Defining Intrusions


For the purpose of this chapter, we expand on the standard definition of the term intrusion detection. Typically, intrusion detection is understood to be the ability to recognize that, at some point in time, unexpected access to resources was obtained, and in most cases it is assumed that a human is driving the exploit. A broader, more general definition should also include malware. Though not an intrusion in the strict sense, malware can cause significant problems for systems and services.

MALWARE

Malware is the category of software that is designed to harm or damage systems. Viruses and Trojans are the best-known members of this class.

Other important members of the malware family are spyware, keyloggers, and password grabbers.

In the context of intrusion detection, malware is often found not by its presence on a host but by the network traffic it generates: outbound connections to unexpected destinations, scanning of neighbouring hosts, or traffic on ports the machine has no business using.


The most commonly known form of intrusion is one obtained through a known vulnerability in an application. Less advertised is access obtained through applications that were inadvertently exposed beyond their intended scope: a service bound to all interfaces when it was meant for localhost only, or a management port reachable from the Internet rather than from the administrative network.

As long as there are hackers and a need for machines to share information, there will be intrusions. What matters, therefore, is the ability to detect such trespasses and to adjust defenses so that they do not recur. Evaluating the depth of a penetration and the sensitivity of the information exposed is beyond the scope of this chapter; its importance, however, cannot be overstated. Additional reading on this topic can be found in several places on the Internet. A good, if somewhat Windows-centric, paper is available at http://www.nsa.gov/snac/support/WORMPAPER.pdf.

The successful exploit of a vulnerability requires first discovering that the target application is available. This implies that in most cases a certain amount of preparatory work, or reconnaissance, is done by the attacker. A proactive approach to preventing intrusions should therefore include watching for reconnaissance scans. A single request for a service is often indistinguishable from normal day-to-day traffic, unless of course it comes from an unexpected source; a sweep of one source across many ports or many hosts in a short time, however, stands out clearly. Diligence in monitoring such activity often yields the first sign of an intrusion attempt.
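Both of the patterns described above can be picked out of firewall logs with a little parsing. The following is an added example (not code from the book) that runs over a handful of constructed syslog lines in the format written by the netfilter LOG target (iptables ... -j LOG --log-prefix "FW: "). It flags a source that touches many distinct ports within a short window (a port sweep), and separately flags any hit on a sensitive port from outside a trusted network (the "unexpected source" case). The log lines, the trusted network, the sensitive port list, and the thresholds are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample lines in the shape of the netfilter LOG target output.
# Addresses are from the RFC 5737 documentation ranges; none are real hosts.
SAMPLE_LOG = """\
Mar  3 10:15:01 sles9 kernel: FW: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP SPT=40123 DPT=21 SYN
Mar  3 10:15:01 sles9 kernel: FW: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP SPT=40124 DPT=22 SYN
Mar  3 10:15:02 sles9 kernel: FW: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP SPT=40125 DPT=23 SYN
Mar  3 10:15:02 sles9 kernel: FW: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP SPT=40126 DPT=25 SYN
Mar  3 10:15:03 sles9 kernel: FW: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP SPT=40127 DPT=80 SYN
Mar  3 10:15:04 sles9 kernel: FW: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP SPT=40128 DPT=110 SYN
Mar  3 10:16:10 sles9 kernel: FW: IN=eth0 OUT= SRC=198.51.100.5 DST=198.51.100.10 PROTO=TCP SPT=51002 DPT=22 SYN
Mar  3 10:20:33 sles9 kernel: FW: IN=eth0 OUT= SRC=198.51.100.5 DST=198.51.100.10 PROTO=TCP SPT=51010 DPT=80 SYN
Mar  3 10:31:45 sles9 kernel: FW: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 PROTO=ICMP TYPE=8 CODE=0
Mar  3 10:31:46 sles9 kernel: FW: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP SPT=33001 DPT=22 SYN
"""

# Assumed policy for the example: only the local server segment may reach
# the administrative ports listed in SENSITIVE_PORTS.
TRUSTED_NETWORKS = [ip_network("198.51.100.0/24")]
SENSITIVE_PORTS = {22, 3306}

# Fields are matched lazily so extra tokens (LEN=, TTL=, ...) in real logs do not matter.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"  # absent for ICMP and similar
)


def parse_ts(ts):
    """Syslog timestamps carry no year; relative ordering is all we need here."""
    return datetime.strptime(re.sub(r"\s+", " ", ts), "%b %d %H:%M:%S")


def parse_events(lines):
    """Yield (time, src, dst, dport) for every line that names a destination port."""
    for line in lines:
        m = LOG_RE.search(line)
        if m and m["dpt"] is not None:
            yield parse_ts(m["ts"]), m["src"], m["dst"], int(m["dpt"])


def find_scanners(lines, window_seconds=60, min_ports=5):
    """Return {src: max distinct ports hit within any window_seconds window}
    for every source that reaches min_ports or more; a port sweep."""
    per_src = defaultdict(list)
    for when, src, _dst, dport in parse_events(lines):
        per_src[src].append((when, dport))

    scanners = {}
    for src, events in per_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):  # sliding window over time-ordered hits
            while (events[hi][0] - events[lo][0]).total_seconds() > window_seconds:
                lo += 1
            distinct = {port for _, port in events[lo:hi + 1]}
            if len(distinct) >= min_ports:
                scanners[src] = max(scanners.get(src, 0), len(distinct))
    return scanners


def find_unexpected_sources(lines, trusted=TRUSTED_NETWORKS, sensitive=SENSITIVE_PORTS):
    """Return sorted (src, dport) pairs where a sensitive port was touched
    from outside the trusted networks. A single such hit is worth an alert."""
    hits = set()
    for _when, src, _dst, dport in parse_events(lines):
        if dport in sensitive and not any(ip_address(src) in net for net in trusted):
            hits.add((src, dport))
    return sorted(hits)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("port sweeps:", find_scanners(lines))
    print("sensitive ports from untrusted sources:", find_unexpected_sources(lines))
```

On the sample data the sweep detector reports only 192.0.2.77 (six ports in four seconds), while the legitimate administrator at 198.51.100.5 is ignored; the second check additionally surfaces the lone SSH probe from 203.0.113.9, which no rate-based rule would ever notice. Real deployments feed this kind of logic from a continuously rotated log and tune the window and port threshold to the local traffic mix.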

Intrusion detection efforts are typically divided into two camps. The two are complementary, and a proper detection solution must address both. Tools for each approach are covered in later sections.

The first category is Network Intrusion Detection Systems (NIDS). This approach deploys sensors or appliances at strategic points in the network, such as a mirror port on a switch or a tap in front of a server segment. The sensors passively monitor traffic for known attack signatures and for anomalies, and raise alerts when unexpected events occur.

Host-based Intrusion Detection Systems (HIDS), by contrast, watch for changes on individual hosts, typically by comparing files, permissions and configuration against a stored baseline. Unlike NIDS, HIDS checks are, for the most part, not run in real time but on a schedule, so a change to a machine's content can go undetected until the next scheduled run.

A combined HIDS and NIDS approach lets the weaknesses of one technique be offset by the other. In many cases, exploited systems start conversations on atypical ports and are therefore caught by the NIDS. If the exploit uses only known, allowed ports, the HIDS will catch the unauthorized changes it makes to the system's content.
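To make the HIDS side of this concrete, here is an added example (not code from the book, and not the implementation of any particular HIDS product) of the baseline-and-compare check that the preceding paragraphs describe. It records a content hash, the permission bits, the owner and the size of every regular file under a directory, then reports what has been added, removed or modified between two runs. The directory tree, the "post-intrusion" changes and the path names are all constructed inside the script for the demonstration; the one point worth noticing is that a changed setuid bit is reported as a modification even though the file's contents, and therefore its hash, are unchanged.

```python
import hashlib
import os
import stat
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks so large binaries fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file under root (path relative to root) to
    (sha256, permission bits, owner uid, size)."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are out of scope for this example
            rel = os.path.relpath(full, root)
            baseline[rel] = (hash_file(full), stat.S_IMODE(st.st_mode), st.st_uid, st.st_size)
    return baseline


def compare_baselines(old, new):
    """Classify paths as added, removed or modified. Any difference in the
    recorded tuple counts, so a permission change with identical contents
    (for example a newly set setuid bit) is still reported as modified."""
    old_paths, new_paths = set(old), set(new)
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": sorted(p for p in old_paths & new_paths if old[p] != new[p]),
    }


def _write(root, rel, content, mode=0o644):
    """Helper for the constructed tree: create parent directories and write a file."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(content)
    os.chmod(full, mode)
    return full


def demo():
    """Build a small constructed tree, snapshot it, simulate a compromise and
    return what a second run of the checker reports."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/bash\n")
        ls_path = _write(root, "bin/ls", "#!/bin/sh\necho ls\n", mode=0o755)
        _write(root, "var/log/messages", "Mar  3 10:15:01 sles9 sshd[412]: Accepted publickey for admin\n")
        old = build_baseline(root)

        # Simulated post-intrusion changes (constructed for the example only):
        with open(os.path.join(root, "etc/passwd"), "a") as fh:
            fh.write("toor:x:0:0::/:/bin/bash\n")          # second uid-0 account appended
        os.chmod(ls_path, 0o4755)                           # setuid bit set, contents untouched
        _write(root, "usr/lib/.hidden/ld.so", "\x7fELF")   # dropped file under a hidden directory
        os.remove(os.path.join(root, "var/log/messages"))  # log wiped

        new = build_baseline(root)
        return compare_baselines(old, new)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Two cautions apply to any checker built this way. The baseline must be stored where the intruder cannot rewrite it (read-only media, or a remote host), or the attacker simply re-baselines the compromised system; and because the comparison only happens when the job runs, the detection delay is exactly the scheduling interval mentioned above, which is the gap the NIDS is there to cover.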

Before delving into the various tools available for HIDS and NIDS, we need to examine possible ways to reduce the exposure of systems.



    SUSE LINUX Enterprise Server 9 Administrator's Handbook
    ISBN: 067232735X
    Year: 2003