Sources of Information on Attacks


Before we can come to a conclusion about an attack based on the above-described principles, it is necessary to obtain information on the basis of which one can draw such a conclusion. There are two categories of such sources: main and auxiliary. Main sources include network traffic, log files, and the system objects' current activity (users, programs, processes, etc.). Classic intrusion detection systems make active use of these sources. Security scanners that detect potential attacks use other sources. In most cases, they get the required data by means of analyzing software (including implementations of network services), processes, or data files. Usually, security analyzers look there for various attack indications (as a rule, digital "fingerprints" and headers). Additional sources of information on attacks represent information obtained from system users, messages in security bulletins, etc.

It is important to understand that information from a single source can not serve as unequivocal proof of a security policy violation. Using information from different sources (preferably independent from one another) allows you to draw conclusions on the presence and type of attack more reliably.

Log Files

This method was the first one to be used for detecting security policy violations. Even today, it still remains one of the most efficient methods. A specific feature of this method is that it is indispensable in cases in which there are no other intrusion detection methods available for use. The necessity of registering system and security events in log files is stated in most security documents and requirements, including the famous "Orange Book," ISO 17799, etc. I will not concentrate on the formats of the log files produced by different types of software and hardware, since this task can not be practically implemented. Each system has its own, unique format of log file. Furthermore, even different versions of the same product might use different log file formats. Therefore, I will limit myself to providing several examples of log files — Cisco IOS (Listing 4.44), Windows 2000 (Fig. 4.8), CheckPoint Firewall-1 (Listing 4.45), and Apache (Listings 4.46 and 4.47).

Listing 4.44. Examples of Security Messages Produced by Cisco Equipment

start example
   (for IOS 12.0 T)   Feb 25 21:14:38 134.161.1.101 21043: %SEC-6-IPACCESSLOGP: list ingress   denied udp 38.29.63.57 (4419) -> 134.161.67.71 (34555), 1 packet   Dec 22 16:15:26: %SEC-6-IPACCESSLOGDP: list Internet denied icmp   172.20.20.1 -> 255.255.255.255 (8/0), 1 packet   May 10 09:26:34.260 UTC: %SEC-6-IPACCESSLOGP: list 100 denied tcp   10.0.0.57(0) -> 192.231.90.254(0), 1 packet 
end example

Listing 4.45. A Fragment of the Check Point Firewall-1 Log File

start example
   "421316" "29Dec2000" " 9:32:16" "daemon" "localhost" "alert" "accept"   "" "x.x.x.x" "x.x.x.x"  "ip"  "" ""  "" ""  ""  "" ""   "" "" ""  ""   "MAD" " additionals:   attack=blocked_connection_port_scanning"   "422255" "29Dec2000" " 9:33:59" "daemon" "localhost" "alert" "accept"   "" "x.x.x.x" "x.x.x.x" "ip" "" "" "" "" "" "" "" "" "" "" ""   "MAD" " additionals: attack=blocked_connection_port_scanning"   "427220" "29Dec2000" " 9:43:26" "daemon" "localhost" "alert" "accept"   "" "x.x.x.x" "x.x.x.x" "ip" "" "" "" "" "" "" "" "" "" "" ""   "MAD" " additionals: attack=blocked_connection_port_scanning" 
end example

Listing 4.46. A Fragment of the Apache Log File (access_log)

start example
   193.56.123.47 - - [04/Apr/1997:16:39:06 -0500] "GET /etc/passwd HTTP/1.0"404 139 
end example

Listing 4.47. A Fragment of the Apache Log File (error_log)

start example
   [Fri Apr 4 16:37:39 1997] HTTPD: access to / export/home/httpd_root/   cgi-bin/phf failed for 193.56.123.47, reason: script does not exist from - 
end example

click to expand
Fig. 4.8. A Windows 2000 Security Log file

I would just like to make one small comment. You need to study the formats and specific features of the log files used in your systems carefully. Otherwise, a situation similar to something that happened to me once might occur. A security administrator sent me a message asking me to help him resolve a conflict with his IT department. Along with this, he sent me a fragment of a log that, he suspected, had been tweaked by the network administrator.

