Get the picture
- By Dan J. Ryan
- Apr 30, 2001
Three basic processes are used to safeguard information: protection, detection and correction. Detection is essential because it is impossible to achieve perfect protection with current technology. Detection spans the gamut, from detection of weaknesses through vulnerability analyses to penetration testing to help uncover security flaws. Between those extremes are some new, and not so new, technologies lumped together as "intrusion-detection systems."
One of the oldest and most widely used methods of intrusion detection is auditing the information transactions on the system or network and analyzing the audit logs for evidence of suspicious activities. The data is collected by the various network components — workstations, hosts, servers, routers, etc. — and forwarded to a central audit reduction system for processing.
Most analysis of audit logs occurs later, off-line and, because it involves daunting quantities of data, is best accomplished with the help of automated analytic support tools. Unfortunately, there are no standards for formatting audit logs or for analyzing the data, so creating, operating and managing the audit-reduction system is challenging.
More recent developments in the field have led to new technologies that complement auditing tools. Those tools look at the network traffic directly, facilitating near-real-time analysis by searching for signatures of malicious behavior in the traffic.
Packet sniffers, which can be located at routers and firewalls to maximize exposure, are used to collect packets for analysis. The tools often check the traffic for specified strings of characters in what is called a "dirty-word search."
The tools may also look for specific actions that constitute suspicious or potentially dangerous activities — log-ons at root level, access to or changes to high-value files or databases and so forth — or known attack activity patterns. Since new attacks appear daily, keeping current the databases of attack signatures is a serious problem.
An organization can use statistical profiling to create baseline traffic information, against which an intrusion-detection system can check for unusual patterns. Such profiling requires time and effort to create and maintain. It is also important to be aware of and detect cumulative changes that could signal an insider "training" the system to be blind to planned attacks.
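As an added illustration of the two approaches just described (a dirty-word search over log lines, and a statistical baseline that can be slowly "trained"), the following Python is example code written for this page, not a tool from the column; the signature list, the baseline figures and the traffic metric are all constructed. It keeps a frozen copy of the original baseline so that cumulative drift of the adaptive profile is reported even when no single value ever crosses the alert threshold.

```python
"""Added example: signature search plus a statistical profile with a drift
check against the frozen baseline. All data here is constructed."""
from statistics import mean, pstdev

# Constructed dirty-word list: strings whose presence in a log line is suspicious.
SIGNATURES = ("su root", "/etc/shadow", "DROP TABLE")

def signature_hits(log_lines):
    """Return the lines matching any known signature (the dirty-word search)."""
    return [line for line in log_lines if any(s in line for s in SIGNATURES)]

class TrafficProfile:
    """Baseline for one metric (e.g. connections per hour).

    The adaptive window learns from every accepted value, which is exactly
    what lets an insider 'train' it. The frozen baseline never changes, so
    cumulative drift between the two can be reported separately."""
    def __init__(self, training, k=3.0, drift_tolerance=0.5):
        self.frozen_mean = mean(training)
        self.window = list(training)
        self.k, self.drift_tolerance = k, drift_tolerance

    def is_anomalous(self, value):
        """Flag a value more than k standard deviations from the current mean."""
        m, s = mean(self.window), pstdev(self.window)
        return abs(value - m) > self.k * max(s, 1e-9)

    def observe(self, value):
        """Feed one measurement; returns (anomalous, drifted)."""
        anomalous = self.is_anomalous(value)
        if not anomalous:            # only accepted values update the profile
            self.window.pop(0)
            self.window.append(value)
        drift = abs(mean(self.window) - self.frozen_mean) / self.frozen_mean
        return anomalous, drift > self.drift_tolerance

def train_slowly(profile, steps):
    """Simulate an insider nudging the metric up just under the threshold
    each interval. Returns (values flagged, drift reported at the end)."""
    flagged, drifted = 0, False
    for _ in range(steps):
        m, s = mean(profile.window), pstdev(profile.window)
        anomalous, drifted = profile.observe(m + 0.8 * profile.k * max(s, 1e-9))
        flagged += anomalous
    return flagged, drifted

BASELINE = [95, 100, 105, 98, 102, 100, 97, 103, 99, 101]  # constructed, mean 100

if __name__ == "__main__":
    p = TrafficProfile(BASELINE)
    print("sudden spike flagged:", p.is_anomalous(200))
    print("slow training (flagged, drifted):", train_slowly(p, 40))
    print("spike still flagged after training:", p.is_anomalous(200))
```

Run as-is, the sudden spike is flagged, none of the forty slowly rising values is, yet the drift check fires and the same spike is no longer anomalous afterwards, which is the blindness the column warns about.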
Ultimately, organizations setting up intrusion-detection systems look for what security officers call situational awareness.
This state indicates that the basic security infrastructure has been designed and installed, with appropriate databases of attack signatures and profiles available. As a result, security tools quickly and effectively detect actual or probable attacks and alert a security team so that they can respond. That team then has the ability to retain the information so they can trace, apprehend and prosecute the attackers.
Ryan is an attorney, businessman and member of the George Washington University faculty.