ICSA, Inc.
For more information, call 888-396-8348 24
An Introduction to Intrusion Detection and Assessment
In some cases, automatically respond to detected activity, and
Report the outcome of the detection process.
Descriptors for Intrusion Detection Systems Features and Functions
Monitoring Approach
Application-based
Application-based intrusion detection sensors collect information at the application level. Examples of application-level data sources include logs generated by database management software, web servers, or firewalls. With the proliferation of Web-based electronic commerce, security will increasingly focus on interactions between users and application programs and data.
Advantages of application-level monitoring:
This approach allows targeting of finer-grained activities on the system (e.g. one can monitor for a user utilizing a particular application feature).
Disadvantages:
Application-layer vulnerabilities can undermine the integrity of application-based monitoring and detection approaches.
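The fine-grained targeting described above, as an added example that is not part of the ICSA paper: a small monitor that reads web server access-log lines (the constructed sample below uses the NCSA "combined" format with an authenticated user field) and raises an alert when a user exercises a particular application feature they are not entitled to, or exercises a sensitive feature more often than a threshold allows. The feature path, the permitted-user set and the threshold are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the paper or any real site).
# Format: ip ident authuser [timestamp] "request" status bytes "referer" "agent"
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Mar/1998:10:01:22 -0500] "GET /catalog/item?id=42 HTTP/1.0" 200 1843 "-" "Mozilla/4.0"
10.0.0.5 - alice [12/Mar/1998:10:01:40 -0500] "POST /cart/checkout HTTP/1.0" 200 512 "-" "Mozilla/4.0"
10.0.0.9 - bob [12/Mar/1998:10:02:03 -0500] "GET /admin/export-customers HTTP/1.0" 200 90211 "-" "Mozilla/4.0"
10.0.0.9 - bob [12/Mar/1998:10:02:30 -0500] "GET /admin/export-customers HTTP/1.0" 200 90211 "-" "Mozilla/4.0"
10.0.0.9 - bob [12/Mar/1998:10:03:01 -0500] "GET /admin/export-customers HTTP/1.0" 200 90211 "-" "Mozilla/4.0"
10.0.0.7 - carol [12/Mar/1998:10:04:10 -0500] "GET /admin/export-customers HTTP/1.0" 200 90211 "-" "Mozilla/4.0"
10.0.0.3 - - [12/Mar/1998:10:05:00 -0500] "GET /catalog/item?id=7 HTTP/1.0" 404 210 "-" "Mozilla/4.0"
"""

# One regex for the fields the monitor needs; the referer and agent are ignored.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict of the fields we care about, or None for a malformed line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # The application feature is the path; the query string is dropped.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


# Policy (assumed for the example): sensitive feature -> users allowed to use it.
SENSITIVE_FEATURES = {"/admin/export-customers": {"carol"}}
# More than this many successful uses of one sensitive feature by one user is flagged.
MAX_USES = 2


def detect(log_text, features=SENSITIVE_FEATURES, max_uses=MAX_USES):
    """Scan the log and return (alert_type, user, feature, timestamp) tuples."""
    alerts = []
    uses = defaultdict(int)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        feature = rec["path"]
        if feature not in features:
            continue
        if rec["status"] != 200:
            # Only successful uses count here; failed attempts could feed a second rule.
            continue
        user = rec["user"]
        if user not in features[feature]:
            alerts.append(("unauthorized_feature_use", user, feature, rec["ts"]))
        uses[(user, feature)] += 1
        if uses[(user, feature)] == max_uses + 1:
            alerts.append(("excessive_feature_use", user, feature, rec["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Note that the monitor trusts the log the application wrote: if the application itself is compromised (the disadvantage noted above), it can simply stop logging or log false user names, and nothing here would notice.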
Host-based
Host-based intrusion detection agents (also called sensors) collect information reflecting the activity that occurs on a particular system. This information is sometimes in the form of operating-system audit trails. It can also include system logs, other logs generated by operating system processes, and contents of system objects not reflected in the standard operating system audit and logging mechanisms.
Advantages:
Systems can monitor information access in terms of who accessed what
Systems can map problem activities to a specific user id
Systems can track behavior changes associated with misuse
Systems can operate in encrypted environments
Systems can operate in switched network environments
Systems can distribute the load associated with monitoring across available hosts on large networks, thereby cutting deployment costs
Disadvantages:
Network activity is not visible to host-based detectors
Running audit mechanisms can incur additional resource overhead
When audit trails are used as data sources, they can take up significant storage
Operating system vulnerabilities can undermine the integrity of host-based agents and analyzers
Host-based agents must be more platform-specific, which adds to deployment costs
Management and deployment costs associated with host-based systems are usually greater than in other approaches
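Three of the advantages listed above (who accessed what, mapping activity to a user id, and tracking behavior changes) as an added example that is not part of the ICSA paper. The audit-trail format is a deliberately simplified, constructed one (timestamp, uid, event, object, outcome), not the record layout of any real operating system. The analyzer learns each uid's normal (event, object) pairs from a known-good period, then flags accesses to sensitive objects, repeated failures by one uid, and successful actions outside that uid's profile. The sensitive-object list and the failure threshold are assumptions.

```python
from collections import defaultdict

# Constructed audit-trail records for a known-good period (not real OS audit data).
# Fields: timestamp  uid  event  object  outcome
BASELINE_TRAIL = """\
1998-03-12T09:00:01 1001 exec /usr/bin/vi success
1998-03-12T09:00:05 1001 open /home/alice/report.txt success
1998-03-12T09:10:00 1001 exec /usr/bin/mail success
1998-03-12T09:20:00 1002 exec /usr/bin/gcc success
1998-03-12T09:21:00 1002 open /home/bob/src/main.c success
"""

# Constructed records from a later period that the analyzer examines.
LIVE_TRAIL = """\
1998-03-13T02:14:00 1001 exec /usr/bin/gcc success
1998-03-13T02:14:30 1001 open /etc/shadow failure
1998-03-13T02:14:31 1001 open /etc/shadow failure
1998-03-13T02:14:32 1001 open /etc/shadow failure
1998-03-13T02:15:00 1001 exec /usr/bin/su failure
1998-03-13T10:00:00 1002 exec /usr/bin/gcc success
1998-03-13T10:00:10 1002 open /home/bob/src/main.c success
"""

# Objects whose access is always reported, whatever the outcome (assumed list).
SENSITIVE_OBJECTS = {"/etc/shadow", "/etc/passwd"}
# Number of failed actions by one uid that triggers a report (assumed threshold).
FAILURE_THRESHOLD = 3


def parse_trail(text):
    """Turn the five-field records into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, uid, event, obj, outcome = parts
        records.append({"ts": ts, "uid": int(uid), "event": event,
                        "object": obj, "ok": outcome == "success"})
    return records


def build_profiles(records):
    """Per-uid set of (event, object) pairs seen succeeding in the baseline period."""
    profiles = defaultdict(set)
    for r in records:
        if r["ok"]:
            profiles[r["uid"]].add((r["event"], r["object"]))
    return profiles


def analyze(records, profiles, sensitive=SENSITIVE_OBJECTS, threshold=FAILURE_THRESHOLD):
    """Return (alert_type, uid, detail, timestamp, succeeded) tuples, attributed by uid."""
    alerts = []
    failures = defaultdict(int)
    for r in records:
        uid = r["uid"]
        key = (r["event"], r["object"])
        # Who accessed what: any touch of a sensitive object is reported with its outcome.
        if r["event"] == "open" and r["object"] in sensitive:
            alerts.append(("sensitive_object_access", uid, r["object"], r["ts"], r["ok"]))
        if not r["ok"]:
            # Problem activity mapped to the uid that caused it.
            failures[uid] += 1
            if failures[uid] == threshold:
                alerts.append(("repeated_failures", uid, None, r["ts"], False))
        elif key not in profiles.get(uid, set()):
            # Behavior change: a successful action this uid never performed in the baseline.
            alerts.append(("behavior_change", uid, f"{r['event']} {r['object']}", r["ts"], True))
    return alerts


if __name__ == "__main__":
    profiles = build_profiles(parse_trail(BASELINE_TRAIL))
    for alert in analyze(parse_trail(LIVE_TRAIL), profiles):
        print(alert)
```

The baseline-then-compare structure is what makes the storage and overhead disadvantages concrete: the profile is only as good as the audit trail retained for the known-good period, and every live record costs a parse and a set lookup on the monitored host. An attacker who has already compromised the operating system can, as the last disadvantage says, feed the analyzer records it never generated.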
Target-Based Approaches
Integrity analysis (see section 3.2.4.3) enables one to implement a focused and effective monitoring strategy for systems in which data integrity and process integrity are of primary concern. This approach monitors specific files, system objects and