
An Introduction to Intrusion Detection and Assessment (ICSA, Inc. For more information, call 888-396-8348), page 27

•  Therefore, there is virtually no possibility of actively countering incidents as they happen in an attempt to minimize damage.
•  The aggregation of information for batch-mode analysis consumes more disk storage on the analysis system. This can result in huge amounts of data for enterprise networks.

Real Time

Real-time systems provide information collection, analysis, and reporting (with possible responses) on a continuous basis. The term “real-time” is used here as in process-control systems; that is, the detection process happens quickly enough to hinder the attack. Note that while this definition applies to systems that take milliseconds to perform analysis, it can also describe systems that are slower.

Real-time systems provide a variety of real-time alarms (many support off-site alarming mechanisms such as e-mail, pagers, and telephone messaging), as well as automatic responses to attacks. Typical responses range from simple notification to increasing the sensitivity of the monitoring, terminating the network connection from the source of the attack, or changing system settings to limit damage.

Advantages:
•  Depending on the speed of the analysis, attacks may be detected quickly enough to allow system administrators to interrupt them;
•  Depending on the speed and sensitivity of the analysis, system administrators may be able to perform incident handling (leading to recovery of system operations) more quickly;
•  In cases that occur on systems where legal remedies are available, system administrators may be able to collect information that allows more effective identification and prosecution of intruders.

Disadvantages:
•  They tend to consume more memory and processing resources on the analysis system than post facto systems;
•  There are serious legal issues associated with automated responses that attempt to harm the attacking systems, a feature associated with some real-time systems;
•  Configuration of real-time systems is critical; a badly formed signature can generate so many false alarms that a real attack goes unnoticed.

Location of Analysis

As with sensors, analysis functions can reside at host level, at network level, or both. Performing analysis strictly at the host level has the advantage of minimizing network load. However, it has the disadvantage of not allowing the detection of broad-scale attacks targeting a network of machines (for instance, an attacker sequentially hopping through a network performing brute-force password guessing against each host).

Consolidating raw data and performing analysis strictly at the network level (in the case of systems with sensors at both host and network levels) offer the capability to detect attacks that involve more than one host on the network. The disadvantage of this approach is that the network load associated with transferring raw host-level information to the analysis engine can be crippling.

As with sensor placement, the optimal strategy for performing analysis of logs is one in which analysis is done at both host and network levels. The analysis done at the host level can be simple or extensive depending on the nature of the sensor
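The host-level versus network-level trade-off above is easiest to see on data. The following is an added example, not code from the ICSA paper: it runs a per-host failed-login threshold (host-level analysis) and a consolidated per-source threshold (network-level analysis) over a constructed set of login events. It also goes one step beyond the text by having each host ship only a per-source failure count to the central analyser rather than its raw log, which is one way to avoid the network load the paper warns about. All hostnames, addresses, and thresholds are assumptions chosen for illustration.

```python
"""
Added example (not from the ICSA paper): host-level vs network-level analysis of
constructed login-failure events. Hostnames, addresses and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    host: str      # host whose sensor recorded the event
    src: str       # address the attempt came from
    failed: bool   # True for a failed login


def _failures(src: str, host: str, n: int):
    """Build n constructed failed-login events from src against host."""
    return [LoginEvent(host, src, True) for _ in range(n)]


# Constructed sample: one noisy source hammering a single host, and one "hopping"
# source that tries only twice per host across four hosts (8 failures network-wide).
SAMPLE_EVENTS = (
    _failures("203.0.113.9", "web1", 6)
    + _failures("198.51.100.7", "web1", 2)
    + _failures("198.51.100.7", "web2", 2)
    + _failures("198.51.100.7", "db1", 2)
    + _failures("198.51.100.7", "mail1", 2)
    + [LoginEvent("web2", "192.0.2.44", False)]   # an ordinary successful login
)

HOST_THRESHOLD = 5      # failures from one source against one host
NETWORK_THRESHOLD = 5   # failures from one source across the whole network
MIN_HOSTS = 2           # ...that touch at least this many distinct hosts


def host_level_alerts(events, threshold=HOST_THRESHOLD):
    """Host-level analysis: each host sees only its own log, so an alert is a
    (host, src) pair whose failure count reaches the threshold."""
    counts = defaultdict(int)
    for e in events:
        if e.failed:
            counts[(e.host, e.src)] += 1
    return {pair for pair, n in counts.items() if n >= threshold}


def host_summary(events, host):
    """What a host ships to the central analyser: per-source failure counts,
    not raw log lines, which keeps the transfer small."""
    summary = defaultdict(int)
    for e in events:
        if e.host == host and e.failed:
            summary[e.src] += 1
    return dict(summary)


def network_level_alerts(summaries, threshold=NETWORK_THRESHOLD, min_hosts=MIN_HOSTS):
    """Network-level analysis: consolidate the per-host summaries and alert on
    sources that spread failures over several hosts, each below the host threshold."""
    total = defaultdict(int)
    hosts_hit = defaultdict(set)
    for host, summary in summaries.items():
        for src, n in summary.items():
            total[src] += n
            hosts_hit[src].add(host)
    return {src for src, n in total.items()
            if n >= threshold and len(hosts_hit[src]) >= min_hosts}


def run(events=SAMPLE_EVENTS):
    """Run both levels and return their alerts side by side."""
    hosts = sorted({e.host for e in events})
    summaries = {h: host_summary(events, h) for h in hosts}
    return {
        "host_level": host_level_alerts(events),
        "network_level": network_level_alerts(summaries),
    }


if __name__ == "__main__":
    for level, alerts in run().items():
        print(f"{level}: {sorted(alerts)}")
```

On the sample data the host-level pass reports only the noisy source against web1, and the network-level pass reports only the hopping source, because no single host ever saw it reach the threshold. Neither level alone covers both cases, which is the paper's argument for analysing at both levels; the summary-shipping step shows how to do that without forwarding every raw host log.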