Network Traffic

Network traffic is one of the most basic sources of information used by intrusion detection systems. Network traffic consists of network packets being transferred (also known as frames). Without diving into details of implementation of different network architectures, let us take the packet as the basic unit of network traffic, which in general cases comprises the following three parts:

  • Packet header (service information, source address, destination address and other fields)

  • Data field of the packet

  • Packet trailer (control sums, delimiter and so on)

Depending on the network architecture, some parts might be missing. Based on an analysis of the above-listed parts of the network packet, the intrusion detection system decides if security policy violations really took place. In early 2000, 70$ of all networks were TCP/IP networks, and this number is gradually increasing. On the other hand, percentages taken by other protocol stacks (IPX/SPX, SMB/NetBIOS etc.) do not exceed 20%. This explains why intrusion detection systems using network traffic as the source of information usually function only in TCP/IP networks.

Activity of System Subjects

This source reflects all actions performed by the objects within a controlled system (users, processes, etc.) in real-time mode. These actions can also be analyzed on the basis of log files. However, not all events that take place in the system being controlled are registered in log files. Therefore, it is much more efficient (but at the same time much harder) to analyze all system activity in real time. Looking somewhat ahead, I would like to mention that only a small number of the systems intended for detection of abnormal activity work according to this principle. The complications related to implementation of this mechanism prevent developers from using it in intrusion detection systems, because it requires them to build the interception system into all requests. Intrusion detection systems work according to another principle — they never lock specific activity immediately. Rather, they first analyze it, and then react appropriately. The more complicated the analysis algorithm is, the more resources it requires for implementation and, consequently, the more it degrades the performance of the system it controls.

Additional Sources

Information on an attack can be obtained not only from various software tools, but also from additional indicators. Most intruders, especially the ones who attack networks in order to improve their self-esteem, boast of their deeds to their colleagues. Quite often, whole Web sites or sections of Web sites are dedicated to these achievements (for example, you can find such a topic at http://www.alldas.org). You can use this information to get additional knowledge and find out additional attack indicators. Here are some sources where you might be able to find some useful information:

  • Hacker magazines (including e-zines)

  • Mailing lists (such as the one from SecurityFocus)

  • Books (such as "Maximum Security" or "Counter Hack")

  • Hacking resources on the Internet (such as http://www.securityfocus.com or http://packetstormsecurity.nl)

  • USENET and FIDONET conferences

  • IRC channels

  • Conferences and seminars (such as DEFCON).

Notifications from the Users

Notifications from the users represent an additional source of information that must not be neglected. Although these notifications often are only figments of the imagination of unskilled users, sometimes they can help to reveal problems that can not be detected using other methods. Notification of the appearance of a duplicate IP address can serve as an example of such a message. If you are not able to react in a timely manner to the notifications from the users of your informational system, it is necessary at least to register them. If a problem arises, these records can be used for further investigation.

Mail Lists

Mail lists are rather popular all over the world. Except for the cost of an Internet connection, this additional source of information does not require any additional expenses, since notifications on new vulnerabilities found and new attack methods are distributed for free to all interested persons.

Such bulletins are composed by so-called Response Teams as a reaction to security incidents. The most famous among such teams are the Computer Emergency Response Team (CERT/CC), SecurityFocus, X-Force, and SecuriTeam.

The above-mentioned groups collect statistics on the attacks and vulnerabilities found in software and hardware, develop efficient countermeasures against these attacks, and publish this information for all interested individuals via mail lists and/or web servers. All response teams and developers of intrusion detection systems work in contact with software and hardware developers in order to provide efficient methods of counter-acting attacks. However, information on a newly found vulnerability is not officially published before the team develops efficient countermeasures. This is the main drawback of all methods used for searching for vulnerabilities, because intruders can use the available information before anyone finds a method to eliminate the security breach.

