ICSA, Inc.
For more information, call 888-396-8348 (page 37)
An Introduction to Intrusion Detection and Assessment
or undesired activity. Common data sources include (but are not limited to) raw network packets, operating system audit logs, application audit logs, and system-generated checksum data.
EVENT - A notification from an analyzer to the security administrator that a signature has triggered. An event typically contains information about the activity that triggered the signature, as well as the specifics of the occurrence.
FILE ASSESSMENT - A technology in which message digest hashing algorithms are used to render files and directories tamper-evident.
INCIDENT HANDLING - The part of the Security
Management Process concerning the investigation
and resolution of security incidents that occur and
are detected. Also known as INCIDENT RESPONSE.
INTRUSION DETECTION - The technology concerned
with monitoring computer systems in order to
recognize signs of intrusions or policy violations.
MANAGER - The ID component from which the security administrator manages the various components of the ID system. Management functions typically include (but are not limited to) sensor configuration, analyzer configuration, event notification management, data consolidation, and reporting.
MESSAGE DIGEST ALGORITHMS - Specialized cryptographic algorithms that are used to render files tamper-evident. The nature of message digest algorithms dictates that if an input data file is changed in any way, the digest (checksum) calculated from that file will change. Furthermore, a small change in the input data file will result in a large difference in the result. Tampering is only evident if the stored reference digests cannot themselves be altered by the intruder, so they must be kept read-only or off the monitored host.
RESPONSE - The actions that an analyzer takes
when a signature is triggered. Sending an event
notification to the security administrator is a very
common response. Other responses include (but
are not limited to) logging the activity, recording
the raw data (from the data source) that caused
the signature to trigger, terminating a network,
user, or application session, or altering network or
system access controls.
SCANNING - The technology concerned with scanning computer systems and networks in order to find security vulnerabilities. Also known as VULNERABILITY ASSESSMENT.
SECURITY ADMINISTRATOR - The human with responsibility for the successful deployment and operation of the intrusion detection system. This person may ultimately be charged with responsibility for the defense of the network. In some organizations, the security administrator is associated with the network or systems administration groups. In other organizations, it is an independent position.
SENSOR - The ID component that periodically
collects data from the data source. Also known as
AGENT.*
SIGNATURE - A rule used by the analyzer to identify interesting activity to the security administrator. Signatures are the mechanism by which ID systems detect intrusions.
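The following is an added example, not code from the ICSA paper, that ties together the EVENT, RESPONSE, SENSOR and SIGNATURE entries: a sensor reads records from a data source, an analyzer applies signatures, each trigger produces an event carrying the specifics and the raw data, and a responder notifies, logs, records the raw data and alters a simulated access control. The log lines are constructed in an OpenSSH-style format with made-up hosts and addresses, and the signature names, thresholds and the block-list response are assumptions for illustration.

```python
"""Added example (not from the ICSA paper): a minimal signature-based ID
pipeline over constructed auth-log lines (hosts and addresses are made up)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# DATA SOURCE: constructed OpenSSH-style auth log (not a real capture).
SAMPLE_LOG = """\
Mar  4 10:01:02 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Mar  4 10:01:05 host1 sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 40130 ssh2
Mar  4 10:01:09 host1 sshd[2206]: Failed password for root from 203.0.113.7 port 40141 ssh2
Mar  4 10:01:12 host1 sshd[2209]: Failed password for root from 203.0.113.7 port 40150 ssh2
Mar  4 10:01:15 host1 sshd[2210]: Accepted publickey for alice from 198.51.100.4 port 50011 ssh2
Mar  4 10:02:40 host1 sshd[2230]: Failed password for alice from 198.51.100.4 port 50020 ssh2
"""


@dataclass
class Signature:
    """SIGNATURE: a rule the analyzer applies to each record."""
    name: str
    pattern: re.Pattern      # must capture the source as group 'src'
    threshold: int = 1       # matches from one source before it triggers


@dataclass
class Event:
    """EVENT: what the analyzer sends to the security administrator."""
    signature: str
    source: str
    count: int
    raw: list = field(default_factory=list)   # raw records that triggered it


def sensor(data_source):
    """SENSOR: collect records from the data source, one log line each."""
    for line in data_source.splitlines():
        if line.strip():
            yield line


# Assumed signatures for illustration; names and thresholds are not from the paper.
SIGNATURES = [
    Signature("ssh-password-bruteforce",
              re.compile(r"Failed password for .* from (?P<src>\S+)"), threshold=3),
    Signature("ssh-root-password-attempt",
              re.compile(r"Failed password for root from (?P<src>\S+)")),
]


def analyzer(records, signatures):
    """ANALYZER: apply every signature to every record and emit an Event the
    moment a signature's per-source count reaches its threshold."""
    counts = defaultdict(int)
    raw = defaultdict(list)
    events = []
    for rec in records:
        for sig in signatures:
            m = sig.pattern.search(rec)
            if not m:
                continue
            key = (sig.name, m.group("src"))
            counts[key] += 1
            raw[key].append(rec)
            if counts[key] == sig.threshold:
                events.append(Event(sig.name, m.group("src"), counts[key], list(raw[key])))
    return events


class Responder:
    """RESPONSE: notify the administrator (the most common response), log the
    activity, record the raw data, and, for the brute-force signature, alter
    a simulated network access control by adding the source to a block list."""

    def __init__(self):
        self.notifications = []
        self.evidence = {}
        self.blocked = set()

    def handle(self, event):
        self.notifications.append(f"[{event.signature}] {event.source} x{event.count}")
        self.evidence[(event.signature, event.source)] = event.raw
        if event.signature == "ssh-password-bruteforce":
            self.blocked.add(event.source)


def run(log_text=SAMPLE_LOG):
    """Wire sensor -> analyzer -> responder and return what was produced."""
    responder = Responder()
    events = analyzer(sensor(log_text), SIGNATURES)
    for ev in events:
        responder.handle(ev)
    return events, responder


if __name__ == "__main__":
    for line in run()[1].notifications:
        print(line)
```

The per-source threshold is what keeps a single mistyped password (alice at 10:02:40) from raising an event, while three failures from 203.0.113.7 do; note that the root-login signature fires on its first match because its threshold is 1.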
SYSTEM LOG - The log of system events and activities, generated by a system process. The system log is typically at a greater degree of abstraction than the operating system audit log.
VULNERABILITY ASSESSMENT - The technology
concerned with scanning computer systems and
networks in order to find security vulnerabilities.
Also known as SCANNING.
* In many existing ID systems, the sensor and the
analyzer are part of the same component.