Get the picture

Three basic processes are used to safeguard information: protection, detection and correction. Detection is essential because it is impossible to achieve perfect protection with current technology. Detection spans the gamut, from detection of weaknesses through vulnerability analyses to penetration testing to help uncover security flaws. Between those extremes are some new, and not so new, technologies lumped together as "intrusion-detection systems."

One of the oldest and most widely used methods of intrusion detection is auditing the information transactions on the system or network and analyzing the audit logs for evidence of suspicious activities. The data is collected by the various network components — workstations, hosts, servers, routers, etc. — and forwarded to a central audit reduction system for processing.

Most analysis of audit logs occurs later, off-line and, because it involves daunting quantities of data, is best accomplished with the help of automated analytic support tools. Unfortunately, there are no standards for formatting audit logs or for analyzing the data, so creating, operating and managing the audit-reduction system is challenging.

More recent developments in the field have led to new technologies that complement auditing tools. Those tools look at the network traffic directly, facilitating near-real-time analysis by searching for signatures of malicious behavior in the traffic.

Packet sniffers, which can be located at routers and firewalls to maximize exposure, are used to collect packets for analysis. The tools often check the traffic for specified strings of characters in what is called a "dirty-word search."

The tools may also look for specific actions that constitute suspicious or potentially dangerous activities — log-ons at root level, access to or changes to high-value files or databases and so forth — or known attack activity patterns. Since new attacks appear daily, keeping current the databases of attack signatures is a serious problem.
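The audit-reduction step and the dirty-word and action-pattern checks described above, as an added example that is not part of the column: two constructed record formats (a host syslog and a router CSV) are normalized into one shape, then scanned for literal dirty words and for the kinds of actions the text singles out, root-level log-ons and reads of high-value files. The log lines, the dirty-word list and the rule patterns are all constructed for illustration; they are not any product's signature database.

```python
import re
from collections import Counter

# Constructed sample records from two network components. They use different
# formats on purpose: the column notes there is no standard audit-log format, so
# the central audit-reduction step has to normalize before it can analyze.
HOST_SYSLOG = [
    "Mar 12 02:14:07 host1 sshd[412]: Accepted password for root from 10.0.0.5 port 5122",
    "Mar 12 02:14:09 host1 sudo: alice : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
    "Mar 12 09:30:01 host1 cron[77]: (bob) CMD (/usr/bin/backup.sh)",
]
ROUTER_CSV = [  # time,src,dst,dst_port,first bytes of payload (constructed)
    "2019-03-12T02:15:00Z,10.0.0.5,192.168.1.20,21,USER root",
    "2019-03-12T08:00:00Z,10.0.0.9,192.168.1.20,443,GET /index.html",
]

SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([^:\[]+)(?:\[\d+\])?: (.*)$")


def normalize_syslog(line):
    """Map one BSD-syslog style line onto the common record shape."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts, host, prog, msg = m.groups()
    return {"time": ts, "source": host, "component": prog, "text": msg}


def normalize_router(line):
    """Map one CSV record from the router/firewall sniffer onto the same shape."""
    parts = line.split(",", 4)
    if len(parts) != 5:
        return None
    ts, src, dst, port, payload = parts
    return {"time": ts, "source": src, "component": f"{dst}:{port}", "text": payload}


def reduce_logs(syslog_lines, router_lines):
    """Central audit reduction: one normalized record list from all sources."""
    records = [normalize_syslog(line) for line in syslog_lines]
    records += [normalize_router(line) for line in router_lines]
    return [r for r in records if r is not None]


# Dirty-word search: literal strings flagged wherever they appear in a record.
DIRTY_WORDS = ["/etc/shadow", "/etc/passwd"]

# Action rules: activity the column singles out (root-level log-ons, access to
# high-value files). Illustrative patterns, not a real signature set.
ACTION_RULES = {
    "root-logon": re.compile(r"\b(Accepted \w+ for root|USER root)\b"),
    "privileged-read-of-secrets": re.compile(r"COMMAND=.*(/etc/shadow|/etc/passwd)"),
}


def detect(records):
    """Return (rule_name, record) pairs; one record may trigger several rules."""
    hits = []
    for rec in records:
        for word in DIRTY_WORDS:
            if word in rec["text"]:
                hits.append(("dirty-word:" + word, rec))
        for name, pattern in ACTION_RULES.items():
            if pattern.search(rec["text"]):
                hits.append((name, rec))
    return hits


def summarize(hits):
    """Count hits per rule, the roll-up an audit-reduction report would print."""
    return Counter(name for name, _ in hits)


if __name__ == "__main__":
    found = detect(reduce_logs(HOST_SYSLOG, ROUTER_CSV))
    for name, rec in found:
        print(f"{rec['time']} {rec['source']} [{name}] {rec['text']}")
    print(dict(summarize(found)))
```

The normalizers are where the real cost sits in practice: every new component type needs its own mapping into the common record, and a record that fails to parse is dropped silently here, which a production reducer should count and report rather than discard.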

An organization can use statistical profiling to create baseline traffic information, against which an intrusion-detection system can check for unusual patterns. Such profiling requires time and effort to create and maintain. It is also important to be aware of and detect cumulative changes that could signal an insider "training" the system to be blind to planned attacks.
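The baseline-profiling idea and the "training" problem, as an added example that is not part of the column: a constructed series of daily connection counts is profiled, then an insider's one-per-day creep is checked three ways. A sliding-window profile that re-learns from every accepted value never alarms, a frozen reference profile alarms once a single day is a 3-sigma outlier, and a one-sided CUSUM over the frozen profile alarms earlier because it accumulates the small daily excursions. The counts, window size and thresholds are assumptions chosen for illustration.

```python
import statistics

# Constructed daily counts of outbound connections from one workstation.
BASELINE = [100, 104, 98, 101, 99, 103, 97, 102, 100, 96]   # reference period, mean 100
# Observed period: an insider adds one connection per day, a creep an adaptive
# profile absorbs, shifting the baseline before the planned burst of activity.
OBSERVED = [100 + i for i in range(1, 21)]                     # 101, 102, ..., 120


def profile(values):
    """Statistical profile of a window: (mean, sample standard deviation)."""
    return statistics.mean(values), statistics.stdev(values)


def is_outlier(x, mean, stdev, k=3.0):
    """Flag a value more than k standard deviations from the profile mean."""
    return abs(x - mean) > k * stdev


def adaptive_alarms(baseline, observed, k=3.0):
    """Re-profile on a sliding window that absorbs every accepted observation.
    This is the setup an insider can 'train': small steps never look unusual."""
    window = list(baseline)
    alarms = []
    for i, x in enumerate(observed):
        mean, stdev = profile(window)
        if is_outlier(x, mean, stdev, k):
            alarms.append(i)
        window = window[1:] + [x]      # the new value now shapes tomorrow's profile
    return alarms


def frozen_alarms(baseline, observed, k=3.0):
    """Compare every observation against a reference profile that is never updated."""
    mean, stdev = profile(baseline)
    return [i for i, x in enumerate(observed) if is_outlier(x, mean, stdev, k)]


def cusum_alarms(baseline, observed, slack_sigmas=0.5, threshold_sigmas=5.0):
    """One-sided CUSUM against the frozen profile: accumulate small positive
    excursions so a persistent creep alarms before any single day is an outlier."""
    mean, stdev = profile(baseline)
    slack, threshold = slack_sigmas * stdev, threshold_sigmas * stdev
    s, alarms = 0.0, []
    for i, x in enumerate(observed):
        s = max(0.0, s + (x - mean - slack))
        if s > threshold:
            alarms.append(i)
            s = 0.0                    # restart the accumulator after reporting
    return alarms


if __name__ == "__main__":
    print("adaptive :", adaptive_alarms(BASELINE, OBSERVED))   # []
    print("frozen   :", frozen_alarms(BASELINE, OBSERVED))     # first alarm on day 7
    print("cusum    :", cusum_alarms(BASELINE, OBSERVED))      # first alarm on day 5
```

The practical lesson is to keep a reference profile that is updated only by a deliberate, reviewed process rather than by the traffic itself, and to run a cumulative-change test alongside the per-observation check; the two checks fail in different ways, which is what makes the pair useful.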

Ultimately, organizations setting up intrusion-detection systems look for what security officers call situational awareness.

This state indicates that the basic security infrastructure has been designed and installed, with appropriate databases of attack signatures and profiles available. As a result, security tools quickly and effectively detect actual or probable attacks and alert a security team so that they can respond. That team then has the ability to retain the information so they can trace, apprehend and prosecute the attackers.

Ryan is an attorney, businessman and member of the George Washington University faculty.

