Introduction to Classification


There are several ways to classify intrusion detection systems, and each vendor tends to define its own classification around the products it has built. The following few sections cover the most common classifications of intrusion detection systems.

Classification by the Level of the Information System

As with security scanners, intrusion detection systems can also be classified by the level of information infrastructure at which security policy violations are detected.

Application and DBMS Level

Intrusion detection systems working at this level collect and analyze information produced by specific applications, such as a DBMS, a web server or a firewall (for example, WebStalker Pro).

Advantages and drawbacks of systems of this class are listed in Table 6.6.

Table 6.6. Advantages and Drawbacks of Application-Level Intrusion Detection Systems

Advantages:
  - Lets you concentrate on a specific activity that is hard to detect by other means (for example, improper activity by a particular user, such as fraudulent payments in a payroll system).
  - Detects attacks that tools running at lower levels miss, because only the application knows what a valid transaction looks like.
  - Reduces resource consumption by monitoring one specific application rather than everything running on the system.

Drawbacks:
  - A vulnerability in the monitored application (or in the IDS component embedded in it) can be used to subvert or blind detection at this level.
  - Attacks implemented at lower levels (OS or network) are not covered.


OS Level

OS-level intrusion detection systems collect and analyze information that reflects the various activities taking place in the operating system of a specific host (for example, RealSecure Server Sensor or Intruder Alert). As a rule, this information comes from the OS log files (audit trails). Recently, systems working at the OS-kernel level have become increasingly popular: by hooking into the kernel (intercepting system calls), they see an action at the moment it is attempted rather than after it has been logged, which is a more efficient way to detect security policy violations. The LIDS (Linux Intrusion Detection System) kernel patch is one example of this type of product.
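To make the log-file variant concrete, here is an added example (mine, not code from the book or from any of the products named above) of the kind of analysis an OS-level sensor performs over a host's authentication log. The log lines are constructed for the example, and the thresholds (three failures within 60 seconds, a root shell within 10 minutes of a suspicious login) are assumed policy values, not figures from the text. Three rules are applied in time order: a burst of failed logins for one user from one source, a successful login that follows such a burst, and a sudo-to-root shortly after that login.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-style authentication records for the example (not a real capture).
SAMPLE_LOG = """\
Mar 14 10:01:02 web01 sshd[2201]: Failed password for alice from 203.0.113.9 port 50122 ssh2
Mar 14 10:01:05 web01 sshd[2201]: Failed password for alice from 203.0.113.9 port 50123 ssh2
Mar 14 10:01:08 web01 sshd[2201]: Failed password for alice from 203.0.113.9 port 50124 ssh2
Mar 14 10:01:11 web01 sshd[2201]: Failed password for alice from 203.0.113.9 port 50125 ssh2
Mar 14 10:01:15 web01 sshd[2201]: Accepted password for alice from 203.0.113.9 port 50126 ssh2
Mar 14 10:02:30 web01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar 14 10:05:00 web01 sshd[2310]: Accepted publickey for bob from 198.51.100.4 port 40001 ssh2
Mar 14 11:30:00 web01 sshd[2400]: Failed password for bob from 198.51.100.4 port 40010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[A-Za-z_-]+)(?:\[\d+\])?:\s*(?P<msg>.*)$"
)
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
OK_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=")

# Assumed policy thresholds (tune for the monitored host).
FAIL_THRESHOLD = 3                         # failures per (user, source) ...
FAIL_WINDOW = timedelta(seconds=60)        # ... within this window count as brute force
ESCALATION_WINDOW = timedelta(minutes=10)  # root shell this soon after a suspicious login


def parse(log_text):
    """Turn raw log lines into (time, kind, user, src, sudo_target) events; skip unknown lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        prog, msg = m["prog"], m["msg"]
        if prog == "sshd":
            f = FAIL_RE.search(msg)
            if f:
                events.append((ts, "fail", f["user"], f["src"], None))
                continue
            o = OK_RE.search(msg)
            if o:
                events.append((ts, "success", o["user"], o["src"], None))
        elif prog == "sudo":
            s = SUDO_RE.search(msg)
            if s:
                events.append((ts, "sudo", s["user"], None, s["target"]))
    return events


def analyze(log_text):
    """Apply three host-level rules in time order and return the alerts they raise."""
    alerts = []
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failed logins
    flagged = {}                   # user -> time of a success that followed a burst of failures
    reported = set()               # (user, src) pairs already reported as brute force
    for ts, kind, user, src, target in sorted(parse(log_text), key=lambda e: e[0]):
        if kind == "fail":
            q = failures[(user, src)]
            q.append(ts)
            while ts - q[0] > FAIL_WINDOW:   # drop failures that fell out of the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and (user, src) not in reported:
                reported.add((user, src))
                alerts.append({"rule": "brute_force", "user": user, "src": src,
                               "count": len(q), "time": ts})
        elif kind == "success":
            recent = [t for t in failures.get((user, src), ()) if ts - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:   # password guessing that apparently worked
                flagged[user] = ts
                alerts.append({"rule": "success_after_failures", "user": user, "src": src,
                               "count": len(recent), "time": ts})
        elif kind == "sudo" and target == "root":
            t0 = flagged.get(user)
            if t0 is not None and ts - t0 <= ESCALATION_WINDOW:
                alerts.append({"rule": "root_after_suspicious_login", "user": user,
                               "src": None, "count": None, "time": ts})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a["time"].strftime("%H:%M:%S"), a["rule"], a["user"], a["src"] or "", a["count"] or "")
```

Note how the third rule only fires because the host sees the outcome (the accepted login and the subsequent root shell); a network sensor would have observed the same SSH session only as ciphertext. The other side of the coin is visible too: the rules depend entirely on what the host chose to log, so if `sshd` or `sudo` logging were turned off, nothing here would fire.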

Advantages and drawbacks of systems belonging to this class are outlined in Table 6.7.

Table 6.7. Advantages and Drawbacks of OS-Level Intrusion Detection Systems

Advantages:
  - Can monitor access to information resources at the granularity of which user accessed which resource.
  - Can reveal anomalous activity by a specific user across any application on the host.
  - Tracks changes of the host's operating mode (for example, configuration, privilege or audit-setting changes) that may indicate misuse.
  - Works in environments that use encryption, since the host sees data after it has been decrypted.
  - Works in dial-up (point-to-point) environments, where there is no shared segment for a network sensor to monitor.
  - Lets you monitor a specific critical host without spending effort on other, less important hosts.
  - Can confirm whether an attack succeeded or failed, since the outcome is visible on the host itself (a network sensor sees only the attempt).
  - Detects attacks missed by tools running at other levels.
  - Can perform analysis autonomously on the host, without depending on a central collector.

Drawbacks:
  - OS vulnerabilities can be used to compromise or blind the detector, which runs on the same host it is protecting.
  - Attacks implemented at lower or higher levels (network or application) are not covered.
  - Enabling auditing of all event types to feed the detector can consume significant CPU and I/O on the monitored host.
  - When log files are used as the data source, they can require quite significant storage space.
  - These methods are platform-dependent: a separate agent is needed for each operating system.
  - Expenses for operating and managing such systems (an agent on every host) are, as a rule, significantly higher than for other classes of system.
  - Practically inapplicable for detecting attacks on routers and other network equipment, where no agent can be installed.
  - If the audit data is incomplete (for example, an event type that is not logged), specific attacks are missed.


Network Level

Network-level intrusion detection systems collect information from network traffic. They can run on standard PCs (for example, RealSecure Network Sensor or Net-Prowler), on specialized appliances (RealSecure for Nokia, Cisco IDS 4200 or AirDefense Server Appliance), or can be integrated into switches or routers (for example, Cisco IOS Firewall Feature Set or the Cisco IDS blade, also known as the Cisco Catalyst 6500 IDS Module). In the first two cases the sensor captures packets from a network interface placed in promiscuous mode, so it receives every frame on the segment rather than only those addressed to the sensor host. On a switched network the traffic of interest must additionally be mirrored to the sensor's port, since a switch forwards each frame only to its destination port.
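The following is an added example (mine, not code from the book or from any of the products named above) of what such a sensor does with the frames it captures: it decodes the Ethernet, IPv4 and TCP headers and tracks half-open connections per server port so that a SYN flood, one of the denial-of-service attacks listed in Table 6.8 below, is reported once the number of distinct sources with an unanswered SYN reaches a threshold. In a real sensor the frames would come from libpcap or a raw socket on an interface in promiscuous mode; here they are constructed with `build_frame` so the example runs offline, and the threshold of 50 half-open connections is an assumed value.

```python
import socket
import struct
from collections import defaultdict

# Header layouts in network byte order. Checksums are left as zero: the sensor does not
# need them to classify packets, and these frames are constructed rather than captured.
ETH_HDR = struct.Struct("!6s6sH")        # dst MAC, src MAC, EtherType
IP_HDR = struct.Struct("!BBHHHBBH4s4s")  # IPv4 header without options (20 bytes)
TCP_HDR = struct.Struct("!HHIIBBHHH")    # TCP header without options (20 bytes)
ETHERTYPE_IPV4 = 0x0800
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def build_frame(src_ip, dst_ip, sport, dport, flags):
    """Construct an Ethernet/IPv4/TCP frame; stands in for one frame read from a promiscuous NIC."""
    tcp = TCP_HDR.pack(sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = IP_HDR.pack(0x45, 0, IP_HDR.size + len(tcp), 0, 0, 64, socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = ETH_HDR.pack(b"\x00" * 6, b"\x00" * 6, ETHERTYPE_IPV4)
    return eth + ip + tcp


def parse_frame(frame):
    """Return (src_ip, dst_ip, sport, dport, flags) for an IPv4/TCP frame, or None for anything else."""
    if len(frame) < ETH_HDR.size + IP_HDR.size:
        return None
    _, _, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_IPV4:
        return None
    vihl, _, _, _, _, _, proto, _, src, dst = IP_HDR.unpack_from(frame, ETH_HDR.size)
    if vihl >> 4 != 4 or proto != socket.IPPROTO_TCP:
        return None
    tcp_off = ETH_HDR.size + (vihl & 0x0F) * 4   # honour IHL so IP options do not mislead us
    if len(frame) < tcp_off + TCP_HDR.size:
        return None
    sport, dport, _, _, _, flags, _, _, _ = TCP_HDR.unpack_from(frame, tcp_off)
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport, flags


def detect_syn_flood(frames, threshold=50):
    """Track half-open connections per (server, port) and alert when they reach `threshold`."""
    half_open = defaultdict(set)   # (dst_ip, dport) -> {(src_ip, sport), ...}
    alerted = set()
    alerts = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None:
            continue                                 # non-IP or non-TCP frame: not our concern here
        src, dst, sport, dport, flags = pkt
        server, client = (dst, dport), (src, sport)
        if flags & RST:                              # either side aborted: clear both directions
            half_open[server].discard(client)
            half_open[(src, sport)].discard((dst, dport))
        elif flags & SYN and not flags & ACK:        # handshake step 1: a new half-open entry
            half_open[server].add(client)
            if len(half_open[server]) >= threshold and server not in alerted:
                alerted.add(server)
                alerts.append({"rule": "syn_flood", "target": server,
                               "half_open": len(half_open[server])})
        elif flags & ACK and not flags & SYN:        # handshake step 3 (or later data): completed
            half_open[server].discard(client)
    return alerts


def sample_traffic(flood_sources=60):
    """Constructed capture: one legitimate handshake, then SYNs from spoofed sources to port 80."""
    client, server = "198.51.100.7", "192.0.2.10"
    frames = [build_frame(client, server, 40000, 443, SYN),
              build_frame(server, client, 443, 40000, SYN | ACK),
              build_frame(client, server, 40000, 443, ACK)]
    for i in range(flood_sources):
        frames.append(build_frame(f"203.0.113.{i % 254 + 1}", server, 1024 + i, 80, SYN))
    return frames


if __name__ == "__main__":
    for alert in detect_syn_flood(sample_traffic(), threshold=50):
        print(alert)
```

The legitimate handshake to port 443 is added and then removed from the half-open table, so it never contributes to an alert; the spoofed SYNs to port 80 are never completed and accumulate until the threshold is crossed. Two limits of the approach show up directly in the code: the sensor only sees what reaches its interface (on a switch, only what is mirrored to it), and a per-packet Python loop like this one is exactly what cannot keep up with a saturated high-speed link.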

The advantages and drawbacks of systems belonging to this class are described in Table 6.8.

Table 6.8. Advantages and Drawbacks of Network-Level Intrusion Detection Systems

Advantages:
  - Data comes straight from the wire; no auditing mechanisms have to be configured on the monitored hosts.
  - Monitoring does not affect existing data sources or the performance of the monitored hosts.
  - Can detect network denial-of-service attacks (for example, SYN floods or packet storms) designed to bring down network hosts.
  - One sensor can simultaneously monitor a large number of hosts (as on shared network media or a mirrored switch port).
  - Relatively low operating expenses.
  - It is hard for an intruder to conceal traces of unauthorized activity: the sensor records the traffic independently of the attacked host, so wiping that host's logs does not remove the evidence.
  - Detection of the attack and the reaction to it take place in real time.
  - Detects suspicious network events that an individual host cannot see (for example, traffic from unexpected external IP addresses).
  - Detects attacks missed by tools running at other levels.
  - Independence from the operating systems and application software used in the organization, since the sensor interprets the standard network protocols they all speak.

Drawbacks:
  - Attacks implemented at higher levels (OS and applications) are not covered.
  - Not applicable in networks using link-level or end-to-end encryption: the sensor sees only ciphertext.
  - Ineffective in dial-up networks, where there is no shared segment to monitor.
  - Strongly dependent on the specific network protocols in use; a new or proprietary protocol is not understood until the sensor is updated.
  - Contemporary approaches to network-level monitoring cannot keep up with high-speed links (for example, Gigabit Ethernet), so packets are dropped and attacks can be missed under load.


Integrated Approaches

As I mentioned above, until now all existing intrusion detection systems could be classified as either network-based or host-based. The ideal solution, however, is a combination of the two: an intrusion detection agent installed on each controlled host traces attacks directed at that host both at the host levels (OS, DBMS and applications) and at the network level. This approach (a hybrid IDS) has several advantages over the existing solutions.

First, high-speed network media no longer pose a problem, since the agent only has to inspect the traffic of its own host rather than the traffic of the entire segment. Second, encryption is no longer an obstacle: because the agent sits on the endpoint, it can examine packets after they have been decrypted and before they reach the application. Finally, since the agent resides on the host it controls, dial-up connections no longer limit where an intrusion detection system can be used.

Some intrusion detection systems combine the capabilities of tools running at the network, OS, DBMS and application-software levels. This group includes RealSecure Server Sensor from ISS [ISS2-99] and the Centrax system from CyberSafe. These products combine the characteristics of real-time network sensors with the advantages of system-level sensors.

Other Criteria

There are other criteria for intrusion detection system classification, which will be covered in greater detail in Chapter 9.




Protect Your Information with Intrusion Detection
ISBN: 1931769117
Year: 2001
Pages: 152
