Chapter 6: Classification of Intrusion Detection Systems


Overview

"A scorpion will sting because it has poison; a soldier can be brave when he can rely on his equipment. Therefore when their weapons are sharp and their armor is strong, people will readily go to battle."

Zhuge Liang, "The Way of the General."

In the previous chapter, we considered manual methods of intrusion detection, along with the application of some general-purpose automated tools. The inefficiency of these methods was clear: they are worth applying only when the automated tools cannot handle the situation, or when additional analysis is required. It is therefore necessary to discuss specialized systems designed specifically for intrusion detection.

There are several ways of detecting and defending against security policy violations. The first and the most common method is the detection of attacks that are already occurring. If we return to the main stages of attack implementation discussed in Chapter 2 (see Fig. 2.10), then, according to the suggested classification, this method corresponds to the second stage of attack implementation. This approach is used in "classic" intrusion detection systems (such as RealSecure Network Sensor or Cisco IDS 4200), firewalls (such as Check Point Firewall-1), information security and protection systems (such as SecretNet), and so on. However, the main drawback of systems of this type lies in the fact that attacks can be repeated. Of course, the repeated attacks will also be detected and blocked, but this process can continue indefinitely, which is inefficient and wasteful in terms of time, money, and human resources. It is much more efficient and effective to prevent attacks before they are implemented. This is the basic idea of the second approach, which involves the detection of vulnerabilities (i.e., potential attacks) that may be used in implementing attacks. Finally, there is the third approach: detecting attacks that have already occurred and preventing them from being implemented in the future. Thus, systems for the detection of security policy violations can be classified on the basis of the stage of the attack (Fig. 6.1), as described below:

  • Systems functioning at the first stage of attack implementation and enabling the detection of information-system vulnerabilities that can be exploited by the intruder. The tools belonging to this category are known as security-assessment systems or security scanners. Internet Scanner and SATAN are examples of this type of system. Some authors argue that it is not correct to classify security scanners as intrusion detection systems. However, if we follow the classification principles described above, then it makes sense to classify them in this way.

  • Systems functioning at the second stage of attack implementation and allowing the detection of attacks during the course of their implementation, i.e., in real-time mode (or very close to real time). These are intrusion detection systems according to the classical definition. Examples of such systems are RealSecure Network Sensor and Okena StormWatch. Besides these, there is also a relatively new class of intrusion detection systems, deception systems, which will be covered in detail later. Examples of such systems are RealSecure Server Sensor and DTK.

  • Systems functioning at the third stage of attack implementation and detecting attacks that have already been completed. These systems can be divided further into two classes: integrity checkers, which check the integrity of the controlled resources, and log checkers, which are intended for log-file analysis. Tripwire and RealSecure Server Sensor are two examples of such systems.

Fig. 6.1. Classification of intrusion detection systems by attack stage
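To make the third-stage class concrete, here is an added example of a minimal Tripwire-style integrity checker. It is not code from the book or from any of the products it names, and it assumes that the baseline is taken while the monitored files are known-good and is stored where an intruder cannot alter it (here it is simply kept in memory). The file tree it inspects is constructed sample data created in a temporary directory, so the script runs offline; the file names and the hypothetical tampering are illustrative only.

```python
"""Minimal file-integrity checker (added example, not the book's own code).

Illustrates the "third stage" integrity checkers of Fig. 6.1: a baseline of
digests, sizes and permission bits is recorded while the files are known-good,
and a later snapshot is compared against it to report what was added, removed
or modified after the fact. The sample tree below is constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """Return the SHA-256 hex digest of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record digest, size and permission bits for every regular file under root.

    Keys are POSIX-style paths relative to root, so two snapshots of the same
    tree compare cleanly even if it is mounted at a different location.
    """
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            st = path.stat()
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": file_digest(path),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify the differences between a baseline and a later snapshot.

    A file counts as modified if either its content digest or its permission
    bits changed: a setuid bit appearing on a binary is as significant as a
    content change, even though the digest is identical.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current)
        if baseline[p]["sha256"] != current[p]["sha256"]
        or baseline[p]["mode"] != current[p]["mode"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a constructed sample tree, baseline it, simulate changes, report.

    Every file here is sample data created in a temporary directory; none of
    the paths refer to the real system.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "motd").write_text("welcome\n")
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"\x7fELF stub, not a real binary")
        (root / "bin" / "login").chmod(0o755)

        baseline = build_baseline(root)

        # Hypothetical changes made after the baseline was recorded.
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")  # content change
        (root / "bin" / "login").chmod(0o4755)   # permission change only, same content
        (root / "etc" / "motd").unlink()         # file removed
        (root / "bin" / "extra").write_text("new file\n")  # file added

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind.upper():9} {p}")
```

The report is only as trustworthy as the baseline: a real deployment signs the baseline or keeps it on read-only media, and compares permission bits and ownership as well as content, as the example does for the mode bits.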

In addition to the classification explained above, there is another manner in which systems for the detection of security policy violations can be classified: by principle of implementation. Host-based systems detect vulnerabilities or attacks directed at a specific network host, while network-based systems cover the entire network or a network segment. The classification of intrusion detection systems by implementation level is shown in Fig. 6.2.

Fig. 6.2. Classification of intrusion detection systems by implementation principle

Normally, this level is the most detailed. However, based on the classification of information-system levels introduced in Chapter 1, it is possible to define three more sublevels:

  • Intrusion detection systems at the application software level (application-based intrusion detection systems), which detect attacks on specific applications (such as a Web server). RealSecure OS Sensor and WebStalker Pro are two examples.

  • Intrusion detection systems functioning at the operating-system level (OS-based), which detect intrusions at that level. Examples of these systems are DirectoryAlert and ServerAlert from NetVision, intended for intrusion detection in NetWare networks.

  • DBMS-based intrusion detection systems, detecting attacks at the DBMS level.

Classifying intrusion detection systems designed to detect attacks directed at the DBMS into a separate category is based on the fact that contemporary DBMSs are characteristically something more than ordinary applications, and are closer to operating systems themselves. At the same time, intrusion detection systems (or, to be more precise, security scanners) at the DBMS level can function both locally, on the protected host, and via the network (for example, Database Scanner). In turn, a network-level intrusion detection system can be localized to detect attacks directed at a specific host rather than at the whole network segment. RealSecure Desktop Protector is an example of such a system.

Of course, this classification can be disputed. Most specialists are of the opinion that security scanners should not be classified as intrusion detection systems. A similar situation exists for integrity control systems and log-file analyzers. Such systems help in intrusion detection, but, on the other hand, they are different from the IDS [Shipley1-00]. I do not want to argue this statement, but I would like to mention that, taking into account the steps of attack implementation, this classification is logical and reasonable.

Furthermore, even the terminology in this area has not been agreed upon yet. Each manufacturer, wishing to emphasize that its system is unique and that it outperforms all other solutions, creates a new class of intrusion detection systems. For example, this is how hybrid intrusion detection systems (such as Prelude), virtual intrusion detection systems (such as IntruShield from IntruVert), multitiered IDSs, stateful IDSs, and even specification-based IDSs have appeared.


Protect Your Information with Intrusion Detection
ISBN: 1931769117
Year: 2001
Pages: 152