It’s common knowledge that network attacks are growing more widespread, as
well as more sophisticated, just about every day. Intrusion detection
systems (IDS) continue to get more numerous, too, but are their
capabilities keeping up? Experts point to lingering gaps in areas that
include accuracy, data interoperability, and analysis tools.
The 2002 CSI/FBI Survey underscored the pervasiveness of the network
intrusion problem. Ninety percent of respondents reported security breaches
within the past 12 months, with 39 percent admitting to 10 or more
Intrusion techniques never stop evolving, of course. The latest
attack tools range from stealthy port scanners to automated root
kits. To cite just one example, the popular port scanner nmap can now
identify over 100 different operating system releases and hide the
source of the scan by sending out decoy packets.
Meanwhile, enterprises using existing IDS face very high false alarm rates.
“The simple approaches that most of today’s commercial ID systems use to
detect attacks are, in most cases, unreliable. Even a very low frequency of
false alarms can obscure true attack signals. Improvements in diagnostic
accuracy are critically needed,” according to a recent report by Carnegie
Mellon’s Software Engineering Institute (SEI).
Due to these inaccuracies, automated response tools really aren’t on the
radar screen yet. Some vendors, though, do support varying response levels
of manual intervention. CMDS, for instance, allows response at four
different levels: ignore the warning; increase observation; deny access;
and emergency shutdown.
RealSecure, on the other hand, permits an associated firewall to be
reconfigured by a human operator to reject traffic from a designated IP
At this point, though, commercial products can be roughly categorized in
two main ways. One level of differentiation revolves around whether the
system is designed to detect “misuse” – such as combinations of activities
within a network packet which should never legitimately occur — or
To find anomalous activity, the system needs to recognize what is “regular”
behavior on a particular network, and what is not (such as port scanning,
for instance). Some IDS use a combination of both approaches.
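As an added example (not code from the article or from any product it names), here is a toy misuse detector and a toy anomaly detector in Python, run over constructed connection records: the signature side matches TCP flag combinations that should never legitimately occur in one packet, while the anomaly side first learns how many distinct ports a “regular” client touches and then flags sources that exceed it, which is the shape of a port scan. All addresses, ports and records below are constructed; the two detectors catch different hosts, which is why some IDS combine both approaches.

```python
from collections import defaultdict

# Flag combinations no legitimate TCP session produces: the signature side.
ILLEGAL_FLAG_COMBOS = {
    frozenset("SF"): "SYN+FIN in one segment",
    frozenset("SR"): "SYN+RST in one segment",
    frozenset(): "NULL scan (no flags set)",
}

def misuse_alerts(records):
    """Return (src, reason) for each record whose TCP flags match a signature."""
    alerts = []
    for src, _dst, _port, flags in records:
        reason = ILLEGAL_FLAG_COMBOS.get(frozenset(flags))
        if reason:
            alerts.append((src, reason))
    return alerts

def _distinct_ports(records):
    ports = defaultdict(set)
    for src, _dst, port, _flags in records:
        ports[src].add(port)
    return ports

def learn_baseline(normal_records):
    """Anomaly side, step 1: the most distinct destination ports any one
    source touched in known-good traffic defines 'regular' behaviour."""
    return max((len(p) for p in _distinct_ports(normal_records).values()), default=0)

def anomaly_alerts(records, baseline, tolerance=2):
    """Anomaly side, step 2: flag sources touching more distinct ports than
    the learned baseline plus a tolerance (the port-scan shape)."""
    return sorted((src, len(p)) for src, p in _distinct_ports(records).items()
                  if len(p) > baseline + tolerance)

# Constructed sample records: (src_ip, dst_ip, dst_port, tcp_flags)
NORMAL_TRAFFIC = [
    ("10.0.0.5", "192.0.2.10", 80, "S"), ("10.0.0.5", "192.0.2.10", 443, "S"),
    ("10.0.0.6", "192.0.2.10", 443, "S"),
    ("10.0.0.7", "192.0.2.11", 25, "S"), ("10.0.0.7", "192.0.2.11", 443, "S"),
]
OBSERVED_TRAFFIC = [
    ("10.0.0.5", "192.0.2.10", 80, "S"), ("10.0.0.5", "192.0.2.10", 443, "S"),
    ("10.0.0.9", "192.0.2.10", 22, "SF"),   # illegal flags: only the signature catches this
    ("10.0.0.9", "192.0.2.10", 23, "SF"),
] + [("10.0.0.42", "192.0.2.10", p, "S") for p in range(20, 30)]  # legal flags, scan shape

if __name__ == "__main__":
    print("misuse:", misuse_alerts(OBSERVED_TRAFFIC))
    print("anomaly:", anomaly_alerts(OBSERVED_TRAFFIC, learn_baseline(NORMAL_TRAFFIC)))
```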
IDS can also be categorized as either network-based or host-based.
Decisions about products and their placement should be based on which IT
systems are most at risk within a particular organization.
“Utilize a variety of tool types and placements. Understand what kind of
target you are. Understand clearly what your threats are,” urged George J.
Dolicker, principal consultant at Lucent Technologies, speaking at Computer
Security 2002, a conference recently held by the Metro New York chapter of
the Information System Security Association (ISSA).
Host IDS might be placed on exposed servers in the DMZ, critical servers,
RAS boxes, and authentication servers, for example, he illustrated.
Network IDS might be placed in front of the firewall, behind the firewall
in the DMZ; behind the DMZ on the intranet; on critical LAN segments; and
“between you and the extranet.”
Some sources caution, though, that placing an IDS outside of the external
firewall can bring misleading results. You’ll gain an early warning
advantage by being able to detect reconnaissance port scans. Not all scans,
however, are followed by actual attacks.
Additional tools that can come in handy range from honey pots and war
dialer traps to logs and file integrity checkers. “Logs can be either useful
if you check them regularly, or useless if you do not,” Dolicker
Right now, though, one of the most useful tools of all is probably a good
(human) security analyst, who can make sense out of the reams of diverse
data swept up by all these various IDS systems and tools.
Open standards for sharing data between systems are still on the way. In
another recent report, Gartner Group analysts point out that vendors have
made great strides over the past year in boosting performance of their
products. Now, though, it’s time to move on to other sorts of progress,
according to the analysts.
“We predict that the advances still to come that will make IDS a more
effective enterprise security tool will be in the area of data collection,
analysis, correlation, alerting and reporting. Pattern recognition and
artificial intelligence for monitoring and identifying illicit activity are
yet to become a commonplace. Host and network IDS agents must report their
data through a common format to a central console that can present the data
in a cogent, usable interface,” the analysts add.
The industry has actually been working in these directions for the past
several years. Teresa Lunt first launched an effort called the Common
Intrusion Detection Framework (CIDF) when she was information technology
officer for DARPA. CIDF later spun off from DARPA as an independent entity.
Some of the ideas discussed within DARPA then spurred the creation of the
IETF’s Intrusion Detection Working Group (IDWG). By now, the working group
has submitted requirements, language, and transport documents to the IETF
for consideration as RFCs.
Researchers do keep exploring new approaches to intrusion detection. For
instance, the DARPA-funded EMERALD (Event Monitoring Enabling Responses to
Anomalous Live Disturbances) Project has been building an intrusion
analysis system for large, highly distributed networks which is based on
the expert system shell P-BEST.
EMERALD is also using and extending CIDF, with the goal of being able to
correlate intrusion reports and discern large-scale patterns of attack,
while also “inferring the intent of adversaries.” An evaluation edition of
EMERALD’s eXpert-BSM system for Solaris 1.4 is currently available for
download from the Web.