Web Servers

web servers are among the most common additional information sources from which specialists can get information on attacks and vulnerabilities. Such sources can be classified into the following three categories:

  • Servers supported by software and hardware manufacturers and vendors. This list includes the above-mentioned technical-support sites of such companies as Microsoft, Novell, Sun, Hewlett-Packard, Cisco, and so on. These servers mainly contain information on security holes detected in solutions provided by these companies.

  • Servers of specialized organizations and companies. This resource list includes web servers supported by ISS, Symantec, MITRE, along with servers of such organizations as NASA, Purdue University, etc.

  • Independent servers, such as Insecure (http://www.insecure.org). You can find such servers using various search engines, such as http://neworder.box.sk.

Internet and FIDONET Conferences

With the development and growth of messaging technologies, which allow one to distribute information via web servers and mail lists, USENET conferences and FIDONET echo conferences are gradually losing their popularity. Still, several years ago, the FIDO network was nearly as popular as the Internet. Recently, as Internet connections become less expensive, its popularity is constantly growing, while the number of FIDO participants has significantly decreased. However, even now, FIDO members are still quite numerous.

Intrusion Detection Technologies

Intrusion detection requires one of the following two conditions to be satisfied: You either need to understand the expected behavior of the controlled system object or know all possible attacks and their modifications. In the first case, the anomaly detection technology is employed, while, in the second case, the misuse detection technology is applicable. Usually, commercial systems combine both approaches, trying to get the most out of both technologies and eliminate the drawbacks characteristic of each of them.

Anomaly Detection

This technology is based on the assumption that attacks or any other malignant actions often manifest themselves as unusual or anomalous behavior of the system, application program, or user. For example, a large number of connections during a short time interval, a high processor or network workload, attempts to access peripherals that are not normally used can all be considered to be anomalous behavior. Supposing that we can describe the profile of normal object behavior, any deviation from this profile can be interpreted as anomalous behavior. However, anomalous behavior does not necessary indicate an attack. For example, this relates to the case of a large number of responses to the requests on the workstation activity from the network management system. Many intrusion detection systems would identify this case as a Denial of Service attack. Taking this factor into account, one can notice that two extremities are possible when using such systems:

  • False positive — a case when intrusion detection system detects and classifies some anomaly as an attack when it is not a real attack.

  • False negative — a situation in which the intrusion detection system does not detect the situation that does not satisfy the definition of anomalous behavior. This case is much more dangerous than a false positive.

Therefore, when customizing and using the systems of such a category, the administrator must work on:

  • Creating the behavior profile of an object. This problem is rather complicated, hard to formulate, and time-consuming. Also, it requires a large amount of preparatory steps from the administrator.

  • Determining boundary values of the object behavior characteristics. This is required to decrease the probability of false positive and false negative situations.

This technology is rather expensive, and the results are hard to achieve when employing it, because logging of all activities of the controlled object required for this kind of detection significantly degrades the performance of the protected host. Usually, such systems are characterized by heavy loads on the CPU and require large amounts of disk space to store the collected data. In general, such systems are not suitable for real-time systems where performance and response time are or critical importance.

For example, operators in banks perform the same actions in their day-to-day activities. For such deterministic systems, one can easily develop anomaly detection methods that, strictly speaking, are implemented in fraud detection systems. However, for many environments, these methods and approaches are inapplicable. Such environments include, for example, university networks or web servers accessed by thousands of users via a single user account.

The scheme of a typical intrusion detection system based on anomaly detection is shown in Fig. 4.9.

click to expand
Fig. 4.9. A typical anomaly detection system

Usually, anomaly detection systems use log files and current user activity as their main information sources. However, there are examples of systems detecting anomalies in network traffic (such as the Traffic Signature technology, implemented in the n Genius Performance Management System from the NetScout) company [NetScout1-02].

It is important to understand that this approach is becoming more and more widely used in contemporary intrusion detection systems. Most developers of security tools implement this mechanism. In particular, control over network workload fluctuations is especially useful for detecting DoS and DDoS attacks.

