Intrusion Detection Systems - Integrated Defence Staff

More documents

Recommendations

Info

4abstract attack representation. If an appropriate abstraction can be found, signaturebasedsystems can identify previously unseen attacks that are abstractly equivalent toknown patterns. They are inherently unable to detect truly novel attacks and suffer fromfalse alarms when signatures match both intrusive and nonintrusive sensor outputs.Signatures can be developed in a variety of ways, from hand translation of attackmanifestations to automatic training or learning using labeled sensor data. Because agiven signature is associated with a known attack abstraction, it is relatively easy for asignature-based detector to assign names (such as Smurf or Ping-of-Death) to attacks.Anomaly-based detectors equate “unusual” or “abnormal” with intrusions. Given acomplete characterization of the noise distribution, an anomaly-based detectorrecognizes as an intrusion any observation that does not appear to be noise alone. Theprimary strength of anomaly detection is its ability to recognize novel attacks. Itsdrawbacks include the necessity of training the system on noise with the attendantdifficulties of tracking natural changes in the noise distribution.5. Changes can cause false alarms, while intrusive activities that appear to benormal can cause missed detections. Anomaly- based systems have difficultyclassifying or naming attacks. We can also classify IDSs based on the phenomenologythat they sense. Network-based systems look at packets on a network segment,typically one serving an enterprise or a major portion of one. While network-basedsystems can simultaneously monitor numerous hosts, they can suffer from performanceproblems, especially with increasing network speeds. Many network-based systemsmake simplifying assumptions about such network pathologies as packet fragmentationand can suffer from resource exhaustion problems when they must maintain attackstateinformation for many attacked hosts over a long period of time.6. In spite of these deficiencies, they are popular because they are easy to deployand manage as standalone components and they have little or no impact on theprotected system’s performance. Host-based systems operate on the protected host,inspecting audit or log data to detect intrusive activity. A variety of log and auditfunctions can serve to drive ID algorithms; these can be supplemented by sensors thatmonitor the interaction of applications with the host operating system. Host-basedsystems can monitor specific applications in ways that would be difficult or impossible ina network-based system. They can also detect intrusive activities that do not createexternally observable behavior. Because they consume resources on the protectedhost, they can affect performance substantially. Successful intrusions that gain highlevels of privilege might be able to disable host-based IDSs and remove traces of theiroperation. Installing and effectively using IDSs on networks and hosts requires a broadunderstanding of computer security.Preparation
57. Before an organization invests in security technologies, it must understand whichof its assets require protection and determine the real and perceived threats againstthose assets. We can characterize threats by the likely type of attack and attackercapabilities (that is, resources and goals) and the organization’s tolerance for loss of,damage to, or disclosure of protected assets. Attacker motives can be arbitrary(curiosity or vandalism) or targeted to meet a specific objective such as revenge orgaining a competitive advantage. Motives can make some forms of attack more likelythan others. Gaining a competitive advantage might require compromising specificinformation such as a marketing plan. Each form of attack requires diverse detectionstrategies. For example, information retrieval is likely to occur during a stealthy attack,while information corruption might require speed. Determining whether the potentialattacker is inside or outside the organization’s infrastructure affects the type andplacement of an IDS. Often, the most significant obstacle to an information securityimprovement initiative is lack of management support. Surveys conducted by securitytrade magazines cited lack of management support as one of the principle barriers toeffective information security. Security only becomes important when it impinges on theorganization’s high-priority interests and reputation. Deploying and operating an IDSrequires significant management support.Defense in Depth8. ID is only one aspect of a layered defensive posture or “defense in depth.”Defense in depth begins with the establishment of appropriate and effective securitypolicies. Effective policies help ensure that threats to critical assets are understood,managers and users are adequately trained, and actions to be taken when an intrusionis identified are defined. A good security policy puts ID in its proper perspective andcontext. Whenever possible, the policy should reflect the mission of the organizationthat promulgates it. Therefore, it should codify the rules governing enterprise operationsas they are reflected in its information infrastructure and should explicitly excludeactivities or operations not needed to support the enterprise’s mission. A missionorientedsecurity policy can aid in configuring both firewalls and IDSs. Establishing alayered security architecture is advantageous whether an IDS is deployed or not. Inaddition to formulating a security policy, the essential steps consist of implementinguser authentication and access controls, eliminating unnecessary services, applyingpatches to eliminate known vulnerabilities, deploying firewalls, using file integritychecking tools such as Tripwire, and so forth. Because most real-time commercial IDSsbase their detection approach on known attempts to exploit known vulnerabilities, anadministrator’s time is often better spent minimizing vulnerability through the applicationof patches or other security measures. Detecting and responding to penetrationattempts that cannot succeed (such as Unix-specific at attempts against a network of
Page 1 and 2: Intrusion Detection SystemsIntroduc
Page 3: 3response organizations such as the
Page 7 and 8: 7policy, installing appropriate sig
Page 9: 9interface to display filtering res

Intrusion Detection Systems - Integrated Defence Staff

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?