ICSA, Inc.
For more information, call 888-396-8348 29
An Introduction to Intrusion Detection and Assessment
ager assumes the duties of a subordinate in an emergency). This rigidity can be a problem in organizations where change is frequent, and it can produce both false alarms and false negatives (missed attacks).
Integrity analysis
Integrity analysis focuses on whether some aspect of a file or object has been altered. This often includes file and directory attributes (ownership, permissions, size, timestamps), content, and data streams. Integrity analysis typically relies on cryptographic message digest (hash) algorithms, which produce a fixed-length fingerprint of an object's content that changes if even a single bit of that content changes. Fingerprints are computed from a known-good state and stored as a baseline; later scans recompute them and compare the results against the baseline.
Advantages:
Any successful attack that altered files, left behind network packet grabbers (sniffers), or deployed rootkits can be detected from the changes it left, regardless of whether the attack itself was noticed by signature or statistical analysis, provided the modified objects are within the monitored set and the baseline is stored where the attacker cannot alter it.
Disadvantages:
Because current implementations tend to work in batch mode (periodic scans rather than continuous monitoring), they are not conducive to real-time response; an alteration is noticed only at the next scan. They also report that something changed, not how or by whom, so other information sources are needed to reconstruct the attack.
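The baseline-and-compare cycle described above, as an added example that is not part of the original ICSA paper: a small file-integrity checker that fingerprints every regular file under a directory with SHA-256 plus size, permission bits and owner, then reports objects that were added, removed or modified since the baseline. The demo tree, the trojaned "login" file and the "sniff" file are constructed here for illustration. Modification time is deliberately not part of the fingerprint, because an attacker can reset it; the hash is the authoritative signal.

```python
"""File-integrity checker: baseline a tree, rescan it, diff the fingerprints.

Illustrative code written for this page; not from the ICSA paper.
"""
import hashlib
import os
import shutil
import stat
import tempfile
from dataclasses import dataclass

FIELDS = ("sha256", "size", "mode", "uid", "gid")


@dataclass(frozen=True)
class Fingerprint:
    sha256: str
    size: int
    mode: int   # permission bits only (stat.S_IMODE); type bits excluded
    uid: int
    gid: int


def fingerprint(path):
    """Hash the file content in chunks and record the attributes we care about."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return Fingerprint(digest.hexdigest(), st.st_size,
                       stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)


def scan(root):
    """Fingerprint every regular file under root; symlinks are not followed."""
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(path).st_mode):
                result[os.path.relpath(path, root)] = fingerprint(path)
    return result


def compare(baseline, current):
    """Diff two scans: {'added': [...], 'removed': [...], 'modified': {path: [attrs]}}."""
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)),
              "modified": {}}
    for path in sorted(set(baseline) & set(current)):
        before, after = baseline[path], current[path]
        changed = [f for f in FIELDS if getattr(before, f) != getattr(after, f)]
        if changed:
            report["modified"][path] = changed
    return report


def demo():
    """Constructed scenario: baseline a tree, tamper with it, rescan, return the diff."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    try:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"original login program\n")
        with open(os.path.join(root, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        os.chmod(os.path.join(root, "passwd"), 0o644)
        with open(os.path.join(root, "motd"), "w") as f:
            f.write("authorized use only\n")
        baseline = scan(root)  # in practice: store this read-only, off the host

        # Simulated compromise: trojan the login program without changing its
        # size, loosen passwd permissions, drop a sniffer, delete a file.
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"trojaned login program\n")  # same length as the original
        os.chmod(os.path.join(root, "passwd"), 0o666)
        with open(os.path.join(root, "bin", "sniff"), "wb") as f:
            f.write(b"packet grabber\n")
        os.remove(os.path.join(root, "motd"))

        return compare(baseline, scan(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

The trojaned "bin/login" shows up with only its hash changed, which is the case a size-or-timestamp check would miss; "passwd" shows a permission change with identical content.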
Responses to Detection of Misuse or Attack
Some network-based intrusion detection systems permit one to specify a desired reaction to a detected problem. This feature has captured the imagination of many in the security management arena, especially as the frequency of denial-of-service attacks (saturation of system resources) has increased.
Alter the Environment
A typical response to a detected network attack is to take steps to alter the environment of the system under attack. This alteration can consist of terminating the connection used by the attacker and reconfiguring network devices (routers, firewalls) to block further access to the site from the same source address. The response mechanisms are intended to allow system administrators to take an active role, within their authority, to minimize the damage associated with a detected attack.
Although it is a popular topic of discussion, striking back by attacking the source is ill advised at this point. TCP/IP, the basis for Internet communications, allows spoofing of packet source addresses; therefore, retaliation against the putative source of an attack might in fact damage an innocent party whose IP address had been forged for the attack. The same weakness affects automatic blocking in a milder form: an attacker who forges the address of a legitimate user or partner site can cause the response mechanism to cut that party off, turning the defense into a denial-of-service tool against the site itself. Automatic blocks should therefore be bounded in scope and duration and should never apply to addresses the site cannot afford to lose.
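A response policy that implements the "alter the environment" actions above while bounding the damage a spoofed source can do, as an added example that is not part of the original ICSA paper. The alert fields, the never-block list (own networks plus a partner's address), the severity threshold, the block time-to-live and the cap on concurrent blocks are all assumptions chosen for illustration; the addresses come from the documentation ranges.

```python
"""Automated response with safeguards against spoofed-source blocking.

Illustrative code written for this page; not from the ICSA paper.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Alert:
    src: str          # claimed source address (may be spoofed)
    dst: str
    dst_port: int
    signature: str
    severity: int     # 1 (informational) .. 5 (critical)


@dataclass
class ResponsePolicy:
    never_block: list                 # CIDRs that must stay reachable: own nets, partners, DNS
    block_threshold: int = 4          # minimum severity that earns an active response
    block_ttl_seconds: int = 900      # blocks expire; a spoofed victim is not locked out forever
    max_active_blocks: int = 100      # budget: an attacker cannot fill the filter with forged sources
    active_blocks: dict = field(default_factory=dict)   # src ip -> expiry timestamp

    def _protected(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(net) for net in self.never_block)

    def expire(self, now):
        """Drop blocks whose TTL has elapsed."""
        for ip, expiry in list(self.active_blocks.items()):
            if expiry <= now:
                del self.active_blocks[ip]

    def decide(self, alert, now):
        """Return the ordered list of actions to take for one alert."""
        self.expire(now)
        actions = ["notify"]                      # every alert reaches a human
        if alert.severity < self.block_threshold:
            return actions                        # low severity: log and notify only
        # Resetting the offending connection affects only that connection,
        # so it is acceptable even when the source cannot be blocked.
        actions.append("terminate_connection")
        if self._protected(alert.src):
            actions.append("no_block:protected_source")
            return actions
        if alert.src in self.active_blocks:
            self.active_blocks[alert.src] = now + self.block_ttl_seconds
            actions.append("block_refreshed")
            return actions
        if len(self.active_blocks) >= self.max_active_blocks:
            actions.append("no_block:budget_exhausted")
            return actions
        self.active_blocks[alert.src] = now + self.block_ttl_seconds
        actions.append(f"block_source:{alert.src}:ttl={self.block_ttl_seconds}")
        return actions


def demo():
    """Constructed alerts: a real attacker, a spoofed partner address, a low-severity probe."""
    policy = ResponsePolicy(never_block=["10.0.0.0/8", "203.0.113.5/32"])
    alerts = [
        Alert("198.51.100.7", "192.0.2.10", 80, "web-exploit", 5),
        Alert("203.0.113.5", "192.0.2.10", 53, "dns-flood", 5),     # partner DNS, likely forged
        Alert("198.51.100.9", "192.0.2.10", 22, "ssh-probe", 2),
        Alert("198.51.100.7", "192.0.2.10", 80, "web-exploit", 5),  # repeat offender
    ]
    return [policy.decide(a, now=1000 + i) for i, a in enumerate(alerts)]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The allow-list and the expiry are what keep a forged source address from becoming a weapon: the worst an attacker can do is trigger a temporary block on an address the site does not depend on, and the block budget caps how many such blocks can be installed at once.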
Another valuable feature of intrusion detection systems is the ability to drill down into information sources by setting agents and audit mechanisms to collect more information about the connection in question. This can also include collecting information that allows playback of attacks. This response allows the system administrator to collect information that supports more accurate judgements about the intent of the attacker. It also allows collection of information that might assist law enforcement or other investigators in identifying those responsible for the attack.
Validation
Knowledgeable attackers will often attempt to target the intrusion detection sensors or the analysis engine themselves, so that the attack proper goes unobserved. In this case, a validation response is suitable: the sensors and/or analysis engine are queried (for example, with a periodic heartbeat, or with a test event that should provoke a known alert) to determine whether they continue to work properly.
Real Time Notification
Finally, most real-time systems allow a system administrator to select a variety of alarm mechanisms to notify responsible parties of detected attacks. The alarms can notify key personnel by e-mail or pager messages sent instantaneously with information about the problem. A message to the