Chapter 3: Introduction to Intrusion Detection


Overview

"Plan for what is difficult while it is easy, do what is great while it is small. The most difficult things in the world must be done while they are still easy, the greatest things in the world must be done while they are still small. For this reason, sages never do what is great, and this is why they can achieve that greatness."

Tao-te Ching.

Information security is not the only field in which intrusion detection is used. It is also used in alarm sensors (security alarm systems), financial and wire-fraud detection systems, and homing guidance systems in artillery, among other things. Unfortunately, the limited scope of this book precludes coverage of all these areas of application of intrusion detection technology. Therefore, I will present only the information-security aspects of this technology, i.e., detecting attacks on hosts within a corporate network.

The main goal of the tools and devices that implement intrusion detection technologies (as with other security systems) is to automate the routine and tedious procedures necessary for managing system security, and to make them understandable to those who are not experts in the field of information security. Generally speaking, it is not strictly necessary to use automated tools. Practically all attacks can be detected by "manual" analysis of the logs, and one can also use the operating system's built-in tools. Such an approach makes deployment of the intrusion detection infrastructure less expensive. However, it requires far more time. Furthermore, manual analysis, or the use of general-purpose automated tools, does not allow most attacks to be detected and prevented in time. For this reason, it is necessary to use specialized automated tools designed specifically to detect security policy violations. This book focuses explicitly on such systems, although universal security tools and manual methods are given brief mention.

It should be noted that intrusion detection technology is not yet fully established. Nonetheless, it constantly attracts new vendors and developers, who spring up like mushrooms after warm rain. From 1999 to 2002, more than 50 businesses supplying services in this area appeared. As for commercial, shareware, and freeware tools for intrusion detection, their number has long exceeded 100. On the other hand, firms providing intrusion detection products also disappear quickly, or are taken over by more powerful competitors. Still, despite the lack of a theoretical basis for this particular technology, some rather efficient methods of intrusion detection have already been developed. These methods, along with their advantages and drawbacks, are described in this book.

Like most security mechanisms, intrusion detection technology should solve several important problems. These include:

  • Simplifying the tasks of security personnel. Automated intrusion detection systems can even totally free up employees' time spent on routine operations related to controlling users, systems, and networks.

  • The capability to "understand" sources of information on attacks (which might sometimes be encrypted).

  • The capability to be managed by employees who are not security experts.

  • Total control over all subjects of the information system (users, programs, processes, and so on, including ones that have been granted administrative privileges).

  • Detection of known attacks and vulnerabilities, as well as informing IS personnel.

Obviously, some of these tasks can be solved using the mechanisms that have been built into operating systems or application programs. For example, you can audit all actions of all users and programs by means of manually analyzing the log files (AppEvent.evt and SecEvent.evt in Windows NT/2000/XP or syslog in Unix). However, manual analysis of the log is a tedious and time-consuming process, requiring you to perform lots of routine operations. As a result, some violations that deserve the administrator's attention might be overlooked.
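The point of the preceding paragraph is that the audit trail already contains the evidence, and what the specialized tools add is the automation of the tedious part. The following is an added example (not code from the book) of the simplest possible automated log analyzer: it parses syslog-style sshd lines, counts failed logins per source address within a sliding time window, and raises an alert when the count reaches a threshold, also noting whether a successful login followed the burst. The sample log lines, the threshold, the window, the year used for timestamps and the function names are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines (not taken from any real system or from the book).
# The first source address shows a burst of failures followed by a success; the
# second shows a single failure, which should not raise an alert.
SAMPLE_LOG = """\
Mar 12 10:01:02 host1 sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 51122 ssh2
Mar 12 10:01:05 host1 sshd[2203]: Failed password for root from 192.0.2.10 port 51130 ssh2
Mar 12 10:01:09 host1 sshd[2205]: Failed password for root from 192.0.2.10 port 51134 ssh2
Mar 12 10:01:12 host1 sshd[2207]: Failed password for root from 192.0.2.10 port 51140 ssh2
Mar 12 10:01:15 host1 sshd[2209]: Failed password for root from 192.0.2.10 port 51144 ssh2
Mar 12 10:01:20 host1 sshd[2211]: Accepted password for root from 192.0.2.10 port 51150 ssh2
Mar 12 10:05:00 host1 sshd[2300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar 12 10:30:00 host1 sshd[2310]: Accepted publickey for alice from 198.51.100.7 port 40010 ssh2
Mar 12 11:00:00 host1 cron[2400]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Classic BSD syslog layout: "Mon DD HH:MM:SS host program[pid]: message".
LINE_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# sshd authentication result lines ("Failed password for ...", "Accepted publickey for ...").
AUTH_RE = re.compile(
    r"^(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2002):
    """Split one syslog line into fields; syslog omits the year, so it is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparsable line: skipped rather than crashing the analysis
    ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"]}


def detect_bruteforce(log_text, threshold=4, window_seconds=60):
    """Alert on any source with >= threshold failed logins inside a window_seconds span.

    Returns a list of dicts: source address, size of the densest burst, its first
    and last timestamp, and the user of the first successful login after the burst
    (None if there was none). Threshold and window are assumed tuning values.
    """
    failures = defaultdict(list)   # src -> timestamps of failed logins
    successes = defaultdict(list)  # src -> (timestamp, user) of accepted logins
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["prog"] != "sshd":
            continue
        a = AUTH_RE.match(rec["msg"])
        if not a:
            continue
        if a["result"] == "Failed":
            failures[a["src"]].append(rec["ts"])
        else:
            successes[a["src"]].append((rec["ts"], a["user"]))

    alerts = []
    for src, times in sorted(failures.items()):
        times.sort()
        best = (0, 0, 0)  # (count, start index, end index) of the densest window
        start = 0
        for end in range(len(times)):
            # Advance the window start until the span fits inside window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        count, s, e = best
        if count >= threshold:
            later = [u for (t, u) in successes.get(src, []) if t >= times[e]]
            alerts.append({
                "src": src,
                "failures": count,
                "first": times[s],
                "last": times[e],
                "success_after": later[0] if later else None,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(f"{alert['src']}: {alert['failures']} failures between "
              f"{alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}; "
              f"success after burst: {alert['success_after']}")
```

Reading the same nine lines by eye is easy; reading a day's worth from dozens of hosts is the "tedious and time-consuming process" the text describes, and the burst-then-success pattern is exactly the kind of event that is overlooked when it is one line among thousands. The sliding window keeps the detector from firing on a user who mistypes a password a few times over an hour, which is the false-positive trade-off every such rule has to make.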

According to a 2002 survey conducted by the Computer Security Institute (CSI) and the FBI, 60% of respondents use intrusion detection tools in their networks. According to data provided by Ernst & Young, such organizations comprise only 36% [EY1-02], while Symantec reports 41% [TechRepublic1-01]. The vast majority of respondents have detected intruders using these tools (Table 3.1). In any case, the number of companies using intrusion detection technologies in their work is growing at a rapid rate. Automated tools for intrusion detection can simplify this process and eliminate the need for manual operations, thus enabling security personnel to save time and labor. This is rather important, since, according to the survey, a lack of time is one of the main factors preventing security specialists from improving the security level of corporate resources.

Table 3.1. Sources of Attack Notifications

  Source of notification                           1998   1999
  Notifications from colleagues                      47     48
  Analysis of log files on servers and firewalls     41     45
  Intrusion detection systems                        29     38
  Direct damage                                      41     37
  Warnings from partners and clients                 14     15

Table 3.2 outlines quite an interesting set of statistics on the percentages of commercial and government organizations using intrusion detection technologies in the United States.

Table 3.2. Percentage of Organizations Using Intrusion Detection Technologies

  Market sector                          Respondents using intrusion detection technologies (%)
  Aerospace agencies and organizations   58
  Banks and financial organizations      39
  Telecommunications companies           54
  Consulting companies                   42
  Educational institutions               30
  Government organizations               42
  High-tech companies                    48
  Insurance companies                    44
  Production organizations               42
  Medical organizations                  27
  Military organizations                 53
  Other                                  21
  Total (average value)                  41

About 30% of all 745 respondents plan to use this technology in the future (Table 3.3).

Table 3.3. Percentage of Organizations Planning to Use Intrusion Detection Technologies

  Market sector                          Respondents planning to use intrusion detection technologies in the future (%)
  Aerospace agencies and organizations   25
  Banks and financial organizations      42
  Telecommunications companies           32
  Consulting companies                   19
  Educational institutions               25
  Government organizations               17
  High-tech companies                    29
  Insurance companies                    34
  Production organizations               28
  Medical organizations                  23
  Military organizations                 41
  Other                                  40
  Total (average value)                  29

However, if you ask IS specialists what the function of an intrusion detection system is and what problems it can solve, in most cases you'll get the following typical answer: "That's a silly question! It detects attacks like Denial of Service and reacts to them." On the one hand, this is true. On the other hand, intrusion detection systems long ago ceased to be just another security tool. They have become sophisticated sets of tools capable of solving a large variety of problems, some of which I would like to cover briefly.

Protect Your Information with Intrusion Detection
ISBN: 1931769117
Year: 2001
Pages: 152