Using Attack-Detection Methods


This section explores some methods of computer network attack detection in use today and attempts to draw conclusions based on their success against well-known attacks and in concert with other common defense strategies.

Signature-Based Attack Detection

A signature in the context of attack detection is a pattern of data that characterizes or defines a particular attack or exploit. Signature-based attack detection relies on a list of known signatures and an engine to compare data either on a network or scanned by a process on a system to this signature list. If a match with a list item is discovered, the matching system generates an alert indicating the match and the expected severity.
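The matching engine the paragraph describes is small enough to show in full. The following is an added example, not code from this book or from the Cisco Security Agent product: a signature list of byte patterns, each carrying an expected severity, and an engine that compares every chunk of data (a packet payload, a log line, a file block) against the list and emits an alert for each match. The signature patterns, severities and sample HTTP fragments are all constructed for illustration and are not a vendor ruleset.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes   # byte pattern that characterizes the attack or exploit
    severity: str    # severity the engine reports when the pattern matches


# Constructed signature list for illustration; not a vendor ruleset.
SIGNATURES = (
    Signature("path-traversal", rb"\.\./\.\./", "high"),
    Signature("sql-tautology", rb"'\s*or\s+'?1'?\s*=\s*'?1", "medium"),
    Signature("known-scanner-ua", rb"User-Agent:\s*constructed-scanner/", "low"),
)


def match_signatures(data: bytes, signatures=SIGNATURES):
    """Compare one chunk of data against every signature; return the alerts raised."""
    alerts = []
    for sig in signatures:
        if re.search(sig.pattern, data, re.IGNORECASE):
            alerts.append({"signature": sig.name, "severity": sig.severity})
    return alerts


def scan_stream(chunks, signatures=SIGNATURES):
    """Run the engine over a sequence of payloads and tag each alert with its chunk index."""
    findings = []
    for index, chunk in enumerate(chunks):
        for alert in match_signatures(chunk, signatures):
            findings.append({"chunk": index, **alert})
    return findings


# Constructed sample payloads, standing in for reassembled HTTP request fragments seen on the wire.
SAMPLE_CHUNKS = (
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n",
    b"GET /../../config/secret.conf HTTP/1.1\r\nHost: example.test\r\n",
    b"POST /login HTTP/1.1\r\n\r\nuser=admin' OR '1'='1&pass=x",
    b"GET / HTTP/1.1\r\nUser-Agent: constructed-scanner/0.1\r\n",
)

if __name__ == "__main__":
    for finding in scan_stream(SAMPLE_CHUNKS):
        print(f"chunk {finding['chunk']}: {finding['signature']} ({finding['severity']})")
```

The engine only ever knows what is on its list: the first chunk, a benign request, produces nothing, and a new exploit whose pattern is not yet in `SIGNATURES` would produce nothing either, which is the limitation the later behavior-based section addresses.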

Log File Scraping

Log file scraping refers to the act of watching system logs for particular log entry types. The log entries are compared to a list of types that indicate suspicious behavior, much like the signature-based detection. When these particular types are encountered, they are either correlated with other activities on the system or alarmed directly as attack evidence. Note that in this method, the damage is usually done by the time the alarm is generated; therefore, this type of attack detection is called reactive detection.
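The correlation step is what separates log scraping from plain signature matching, so the following added example (not code from this book or from the Cisco Security Agent product) shows both: a list of suspicious entry types, and a correlation rule that alarms a successful login only when it follows repeated failures from the same source. The entry types, the failure threshold of three, and the sshd/sudo-style sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Suspicious log entry types with the severity each carries on its own.
# A severity of None means the entry is only interesting in correlation with others.
# Constructed list; a real deployment tunes this per system and log format.
ENTRY_TYPES = {
    "auth-failure": (
        re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"),
        "low",
    ),
    "auth-success": (
        re.compile(r"Accepted password for (?P<user>\S+) from (?P<src>\S+)"),
        None,
    ),
    "privilege-escalation": (re.compile(r"sudo: .*COMMAND="), "medium"),
}

FAILURE_THRESHOLD = 3  # constructed: failures from one source before we treat it as an attack


def classify(line):
    """Return (type, severity, extracted fields) for a suspicious line, or None."""
    for name, (pattern, severity) in ENTRY_TYPES.items():
        match = pattern.search(line)
        if match:
            return name, severity, match.groupdict()
    return None


def scrape(lines):
    """Walk the log once, raising direct alarms and correlating failures with later successes."""
    alerts = []
    failures = defaultdict(int)  # source address -> failed attempts seen so far
    for lineno, line in enumerate(lines, 1):
        hit = classify(line)
        if hit is None:
            continue
        name, severity, fields = hit
        if name == "auth-failure":
            failures[fields["src"]] += 1
            if failures[fields["src"]] == FAILURE_THRESHOLD:
                alerts.append({"line": lineno, "type": "repeated-auth-failure",
                               "severity": "medium", "src": fields["src"]})
        elif name == "auth-success":
            # Correlation: a success after a burst of failures is far more serious than either alone.
            if failures[fields["src"]] >= FAILURE_THRESHOLD:
                alerts.append({"line": lineno, "type": "success-after-failures",
                               "severity": "high", "src": fields["src"], "user": fields["user"]})
        elif severity is not None:
            alerts.append({"line": lineno, "type": name, "severity": severity})
    return alerts


# Constructed sample log; addresses are from the documentation range, not real hosts.
SAMPLE_LOG = [
    "Mar 10 10:00:01 host sshd[101]: Accepted password for alice from 10.0.0.5 port 5000 ssh2",
    "Mar 10 10:01:10 host sshd[102]: Failed password for bob from 198.51.100.7 port 5100 ssh2",
    "Mar 10 10:01:12 host sshd[103]: Failed password for invalid user root from 198.51.100.7 port 5101 ssh2",
    "Mar 10 10:01:15 host sshd[104]: Failed password for bob from 198.51.100.7 port 5102 ssh2",
    "Mar 10 10:01:20 host sshd[105]: Accepted password for bob from 198.51.100.7 port 5103 ssh2",
    "Mar 10 10:02:00 host sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
    "Mar 10 10:03:00 host cron[200]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for alert in scrape(SAMPLE_LOG):
        print(alert)
```

Note that every alarm here fires after the event it describes was already written to the log: by the time `success-after-failures` is raised, the login has already happened, which is exactly the reactive property the paragraph points out.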

Application Fingerprinting

Computer applications such as SQL database servers, word processors, and web server programs are composed of one or more executable files and a number of supporting files such as dynamic link libraries (DLLs), object libraries, configuration files, and the like. Some of these files change during the execution of the application program, but many of them, called static files, do not. These static files are usually the core application executable and DLL or object files. One attack-detection method that relies on the fact that static files should never change is called application fingerprinting. Application fingerprinting tools create lists of checksums for each static file in an application suite. A checksum is a unique mathematical result of an operation performed on the static file in question. Periodically, the application fingerprinting tool reruns the checksum generator on each protected file and compares the results with the stored value. A change in the checksum indicates a change in the associated file. Any such change generates an alert. As with the log file scraping method, this is purely reactive: An alarm indicates that the damage has already occurred.
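The baseline-then-compare cycle above maps directly onto a few lines of code. The following is an added example, not code from this book or from the Cisco Security Agent product: it builds a checksum list over the static files of a constructed application directory, stores the baseline, reruns the generator, and reports each file whose checksum moved. SHA-256 is used as the checksum function, and the directory layout (`app.exe`, `core.dll`, `app.cfg`) and file contents are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def checksum(path: Path) -> str:
    """SHA-256 over the file contents; any change to the bytes changes this value."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(65536), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: Path, static_files) -> dict:
    """Checksum each protected static file once and record the results."""
    return {name: checksum(root / name) for name in static_files}


def verify(root: Path, baseline: dict) -> list:
    """Rerun the checksum generator and alert on every file that moved or disappeared."""
    alerts = []
    for name, expected in baseline.items():
        path = root / name
        if not path.exists():
            alerts.append({"file": name, "event": "missing"})
            continue
        actual = checksum(path)
        if actual != expected:
            alerts.append({"file": name, "event": "modified",
                           "expected": expected, "actual": actual})
    return alerts


def demo() -> list:
    """Constructed application directory: two static files plus a config file that legitimately changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.exe").write_bytes(b"MZ constructed executable image")
        (root / "core.dll").write_bytes(b"MZ constructed library image")
        (root / "app.cfg").write_text("log_level=info\n")

        # Only the static files are fingerprinted; config files change during normal operation.
        baseline = build_baseline(root, ["app.exe", "core.dll"])
        # Persist the baseline as a tool would. Whoever can rewrite this file can defeat the
        # check, so a real tool keeps it read-only or off the protected host.
        (root / "baseline.json").write_text(json.dumps(baseline))
        if verify(root, baseline):
            raise RuntimeError("fresh baseline must verify clean")

        # Later: a library is tampered with, and the config file changes legitimately.
        (root / "core.dll").write_bytes(b"MZ tampered library image")
        (root / "app.cfg").write_text("log_level=debug\n")
        stored = json.loads((root / "baseline.json").read_text())
        return verify(root, stored)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Only `core.dll` is reported; the config change is invisible because it was deliberately left out of the baseline. As the text says, the alert arrives after the file has already been replaced, so this detects tampering rather than preventing it.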

Behavior-Based Attack Detection

Behavior-based or anomaly detection is relatively new in the security realm and holds great promise in attack detection and mitigation. Unfortunately, many companies have latched on to the term as a marketing tool and apply it to tools that do little or no behavior-based detection. This detection method is difficult to write and implement, because the system to be protected must be characterized to a high degree of abstraction and accuracy. After doing so, you must define allowed and questionable behaviors.

The beauty of this system is that it is the first type of attack-detection system that works just as successful attacks do: It takes advantage of the behavior of the system itself to do its job. When you move from the reactive role of checking for damage to the active role of denying damaging behavior, you can finally eliminate many types of threats. Moreover, you eliminate them in a general sense so that you protect your network from tomorrow's threats as well. Anomaly-based security systems represent the sophisticated future of reliable threat detection and mitigation. The Cisco Security Agent (CSA) is an example of a behavior-based security mechanism. Throughout this book, you learn the behavior mechanisms the CSA product uses and the many ways to implement policy to securely control agent-protected systems.
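To make the contrast with the three reactive methods concrete, here is an added example of the behavior-based approach. It is not code from this book and not the Cisco Security Agent policy language or engine; it is a minimal policy evaluator of the same shape. The protected system (a hypothetical web server process named `httpd`) is characterized by a list of allowed and questionable behaviors, every behavior is evaluated before it happens, and anything the characterization did not foresee falls through to a default deny. The rule set, the action names, and the sample event stream are all constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class Rule:
    action: str   # behavior class: file_read, file_write, net_listen, net_connect, exec
    target: str   # glob over the path, socket address, or program involved
    verdict: str  # "allow", "query" (log and ask), or "deny"


# Constructed policy for a hypothetical web server process. Rules are checked in order;
# the first match wins, and anything unmatched gets DEFAULT_VERDICT.
POLICY = {
    "httpd": [
        Rule("file_read", "/var/www/*", "allow"),
        Rule("file_read", "/etc/httpd/*", "allow"),
        Rule("file_write", "/var/log/httpd/*", "allow"),
        Rule("net_listen", "0.0.0.0:80", "allow"),
        Rule("net_listen", "0.0.0.0:443", "allow"),
        Rule("file_write", "/tmp/*", "query"),   # questionable but sometimes legitimate
        Rule("exec", "*", "deny"),               # a web server never needs to spawn programs
    ],
}
DEFAULT_VERDICT = "deny"  # behavior the characterization did not foresee is refused, not just logged


def evaluate(process, action, target, policy=POLICY):
    """Decide one behavior for one process before it is allowed to happen."""
    for rule in policy.get(process, []):
        if rule.action == action and fnmatch(target, rule.target):
            return rule.verdict
    return DEFAULT_VERDICT


def enforce(events, policy=POLICY):
    """Evaluate a stream of (process, action, target) events and return the decision log."""
    log = []
    for process, action, target in events:
        verdict = evaluate(process, action, target, policy)
        log.append({"process": process, "action": action, "target": target, "verdict": verdict})
    return log


# Constructed event stream: normal service activity followed by behaviors typical of a
# compromised web server. Addresses are from the documentation range.
SAMPLE_EVENTS = (
    ("httpd", "file_read", "/var/www/index.html"),
    ("httpd", "net_listen", "0.0.0.0:443"),
    ("httpd", "file_write", "/var/log/httpd/access_log"),
    ("httpd", "file_write", "/tmp/sess_1234"),
    ("httpd", "exec", "/bin/sh"),                   # explicit deny rule
    ("httpd", "file_write", "/var/www/index.html"), # no rule at all: default deny
    ("httpd", "net_connect", "203.0.113.9:4444"),   # unforeseen behavior: default deny
)

if __name__ == "__main__":
    for entry in enforce(SAMPLE_EVENTS):
        print(f"{entry['verdict']:5} {entry['process']} {entry['action']} {entry['target']}")
```

The last two events illustrate the "tomorrow's threats" point: no signature for the exploit that led to them exists in this policy, yet they are refused anyway, because the policy describes what the web server is supposed to do rather than what attacks look like. The cost is the one the paragraph names: getting the characterization right, including the `query` cases, is the hard engineering work.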

Automation

In nearly every case, those attempting to detect or mitigate security issues should implement an automated detection method. Automating the detection method, rather than relying on manual, human-driven, multistep processes, provides consistency and certainty. By freeing the IT or security staff from mundane and repetitive tasks, the automated system lets them instead work on anomalies or focus their talents on more difficult engineering or design issues.

Cisco Security Agent
ISBN: 1587052059
Year: 2005
Pages: 145
Authors: Chad Sullivan