Suppose you have an intrusion-detection system in place. Does it scale as your Web site grows? This tip, excerpted
from InformIT, discusses scaling over time. This material appears in Intrusion Detection, by Rebecca Gurley Bace, published by New Riders.
Consider the issues associated with scaling intrusion detection over time. Intrusions appear to the analysis engine as partially ordered sequences of events or state transitions. Therefore, to recognize suspicious activity, the intrusion-detection system must consider the event stream as a function of time. This requirement is usually not an issue when monitoring for events driven by an attack script or intrusion tool because the progression of events is rapid.
However, what if an attacker, in a deliberate attempt to defeat the intrusion-detection system, does a "slow attack" in which the steps of the attack are stretched over minutes, hours, days or longer? This situation is worrisome, both because the scarcity of attack data allows the attacker to bury the attack in the background noise of event traffic and because most systems don't keep enough event data to track across an extended time interval. Although some slow host-level attacks might be blocked by session timeout rules, (especially when augmented by integrity checkers to detect alterations in system executables), other scenarios can show up as slow attacks. An example of such a scenario is an insider attack (that is, an authorized user overstepping his or her privileges on a particular system) in which existing protections rely on anomaly-detection-based characterization of user behavior. In this scenario, the user gradually changes his or her pattern of behavior until the system allows misuse.
In current intrusion-detection systems, efficient memory utilization is critical, lest data structures grow to the extent that they overflow available memory, ultimately crashing the intrusion detection engine. Therefore, many operational intrusion detection systems limit the amount of event data they retain over time. These memory limitations constrain the time window over which the system can "see" the progress of an extended attack, enabling attackers to mount slow attacks. In fact, "slow scan" tools, which have been posted to many hacker sites, are already in common use.
Related BookIntrusion detection
Author : Rebecca Bace
Publisher : Macmillan Technical Publishing
ISBN/CODE : 1578701856
Cover Type : Hard Cover
Pages : 368
Published : Jan 2000
Intrusion detection is a critical new area of technology within network security. An intrusion-detection system serves as a system alert for unauthorized access for networks and systems connected to the Internet. This comprehensive guide to the field of intrusion detection covers the foundations of intrusion detection and system audit. Intrusion detection provides a wealth of information, ranging from design considerations and how to evaluate and choose the optimal commercial intrusion detection products for a particular networking environment. Was this tip useful? Let us know. Drop us a line to sound off, or go to our tips page to rate this and other tips.