Chapter 1: Introduction to Intrusion Detection
"That general is skillful in attack whose opponent does not know what to defend; and he is skillful in defense whose opponent does not know what to attack."
Sun Tzu, "The Art of War."
The Need for Intrusion Detection Technologies
Writing books on information security with statistical data on computer security incidents has become a good tradition. I will continue this tradition and provide the data obtained by the Computer Security Institute (CSI) and the computer security group of the San Francisco department of the Federal Bureau of Investigation. This information was published in March 2002 in the "2002 CSI/FBI Computer Crime and Security Survey" report [CSI1-02]. This information is updated on a regular basis, and the latest version is available at the following address: http://www.gocsi.com.
According to this data:
-
90% of respondents (large corporations and governmental organizations) have encountered various attacks on their information resources.
-
80% of respondents reported that these attacks have inflicted heavy financial losses on them; however, only 44% of them were able to evaluate it precisely.
During the last few years, the number of losses caused by security policy violations has also grown significantly. In 1997, the total sum of losses was $100 million. In 2000, it grew to $266 million, and in 2002 it reached $456 million. The total sum of losses inflicted by Demial of Service (DoS) attacks has reached $18.4 million. The tables provided below present other interesting information on this topic, such as information on attack sources (Table 1.1), the most common types of attacks (Table 1.2), and total sums of losses inflicted by them (Table 1.3).
 |
| Attack source (by type) | Attack source (%) |
|---|---|
| | |
| Disgruntled employees | 75 |
| Hackers | 82 |
| U.S. Competitors | 38 |
| Foreign companies | 26 |
| Foreign governments | 26 |
|
|
| Attack type | Frequency of detection |
|---|---|
| | |
| Viruses | 85 |
| Internet abuse by insiders | 78 |
| Unauthorized access by insiders | 38 |
| Denial of Service | 40 |
| System penetration | 40 |
| Confidential data theft | 20 |
| Sabotage | 8 |
| Financial fraud | 12 |
| Telecom fraud | 9 |
|
|
| Attack type | 1998 | 1999 | 2000 | 2001 | 2002 |
|---|---|---|---|---|---|
| | |||||
| Viruses | 7.9 | 5.3 | 29.2 | 45.3 | 50.0 |
| Internet abuse by insiders | 3.7 | 7.6 | 28.0 | 35.0 | 50.1 |
| Unauthorized access by insiders | 50.6 | 3.6 | 22.6 | 6.1 | 4.5 |
| Denial of Service | 2.8 | 3.3 | 8.2 | 4.3 | 18.4 |
| System penetration | 1.6 | 2.9 | 7.1 | 19.1 | 13.1 |
| Confidential data theft | 33.6 | 42.5 | 66.7 | 151.1 | 170.8 |
| Sabotage | 2.1 | 4.4 | 27.1 | 5.2 | 15.1 |
| Financial fraud | 11.2 | 22.5 | 56.0 | 93.0 | 115.8 |
| Telecom fraud | 17.3 | 0.8 | 4.0 | 9.0 | 0.4 |
|
What is most characteristic about this data is that hackers and foreign governments implement attacks more and more frequently (this index grows steadily each year), while other indices are slightly decreasing.
The data in this category has also changed significantly. Compared to 2000, the number of attacks implemented by insiders has been reduced by fifty percent, while the number of Denial of Service attacks is growing steadily.
It is necessary to interpret such reports critically, since they are usually based on the opinions of a limited group of respondents. However, they do allow us to make quite a plausible assessment of the general situation concerning specific problems. For example, according to the fourth yearly report published by the Information Security Magazine [Infosec1-01], 39% of companies were exposed to Denial of Service attacks (compare this to the result provided by the CSI/FBI report, which says 40%). According to the data provided by the consulting company Ernst & Young [EY1-02], the number of attacks implemented by insiders constitutes 41%, which is rather close to the CSI/FBI data. Only the report provided by KPMG [KPMG1-02] was somewhat different. Early in 2002, KPMG polled large corporations and obtained significantly different results — only 14% of the respondents have encountered DoS attacks in their practice, and only 5% have reported theft of confidential information (in contrast to the CSI/FBI report, where this index equals 20%).
Since attacks are becoming more and more numerous and happening more frequently, the problem of identifying them at the earliest stages and reacting quickly and appropriately is a matter of primary importance. In critical situations, intervention must be implemented much faster than is possible for a human being. Another reason for automating the attack detection process lies in the fact that intruders use automated tools to implement attacks more and more frequently. One example found in the literature noted the fact that intruders made 2,000 attempts to access a server, from 500 locations during eight hours (i.e., four attacks per minute). In that case, the automated intrusion detection system helped to track the source of the attack. Without it, detecting of the attack itself and tracing the intruder implementing it would have simply been impossible.
In 1993, the American Defense Information System Agency (DISA) conducted a rather interesting investigation of the security level of the Department of Defense (DoD) information systems. The invited tiger team (tiger teams are sponsored teams of computer experts that attempt to break down the defenses of computer systems in an effort to uncover, and eventually patch, security holes) proved that in most cases a person was unable to detect attacks implemented during the experiment (Fig. 1.1). The Department of Defense performs such investigations on a regular basis. For example, during 2001, its information security experts investigated about 8,000 computers and detected about 150,000 vulnerabilities.
Fig. 1.1. The results of testing the security level of the DoD information system
Information systems must be protected. No one can provide any reasonable argument against this statement. To ensure security, one can choose from the following two ways. The first method of ensuring security is by preventing all attempts of unauthorized access by creating a completely protected system. In practice, however, this can not be accomplished because of the following reasons [Sundaram1-96].
-
The inevitable presence of software bugs. Bug-free software still remains a dream. Furthermore, few software developers even try to develop it. Most often, a firm's management insists that the product be released as soon as possible, in order to get maximum profit. The most interesting fact is that security tools are not bug-free either. This trend became especially conspicuous in 2000, when reports on vulnerabilities in firewalls, authentication servers, and so on appeared practically each week.
-
Even a system with the highest level of security is vulnerable, when skilful and knowledgeable users enact the attack. Privileged users can break the security policy requirements, which might result in a weakened level of protection.
-
The more protected the system is, the more inconvenience one encounters when working with it.
| Potential Attacks on NASA Computers | On May 25, 1999, the General Accounting Office (GAO) reported that its specialists were able to intrude upon some NASA systems, including the one responsible for calculating the orbit of one of the space vehicles and the one obtaining scientific data from it. The report states that after a successful attack, it was possible to intercept NASA commands, change the orbit of the space shuttle and so on. |
Thus, we can not create a perfectly protected system. Still, it is necessary at least to detect all (or practically all) security policy violations and react appropriately. Intrusion detection technologies, which will be covered in this book, are intended to do just that.
EAN: 2147483647
Pages: 152