A Review of Intrusion Detection

In retrospect, you have learned about host-based intrusion detection systems (HIDS) and network-based intrusion detection systems (NIDS). Read this article on intrusion detection systems and note the strengths of HIDS and NIDS, and the overall pros and cons of intrusion detection systems.

2. INTRUSION DETECTION SYSTEMS

As defined by Heady et al., an intrusion is any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource.

Intrusion leads to violations of the security policies of a computer system, such as unauthorized access to private information, malicious break-in into a computer system, or rendering a system unreliable or unusable.

A full-blown network security system should include the following subsystems:

    • Intrusion Detection Subsystem: Distinguishes a potential intrusion from a valid network operation.
    • Protection Subsystem: Protects the network and security system itself from being compromised by network intrusions.
    • Reaction Subsystem: Either traces an intrusion back to its origin or takes countermeasures against the attackers.

A simple firewall can no longer provide enough security, as it did in the past. Today's corporations are drafting intricate security policies whose enforcement requires the use of multiple systems, both proactive and reactive (and often multi-layered and highly redundant). The premise behind intrusion detection systems is simple: deploy a set of agents to inspect network traffic and look for the signatures of known network attacks. However, the evolution of network computing and the near-universal availability of the Internet have complicated this concept somewhat. With the advent of Distributed Denial of Service (DDOS) attacks, which are often launched from hundreds of separate sources, the traffic source no longer provides reliable temporal clues that an attack is in progress. Worse yet, the task of responding to such attacks is further complicated by the diversity of the source systems, and especially by the geographically distributed nature of most attacks.

While intrusion detection techniques are often regarded as grossly experimental, the field of intrusion detection has matured a great deal, to the point where it has secured a place in the network defense landscape alongside firewalls and virus protection systems. While the actual implementations tend to be fairly complex, and often proprietary, the concept behind intrusion detection is a surprisingly simple one: inspect all network activity (both inbound and outbound) and identify suspicious patterns that could be evidence of a network or system attack.

  1. CHARACTERISTICS OF A GOOD INTRUSION DETECTION SYSTEM

An intrusion detection system should address the following issues, regardless of what mechanism it is based on:

    • It must run continually without human supervision. The system must be reliable enough to allow it to run in the background of the system being observed. However, it should not be a "black box". That is, its internal workings should be examinable from outside.
    • It must be fault-tolerant in the sense that it must survive a system crash without needing its knowledge base to be rebuilt at restart.
    • On a similar note to the above, it must resist subversion. The system can monitor itself to ensure that it has not been subverted.
    • It must impose minimal overhead on the system. A system that slows a computer to a crawl will simply not be used.
    • It must observe deviations from normal behavior.
    • It must be easily tailored to the system in question. Every system has a different usage pattern, and the defense mechanism should adapt easily to these patterns.
    • It must cope with changing system behavior over time as new applications are being added. The system profile will change over time, and the IDS must be able to adapt.
    • Finally, it must be difficult to fool.
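The two detection ideas this section describes, matching the signatures of known attacks and observing deviations from normal behavior, are shown together in the added example below. It is illustrative code written for this page, not from the article; the traffic records, hostnames, signature and baseline are all constructed. The deviation check counts requests per destination rather than per source, which is what lets it notice the distributed flood mentioned earlier, where no single source looks unusual.

```python
import re
import statistics
from collections import Counter

# Constructed sample traffic: (source, destination, request path). Not a real capture.
TRAFFIC = [
    ("10.0.0.5", "web01", "/index.html"),
    ("10.0.0.6", "web01", "/login"),
    ("10.0.0.7", "web01", "/../../etc/passwd"),   # matches a known-attack signature
    ("10.0.0.8", "web01", "/about"),
] + [(f"10.0.1.{i}", "web02", "/") for i in range(40)]  # 40 sources, one request each

# Signatures of known attack patterns, applied to the request path (constructed).
SIGNATURES = {
    "path traversal": re.compile(r"\.\./"),
}

# Baseline of requests per destination per time window, learned from earlier normal
# traffic (constructed here; a real IDS persists this so a restart does not rebuild it).
BASELINE = {"web01": [4, 5, 3, 6, 4, 5], "web02": [2, 3, 2, 4, 3, 2]}


def signature_alerts(traffic):
    """Signature detection: flag every record whose path matches a known pattern."""
    alerts = []
    for src, dst, path in traffic:
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((name, src, dst, path))
    return alerts


def anomaly_alerts(traffic, baseline, k=3.0):
    """Deviation-from-normal detection, aggregated per destination.

    Counting per destination rather than per source catches a distributed flood
    in which each individual source sends only a single request.
    """
    per_dst = Counter(dst for _, dst, _ in traffic)
    alerts = []
    for dst, count in per_dst.items():
        history = baseline.get(dst)
        if not history:
            alerts.append(("unknown destination", dst, count))
            continue
        limit = statistics.mean(history) + k * statistics.pstdev(history)
        if count > limit:
            alerts.append(("request rate above baseline", dst, count))
    return alerts


if __name__ == "__main__":
    for alert in signature_alerts(TRAFFIC) + anomaly_alerts(TRAFFIC, BASELINE):
        print(alert)
```

The threshold factor `k` is the tailoring knob the characteristics list calls for: a site with bursty legitimate traffic raises it to cut false alarms, at the cost of missing smaller deviations.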