Tip

Scaling intrusion detection



Suppose you have an intrusion-detection system in place. Does it scale as your Web site grows? This tip, excerpted from InformIT, discusses scaling over time. This material appears in Intrusion Detection, by Rebecca Gurley Bace, published by New Riders.


Consider the issues associated with scaling intrusion detection over time. Intrusions appear to the analysis engine as partially ordered sequences of events or state transitions. Therefore, to recognize suspicious activity, the intrusion-detection system must consider the event stream as a function of time. This requirement is usually not an issue when monitoring for events driven by an attack script or intrusion tool because the progression of events is rapid.

However, what if an attacker, in a deliberate attempt to defeat the intrusion-detection system, mounts a "slow attack" in which the steps of the attack are stretched over minutes, hours, days or longer? This situation is worrisome for two reasons: the scarcity of attack data allows the attacker to bury the attack in the background noise of event traffic, and most systems don't keep enough event data to track activity across an extended time interval. Although some slow host-level attacks might be blocked by session timeout rules (especially when augmented by integrity checkers that detect alterations in system executables), other scenarios can show up as slow attacks. An example of such a scenario is an insider attack (that is, an authorized user overstepping his or her privileges on a particular system) in which existing protections rely on anomaly-detection-based characterization of user behavior. In this scenario, the user gradually changes his or her pattern of behavior until the system allows misuse.

In current intrusion-detection systems, efficient memory utilization is critical, lest data structures grow to the extent that they overflow available memory, ultimately crashing the intrusion-detection engine. Therefore, many operational intrusion-detection systems limit the amount of event data they retain over time. These memory limitations constrain the time window over which the system can "see" the progress of an extended attack, enabling attackers to mount slow attacks. In fact, "slow scan" tools, which have been posted to many hacker sites, are already in common use.
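The trade-off described above, as an added example that is not from the book or the original tip: a port-scan detector that keeps raw events only for a short window (bounded memory) misses a scan whose probes are spaced farther apart than the window, while a detector that retains a compact per-source summary can afford a much longer horizon. The event streams, addresses, window sizes and thresholds are constructed for illustration.

```python
"""Windowed vs. summarized scan detection (constructed example, not from the page)."""
from collections import defaultdict, deque

# Constructed events: (timestamp in seconds, source address, destination port).
FAST_SCAN = [(t, "10.0.0.5", 1000 + t) for t in range(12)]        # 12 ports in 12 s
SLOW_SCAN = [(t * 600, "10.0.0.9", 1000 + t) for t in range(12)]  # 12 ports over ~2 h


def detect_windowed(events, window_s, threshold):
    """Retain raw events per source only for the last window_s seconds.

    Memory is bounded by the window, but so is visibility: alert only when a
    source touches at least `threshold` distinct ports inside the window.
    """
    recent = defaultdict(deque)  # src -> deque of (ts, port), oldest first
    alerts = set()
    for ts, src, port in events:
        queue = recent[src]
        queue.append((ts, port))
        while queue and ts - queue[0][0] > window_s:  # age out events beyond the window
            queue.popleft()
        if len({p for _, p in queue}) >= threshold:
            alerts.add(src)
    return alerts


def detect_summarized(events, horizon_s, threshold):
    """Retain a per-source summary (distinct ports seen, last-seen time) instead
    of raw events.

    The summary is bounded by the number of ports, not by event volume, so the
    horizon can span hours; it is reset only when a source stays idle longer
    than horizon_s.
    """
    summary = {}  # src -> {"ports": set of ports, "last": last-seen timestamp}
    alerts = set()
    for ts, src, port in events:
        entry = summary.setdefault(src, {"ports": set(), "last": ts})
        if ts - entry["last"] > horizon_s:  # source idle too long: forget its history
            entry["ports"].clear()
        entry["ports"].add(port)
        entry["last"] = ts
        if len(entry["ports"]) >= threshold:
            alerts.add(src)
    return alerts


if __name__ == "__main__":
    print("windowed, fast scan: ", detect_windowed(FAST_SCAN, 60, 10))
    print("windowed, slow scan: ", detect_windowed(SLOW_SCAN, 60, 10))
    print("summarized, slow scan:", detect_summarized(SLOW_SCAN, 3600, 10))
```

With a 60-second raw-event window the slow scan never accumulates more than one probe in memory and is never reported, whereas the summarized detector with a one-hour idle horizon flags it on the tenth probe.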


Related Book

Intrusion Detection
Author : Rebecca Bace
Publisher : Macmillan Technical Publishing
ISBN/CODE : 1578701856
Cover Type : Hard Cover
Pages : 368
Published : Jan 2000
Summary:
Intrusion detection is a critical new area of technology within network security. An intrusion-detection system alerts on unauthorized access to networks and systems connected to the Internet. This comprehensive guide to the field covers the foundations of intrusion detection and system audit. Intrusion Detection provides a wealth of information, ranging from design considerations to how to evaluate and choose the optimal commercial intrusion-detection products for a particular networking environment.


This was first published in January 2001
