ICSA, Inc. An Introduction to Intrusion Detection and Assessment. For more information, call 888-396-8348

ager assumes the duties of a subordinate in an emergency). This rigidity can be a problem in organizations where change is frequent. This can result in both false alarms and false negatives (missed attacks).

Integrity analysis

Integrity analysis focuses on whether some aspect of a file or object has been altered. This often includes file and directory attributes, content and data streams. Integrity analysis often utilizes strong cryptographic mechanisms, called message digest (or hash) algorithms, which can recognize even subtle changes.

Advantages:

•  Any successful attack where files were altered, network packet grabbers were left behind, or rootkits were deployed will be detected regardless of whether or not the attack was detected by signature or statistical analysis.

Disadvantages:

•  Because current implementations tend to work in batch mode, they are not conducive to real-time response.

Responses to Detection of Misuse or Attack

Some network-based intrusion detection systems permit one to specify a desired reaction to a detected problem. This feature has captured the imagination of many in the security management arena, especially as the frequency of denial-of-service attacks (saturation of system resources) has increased.

Alter the Environment

A typical response to a detected network attack is to take steps to alter the environment of the system under attack. This alteration can consist of terminating the connection used by the attacker and reconfiguring network devices to block further access to the site from the same source address. The response mechanisms are intended to allow system administrators to take an active role within their authority to minimize damage associated with a detected attack.
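Before going further into responses, here is the integrity analysis approach described above in working form. This is an added example, not code from the ICSA paper: a minimal checker in the Tripwire style that records attributes plus a SHA-256 content digest for every entry under a root, and on a later run reports what changed and which attribute gave it away. The directory layout, the simulated compromise and the function names are assumptions made for illustration.

```python
# Added example (not from the ICSA paper): a minimal file-integrity checker.
# It fingerprints attributes and content, stores a baseline, and diffs a later
# run against it. The tree and the simulated intrusion below are constructed.
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Attributes and content digest compared by the checker. lstat is used so a
    symlink is fingerprinted by its target string, not by what it points at."""
    st = os.lstat(path)
    record = {
        "type": stat.S_IFMT(st.st_mode),
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "mtime_ns": st.st_mtime_ns,
    }
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        record["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        record["target"] = os.readlink(path)
    return record


def baseline(root: Path) -> dict:
    """Fingerprint every directory, file and symlink below root, keyed by relative path."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            db[str(p.relative_to(root))] = fingerprint(p)
    return db


def compare(old: dict, new: dict) -> dict:
    """Diff two baselines. 'changed' maps a path to the sorted attribute names that
    differ, so a reviewer can tell a touched mtime from replaced content."""
    report = {"added": sorted(r for r in new if r not in old),
              "removed": sorted(r for r in old if r not in new),
              "changed": {}}
    for rel in new:
        if rel in old:
            keys = set(old[rel]) | set(new[rel])
            diff = sorted(k for k in keys if old[rel].get(k) != new[rel].get(k))
            if diff:
                report["changed"][rel] = diff
    return report


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then simulate an intrusion that
    swaps a binary for a same-length backdoor (mtime restored, setuid added),
    appends an account to the password file, and leaves a sniffer behind."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        login = root / "bin" / "login"
        passwd = root / "etc" / "passwd"
        good = b"#!/bin/sh\nexec /usr/bin/login.real \"$@\"\n"
        login.write_bytes(good)
        passwd.write_text("root:x:0:0:root:/root:/bin/sh\n")
        before = baseline(root)

        # Same length as the original: a size check alone would not reveal the swap.
        evil = b"#!/bin/sh\nexec /tmp/.hidden/login0 \"$@\"\n"
        assert len(evil) == len(good)
        st = login.stat()
        login.write_bytes(evil)
        login.chmod(0o4755)                                   # setuid backdoor
        os.utime(login, ns=(st.st_atime_ns, st.st_mtime_ns))  # hide the write
        with passwd.open("a") as f:
            f.write("toor:x:0:0::/:/bin/sh\n")
        (root / "tmp").mkdir()
        (root / "tmp" / ".sniff").write_bytes(b"\x7fELF" + b"\x00" * 12)
        after = baseline(root)
    return compare(before, after)


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(kind, entries)
```

The backdoored login binary is caught by its digest even though size and modification time match the baseline, which is the point of using a hash rather than attributes alone. Two cautions the paper's batch-mode remark implies: the baseline must live somewhere the attacker cannot reach (read-only media or a separate host), since anyone who can alter the files can otherwise alter the record they are compared against, and a check that runs nightly reports a rootkit hours after it landed, not as it lands.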
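The "alter the environment" reaction above, as an added example rather than code from the ICSA paper: a small response policy that issues a connection reset plus a temporary block of the source address, renews rather than duplicates an existing block, refuses to block addresses on a protected list, and expires blocks. The protected list exists for the reason the paper gives against retaliation: a source address can be forged, so an attacker could otherwise spoof a gateway, DNS server or partner address into the alert stream and have the IDS cut it off. Expiry keeps a forged flood from filling the firewall permanently. The Alert fields, severity scale, address ranges and signature names are assumptions.

```python
# Added example (not from the ICSA paper): an automated-response policy for a
# detected network attack. Alerts, thresholds and addresses are constructed.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Alert:
    src: str           # putative source, taken from the packet header (may be forged)
    dst: str
    dport: int
    signature: str
    severity: int      # assumed scale: 1 informational .. 5 critical


@dataclass
class ResponsePolicy:
    protected: list                   # CIDRs never blocked: gateways, DNS, partners, own nets
    block_seconds: int = 900          # blocks are temporary unless renewed by new alerts
    min_severity: int = 3             # below this, log only
    active: dict = field(default_factory=dict)   # src ip -> expiry (epoch seconds)

    def __post_init__(self):
        self.protected = [ipaddress.ip_network(n) for n in self.protected]

    def expire(self, now: float) -> list:
        """Drop lapsed blocks and return their addresses so the caller can remove the rules."""
        lapsed = sorted(ip for ip, until in self.active.items() if until <= now)
        for ip in lapsed:
            del self.active[ip]
        return lapsed

    def decide(self, alert: Alert, now: float) -> dict:
        """Actions for one alert: 'log', 'notify', 'reset_connection', 'block_source'.
        A block is only added for a source not already blocked; repeats renew it."""
        self.expire(now)
        src = ipaddress.ip_address(alert.src)
        if alert.severity < self.min_severity:
            return {"actions": ["log"], "reason": "below response threshold"}
        for net in self.protected:
            if src in net:
                return {"actions": ["notify"],
                        "reason": f"{src} is inside protected {net}; header may be forged"}
        actions = ["reset_connection"]
        if alert.src not in self.active:
            actions.append("block_source")
        self.active[alert.src] = now + self.block_seconds      # new block or renewal
        return {"actions": actions, "until": self.active[alert.src]}


def firewall_rule(ip: str, add: bool) -> str:
    """iptables form of the block for a Linux host firewall; adapt for the network device."""
    return f"iptables {'-I' if add else '-D'} INPUT -s {ip} -j DROP"


def demo() -> list:
    """Constructed alert stream using RFC 5737 documentation addresses."""
    policy = ResponsePolicy(protected=["10.0.0.0/8", "192.0.2.53/32"])
    stream = [
        (1000.0, Alert("198.51.100.7", "10.0.0.5", 80, "cgi-bin probe", 4)),
        (1200.0, Alert("198.51.100.7", "10.0.0.5", 80, "cgi-bin probe", 4)),   # renewal
        (1300.0, Alert("192.0.2.53", "10.0.0.5", 53, "zone transfer request", 3)),  # protected
        (1400.0, Alert("203.0.113.9", "10.0.0.5", 22, "port scan", 1)),        # too low
    ]
    out = [policy.decide(alert, now) for now, alert in stream]
    out.append({"expired": policy.expire(3000.0)})
    return out


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

In the constructed stream the first alert produces a reset and a fifteen-minute block, the repeat extends the block instead of adding a second rule, the alert naming the protected DNS address is escalated to a person rather than acted on, and the low-severity scan is only logged. Whatever removes rules at expiry must be as reliable as whatever adds them, or the "temporary" block quietly becomes permanent.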
Although it is a popular topic of discussion, striking back by attacking the source is ill advised at this point. TCP/IP, the basis for Internet communications, allows spoofing of packet source addressing; therefore, retaliation against the putative source of an attack might in fact damage an innocent party whose IP address had been forged for the attack.

Another valuable feature of intrusion detection systems is to drill down into information sources by setting agents and audit mechanisms to collect more information about the connection in question. This can also include collecting information that allows playback of attacks. This response allows the system administrator to collect information that supports more accurate judgements about the intent of the attacker. It also allows collection of information that might assist law enforcement or other investigators in identifying those responsible for the attack.

Validation

Knowledgeable attackers will often attempt to target the intrusion detection sensors or the analysis engine. In this case, a validation response, in which the sensors and/or analysis engine are queried in order to determine whether they continue to work properly, is suitable.

Real Time Notification

Finally, most real-time systems allow a system administrator to select a variety of alarm mechanisms to notify responsible parties of detected attacks. The alarms can notify key personnel by e-mail or pager messages sent instantaneously with information about the problem. A message to the