SYN-FIN scan";)

• Alerts on traffic from outside the 10.1.1.x subnet to the 10.1.1.x subnet with the SYN and FIN flags set.
• Snort rules are implemented as a rule header and rule options.

Rule:

alert tcp $External_NET any -> $Home_Net 21 (msg:"ftp Exploit"; flow:to_server,established; content:"|31c031db 41c9b046 cd80 31c031db|"; reference:bugtraq,1387; classtype:attempted-admin; sid:344; rev:4;)

• Rule Header:
alert tcp $External_NET any -> $Home_Net 21
• Rule header fields
o Action field
• Alert: generate an alert and log the packet.
• Log: log the traffic, but do not alert.
• Pass: ignore the traffic (no longer look at the packet).
• Activate: alert and then turn on another dynamic rule.
• Dynamic: stays idle until turned on by an activate rule, then logs the traffic.
o tcp: the protocol being used; alternatives are UDP, IP and ICMP.
o $External_NET: the source IP; the default is any.
o any: the source port, set to "any".
o ->: the direction of the conversation.
o $Home_Net: a variable that Snort replaces with the configured home network address.
o 21: the port to be monitored.
o The header therefore concerns all incoming TCP packets coming from any port on the outside to port 21 on the inside.
o Direction indicator (optional)
• ->
• Source information is specified to the left of the arrow, destination information to the right of the arrow.

• Rule Options example:

(msg:"ftp Exploit"; flow:to_server,established; content:"|31c031db 41c9b046 cd80 31c031db|"; reference:bugtraq,1387; classtype:attempted-admin; sid:344; rev:4;)

Rule Options
o ( ): the rule options are placed in parentheses, separated by semicolons.
o msg:"ftp Exploit"; the message written with the alert.
o flow:to_server,established; link to the flow detection plug-in: only established sessions with traffic flowing towards the server are considered.
o content:"|31c031db 41c9b046 cd80 31c031db|"; Snort checks whether the packet contains this byte string, the dangerous payload (hex bytes are written between pipe characters). Content is checked with the Boyer-Moore pattern matching algorithm.
o reference:bugtraq,1387; Snort allows links to third-party advisories.
o classtype:attempted-admin; class types allow users to quickly scan for attack types.
o sid:344; the Snort rule's unique identifier. It can be checked against www.snort.org/snort-db.
o rev:4; all rules are part of a revision process to limit false positives and detect new attacks.

Types of Rule Options:

1. Message option
o Allows the user to assign an appropriate message to the output of a triggered rule.
o Without it, alert or log entries only give the packet, not the rule that was triggered.

2. Logto option
o Specifies the filename to which to log the activity.
o Allows the annoyances to be separated from the truly dangerous.

3. TTL option
o Allows use of the time-to-live field in the packet.
o Format: ttl:<number>

4. ID option
o Matches the 16-bit identification value found in the IP header of each datagram.

5. Dsize option
o Matches on the size of the payload.

6. Sequence and Ack options
o Value of the TCP sequence number.
o Value of the TCP acknowledgement number.

7. Itype and Icode options
o Select the ICMP message type and code.

8. Flags option

9. Content option

10. Offset option
o Specifies the offset at which to start searching for the content.

11. Depth option
o Specifies how far into the packet to search for the content.

12. Nocase option
o Makes content searches case insensitive.

13. Regex option
o Allows wildcards in content searches.

14. Session option
o Allows a TCP session to be captured.

15. Resp option
o Allows an automatic active response.

16. Tag option
o Allows additional packets to be captured dynamically after a rule triggers.
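To make the header/option structure above concrete, here is a small Python re-implementation of the matching that Snort's detection engine performs, run over the three rules quoted in these notes. It is an added example, not Snort's code: the $External_NET/$Home_Net values, the msg and sid on the port-12345 rule, and the sample packets are constructed, and the flow option is accepted unconditionally because this toy keeps no stream state.

```python
import ipaddress
import re

# Constructed stand-ins for the $EXTERNAL_NET/$HOME_NET values snort.conf would define.
VARS = {"$External_NET": "!10.1.1.0/24", "$Home_Net": "10.1.1.0/24"}

# The rules from the notes with keyword:value option syntax; msg/sid added to the first.
RULES = [
    'alert tcp any any -> any 12345 (msg:"Traffic to port 12345"; sid:1000001; rev:1;)',
    'alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 any (flags:SF; msg:"SYN-FIN scan"; sid:1000002; rev:1;)',
    'alert tcp $External_NET any -> $Home_Net 21 (msg:"ftp Exploit"; flow:to_server,established; '
    'content:"|31c031db 41c9b046 cd80 31c031db|"; reference:bugtraq,1387; '
    'classtype:attempted-admin; sid:344; rev:4;)',
]

# Default rule application order given in the notes: alert rules, then pass, then log.
ACTION_ORDER = ("alert", "pass", "log")

# header: action proto src sport -> dst dport, optionally followed by (options)
HEADER_RE = re.compile(r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*(?:\((.*)\))?\s*$")


def parse_rule(text):
    """Expand variables, then split the rule header from its keyword:value options."""
    for name, value in VARS.items():
        text = text.replace(name, value)
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("malformed rule: " + text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    options = {}
    for opt in (o.strip() for o in (opts or "").split(";")):
        if opt:
            key, _, value = opt.partition(":")
            options[key.strip()] = value.strip().strip('"')
    return {"action": action, "proto": proto.lower(), "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}


def decode_content(spec):
    """content value -> bytes: text outside |...| is literal, text inside is hex."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part.replace(" ", "")) if i % 2 else part.encode()
    return bytes(out)


def match_addr(spec, addr):
    """'any', a host or CIDR, optionally negated with '!' as in the rule header."""
    if spec == "any":
        return True
    hit = ipaddress.ip_address(addr) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return not hit if spec.startswith("!") else hit


def match_port(spec, port):
    """'any' or a single port number (Snort also allows lo:hi ranges, omitted here)."""
    return spec == "any" or int(spec) == port


def match_header(rule, pkt):
    """Protocol, then source address/port (left of the arrow) and destination (right)."""
    return (rule["proto"] == pkt["proto"]
            and match_addr(rule["src"], pkt["src"]) and match_port(rule["sport"], pkt["sport"])
            and match_addr(rule["dst"], pkt["dst"]) and match_port(rule["dport"], pkt["dport"]))


def match_options(rule, pkt):
    """flags: exact TCP flag set; content: payload substring (Snort uses Boyer-Moore here).
    flow: needs stream state from the preprocessor, so this toy accepts it unconditionally."""
    opts = rule["options"]
    if "flags" in opts and set(opts["flags"]) != set(pkt.get("flags", "")):
        return False
    if "content" in opts and decode_content(opts["content"]) not in pkt.get("payload", b""):
        return False
    return True


PARSED = [parse_rule(r) for r in RULES]


def alerts_for(pkt, rules=PARSED):
    """Apply the rules one action group at a time in ACTION_ORDER; a matching pass rule
    stops processing; returns the msg of every alert/log rule that fired."""
    fired = []
    for action in ACTION_ORDER:
        for rule in rules:
            if rule["action"] == action and match_header(rule, pkt) and match_options(rule, pkt):
                if action == "pass":
                    return fired
                fired.append(rule["options"].get("msg", "<no msg>"))
    return fired


# Constructed packets: SYN-FIN from outside, SYN-FIN from inside, SYN to 12345, FTP payload.
PACKETS = [
    {"proto": "tcp", "src": "192.168.5.9", "sport": 40000, "dst": "10.1.1.7", "dport": 22, "flags": "SF"},
    {"proto": "tcp", "src": "10.1.1.3", "sport": 40001, "dst": "10.1.1.7", "dport": 22, "flags": "SF"},
    {"proto": "tcp", "src": "172.16.0.2", "sport": 1025, "dst": "10.1.1.7", "dport": 12345, "flags": "S"},
    {"proto": "tcp", "src": "172.16.0.2", "sport": 1026, "dst": "10.1.1.7", "dport": 21, "flags": "AP",
     "payload": b"USER " + bytes.fromhex("31c031db41c9b046cd8031c031db")},
]
```

Running `alerts_for` over PACKETS shows the negated source network suppressing the inside SYN-FIN packet while the outside one fires, and the hex content option firing only on the FTP payload.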

Evaluate IDS/ IDS Evaluation Strategies


• An intrusion detection system evaluation aims at knowing the system and finding out its capabilities and limitations. In addition, it is a way to monitor and study the attack mechanisms of new malware and the ways to repair the damage.

• An evaluation framework for an IDS should be
o feasible
o less expensive
o accurate
o unbiased

• An evaluation of an intrusion detection system should be feasible. A situation that is infeasible to evaluate is obviously not appropriate for the work; we would not get any expected results from infeasible evaluations.

• A less expensive evaluation is preferable to a more expensive one, as long as it satisfies the minimum requirements for accuracy and bias.

• An accurate evaluation is obviously preferable to an inaccurate one, since accurate data and results are closer to the true value and reduce the possibility that researchers draw wrong conclusions. To estimate accuracy, the usual way is to evaluate the IDS several times and then calculate a "standard error of measurement".

• An evaluation should be unbiased; an unbiased evaluation is preferable to a biased one. However, estimating bias is difficult. The usual approach is to cross-validate the results of evaluations. If one is consistently higher than the other, then some factor is causing bias in one or both of the evaluations. It is only possible to get to the "ground truth" in simple cases.


• For example, to minimize the bias in a measurement of weight on a scale or balance, it is necessary to set the weight-measurement apparatus so that it reads 0 when nothing is on it.

• To evaluate an IDS, the demands made on the IDS in a given situation should be considered. There are many such demands; Stefan Axelsson listed around six of them. People should choose the items that are most interesting to them to design their evaluation strategy. It is not necessary to cover all of the demands made on an IDS in one evaluation.

• The criteria for evaluating an IDS are
o Effectiveness
o Efficiency
o Ease of use
o Security
o Interoperability
o Collaboration

• Effectiveness.

An evaluation should assess the ability of the IDS to detect attacks and the percentage of false alarms. An intrusion detection system should raise an alarm whenever there is an intrusion, while the false alarm rate should be kept at a low level that does not exceed the users' tolerance. Ideally, the attack detection rate should be 1 and the false alarm rate should be 0.

• Efficiency

A good IDS should consume little time and memory to detect intrusions and to report warning messages. An intrusion detection system is only there to provide security services, such as detecting intrusions, for computer systems and networks. If it takes up a large share of the resources, the remaining resources may not be enough for the services that are provided to users.

• Ease of use.

An intrusion detection system should not be too hard for a user who is not a security expert to operate. Otherwise, users may give up on the intrusion detection system and choose another one. If no one uses an intrusion detection system, it is just as if the system provided no protection for the system's security.

• Security.

Some new malware has much more sophisticated attack mechanisms. It no longer stops at using IDS evasion techniques; some of it tries to attack the IDS itself and make it break down. An example of such malware is Stick, created by Coretez Giovanni. Stick executes a large number of simulated attacks in a short time, so that the IDS on the target machine gets overloaded and the system may stop responding. An intrusion detection system that has the ability to defend itself is preferred.

• Interoperability.

An intrusion detection system should be able to interoperate with another one to some extent. It is impossible for one intrusion detection system to detect all sorts of attacks. More than one IDS working together may significantly enhance the intrusion detection rate; however, this may also increase the false alarm rate and consume more resources.

• Collaboration.

An IDS may be combined with other security mechanisms to enhance computer system and network security. We need to evaluate the way the intrusion detection system collaborates with the other security mechanisms, such as a firewall, and ensure that the combination does provide better overall security. It is also better if the data generated and collected in the evaluation are saved; evaluators may need them for further analysis or rechecking.

Example of an IDS evaluation strategy

• In 2006, Frédéric Massicotte and his colleagues proposed a framework that is able to evaluate intrusion detection systems automatically.

• The evaluation framework generates data sets for signature-based network intrusion detection systems. The framework has two subsystems: one simulates attack scenarios and collects data; the other is the IDS evaluation framework itself.

• The first subsystem creates a virtual network to simulate attack scenarios and documents and records all the traffic traces. Alarms of the evaluated IDS are collected as well. For every traffic trace, the subsystem documents four characteristics: the target system configuration, the configuration of the Vulnerability Exploitation Program (VEP), whether the vulnerability of the target system has been exploited by the VEP, and whether the attack was successful.

• The second subsystem collects all the alarms made by the IDS and the relevant traffic traces from a shared hard disk. It compares the two groups of data and finds out the number of correct alarms (true positives) and correct silences (true negatives) as well as the number of wrong alarms (false positives) and wrong silences (false negatives).

• The working procedure of the whole evaluation framework is represented by the following figure. The black arrows show the working process of the attack simulation and traffic trace collection. The grey arrows indicate the work of the IDS evaluation process. To get a report about the test result, there are around ten steps:

1. The process chooses a malware to attack the target system and sets the configuration of the target system.
2. The process uses a sandbox, VMware, to build a virtual network for the test.
3. The evaluation system sets the attack configuration on the virtual attacker.
4. The virtual attacker machine attacks the target and, meanwhile, the traffic traces are documented and recorded by the system. Alarms raised by the IDS are also collected.
5. The recorded data are saved into a data set on the shared disk.
6. The virtual attacker and target machines are restored to their initial configuration for the next round of tests.
7. The IDS Evaluator picks out all the traffic traces of a test case from the data set.
8. The IDS Evaluator feeds those traffic traces to the tested IDS.
9. The IDS Result Analyzer gets those traffic traces as well as the alarms generated by the IDS. It compares the traffic traces against the alarms to figure out how many of the intrusions in the test scenario were detected by the IDS.
10. The evaluation framework generates the report.
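The IDS Result Analyzer step (step 9) and the repeated-evaluation accuracy estimate mentioned earlier, as an added Python example that is not part of Massicotte's framework: the traffic-trace records, their target/VEP labels and the alarm counts are constructed, and an attempted exploit (exploited = True) is taken as the ground truth an IDS should alert on.

```python
from math import sqrt

# Constructed traffic-trace records as the first subsystem documents them: target
# configuration, VEP configuration, whether the VEP exploited the vulnerability and
# whether the attack succeeded. 'exploited' is the ground truth an IDS should alert on.
TRACES = [
    {"id": "t1", "target": "ftpd-2.0", "vep": "vep-ftp-01", "exploited": True, "success": True},
    {"id": "t2", "target": "ftpd-2.1", "vep": "vep-ftp-01", "exploited": True, "success": False},
    {"id": "t3", "target": "iis-5", "vep": "vep-http-07", "exploited": True, "success": True},
    {"id": "t4", "target": "ftpd-2.1", "vep": None, "exploited": False, "success": False},
    {"id": "t5", "target": "iis-5", "vep": None, "exploited": False, "success": False},
    {"id": "t6", "target": "sshd-3", "vep": "vep-ssh-02", "exploited": True, "success": True},
]

# Constructed alarm counts the tested IDS produced while each trace was replayed to it.
ALARMS = {"t1": 2, "t3": 1, "t4": 1}


def analyze(traces, alarms):
    """IDS Result Analyzer (step 9): compare each trace's ground truth with the alarms
    raised for it, count TP, FN, FP, TN, and derive detection and false alarm rates."""
    result = {"TP": 0, "FN": 0, "FP": 0, "TN": 0, "missed_successful": []}
    for trace in traces:
        alarmed = alarms.get(trace["id"], 0) > 0
        if trace["exploited"]:
            result["TP" if alarmed else "FN"] += 1
            if trace["success"] and not alarmed:  # the costliest misses: silent compromises
                result["missed_successful"].append(trace["id"])
        else:
            result["FP" if alarmed else "TN"] += 1
    attacks = result["TP"] + result["FN"]
    benign = result["FP"] + result["TN"]
    # Ideal effectiveness from the notes: detection rate 1, false alarm rate 0.
    result["detection_rate"] = result["TP"] / attacks if attacks else 0.0
    result["false_alarm_rate"] = result["FP"] / benign if benign else 0.0
    return result


def standard_error(values):
    """Standard error of the mean of a metric measured over several evaluation runs
    (sample standard deviation / sqrt(n)), the accuracy estimate the notes describe."""
    n = len(values)
    if n < 2:
        raise ValueError("need at least two evaluation runs")
    mean = sum(values) / n
    variance = sum((v - mean) ** 2 for v in values) / (n - 1)
    return sqrt(variance / n)


# Detection rates from four constructed repetitions of the same evaluation.
REPEATED_RATES = [0.50, 0.60, 0.55, 0.45]
```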

Cost sensitivity of an IDS/ Cost Sensitive IDS


• When measuring cost factors, we only consider individual attacks detectable by IDSs.

• For example, a coordinated attack that involves port-scanning a network, gaining user-level access to the network illegally, and finally acquiring root access would normally be detected and responded to by an IDS as three separate attacks, because most IDSs are designed to respond quickly to events occurring in real time.

• It is therefore reasonable to measure the attacks individually.

Cost Factors – Damage Cost

• There are several factors that determine the damage cost of an attack.

• Northcutt uses criticality and lethality to quantify the damage that may be incurred by some intrusive behavior.

• Criticality measures the importance, or value, of the target of an attack.

• This measure can be evaluated according to a resource's functional role in an organization or its relative cost of replacement, unavailability, and disclosure.

• Northcutt's analysis assigned 5 points for firewalls, routers, or DNS servers, 4 points for mail or Web servers, 2 points for UNIX workstations, and 1 point for Windows or DOS workstations.

• Lethality measures the degree of damage that could potentially be caused by some attack.

• For example, a more lethal attack that helped an intruder gain root access would have a higher damage cost than an attack that gave the intruder local user access.

• Other damage may include the discovery of knowledge about the network infrastructure or preventing the offering of some critical service.

• For each main attack category specified in the Table, we define a relative lethality scale and use it as the base damage cost, or baseD.

• By assigning damage cost according to the criticality of the target, we are using the intrusion target dimension.

• Using these metrics, we can define the damage cost of an attack targeted at some resource as criticality × baseD.

• For example, a DOS attack targeted at a firewall has DCost = 150, while the same attack targeted at a Unix workstation has DCost = 60.


• In addition to criticality and lethality, we define the progress of an attack to be a measure of how successful the attack is in achieving its goals.

• For example, a Denial-of-Service (DOS) attack via resource or bandwidth consumption (e.g. SYN flooding) may not incur damage cost until it has progressed to the point where the performance of the resource under attack starts to suffer.

• The progress measure can be used as an estimate of the percentage of the maximum damage cost that should be accounted for.

• That is, the actual damage cost is equal to progress × criticality × baseD.

• However, in deciding whether or not to respond to an attack, it is necessary to compare the maximum possible damage cost with the response cost.

• This requires that we assume a worst-case scenario in which progress = 1.0 (a successful attack).

Cost Factors- Response cost

• Response cost depends primarily on the type of response mechanism being used. This is usually determined by an IDS's capabilities, site-specific policies, attack type, and the target resource.

• Responses may be either automated or manual, and manual responses will clearly have a higher response cost.

• Responses to intrusions that may be automated include the following: termination of the offending connection or session (either killing a process or resetting a network connection), implementation of a packet-filtering rule, rebooting the targeted system, or recording the session for evidence gathering and further investigation.

• In addition to these responses, a notification may be sent to the administrator of the offending machine via e-mail, in case that machine was itself compromised.

• A more advanced response, which has not been successfully employed to date, could involve the coordination of response mechanisms in disparate locations to halt intrusive behavior closer to its source.

• Additional manual responses to an intrusion may involve further investigation (perhaps to eliminate action against false positives), identification, containment, eradication, and recovery.

• The cost of manual response includes the labor cost of the response team, the user of the target, and any other personnel that participate in the response. It also includes any downtime needed for repairing and patching the targeted system to prevent future damage.

• We estimate the relative complexities of typical responses to each attack type in the Table in order to define the relative base response cost, or baseR.

• Attacks with simpler techniques (i.e., sub-categories x.1 in our taxonomy) generally have lower response costs than more complex attacks (i.e., sub-categories x.2), which require more complex mechanisms for effective response.

Cost Factors- Operational Cost

• The main cost inherent in the operation of an IDS is the amount of time and computing resources needed to extract and test features from the raw data stream that is being monitored.

• We associate OpCost with time because a real-time IDS must detect an attack while it is in progress and generate an alarm as quickly as possible so that damage can be minimized.

• A slower IDS that uses features with higher computational costs should therefore be penalized. Even if a computing resource has a "sunk cost" (e.g., a dedicated IDS box has been purchased in a single payment), we still assign some cost to the expenditure of its resources as they are used.

• If a resource is used by one task, it may not be used by another task at the same time.

• The cost of computing resources is therefore an important factor in prioritization and decision making.

• Some features cost more to gather than others. However, costlier features are often more informative for detecting intrusions.

• For example, features that examine events across a larger time window have more information available and are often used for "correlation analysis" in order to detect extended or coordinated attacks such as slow host or network scans. Computation of these features is costly because of the need to store and analyze larger amounts of data.

• Based on our experience in extracting and constructing predictive features from network audit data, we classify features into three relative levels, based on their computational costs:

o Level 1 features are computed using a small amount of information available at the beginning of an event. For example, the "destination service" can be determined using the first packet of a connection.

o Level 2 features are computed at any point during an event, and are maintained throughout the event's duration. For example, the "number of data bytes from the source to the destination" is such a feature.

o Level 3 features are computed using information from several events within a given time window. For example, the feature measuring "the percentage of connections in the past 5 seconds that are to the same destination host as the current connection and are half-open" can be computed by examining all the connections of the past 5 seconds and may help detect SYN flooding.

• We can assign relative magnitudes to these features according to their computational costs. For example, level 1 features may cost 1 or 5, level 2 features may cost 10, and level 3 features may cost 100.

• These estimates have been verified empirically using a prototype system for evaluating our ID models in real time that has been built in coordination with Network Flight Recorder.

Cost Factors- Consequential cost

• A cost model formulates the total expected cost of intrusion detection.

• It considers the trade-off among all relevant cost factors and provides the basis for making appropriate cost-sensitive detection decisions.

• We first examine the cost trade-off associated with each possible outcome of observing some event e, which may represent a network connection, a user's session on a system, or some logical grouping of activities being monitored.

• In our discussion, we say that e = (a, p, r) is an event described by the attack type a (which can be normal for a truly normal event), the progress p of the attack, and the target resource r.

• The detection outcome of e is one of the following: false negative (FN), false positive (FP), true positive (TP), true negative (TN), or misclassified hit. The costs associated with these outcomes are known as consequential costs (CCost), as they are incurred as a consequence of the prediction.

Cost Factors of IDSs

• Development cost
• Damage cost (DCost)
  o The amount of damage when ID is not available or ineffective.
• Response cost (RCost)
  o The cost of acting upon an alarm of a potential intrusion.
• Operational cost (OpCost)
  o The cost of processing and analyzing audit data;
  o mainly the computational costs of the features.
• Consequential cost (CCost)
  o The total cost of an IDS over a set of events E:
    CumulativeCost(E) = Σ_{e ∈ E} (CCost(e) + OpCost(e))
  o CCost(e), the consequential cost, depends on the prediction made for event e.
  o For an event e (e' denotes the event as it was predicted by the IDS):

Outcome             CCost(e)                 Condition
------------------  -----------------------  --------------------------
Miss (FN)           DCost(e)
False Alarm (FP)    RCost(e') + PCost(e)     if DCost(e') ≥ RCost(e')
                    0                        otherwise
Hit (TP)            RCost(e) + DCost(e)      if DCost(e) ≥ RCost(e)
                    DCost(e)                 otherwise
Normal (TN)         0
Misclassified Hit   RCost(e') + DCost(e)     if DCost(e') ≥ RCost(e')
                    DCost(e)                 otherwise

Cost-sensitive Modeling: Objectives

• Reducing operational costs:
  o Use least significant features in ID models.
• Reducing consequential costs:
  o Do not respond to an intrusion if RCost > DCost.

Cost-sensitive Modeling: Approaches

• Reducing operational costs:
  o A multiple-model approach:
    • Build multiple rule-sets, each with features of different cost levels;
    • Use less significant rule-sets first, costlier ones later only for the required accuracy.
  o Feature-cost-sensitive rule induction:
    • The search heuristic considers information gain AND feature cost.
• Reducing consequential costs:
  o MetaCost:
    • Purposely re-label intrusions with RCost > DCost as normal.
  o Post-detection decision:
    • The action depends on a comparison of RCost and DCost.
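The cost model of this section worked through in Python, as an added example rather than the authors' implementation: criticality follows Northcutt's points quoted above, and baseD for DOS is 30, which reproduces the 150/60 figures; the remaining baseD/baseR values, the feature-level costs and the event list are constructed. The eps parameter is not in the table above: at its default of 1.0 the code reproduces the table exactly, while a smaller value models damage already done before the response takes effect.

```python
# Relative criticality of targets (Northcutt's points, quoted in the notes above).
CRITICALITY = {"firewall": 5, "router": 5, "dns": 5, "mail": 4, "web": 4,
               "unix_ws": 2, "windows_ws": 1}

# Base damage cost (lethality) per attack category. DOS = 30 reproduces the notes'
# figures (5 x 30 = 150, 2 x 30 = 60); the other three values are constructed.
BASE_D = {"dos": 30, "probe": 2, "r2l": 50, "u2r": 100}

# Base response cost per attack category: constructed placeholders for the Table the
# notes refer to but do not reproduce.
BASE_R = {"dos": 15, "probe": 7, "r2l": 40, "u2r": 40}

# Operational cost of the three feature levels (level 1 = 1, level 2 = 10, level 3 = 100).
FEATURE_COST = {1: 1, 2: 10, 3: 100}


def dcost(attack, target, progress=1.0):
    """Damage cost = progress x criticality x baseD; progress 1.0 is the worst case."""
    if attack == "normal":
        return 0.0
    return progress * CRITICALITY[target] * BASE_D[attack]


def rcost(attack, target):
    """Response cost. The notes make it depend on attack type and target resource; this
    toy uses the attack type only and keeps the target in the signature for clarity."""
    return 0.0 if attack == "normal" else float(BASE_R[attack])


def decide(predicted, target):
    """Post-detection decision from the notes: do not respond if RCost > DCost."""
    return "respond" if dcost(predicted, target) >= rcost(predicted, target) else "do not respond"


def ccost(actual, predicted, target, pcost=0.0, eps=1.0):
    """Consequential cost of one outcome, following the CCost(e) table. 'actual' is the
    true attack type a of e (or 'normal'); 'predicted' is the type of e' the IDS reported.
    eps scales the damage that still occurs on a hit despite the response (1.0 = table)."""
    if predicted == "normal":
        return dcost(actual, target)            # FN: full damage; TN: dcost is 0
    respond = decide(predicted, target) == "respond"
    if actual == "normal":                      # FP: response cost only if we respond
        return rcost(predicted, target) + pcost if respond else 0.0
    if actual == predicted:                     # TP
        return rcost(actual, target) + eps * dcost(actual, target) if respond else dcost(actual, target)
    # Misclassified hit: the response is chosen for e', the damage is that of the real e.
    return rcost(predicted, target) + eps * dcost(actual, target) if respond else dcost(actual, target)


def opcost(feature_levels):
    """Operational cost of an event: the cost of the features its model needed."""
    return float(sum(FEATURE_COST[level] for level in feature_levels))


def cumulative_cost(events, eps=1.0):
    """CumulativeCost(E) = sum over e in E of CCost(e) + OpCost(e)."""
    return sum(ccost(a, p, r, eps=eps) + opcost(f) for a, p, r, f in events)


# Constructed events: (actual type, predicted type, target, feature levels used), progress 1.0.
EVENTS = [
    ("dos", "dos", "firewall", (1, 1, 3)),       # TP, respond: 15 + 150
    ("normal", "normal", "web", (1, 2)),         # TN: 0
    ("probe", "probe", "unix_ws", (1,)),         # TP but DCost 4 < RCost 7: no response, 4
    ("normal", "dos", "windows_ws", (1, 3)),     # FP, response taken: 15
    ("u2r", "normal", "dns", (1, 2)),            # FN: 5 x 100
    ("r2l", "probe", "mail", (1, 1)),            # misclassified hit: 7 + 200
]
```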
