As shown here, the field of intrusion detection is still in its infancy. In addition, as hackers evolve , IDSs must attempt to keep pace. Table 14.1 lists future trends that pose threats to IDSs, and potential solutions.
Table 14.1. Potential Solutions to Future Difficulties in IDSs
The following sections will examine each of these growing problems, along with a potential solution.
IPsec is becoming a popular standard for securing data over a network. IPsec is a set of security standards designed by the Internet Engineering Task Force (IETF) to provide end-to-end protection of private data. Implementing this standard enables an enterprise to transport data across an untrustworthy network such as the Internet while preventing hackers from corrupting, stealing, or spoofing private communication.
By securing packets at the network layer, IPsec provides application-transparent encryption services for IP network traffic, as well as other access protections for secure networking. For example, IPsec can provide for end-to-end security from client-to-server, server-to-server, and client-to-client configurations.
Unfortunately for IDSs, IPsec becomes a dual-edged sword. On the one hand, IPsec enables users to securely log into their corporate network from home using a VPN. On the other hand, IPsec encrypts traffic, thus rendering promiscuous-mode IDSs useless. Therefore, if a hacker compromises a remote user 's machine, he will have a secure tunnel through which to hack the corporate network!
To account for IPsec, future IDSs will need to be embedded throughout each level of a host's TCP/IP stack. This will enable the IDS to watch data as it is unencapsulated and processed through each layer of the stack, and to analyze the decrypted payload at higher levels.
Strict Anomaly Detection
Another growing problem is that as both the speed and complexity of attacks continue to increase, IDSs are struggling to keep pace. One answer to this dilemma might be the growing use of strict anomaly detection . This means that every abnormality, no matter how minor, is considered a true positive alarm.
Again, such a method would require that the IDS move onto individual hosts , rather than the network as a whole. An individual host should have a more predictable traffic pattern as opposed to the entire network. Each critical host would have an IDS that detects every anomaly. Then the administrator can make rules (exceptions) for acceptable variations in behavior. In this way, IDSs monitor behavior in much the same way that firewalls monitor traffic.
How would you design an IDS that performs host-based, strict anomaly detection? In this case, you're dealing with individual hosts that are somewhat isolated by firewalls and routers, so you can customize your IDS for each unique host. Because you're dealing with only the host, you know that any packets received are destined for that specific host. You can then set your sensitivity very high to look for any abnormality.
For example, at the packet level, the host-based anomaly detector would scan packets as they are processed up the stack. You could ask the IDS to monitor any of the following:
Similarly, at the application level, you can ask the anomaly detector to scan for unusual fluctuations in the following system characteristics:
When any abnormality is detected , an alert will be sent to the centralized console. This method has high sensitivity, but unfortunately generates a great deal of data. This problem is dealt with in the next section.
Host Versus Network-Based IDS
The increasing use of switched networks hinders IDSs that monitor the network using promiscuous-mode passive protocol analysis. It is therefore becoming more difficult to monitor multiple hosts simultaneously . There have been attempts to rectify this by using spanning (spy) ports to monitor multiple ports on a switch, but to date such solutions have been ineffective . In addition, the growing use of encrypted traffic foils passive analysis off the wire. Thus, IDSs are moving more towards host-based monitoring.
Geometric Display of Data
As bandwidth and attack complexity increases , it is becoming more difficult to generate meaningful alerts. The amount of alert data generated by IDSs can quickly overwhelm human operators. Unfortunately, excessive filtering of data for human use can severely limit its effectiveness.
One solution to this problem is the geometric display of data. Humans understand geometric shapes intuitively, so this is often the easiest way to present massive amounts of data. When an operator senses an anomaly in the graphical display, she can later drill down manually to investigate the problem.