Friday, December 12, 2008

Intrusion Detection Methodologies

1. The "business problem": Keeping the bad guys out
Internet and internal network attacks on corporate enterprises seem inescapable in today’s computing
environment. Most companies admit to having been attacked over the past year. While the most costly attacks
have been from the inside, external attacks from hackers and competitors are rising dramatically. How do you
know when you’re under attack? Chances are you can already create enough audit trail data, but who has time
to look at it?
Intrusion Detection tools solve this problem by automatically discovering and responding to attacks. This paper
investigates the need for Intrusion Detection, discusses lessons learned from early Intrusion Detection efforts,
and explores the different types of Intrusion Detection tools available. The paper compares and contrasts the
three common methodologies used for Intrusion Detection and discusses the advantages and disadvantages
inherent to various architectures.
2. "Why Intrusion Detection?"
The 1997 annual Ernst & Young security survey indicated that 46% of the respondents considered intrusions a
major concern. This rose dramatically from 16% in 1996. U.S. government penetration tests at the Department of
Defense over the last two years showed that less than 4% of the systems broken into were able to detect the
attack. Even more disturbing, less than 1% took any response.
Taking advantage of "Free Stuff"
A few years ago, hacking took a lot of time and study. While expert hackers still abound, the Internet has entered
a new era. Using almost any search engine, average Internet users can quickly find information describing how
to break into systems; for example, simply searching for key words like hacking, password cracking, and Internet
security. Thousands of sites publish step-by-step instructions as to how to break into Windows NT systems, Web
Servers, UNIX systems, etc. The sites often include tools that automate the hacking process. In many cases the
tools have easy-to-use graphical interfaces. For instance, a tool called "crack" automatically attempts to guess
UNIX passwords. A similar tool called L0phtcrack breaks Windows NT passwords. A software probe called
SATAN discovers vulnerable systems in a network and reports on the specific holes that can be exploited.
What does all this mean? Almost anyone with the motivation to break into systems can quickly obtain the
technology to do so without having to become an expert hacker.
Attacks come from both the inside and the outside. As the survey in the following chart illustrates, disgruntled
employees actually represent a larger threat and typically cause more damage than hacker attacks. An effective
Intrusion Detection solution should detect attacks from both inside and outside the network.
More computers than people
With the explosion of Internet connectivity and the pervasive access everyday users have to both internal and
external networks, experts have seen a tremendous rise in attacks on corporate and government networks. At
the same time the complexity of our enterprises has increased rapidly. Many organizations report that they have
more computer systems than users. Add to this the diversity of operating system platforms, routers, network
protocols, applications, web servers, databases, etc., and we can quickly see why trying to spot an attack
becomes extremely difficult. Without sophisticated tools, it’s nearly impossible.
Nevertheless, nearly every organization wants to know when they are under attack. Enter Intrusion Detection
technology. Intrusion Detection tools automatically detect attacks and threats and ideally provide some type of
response.
3. Early Intrusion Detection Efforts
In the early 1980s, conventional wisdom dictated that the best way to detect intrusions was to create logs or audit
trails of all security relevant activity. As a result most operating systems, databases, routers, and mission-critical
applications generate audit trails. The original idea was that a security administrator would review the audit logs
looking for suspicious events. This seemed like a fine idea when companies only had a few systems and a few
users.
The industry quickly realized that no one had time to read all that audit trail data. So a few enterprising
developers built query and reporting programs to help analyze the audit trail in an attempt to find trouble spots.
For example, in 1984, Clyde Digital Systems developed a product called AUDIT, which automatically searches
through OpenVMS audit trails looking for suspicious events (incidentally, that product is still in use today). In
1987, a U.S. Government-funded project called IDES at Stanford Research Institute read audit trails and created
profiles of normal use patterns for users and then reported deviations.
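The two early approaches described above, searching an audit trail for suspicious events and comparing activity against a profile of normal use, can be shown in one small post-event analyzer. The following is an added example written for this page; it is not code from the paper, from IDES, or from any AXENT or Clyde Digital product. The audit-record format ("ISO-timestamp user event source"), the event names, and both sets of sample records are constructed for illustration.

```python
"""Post-event audit-trail analysis in the IDES style: learn a per-user
profile of normal activity from historical audit records, then report
records in a later batch that deviate from that profile.

Added example, not code from the paper or from any IDS product. The record
format and the sample records below are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed historical audit trail, assumed to cover a clean period.
HISTORY = """\
2008-12-01T09:02:11 alice LOGIN_OK 10.0.0.5
2008-12-01T17:45:03 alice LOGOUT 10.0.0.5
2008-12-02T09:09:58 alice LOGIN_FAIL 10.0.0.5
2008-12-02T09:10:40 alice LOGIN_OK 10.0.0.5
2008-12-03T10:01:22 alice LOGIN_OK 10.0.0.5
2008-12-01T14:00:00 bob LOGIN_OK 10.0.0.7
2008-12-02T14:05:30 bob LOGIN_OK 10.0.0.7
2008-12-03T14:02:10 bob LOGIN_OK 10.0.0.7
"""

# Constructed batch to review against the learned profiles.
NEW_BATCH = """\
2008-12-04T09:03:00 alice LOGIN_OK 10.0.0.5
2008-12-04T03:12:45 alice LOGIN_OK 203.0.113.9
2008-12-04T14:01:00 bob LOGIN_FAIL 10.0.0.7
2008-12-04T14:01:05 bob LOGIN_FAIL 10.0.0.7
2008-12-04T14:01:09 bob LOGIN_FAIL 10.0.0.7
2008-12-04T14:01:14 bob LOGIN_FAIL 10.0.0.7
2008-12-04T14:01:20 bob LOGIN_OK 10.0.0.7
2008-12-04T22:30:00 carol LOGIN_OK 10.0.0.9
"""


def parse_audit(text):
    """Turn audit lines into (timestamp, user, event, source) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, source = line.split()
        records.append((datetime.fromisoformat(ts), user, event, source))
    return records


def build_profiles(records):
    """Per-user profile: hours and sources of successful logins, plus the
    number of failed logins seen on each day of the baseline period."""
    profiles = defaultdict(lambda: {"hours": set(), "sources": set(),
                                    "fails_per_day": Counter()})
    for ts, user, event, source in records:
        profile = profiles[user]
        if event == "LOGIN_OK":
            profile["hours"].add(ts.hour)
            profile["sources"].add(source)
        elif event == "LOGIN_FAIL":
            profile["fails_per_day"][ts.date()] += 1
    return profiles


def find_deviations(profiles, new_records):
    """Return (user, finding, detail) triples for records that do not fit
    the user's profile. Failed logins are judged per day against twice the
    worst baseline day (floor of 3) so ordinary typos do not raise alarms."""
    findings = []
    new_fails = defaultdict(Counter)
    for ts, user, event, source in new_records:
        profile = profiles.get(user)  # .get() does not create a profile
        when = ts.isoformat()
        if profile is None:
            findings.append((user, "unknown user", f"{event} from {source} at {when}"))
            continue
        if event == "LOGIN_OK":
            if ts.hour not in profile["hours"]:
                findings.append((user, "login at unusual hour", f"hour {ts.hour} at {when}"))
            if source not in profile["sources"]:
                findings.append((user, "login from new source", f"{source} at {when}"))
        elif event == "LOGIN_FAIL":
            new_fails[user][ts.date()] += 1
    for user, per_day in new_fails.items():
        worst_baseline = max(profiles[user]["fails_per_day"].values(), default=0)
        threshold = max(3, 2 * worst_baseline)
        for day, count in per_day.items():
            if count > threshold:
                findings.append((user, "failed-login burst",
                                 f"{count} failures on {day} (threshold {threshold})"))
    return findings


def analyze():
    """Learn from HISTORY, then review NEW_BATCH."""
    return find_deviations(build_profiles(parse_audit(HISTORY)), parse_audit(NEW_BATCH))


if __name__ == "__main__":
    for user, finding, detail in analyze():
        print(f"{user:6} {finding:24} {detail}")
```

Running it reports alice's 03:12 login from a never-seen address, bob's burst of four failed logins, and a login by carol, for whom no profile exists. The weakness the paper goes on to describe is visible here too: the baseline is only as good as the period it was learned from, and the review happens after the fact, so the batch must actually be collected and read for any of this to matter.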
Having "the answer" without solving the problem equals no answer at all
Intrusion Detection efforts throughout the 1980’s and early 90’s tended to focus on post-event audit trail analysis.
Most companies, however, did not make use of such tools. Unfortunately, as the number of users, systems,
applications, and databases grew, so did the audit trails, which can now grow so large that they cause denial of
service problems by using up too much disk space. Many production environments routinely turn off audit trails
to avoid disruptions to production systems.
So the current situation at most sites is that they plan to rely on audit trails to detect intrusions, but without
staffing to review the audit trails, these sites turn off the audit trails to improve productivity. No wonder most
attacks go undetected. Nobody’s looking.
4. Intrusion Detection—Essential Functionality
The term "Intrusion Detection" implies discovering attacks and threats throughout an enterprise, and responding
to those discoveries. Some of the automated responses typically include notifying a security administrator via a
console, e-mail, or pager; stopping the offending session; shutting the system down; turning off Internet links;
disabling users; or executing a predefined command procedure.
Clearly Defined: "Intrusion Detection" is more than just a coded application
An effective Intrusion Detection system needs to limit false positives—incorrectly identifying an attack when there
is none. At the same time it needs to be effective at catching attacks. Figuratively speaking, Intrusion Detection is
like a surveillance camera and alarm system all rolled into one. False alarms are distracting and reduce the
effectiveness of an Intrusion Detection system. Failing to catch a break-in reduces its value even further. To
detect new types of attacks an Intrusion Detection tool must have a way to be quickly updated. This is
particularly challenging since updates of attack detection scenarios need to be more frequent than typical
product release upgrade cycles of three to nine months. In fact, to be effective probably requires updating the
software to new detection procedures on a regular basis.
SWATting the problem of keeping current on new attacks
AXENT’s Information Security SWAT Team illustrates one way to address this challenge of rapid deployment of
new attack scenarios. The SWAT team researches new attack techniques and security threats and tests them in
the lab. It develops new Intrusion Detection scenarios in response and publishes both a description of the attack
and the scenarios on an Internet web site, www.axent.com/swat/swat.htm. Customers can download and quickly
deploy new Intrusion Detection scenarios every week or two.
5. What is a "Network?"
Although this may seem strange, let’s clearly define the term "network." Why? Many intrusion detection
products on the market claim to be network-based, when in fact they are only link-based packet-sniffers and
analyzers. Remembering basic geometry, a network is an assembly of "nodes" and "links." You might have seen
the following illustration used to define the term "network."
In the example, to meet our basic definition of a network, the illustration required single points, connected by
individual lines. The points, we described as "nodes" and the lines connecting between these nodes we referred
to as "links." (Individual links can connect multiple nodes as shown by the middle link in the picture, which
connects three nodes. Ethernet is an example of a network link that can connect multiple nodes to a single
segment.)
In the Intrusion Detection industry, much attention has been focused on the individual links, or on the individual
nodes (sometimes referred to as "hosts"). The following section examines the various methods that the leading
vendors consider as their solution to "Network-wide Security."
6. Types of Intrusion Detection Tools
Over the last couple of years a number of Intrusion Detection products have appeared on the market.
The Intrusion Detection market is relatively new, but growing fast. Based on their underlying methodologies,
today’s Intrusion Detection products fall into three basic categories:
An example of a manager/agent real-time Intrusion Detection architecture is AXENT’s OmniGuard/Intruder Alert.
Intruder Alert runs across Windows NT, UNIX, and NetWare (more than 50 operating system versions). It also
monitors audit trails from Cisco routers, webservers, and various firewalls.
Intruder Alert’s manager/agent architecture offers the following advantages:
- Manages Intrusion Detection from a central console, while still monitoring activity throughout the entire
  network.
- Relies on the devices themselves for first-level packet monitoring. Events that manage to slip through the
  device’s capabilities to catch them are then evaluated by Intruder Alert.
- Correlates suspicious activity as it occurs in multiple locations in the network. For example, an intruder
  may use a hacker program to attempt to guess the root password on a hundred UNIX systems at the
  same time.
- Quickly updates the various agents in the network with new attack scenarios. The vendor could publish
  these scenarios on the web so that customers could then download them and rapidly deploy them
  throughout the enterprise.
- Detects intrusions even if network connections are encrypted or if attackers use direct dial-up
  connections.
- Logs critical security activity on manager systems. This makes it difficult for hackers to cover their tracks
  since activity is logged on another system in the network, not just a local audit trail. It also centralizes and
  facilitates audit trail management.
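The manager-side half of such an architecture, the part that correlates agent events across hosts, keeps a central copy of the log, loads attack scenarios as data, and attaches the response types from section 4 to an alert, can be illustrated in a few dozen lines. The following is an added example written for this page; it is not Intruder Alert code or any other vendor's. The event format, the scenario format, the host names and all sample events are constructed. It shows the case the list above describes: one source trying the root password once on each of several systems, which no single host sees as more than one failed login.

```python
"""Manager-side correlation for a manager/agent Intrusion Detection
architecture: agents on many hosts forward security events to a manager,
which keeps a central copy of every event and evaluates scenarios across
hosts, so an attack spread thinly over many systems is still detected.

Added example, not code from the paper or from AXENT's Intruder Alert. The
event format, scenario format and all sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Scenarios are data rather than code, so new ones can be pushed to the
# manager and its agents without waiting for a product release.
SCENARIOS = [
    {
        "name": "distributed root password guessing",
        "event": "LOGIN_FAIL",
        "user": "root",
        "min_hosts": 3,          # distinct hosts hit from one source ...
        "window_seconds": 120,   # ... within this many seconds
        "responses": ["alert central console", "send e-mail",
                      "record event on security server"],
    },
]

# Constructed agent events, already in timestamp order.
AGENT_EVENTS = [
    {"ts": "2008-12-12T02:10:00", "host": "unix01", "event": "LOGIN_FAIL", "user": "root", "src": "198.51.100.7"},
    {"ts": "2008-12-12T02:10:02", "host": "unix04", "event": "LOGIN_FAIL", "user": "root", "src": "10.0.0.5"},
    {"ts": "2008-12-12T02:10:09", "host": "unix02", "event": "LOGIN_FAIL", "user": "root", "src": "198.51.100.7"},
    {"ts": "2008-12-12T02:10:21", "host": "unix03", "event": "LOGIN_FAIL", "user": "root", "src": "198.51.100.7"},
    {"ts": "2008-12-12T02:35:00", "host": "unix05", "event": "LOGIN_FAIL", "user": "root", "src": "198.51.100.7"},
]


class Manager:
    """Receives agent events, stores them centrally, and evaluates scenarios."""

    def __init__(self, scenarios):
        self.scenarios = scenarios
        self.central_log = []             # copy kept off the monitored hosts
        self.recent = defaultdict(list)   # (scenario, source) -> [(ts, host)]
        self.fired = set()                # suppress repeat alerts per key
        self.alerts = []

    def receive(self, event):
        """Process one event from an agent; return the alerts it triggered."""
        self.central_log.append(event)    # logged here even if the host's own trail is later wiped
        ts = datetime.fromisoformat(event["ts"])
        triggered = []
        for sc in self.scenarios:
            if event["event"] != sc["event"] or event["user"] != sc["user"]:
                continue
            key = (sc["name"], event["src"])
            window = timedelta(seconds=sc["window_seconds"])
            # Drop hits that have aged out of the correlation window, then add this one.
            hits = [(t, h) for t, h in self.recent[key] if ts - t <= window]
            hits.append((ts, event["host"]))
            self.recent[key] = hits
            hosts = sorted({h for _, h in hits})
            if len(hosts) >= sc["min_hosts"] and key not in self.fired:
                self.fired.add(key)
                alert = {"scenario": sc["name"], "source": event["src"],
                         "hosts": hosts, "responses": list(sc["responses"])}
                self.alerts.append(alert)
                triggered.append(alert)
        return triggered


def run_demo(events=AGENT_EVENTS, scenarios=SCENARIOS):
    """Feed the constructed events through a manager and return it."""
    manager = Manager(scenarios)
    for event in events:
        manager.receive(event)
    return manager


if __name__ == "__main__":
    for alert in run_demo().alerts:
        print(alert["scenario"], "from", alert["source"], "on", ", ".join(alert["hosts"]))
        print("  responses:", ", ".join(alert["responses"]))
```

With the sample events the manager raises one alert, for the source that hit unix01, unix02 and unix03 within 21 seconds; the single failure on unix04 from another address and the later failure on unix05, outside the window, raise nothing. The source address is taken from the agent's report as-is, so this correlates on what the monitored host observed rather than on anything the manager verifies itself; the central copy of the log is the part that survives if a host's local audit trail is tampered with.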
7. Comparison of Detection Methods
The chart below shows a brief comparison of the basic features of the various methods of Intrusion Detection.
The final section of the chart shows what types of security threats and attacks each method can detect. A check
mark means that it can detect and respond. A "d" means it can only detect, but that it can’t provide an immediate
[Chart: the column headings for the three detection methods did not survive extraction. Each row below gives the
row label followed by the marks as extracted: ✓ = detect and respond, d = detect only.]
Attack from inappropriate IP address ✓ ✓
Illegal "Root" grabbing ✓ ✓
Critical file tampering d ✓ ✓
Trojan horse detection d ✓ ✓
Browsing files (snooping) d ✓ ✓
Snooping across multiple systems ✓
Response Types
Alert central console ✓ ✓
Send e-mail ✓ ✓ ✓
Send message to pager ✓ ✓ ✓
Disable intruder’s user account ✓ ✓
Terminate network access ✓ ✓
Terminate intruder’s session ✓ ✓ ✓
Shutdown system ✓ ✓
Terminate intruder’s user process ✓ ✓
Generate SNMP Trap ✓ ✓ ✓
Record event on security server ✓ ✓
Execute command procedure ✓ ✓ ✓
The previous chart clearly shows that while all Intrusion Detection methodologies are useful, manager/agent
real-time activity monitoring has the most flexible architecture. It can pick up information from routers, firewalls,
and other sources to detect many different kinds of attacks.
8. Conclusion
Intrusion detection is critical in today’s complex enterprises. Attempting to manually review audit trails is
hopelessly time-consuming and a losing battle given the number of systems and different types of audit trails.
Today’s enterprises need automated Intrusion Detection tools. These tools fall into three categories, post-event
audit trail analysis, real-time packet analysis, and real-time activity monitoring.
All three types of Intrusion Detection methods have merit, although post-event monitoring lacks the capability for
immediate response to avoid or reduce damage. Real-time packet analysis is interesting for detecting certain
low-level packet attacks, but is too far from the system—and does not effectively solve the network-wide
Intrusion Detection problem alone. Real-time activity monitoring that considers both host and link activity seems
the appropriate solution for Intrusion Detection.
A manager/agent architecture provides the ability to monitor intrusions network-wide and to perform audit trail
analysis and management as well as real-time Intrusion Detection. This covers both the first and third methods.
Hooking packet analysis into a manager/agent architecture is really just a special case of adding a new type of
agent to the manager/agent product.
As Intrusion Detection moves into the future we expect to see specific products that span all three types of
Intrusion Detection. Because of the enabling infrastructure they already possess, products with a manager/agent
architecture, like Intruder Alert, are most likely to adequately focus on all three of the Intrusion Detection
methodologies.