The Department of Defense Detects Anomalies 

In April 2001, the US Department of Defense signed a contract for $20 million with the American Institute for Research to develop an Advanced Intrusion Prevention System (AIPS) based on the anomaly detection mechanisms. Currently, the system is under construction and is to be released in December 2004.

Detecting Malicious Activity

Another approach to intrusion detection is based on misuse detection. This approach implies describing an attack as a pattern or signature and searching for a specific pattern within the controlled area (for example, in network traffic or in log files). This technology is very much like non-heuristic scanning for viruses (most antiviral scanners represent examples of intrusion detection systems). This means that the system is capable of detecting all known attacks, but it is hardly equipped to detect new attacks that are not already included in the database.

The approach implemented in such systems is rather simple. It is this principle upon which most contemporary intrusion detection systems available on the market are implemented. However, administrators often encounter problems when working with such systems. The first problem lies in creating a signature description mechanism, i.e., attack description language. The second problem is the consequence of the first one, and is formulated as follows: How does one describe a known attack in such a way as to register all its possible modifications?

The scheme of a typical intrusion detection system based on this principle is shown in Fig. 4.10.

click to expand
Fig. 4.10. A typical misuse detection system

Normally, misuse detection systems employ log files and network traffic as their basic information sources.

Approaches to Intrusion Detection

In the following few sections, we will concentrate on a description of the two main approaches used for intrusion detection — statistical and expert approaches. However, I will also provide useful references on the new and prospective directions of the devel-opment of intrusion detection technologies, such as those implementing artificial neural networks, genetic algorithms, etc.

Statistical Analysis

This approach is widely used in anomaly detection. Deviation from the mean value (i.e., dispersion) of the normal behavior profile notifies the administrator of the fact that attack has been detected. Average frequencies and variable values are calculated for each type of normal behavior (such as, for example, number of logons, number of access-denial events, time, and so on). The system reports a probable attack when these values do not fit within the range of normal values, i.e., exceed the specified threshold. For example, statistical analysis can help to detect an abnormal event such as a logon of the authorized user in unusual time (for example, from 6 a.m. to 8 p.m.).

Parameters included in the behavior pattern can be classified into the following groups:

  • Numeric parameters (amount of data transferred using different protocols, processor workload, number of accessed files, etc.)

  • Category parameters (file names, user commands, opened ports, etc.).

  • Activity parameters (number of attempts to access files or number of connections per specified time period)

When using this approach, it is important to make a correct selection of controlled parameters for the intrusion detection system. A small number or incorrect selection of these parameters will result in an incomplete model of system-object behavior. Thus, many attacks will not be covered by such a system. On the other hand, an excessive number of monitoring parameters will significantly degrade the host performance at the expense of increasing system-resource requirements (RAM, disk space, processor workload, and so on).

Although statistical methods are rather efficient and can reliably detect some types of attacks, they are not widely used at the moment because of the above-mentioned drawbacks. One of the most significant drawbacks of statistical methods lies in the difficulties of specifying the correct threshold values. If the threshold value is set too high, many attacks will not be detected. On the other hand, if this value is too small, many false attack signals will result. Note that some intrusion detection systems, such as the RealSecure Network Sensor, allow users to customize threshold values for some kinds of attacks. However, selection of correct values for these parameters is a non-trivial task that requires a solid knowledge of the controlled system. Other drawbacks of the statistical approach are listed in Table 4.8.

Table 4.8. Advantages and Drawbacks of Statistical Methods for Intrusion Detection

Advantages

Drawbacks


Statistical systems can detect new and unknown attacks.

Intruders can mislead the intrusion detection system, which will interpret the activity indicative of the attacks as a normal activity due to gradual changes of the working mode and "adaptation" of the system to anomalous behavior.

Statistical methods allow the detection of more complex attacks than other methods.

