First-generation intrusion detection tools are essentially misuse signature-based, and security is accomplished by iterative "penetrate and patch". Today's focus is on detecting novel intrusions. With the proliferation of the Internet and the increased power of the attacker, short-term solutions and tools are not very useful, and new solutions must consider insider attacks, social-engineering-based break-ins and the myriad ways of perpetrating an attack. Some of the new ideas include combining intrusion detection with vulnerability analysis and considering recovery along with detection, since detection is not foolproof.
3 Intrusion Detection Taxonomy
Debar, Dacier and Wespi gave the first taxonomy of intrusion detection systems [2]. They used Detection Method, Behavior on Detection, Audit Source Location, Detection Paradigm and User Frequency as the parameters of classification. Upadhyaya and Kwiat introduced a variation of the taxonomy and presented it in a tutorial at IEEE MILCOM 2002. According to this taxonomy, intrusion detection techniques and tools are classified along four major parameters as follows: (1) Detection Methodology: whether the tool uses information about attacks or information about the normal functioning of the system; (2) Scope: host-based versus network-based systems; (3) Monitor Philosophy: passive versus proactive; and (4) Monitor Level: kernel level versus user operation level. Detection methodology also depends on the reasoning philosophy, for example rule-based versus model-based. Host-based IDS tools work on the host and can detect masquerade, account break-in etc., whereas network-based tools are applicable to large-scale networks and depend on information in network packets. Passive tools are non-invasive and non-intrusive, but mostly operate after the fact and use no communication with users, whereas proactive schemes are real-time, concurrent detection tools with low latency that employ user interrogation where needed. Finally, kernel-level tools make use of low-level information and process data to synthesize the attack scenarios, whereas user-operation-level tools can capture user semantics and are capable of detecting subtle intrusions.
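To make the Detection Methodology axis concrete, the following added example (not code from the chapter or from any tool it cites) runs a misuse detector and an anomaly detector over the same constructed audit trail. The misuse detector encodes knowledge about attacks as signatures; the anomaly detector encodes knowledge about normal functioning as per-user command profiles learned from a training window. The event format, the signature list and the user names are all assumptions made for this illustration.

```python
"""Misuse (signature-based) versus anomaly (profile-based) detection.

Illustrative code added to the chapter's taxonomy discussion. The audit
records, signatures and users below are constructed for the example.
"""
from collections import Counter, defaultdict

# Constructed "normal operation" audit records: (user, command line).
TRAINING = [
    ("alice", "ls"), ("alice", "vim"), ("alice", "git"), ("alice", "ls"),
    ("alice", "make"), ("alice", "git"), ("alice", "vim"), ("alice", "ls"),
    ("bob", "psql"), ("bob", "psql"), ("bob", "vim"), ("bob", "psql"),
]

# Constructed records from the monitored window.
OBSERVED = [
    ("alice", "ls"),                 # normal: neither detector fires
    ("alice", "cat /etc/shadow"),    # signature hit and never seen from alice
    ("alice", "nc"),                 # no signature; anomalous for alice
    ("bob", "psql"),                 # normal
    ("bob", "git"),                  # benign but new for bob: anomaly false positive
    ("bob", "useradd eve"),          # no signature; anomalous for bob
]

# Misuse detection: knowledge about *attacks*, as (name, substring) rules.
# Assumed rule set for the example only.
SIGNATURES = [
    ("shadow-file read", "/etc/shadow"),
    ("recursive root delete", "rm -rf /"),
]


def misuse_detect(events):
    """Return (user, command, signature name) for each event matching a rule.

    Only behaviour that is already described by a signature can be caught,
    which is why this family misses novel attacks such as 'nc' or 'useradd'.
    """
    hits = []
    for user, cmd in events:
        for name, pattern in SIGNATURES:
            if pattern in cmd:
                hits.append((user, cmd, name))
    return hits


def build_profiles(training):
    """Per-user frequency of programs run during the normal-operation window."""
    profiles = defaultdict(Counter)
    for user, cmd in training:
        program = cmd.split()[0]
        profiles[user][program] += 1
    return profiles


def anomaly_detect(events, profiles, min_support=1):
    """Flag (user, command) when the user ran the program fewer than
    min_support times in training. Knowledge about *normal* behaviour
    lets this catch unseen attacks, at the cost of flagging benign novelty.
    """
    alerts = []
    for user, cmd in events:
        program = cmd.split()[0]
        if profiles[user][program] < min_support:
            alerts.append((user, cmd))
    return alerts


def run(training=TRAINING, observed=OBSERVED):
    """Run both detectors over the observed window and return their alerts."""
    profiles = build_profiles(training)
    return {
        "misuse": misuse_detect(observed),
        "anomaly": anomaly_detect(observed, profiles),
    }


if __name__ == "__main__":
    for kind, alerts in run().items():
        print(kind)
        for alert in alerts:
            print("   ", alert)
```

Running it shows the trade-off the taxonomy implies: the misuse detector reports only the shadow-file read and stays silent on the two unseen commands, while the anomaly detector reports all three unusual commands but also flags bob's first use of git. In practice the two are combined, and the anomaly threshold (min_support here) is tuned against the false-positive rate the operator can absorb.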
4 Insider Attacks
An insider threat is one in which someone with authorized access to the organization could cause a loss to the organization if computer security went unchecked. The perpetrators are those who work for the target organization or those having relationships with the firm that carry some level of access: employees, contractors, business partners, customers etc. The motives could range from financial, social and political to personal gains. There are two classes of insiders: logical insiders who are physically outside, and physical insiders who are logically outside. The misuse could be intentional or accidental, obvious or hidden. Here are a few insider attacks that made headlines.
An individual faces federal criminal charges in US District Court in Miami for allegedly downloading a virus into his employer's computer system, crashing the network for nearly two full days (NIPC Daily Report, Aug. 29, 2001).