Tip

Constructing an intrusion analyzer

How do you know if your network is under attack? You have to have some sort of intrusion-detection system operating. And once it's operating, the detection system must be able to determine whether the intrusion is benign or not. This requires the design of an analyzer, which has several functions. This tip, excerpted from

    Requires Free Membership to View

Intrusion Detection by Rebecca Gurley Bace, published by New Riders, talks about some of the functions of the intrusion analyzer.

In the analysis morel, the first phase is the construction of the analysis engine. The analysis engine performs the core functions of preprocessing, classification and postprocessing. For the engine to function properly, regardless of analysis approach, it must be tailored to the environment in which it is to operate; hence this phase is necessary even in rudimentary systems where it is performed solely as part of system development.

Collect and/or Generate Event Information

The first step of constructing the analyzer is collecting event information. Depending on the analysis approach, this phase might involve collecting event information generated by a system functioning in an operational environment, or collecting event information in a laboratory environment. In some cases, the event information may be handcrafted by a developer working from a set of formal specifications.

--Misuse detection. For misuse detection, this part of the process involves gathering information about intrusions, including information about vulnerabilities, attacks, threats, specific attack tools and observed scenarios of interest. At this time, information is also gathered about typical discretionary policies, procedures and practices so that the behavioral model can accommodate organization-specific policy violations as well as problems associated with external attack.

--Anomaly detection. For anomaly detection, event information is collected from the live system itself or from a system designated as similar. This information is needed to build baseline profiles indicating "normal" user behavior.


Related book

Intrusion Detection
Author : Rebecca Bace
Publisher : Macmillan Technical Publishing
ISBN/CODE : 1578701856
Cover Type : Hard Cover
Pages : 368
Published : Jan. 2000
Summary:
Intrusion detection is a critical new area of technology within network security. An intrusion-detection system serves as a system alert for unauthorized access for networks and systems connected to the Internet. This comprehensive guide to the field of intrusion detection covers the foundations of intrusion detection and system audit. Intrusion Detection provides a wealth of information, ranging from design considerations and how to evaluate and choose the optimal commercial intrusion detection products for a particular networking environment.


This was first published in November 2000

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.