When using statistical methods, the probability of false positive events (false attack notifications) is significantly higher than when using any other method.

Statistical systems can be adapted to changes in user behavior.

Statistical methods are not the most correct ones when it is necessary to process changes in user activities (for example, when a manager performs the duties of his subordinates in critical situations). This drawback can cause serious problems in organizations where such changes are frequent. As a result, false attack notifications might appear, as well as false negative events (attacks that remained unnoticed).

Statistical methods are not capable of detecting attacks performed by subjects whose pattern of typical behavior is impossible to describe.

Statistical methods prove to be inadequate when detecting attacks on the part of subjects, which initially perform unauthorized actions. Thus, the typical behavior pattern will initially include attacks.

These methods require preliminary customization (including correct threshold values for each parameter for each user).

These methods are not sensible to the event order.

Expert Systems

In contrast to anomaly detection, which is usually oriented towards monitoring of the threshold values, misuse detection methods are based on rules that describe an attack scenario. The misuse detection mechanism identifies potential attacks if user activity coincides with the rules specified for a certain attack. The most important aspect of intrusion detection systems based on this principle is the availability of complete databases of known attacks. An expert system is a system that makes a decision to classify a specific event as an attack on the basis of existing rules. These rules are created on the basis of practical experience of security professionals and stored in a special database, known as a knowledge base. In most cases, the expert system rules use so-called signatures, for which the system searches the controlled area.

Signatures are patterns matched to find attacks or cases of misuse. They can be rather simple (a string of characters for searching for a specific condition or command) or very complex (for example, a change of security status in the form of mathematical expressions, predefined sequences of actions, or a set of log-file records).

Signature analysis involves controlling the matching between system settings and activities of the user (or other system object), and comparing network traffic to the database of known attacks and vulnerabilities. Most commercial intrusion detection products perform signature analysis in comparison to the database of known attacks, which is supplied by the product vendor. Additional signatures installed by the client can also be added in the course of the system installation and configuration process.

Despite the fact that, in most cases, expert systems are employed for misuse detection, there are also methods for anomaly detection. For example, the method of predictive pattern generation assumes that future events will be predicted on the basis of an event that has already occurred. This rule can be written as follows:

This means that, if the event Π2 occurs after the event Π1, then the event Π3 will occur with a probability of 75%; the probability for the event Π4 is 20%, and the probability that the event Π5 will take place is 5%. However, you can see that this method is not free from the common drawbacks of all expert systems. For example, if a specific attack scenario is not registered in the knowledge base, this attack will be impossible to detect. Despite the fact that it is possible to overcome this drawback by defining all unknown events as attacks (this will produce a negative effect resulting in a false positive problem) or as normal events (in contrast to the previous case, this will result in a false negative problem), the problem as a whole will not be eliminated by this approach.

Seventy percent of contemporary commercial intrusion detection systems are based on methods devised by experts, while approximately 30% are statistical. Unfortunately, expert systems require constant upgrading in order to remain up-to-date. The required updates may be either ignored or applied manually (by the administrator). This, at least, will result in an expert system with reduced functionality [Cannady1-98]. In the worst-case scenario, lack of maintenance reduces the security level of the whole network and misleads users by producing a false impression of safety and security.

Systems based upon misuse detection rules are unable to detect scenarios of attacks that are take place over a long period of time. Any attack distribution (either in time or between several intruders apparently not related to one another) also complicates intrusion detection using these methods. Advantages and drawbacks of expert systems for intrusion detection are outlined in Table 4.9.

Table 4.9. Advantages and Drawbacks of Expert Systems for Intrusion Detection

Advantages

Drawbacks


Simplicity of implementation.

Inability to detect unknown attacks.

Intrusion detection systems based upon the misuse detection rules are fast.

Small modifications of the same attack make it undetectable.

Elimination of false positive alarms.

The system depends on the skills and qualifications of the specialists who support its knowledge base.

Neural Networks

This method is relatively new, and has not yet been widely adopted in intrusion detection technologies. However, some specialists and even manufacturers do use neural networks in their solutions.

