Chapter 10: Intrusion Detection: Techniques and Systems


10.1 Cybercrimes

Increasingly, crime, as we have said, is digital in nature: burglary, destruction, and theft are perpetrated via remote system break-ins by computer hackers. Unlike the burglar of a building, cybercriminals enter through a network port, using a variety of utilities and tools to obtain the secret passwords and privileges meant to protect a system, so that they can destroy or steal digital property. In this chapter we concentrate on the detection of computer system intrusions, which, in today's networked environment, are becoming more common and lead to spiraling costs and massive destruction.

Of the 500 organizations that responded to a recent computer crime and security survey conducted by the Computer Security Institute and the FBI, 90% detected an intrusion into their systems. The average loss due to a cybercrime is $6.6 million, up from $954,700 just five years ago. The most damaging attacks are targeted intrusions involving theft and financial fraud. Worms and viruses can also cause worldwide economic damage; some, such as Code Red, enable intrusions whose costs to government and corporate networks can run into the billions of dollars.

An intrusion occurs when a hacker attempts to break into or misuse a computer system, Web site, or network. An intrusion can also be defined as any set of actions that attempt to compromise the integrity, confidentiality, or availability of a computer resource. First, we provide a brief overview of some of the techniques, utilities, and tools most commonly used by cybercriminals. Next, we cover some of the preventive techniques and detection systems that have been developed, including how data mining is increasingly used to counter these intrusions by forecasting attacks. As with the other types of crime discussed previously, recognizing criminal patterns is the objective of the investigative data miner.

There are two types of potential intruder: the outside hacker and the inside one. Remarkably, FBI studies have revealed that 80% of intrusions and attacks come from within organizations. So, although most security measures are put in place to protect the inside from a malevolent outside world, most intrusion attempts actually originate within the organization. Whether the intrusion comes from outside or within, it is important to find out how it happened in order to prevent future break-ins. Computer forensics stresses the need to preserve the crime scene once a break-in is discovered, a topic we discuss at the end of this chapter.

Whether they attack from outside or inside, most hackers follow several general steps. Not surprisingly, the most common route in is the Internet. The majority of these perpetrators use readily available tools or utilities to target computer systems, gaining entry by remotely scanning for open ports, stealing passwords, and eventually taking control of networks, Web sites, computers, and their data.

There are several methods of preventing these types of cybercrime: firewalls, antivirus software, and, of course, the countermeasures system administrators can take to protect their systems. There are also network-based and host-based intrusion detection systems (IDS), some of which use pattern-recognition techniques to detect and deter these types of system break-in. Before we turn to these data mining and intrusion detection techniques, however, it is important to describe the sequence of steps cybercriminals have taken in the past to gain entry to and take control of systems and networks.
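The pattern-recognition rules that network- and host-based IDS apply can be illustrated with a small added example (this is not code from the book): two rules, a port-scan threshold and a failed-login-then-success signature, run over constructed connection-log lines. The log format, IP addresses, thresholds and timestamps are all constructed for the example and correspond to no real system.

```python
"""Two simple IDS detection rules run over constructed connection-log lines.

Added example, not from the book. The log format ("timestamp src_ip dst_port
outcome"), the addresses, and the thresholds are all constructed here.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one source probing many ports, one normal client,
# and one source guessing passwords on a single service until it succeeds.
SAMPLE_LOG = """\
2005-03-01T10:00:01 10.0.0.5 22 refused
2005-03-01T10:00:01 10.0.0.5 23 refused
2005-03-01T10:00:02 10.0.0.5 25 refused
2005-03-01T10:00:02 10.0.0.5 80 accepted
2005-03-01T10:00:03 10.0.0.5 110 refused
2005-03-01T10:00:03 10.0.0.5 143 refused
2005-03-01T10:00:04 10.0.0.5 443 refused
2005-03-01T10:00:04 10.0.0.5 3389 refused
2005-03-01T10:01:10 192.168.1.20 80 accepted
2005-03-01T10:05:30 192.168.1.20 443 accepted
2005-03-01T10:06:00 172.16.0.9 22 failed_login
2005-03-01T10:06:02 172.16.0.9 22 failed_login
2005-03-01T10:06:05 172.16.0.9 22 failed_login
2005-03-01T10:06:07 172.16.0.9 22 failed_login
2005-03-01T10:06:09 172.16.0.9 22 failed_login
2005-03-01T10:06:11 172.16.0.9 22 accepted
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, src, port, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, port, outcome = line.split()
        events.append((datetime.fromisoformat(ts), src, int(port), outcome))
    return events


def detect_port_scans(events, distinct_ports=6, window_seconds=30):
    """Anomaly-style rule: one source touching many distinct ports in a short window.

    Returns the list of source addresses that trip the threshold.
    """
    by_src = defaultdict(list)
    for ts, src, port, _ in events:
        by_src[src].append((ts, port))
    alerts = []
    for src, hits in by_src.items():
        hits.sort()
        left = 0
        # Slide a time window over the source's hits and count distinct ports.
        for right in range(len(hits)):
            while (hits[right][0] - hits[left][0]).total_seconds() > window_seconds:
                left += 1
            ports = {p for _, p in hits[left:right + 1]}
            if len(ports) >= distinct_ports:
                alerts.append(src)
                break
    return alerts


def detect_password_guessing(events, failures=5, window_seconds=60):
    """Signature-style rule: N failed logins from one source to one port, then a success.

    Returns (src, port, failure_count) for each matching sequence.
    """
    by_src_port = defaultdict(list)
    for ts, src, port, outcome in events:
        by_src_port[(src, port)].append((ts, outcome))
    alerts = []
    for (src, port), seq in by_src_port.items():
        seq.sort()
        streak = []  # timestamps of recent consecutive failures
        for ts, outcome in seq:
            if outcome == "failed_login":
                streak.append(ts)
                streak = [t for t in streak if (ts - t).total_seconds() <= window_seconds]
            elif outcome == "accepted" and len(streak) >= failures:
                alerts.append((src, port, len(streak)))
                streak = []
            else:
                streak = []
    return alerts


def run_detections(text=SAMPLE_LOG):
    """Apply both rules to a log and return the alerts grouped by rule."""
    events = parse_log(text)
    return {
        "port_scan": detect_port_scans(events),
        "password_guessing": detect_password_guessing(events),
    }


if __name__ == "__main__":
    for rule, alerts in run_detections().items():
        print(rule, alerts)
```

The first rule needs no knowledge of a specific attack, only a threshold on behaviour that legitimate clients rarely show; the second matches a fixed sequence, which is the classic signature approach. Real IDS products combine both and tune the thresholds to the traffic they see, which is where the data mining discussed later in this chapter comes in.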

An intrusion can begin as innocently as an unsuspecting person opening an e-mail message or downloading an MP3 file. Free software can also harbor a stealth intruder: destructive applications hitching a ride that compromise privacy and security. Java applets downloaded with free software can transmit private information without the user's knowledge or permission. Spyware—JavaScript in an e-mail or invisible graphics (Web bugs; see Chapter 2)—downloaded or transmitted from a Web site can transmit user names and passwords without a user's knowledge, which at times is all cybercriminals want. Often a single compromised user password can destroy an entire system, Web site, or network.


Investigative Data Mining for Security and Criminal Detection
ISBN: 0750676132
Year: 2005
Pages: 232
Authors: Jesus Mena