ICSA, Inc.
For more information, call 888-396-8348 27
An Introduction to Intrusion Detection and Assessment
Therefore, there is virtually no possibility of actively countering incidents as they happen in an attempt to minimize damage.

The aggregation of information for batch-mode analysis consumes more disk storage on the analysis system. This can result in huge amounts of data for enterprise networks.
Real-Time
Real-time systems provide information collection, analysis, and reporting (with possible responses) on a continuous basis. The term real-time is used here as in process-control systems; that is, the detection process happens quickly enough to hinder the attack. Note that while this definition applies to systems that take milliseconds to perform analysis, it can also describe systems that are slower. Real-time systems provide a variety of real-time alarms (many support off-site alarming mechanisms such as e-mail, pagers, and telephone messaging), as well as automatic responses to attacks. Typical responses range from simple notification to increasing the sensitivity of the monitoring, terminating the network connection from the source of the attack, or changing system settings to limit damage.
Advantages:
Depending on the speed of the analysis, attacks may be detected quickly enough to allow system administrators to interrupt them;
Depending on the speed and sensitivity of the analysis, system administrators may be able to perform incident handling (leading to recovery of system operations) more quickly;
In cases that occur on systems where legal remedies are available, system administrators may be able to collect information that allows more effective identification and prosecution of intruders.
Disadvantages:
They tend to consume more memory and processing resources on the analysis system than post facto systems;
There are serious legal issues associated with automated responses that attempt to harm the attacking systems, a feature associated with some real-time systems;
Configuration of real-time systems is critical; a badly formed signature can generate so many false alarms that a real attack goes unnoticed.
Location of Analysis
As with sensors, analysis functions can reside at the host level, at the network level, or both. Performing analysis strictly at the host level has the advantage of minimizing network load. However, it has the disadvantage of not allowing the detection of broad-scale attacks targeting a network of machines (for instance, an attacker sequentially hopping through a network performing brute-force password guessing against each host). Consolidating raw data and performing analysis strictly at the network level (in the case of systems with sensors at both host and network levels) offers the capability to detect attacks that involve more than one host on the network. The disadvantage of this approach is that the network load associated with transferring raw host-level information to the analysis engine can be crippling.
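The following is an added illustration, not code from the ICSA paper, of the two points made above: the "attacker hopping through a network" case that host-level-only analysis misses but network-level correlation catches, and the real-time response ladder (notification, then increased sensitivity, then terminating the source's connection) described under Real-Time. The authentication records, the 10.0.0.x addresses, the thresholds, the 60-second window and the ladder rungs are all constructed for the example and are not from the paper.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    ts: int      # seconds since the start of the (constructed) capture
    host: str    # host whose login service produced the record
    src: str     # source address of the login attempt
    ok: bool     # True for a successful login, False for a failure


# Constructed sample records (not from the paper): 10.0.0.9 tries three passwords
# on each of four hosts in turn; 10.0.0.20 mistypes twice on hostA, then logs in.
SAMPLE_EVENTS = [AuthEvent(t, h, s, ok) for (t, h, s, ok) in [
    (0, "hostA", "10.0.0.9", False), (1, "hostA", "10.0.0.9", False), (2, "hostA", "10.0.0.9", False),
    (3, "hostA", "10.0.0.20", False), (4, "hostA", "10.0.0.20", False), (5, "hostA", "10.0.0.20", True),
    (10, "hostB", "10.0.0.9", False), (11, "hostB", "10.0.0.9", False), (12, "hostB", "10.0.0.9", False),
    (20, "hostC", "10.0.0.9", False), (21, "hostC", "10.0.0.9", False), (22, "hostC", "10.0.0.9", False),
    (30, "hostD", "10.0.0.9", False), (31, "hostD", "10.0.0.9", False), (32, "hostD", "10.0.0.9", False),
]]

WINDOW = 60          # seconds of failure history kept per source (assumed value)
HOST_THRESHOLD = 5   # failures from one source on ONE host before a host-level alert (assumed)
NET_THRESHOLD = 5    # failures from one source across ALL hosts before a network-level alert (assumed)


def host_level_alerts(events):
    """Host-level analysis: each host sees only its own records.
    Returns {(host, src): failures} for pairs that reached HOST_THRESHOLD."""
    fails = defaultdict(int)
    for e in events:
        if not e.ok:
            fails[(e.host, e.src)] += 1
    return {k: n for k, n in fails.items() if n >= HOST_THRESHOLD}


def network_level_alerts(events):
    """Network-level analysis: raw records from every host are pooled, so one source
    spread thinly over many hosts still adds up. Returns {src: sorted hosts touched}."""
    fails = defaultdict(int)
    hosts = defaultdict(set)
    for e in events:
        if not e.ok:
            fails[e.src] += 1
            hosts[e.src].add(e.host)
    return {s: sorted(hosts[s]) for s, n in fails.items() if n >= NET_THRESHOLD}


# Response ladder for the real-time variant: (failures in window, action). The rungs
# follow the escalation the paper lists; the counts are assumed for the example.
RESPONSE_LADDER = [(5, "notify"), (8, "increase_sensitivity"), (12, "terminate_connection")]


class RealTimeNetworkAnalyzer:
    """Processes one pooled record at a time and emits a response the moment a rung
    is crossed, rather than waiting for a batch of logs to be collected and analysed."""

    def __init__(self):
        self.recent = defaultdict(deque)  # src -> timestamps of failures inside WINDOW
        self.rung = defaultdict(int)      # src -> index of the next ladder rung to fire

    def ingest(self, e):
        if e.ok:
            return None
        q = self.recent[e.src]
        q.append(e.ts)
        while q and e.ts - q[0] > WINDOW:   # drop failures that aged out of the window
            q.popleft()
        action = None
        while (self.rung[e.src] < len(RESPONSE_LADDER)
               and len(q) >= RESPONSE_LADDER[self.rung[e.src]][0]):
            action = RESPONSE_LADDER[self.rung[e.src]][1]
            self.rung[e.src] += 1
        return action


def run_stream(events):
    """Feeds events in arrival order; returns [(ts, src, action)] as the analyser raises them."""
    analyzer = RealTimeNetworkAnalyzer()
    raised = []
    for e in events:
        action = analyzer.ingest(e)
        if action:
            raised.append((e.ts, e.src, action))
    return raised


if __name__ == "__main__":
    print("host-level alerts:   ", host_level_alerts(SAMPLE_EVENTS))
    print("network-level alerts:", network_level_alerts(SAMPLE_EVENTS))
    print("real-time responses: ", run_stream(SAMPLE_EVENTS))
```

With these records no host ever sees more than three failures from one source, so the host-level pass raises nothing, while the pooled pass attributes twelve failures across four hosts to 10.0.0.9 and the streaming analyser escalates through all three rungs before the last attempt lands; the two-failure user on hostA never reaches a rung. Note that the pooled analyser needs every host's raw records, which is exactly the network-load cost the paper warns about.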
As with sensor placement, the optimal strategy for performing analysis of logs is one in which analysis is done at both host and network levels. The analysis done at the host level can be simple or extensive depending on the nature of the sensor