ICSA, Inc.
For more information, call 888-396-8348
An Introduction to Intrusion Detection and Assessment
About This White Paper Series
This is the first of a series of white papers on topics relating to intrusion detection products. These documents will help users and potential users to become familiar with intrusion detection and vulnerability assessment so that they can select those products that best meet their needs.
INTRUSION DETECTION OVERVIEW
Intrusion detection is an important security technology market. According to industry estimates, the market for intrusion detection products has grown from $40 million in 1997[2] to $100 million in 1998[3]. This market growth is driven by reports of steadily increasing computer security breaches (22% rise from 1996 to 1998, with $136 million in associated losses, according to a leading survey[4]). Intrusion detection is considered by many to be the logical complement to network firewalls, extending the security management capabilities of system administrators to include security audit, monitoring, attack recognition, and response.
In this paper, we provide an overview of this security technology, expanding the traditional view of intrusion detection systems to include vulnerability assessment. These technologies play a vital role in modern system security management.
What Is Intrusion Detection?
Intrusion detection systems help computer systems prepare for and deal with attacks. They accomplish this goal by collecting information from a variety of system and network sources, then analyzing the information for symptoms of security problems. In some cases, intrusion detection systems allow the user to specify real-time responses to the violations.
Intrusion detection systems perform a variety of functions:
- Monitoring and analysis of user and system activity
- Auditing of system configurations and vulnerabilities
- Assessing the integrity of critical system and data files
- Recognition of activity patterns reflecting known attacks
- Statistical analysis for abnormal activity patterns
- Operating system audit trail management, with recognition of user activity reflecting policy violations
Some systems provide additional features, including:
- Automatic installation of vendor-provided software patches
- Installation and operation of decoy servers to record information about intruders.
The combination of these features allows system managers to more easily handle the monitoring, audit, and assessment of their systems and networks. This ongoing assessment and audit activity is a necessary part of sound security management practice.
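Three of the functions listed above (recognition of known-attack patterns, statistical analysis for abnormal activity, and integrity assessment of critical files) reduced to their essentials in a short example added to this paper; it is not code from ICSA or any product, and every audit record, baseline value and file content in it is constructed for illustration.

```python
"""Minimal illustration of three intrusion detection analysis functions:
known-pattern recognition over audit records, a statistical threshold for
abnormal activity, and integrity checking of critical files.
All data below is constructed for this example."""
import hashlib
import re
import statistics

# Constructed audit-trail records: (user, event, detail)
AUDIT_TRAIL = [
    ("alice", "login", "ok"),
    ("bob", "login", "failed"), ("bob", "login", "failed"),
    ("bob", "login", "failed"), ("bob", "login", "failed"),
    ("carol", "login", "failed"), ("carol", "login", "ok"),
    ("dave", "file_access", "read ../../etc/passwd"),
]
# Constructed baseline: failed logins per user per day seen in normal operation
BASELINE_FAILED_LOGINS = [0, 1, 0, 2, 1, 0, 1, 0]

# Known-attack patterns applied to the detail field of each record
SIGNATURES = {"path-traversal": re.compile(r"\.\./")}

def match_signatures(records):
    """Return (user, signature name) for every record matching a known pattern."""
    return [(user, name) for user, _, detail in records
            for name, pat in SIGNATURES.items() if pat.search(detail)]

def failed_login_anomalies(records, baseline, k=3.0):
    """Flag users whose failed-login count exceeds baseline mean + k * stdev."""
    counts = {}
    for user, event, detail in records:
        if event == "login" and detail == "failed":
            counts[user] = counts.get(user, 0) + 1
    limit = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    return sorted(u for u, c in counts.items() if c > limit)

def integrity_violations(current, known_good):
    """Return paths whose SHA-256 digest no longer matches the recorded one."""
    return sorted(p for p, data in current.items()
                  if hashlib.sha256(data).hexdigest() != known_good.get(p))

# Constructed critical files: a known-good snapshot and the current state
ORIGINAL_FILES = {"/etc/inetd.conf": b"telnet stream tcp nowait root /usr/sbin/telnetd\n",
                  "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n"}
KNOWN_GOOD = {p: hashlib.sha256(d).hexdigest() for p, d in ORIGINAL_FILES.items()}
CURRENT_FILES = dict(ORIGINAL_FILES)
CURRENT_FILES["/etc/inetd.conf"] += b"# unrecorded change\n"  # simulated tampering

if __name__ == "__main__":
    print("signatures:", match_signatures(AUDIT_TRAIL))
    print("anomalies:", failed_login_anomalies(AUDIT_TRAIL, BASELINE_FAILED_LOGINS))
    print("integrity:", integrity_violations(CURRENT_FILES, KNOWN_GOOD))
```

With the constructed data, the pattern check flags dave, the statistical check flags only bob (four failures against a baseline limit of about 2.7), and the integrity check names /etc/inetd.conf.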
[1] Source: Yankee Group
[2] Source: Aberdeen Group
[3] Source: Third Annual CSI/FBI Computer Crime and Security Survey, Computer Security Institute, March 1998.