Problem solve Get help with specific problems with your technologies, process and projects.

Scaling intrusion detection

This tip addresses the importance of a scaling intrusion-detection system.

Suppose you have an intrusion-detection system in place. Does it scale as your Web site grows? This tip, excerpted...

from InformIT, discusses scaling over time. This material appears in Intrusion Detection, by Rebecca Gurley Bace, published by New Riders.

Consider the issues associated with scaling intrusion detection over time. Intrusions appear to the analysis engine as partially ordered sequences of events or state transitions. Therefore, to recognize suspicious activity, the intrusion-detection system must consider the event stream as a function of time. This requirement is usually not an issue when monitoring for events driven by an attack script or intrusion tool because the progression of events is rapid.

However, what if an attacker, in a deliberate attempt to defeat the intrusion-detection system, does a "slow attack" in which the steps of the attack are stretched over minutes, hours, days or longer? This situation is worrisome, both because the scarcity of attack data allows the attacker to bury the attack in the background noise of event traffic and because most systems don't keep enough event data to track across an extended time interval. Although some slow host-level attacks might be blocked by session timeout rules, (especially when augmented by integrity checkers to detect alterations in system executables), other scenarios can show up as slow attacks. An example of such a scenario is an insider attack (that is, an authorized user overstepping his or her privileges on a particular system) in which existing protections rely on anomaly-detection-based characterization of user behavior. In this scenario, the user gradually changes his or her pattern of behavior until the system allows misuse.

In current intrusion-detection systems, efficient memory utilization is critical, lest data structures grow to the extent that they overflow available memory, ultimately crashing the intrusion detection engine. Therefore, many operational intrusion detection systems limit the amount of event data they retain over time. These memory limitations constrain the time window over which the system can "see" the progress of an extended attack, enabling attackers to mount slow attacks. In fact, "slow scan" tools, which have been posted to many hacker sites, are already in common use.

Related Book

Intrusion detection
Author : Rebecca Bace
Publisher : Macmillan Technical Publishing
ISBN/CODE : 1578701856
Cover Type : Hard Cover
Pages : 368
Published : Jan 2000
Intrusion detection is a critical new area of technology within network security. An intrusion-detection system serves as a system alert for unauthorized access for networks and systems connected to the Internet. This comprehensive guide to the field of intrusion detection covers the foundations of intrusion detection and system audit. Intrusion detection provides a wealth of information, ranging from design considerations and how to evaluate and choose the optimal commercial intrusion detection products for a particular networking environment.

Was this tip useful? Let us know. Drop us a line to sound off, or go to our tips page to rate this and other tips.
This was last published in January 2001

Dig Deeper on Network intrusion detection and prevention (IDS-IPS)

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.