There are some research works investigating the usage of neural networks in the field of intrusion detection. Artificial neural networks are potentially very useful for solving a wide range of problems covered by other contemporary approaches to intrusion detection. Artificial neural networks were declared to be alternatives to the statistical analysis components of anomaly detection systems.

Neural networks were specifically proposed for identifying typical characteristics of system users and statistically meaningful deviations from the standard working mode of the user.

Artificial neural networks are also supposed to be used when detecting computer viruses. In some works, the authors have even suggested neural networks as an approach for statistical analysis when detecting viruses in computer networks. The architecture of the neural network selected for this purpose is represented in the Self-Organizing Map ("Cohonen networks") using a single layer (level) of neurons for representing the information from a single domain in the form of a geometrically organized map. The suggested network was intended for the study of the characteristics of normal system activity, and to identify statistical deviations from normal values, which could indicate the presence of a virus.

The constantly changing nature of network attacks requires flexible protection and a security system that would be able to analyze an enormous amount of network traffic using methods that are less structured than those used in systems based on misuse detection rules. Intrusion detection systems on the basis of neural networks might solve many serious problems that exist in systems based on the rules. One of such examples is the AUBAD (Automated User Behavior Anomaly Detection) system, developed at Melbourne University in Australia, that represents an example of a system created on the basis of this principle.

The most significant disadvantage of using neural networks for intrusion detection lies in the fact that such networks, by their nature, are similar to "black boxes." In contrast to expert systems, which have predefined strict rules for event analysis, neural networks adapt this analysis in response to the "teaching" procedures performed in the network. The weight of connections and transmission functions of different network nodes does not usually play any significant role after the network achieves an acceptable level of success in event identification. Although network analysis achieves a significant probability of success, the basis of this level of precision often remains unknown. The "black box" problem is the most serious vexation in neural-network usage [Cannady1-98]. This area of the neural networks' practical usage is open for further investigation. The advantages and drawbacks of neural networks currently used in practice are outlined in Table 4.10.

Table 4.10. Advantages and Drawbacks of Neural Networks for Intrusion Detection

Advantages

Drawbacks


Capable of detecting unknown attacks.

Results often lack explanations.

Able to function in environments with a large amount of noise.

Lack of learning materials.

System retains usability when data are incomplete or corrupt.

Lack of commercial intrusion detection systems based on neural networks.

Able to predict user behavior and new attacks.

 

Combined Approaches

There are systems combining several approaches to the problem of intrusion detection. Furthermore, as well as the three main approaches discussed above, there are other approaches and methods, which will be briefly outlined in the next few sections.

The NIDES System

The NIDES system, representing the further development of the IDES system, is one of the first examples of a combined approach. This system, which was developed between 1992 and 1994 in Stanford Rescarch Institute (SRI), combines anomaly and misuse detection. As its anomaly detection component, the NIDES system uses a statistical approach determining deviation from the normal user-behavior profile, composed on the basis of more than 30 various parameters (processor workload, Input/Output operations, system errors, user commands, and so on). These profiles are periodically adapted to user behavior. The "expert" component stores scenarios of already known attacks described using the P-BEST attack-description language. The advantage of this solution includes the fact that attacks missed by the first component are detected by the second one, and vice versa. An analysis is performed in real-time mode. The NIDES system differs from the IDES by the presence of special RESOLVER component, which is responsible for joining data obtained from statistical and expert components of the system.

The EMERALD System

The EMERALD system (Event Monitoring Enabling Responses to Anomalous Live Disturbances) was also developed in SRI. However, it appeared later than the NIDES system. In contrast to NIDES, EMERALD also combines both approaches to intrusion detection and is oriented towards large, distributed corporate networks. A specific feature of this system is its capability to perform data analysis from each sensor, both separately and in any combination. It is also possible to integrate third-party tools into this system.

