
ICSA, Inc. For more information, call 888-396-8348
An Introduction to Intrusion Detection and Assessment

• In some cases, automatically respond to detected activity, and
• Report the outcome of the detection process.

Descriptors for Intrusion Detection Systems

Features and Functions

Monitoring Approach

Application-based

Application-based intrusion detection sensors collect information at the application level. Examples of application-level information include logs generated by database management software, web servers, or firewalls. With the proliferation of Web-based electronic commerce, security will increasingly focus on interactions between users and application programs and data.

Advantages of application-level monitoring:
• This approach allows targeting of finer-grained activities on the system (e.g. one can monitor for a user utilizing a particular application feature).

Disadvantages:
• Application-layer vulnerabilities can undermine the integrity of application-based monitoring and detection approaches.

Host-based

Host-based intrusion detection agents (also called sensors) collect information reflecting the activity that occurs on a particular system. This information is sometimes in the form of operating-system audit trails. It can also include system logs, other logs generated by operating system processes, and contents of system objects not reflected in the standard operating system audit and logging mechanisms.

Advantages:
• Systems can monitor information access in terms of "who accessed what"
• Systems can map problem activities to a specific user id
• Systems can track behavior changes associated with misuse
• Systems can operate in encrypted environments
• Systems can operate in switched network environments
• Systems can distribute the load associated with monitoring across available hosts on large networks, thereby cutting deployment costs

Disadvantages:
• Network activity is not visible to host-based detectors
• Running audit mechanisms can incur additional resource overhead
• When audit trails are used as data sources, they can take up significant storage
• Operating system vulnerabilities can undermine the integrity of host-based agents and analyzers
• Host-based agents must be more platform-specific, which adds to deployment costs
• Management and deployment costs associated with host-based systems are usually greater than in other approaches

Target-Based Approaches

Integrity analysis (see section 3.2.4.3) enables one to implement a focused and effective monitoring strategy for systems in which data integrity and process integrity are of primary concern. This approach monitors specific files, system objects and
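The host-based section above lists "who accessed what", mapping activity to a user id, and tracking behavior changes as things an audit-trail analyzer can do. The following added example (not from the ICSA document) shows those three functions over a constructed audit trail in a simplified key=value format; the format, the user names and the paths are all assumptions made for the demonstration, not any real operating system's audit record layout.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed audit-trail lines in a simplified key=value format (an assumption
# for this example, not a real operating-system audit format). Each record
# names the user, the user id, the system call, the object touched and whether
# the access was permitted. One malformed line is included on purpose.
AUDIT_TRAIL = """\
2024-03-01T09:12:03Z uid=1001 user=alice syscall=open path=/home/alice/report.txt result=success
2024-03-01T09:12:10Z uid=1001 user=alice syscall=open path=/etc/shadow result=denied
2024-03-01T09:13:45Z uid=1002 user=bob syscall=open path=/home/bob/notes.txt result=success
2024-03-01T09:14:02Z uid=1002 user=bob syscall=open path=/etc/shadow result=denied
2024-03-01T09:14:05Z uid=1002 user=bob syscall=open path=/etc/passwd result=success
2024-03-01T09:14:09Z uid=1002 user=bob syscall=open path=/root/.ssh/authorized_keys result=denied
2024-03-01T09:20:00Z uid=1001 user=alice syscall=open path=/home/alice/budget.xlsx result=success
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) uid=(?P<uid>\d+) user=(?P<user>\S+) "
    r"syscall=(?P<syscall>\S+) path=(?P<path>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class AuditEvent:
    ts: str
    uid: int
    user: str
    syscall: str
    path: str
    result: str


def parse_audit_line(line):
    """Parse one audit record; return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return AuditEvent(d["ts"], int(d["uid"]), d["user"], d["syscall"], d["path"], d["result"])


def parse_audit_trail(text):
    """Parse a whole trail, silently dropping malformed records."""
    events = (parse_audit_line(line) for line in text.splitlines())
    return [e for e in events if e is not None]


def access_report(events, successful_only=True):
    """'Who accessed what': map each (uid, user) to the objects that user opened."""
    report = defaultdict(set)
    for e in events:
        if successful_only and e.result != "success":
            continue
        report[(e.uid, e.user)].add(e.path)
    return {key: sorted(paths) for key, paths in report.items()}


def users_probing_outside_home(events, min_denied=2):
    """Behavior-change check: user ids with at least min_denied denied accesses
    to objects outside their own home directory (a crude misuse indicator)."""
    denied = defaultdict(int)
    for e in events:
        home = f"/home/{e.user}/"
        if e.result == "denied" and not e.path.startswith(home):
            denied[e.uid] += 1
    return {uid: n for uid, n in denied.items() if n >= min_denied}


if __name__ == "__main__":
    evs = parse_audit_trail(AUDIT_TRAIL)
    for key, paths in access_report(evs).items():
        print(key, paths)
    print("flagged user ids:", users_probing_outside_home(evs))
```

The report keys carry the numeric uid alongside the login name, because the uid is the stable identity the operating system actually enforced; the denied-access counter is the simplest form of the "behavior change" tracking the text mentions, and a production agent would replace it with a per-user baseline learned over time.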
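The target-based paragraph above describes integrity analysis: monitoring specific files and system objects for changes. The added example below (my own illustration, not code from the ICSA document or any named product) implements the core of that approach: take a baseline of SHA-256 digests over a directory tree, rescan later, and report which files were modified, added or removed. The directory layout and file contents are constructed in a temporary directory so the demonstration runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Digest a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def compare_to_baseline(baseline: dict, current: dict) -> dict:
    """Classify differences between a stored baseline and a fresh scan."""
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Build a constructed file tree, baseline it, change it, and rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample contents standing in for monitored system objects.
        files = {
            "bin/service": b"\x7fELF original service binary (constructed)",
            "etc/motd": b"Welcome\n",
            "etc/ssh/sshd_config": b"PermitRootLogin no\n",
        }
        for rel, data in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        baseline = build_baseline(root)

        # Simulated changes an integrity monitor is expected to catch:
        # one binary replaced, one file deleted, one new file dropped in.
        (root / "bin/service").write_bytes(b"\x7fELF replaced service binary (constructed)")
        (root / "etc/motd").unlink()
        (root / "etc/cron.d").mkdir(parents=True)
        (root / "etc/cron.d/job").write_bytes(b"0 3 * * * root /usr/local/bin/backup\n")

        return compare_to_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

Two practical points follow from the page's own caveat that host-level vulnerabilities can undermine the agent: the baseline must be stored where a compromise of the monitored host cannot rewrite it (off-host, or at least signed), and real tools also record ownership, permissions and size alongside the digest so that metadata-only changes are not missed.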