Other Solutions

James Kennedy from the School of Computer and Information Sciences, at Nova Southeastern University, Fort Lauderdale, Florida, proposed an interesting solution combining all three of the above-described approaches. He joined neural network technologies and the RealSecure Network Sensor from ISS. The results of these combinations were overwhelming. The intrusion detection probability reached 98%, while the probability of errors decreased to 5%.

While the solution discovered at Nova Southeastern University was used to detect intrusions in network traffic, a solution proposed at Texas University, in Austin, was used to detect attacks on the basis of analyzing commands issued by the user. This intrusion detection mechanism, based on the learning mechanism with reverse propagation, was named NNID — Neural Network Intrusion Detector. This algorithm was studied when solving the attack identification problem, and was tested experimentally in a system comprising 10 users.

The GASSATA (Genetic Algorithm for Simplified Security Audit Trail Analysis) misuse detection system was developed at the University of Rennes in France. This system is intended for analysis of events obtained from the AIX operating system log file. As a registration data mechanism, this system uses a genetic algorithm.

The AID (Adaptive Intrusion Detection) system appeared as a result of a research project conducted at Brandenburg University of Technology in Germany. This project was sponsored by the German Department of Science, Education, and Culture from 1994 to 1996. The AID system is built on client/server architecture. It is intended for the detection of suspicious activities in local area networks. The AID system obtained its input data from the operating system, translated these data into an OS-independent format and transmitted them to the management console, which then processed these data. The analysis was performed using the real-time expert system RTworks (http://www.talarian.com/rtworks.html). This analysis used the deterministic finite automates mathematical method. The first version of the AID system ran under the Solaris operating system on the Sun SPARC platform. In the course of system investigation, the researchers aimed to achieve the following:

  • Develop agents for the analysis of activities not only on the network, but also at the host level

  • Implement Windows NT support

  • Integrate the neural networks mechanism (Cohonen networks)

The NetSTAT intrusion detection system is the newest product from the STAT family developed at the University of California, Santa Barbara. This product, which was started in the early 1990s, was oriented towards the creation of real-time intrusion detection systems using the so-called transition state control. The idea of this approach was as follows. To implement the attack, the intruder had to achieve the transition of the controlled system from one state (the initial state) to another state (the compromised state). In contrast to most other host-level intrusion detection systems that analyze log files directly, systems from the STAT family have an intermediate component, known as the audit trail analyzer. This component processes log-file records and transforms them into so-called abstracts (also known as signatures). The resulting signatures determine transitions of the controlled system from one state to another. The intrusion detection system then analyzes these transitions. From this point of view, attacks are also transitions from one state to another, and, therefore, the system can compare them to the information retrieved from the log file. The main advantage of this approach is of its ability to detect an attack before the system reaches a compromised state.

The first system from the STAT family was named USTAT. It was intended for the detection of intrusions upon UNIX hosts. Its successor, the NSTAT system, was aimed at protecting a range of networked hosts rather than stand-alone hosts. The NetSTAT system is currently under development and, and in contrast to USTAT and NSTAT, is oriented towards network-level intrusion detection.

Some developers use different approaches. For example, the British company ProCheckUp (http://www.procheckup.com) provides the ProCheckNet penetration testing service, which uses Artificial Intelligence algorithms to imitate intruders. According to the manufacturer, the AI of this system is capable of bypassing a large variety of security tools. The PROMIA company (http://www.promia.com/) has chosen a different approach. After studying and analyzing the problems characteristic of most contemporary intrusion detection systems (including a large number of false positives and the inability to detect unknown attacks), the company has developed the Intelligent Agent Security Module (IASM), which uses both traditional mechanisms (comparing to a predefined pattern) and new anomaly detection technologies (neural networks and fuzzy logic). In September 2001, the Space and Naval Warfare Systems Command (SPAWAR) decided to deploy this system.




Protect Your Information with Intrusion Detection
Protect Your Information with Intrusion Detection (Power)
ISBN: 1931769117
EAN: 2147483647
Year: 2001
Pages: 152

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net