State of the Practice of Intrusion Detection Technologies
Preface

Because most deployed computer systems are vulnerable to an ever increasing threat of attack, intrusion detection (ID) is a rapidly developing field. Intrusion detection is an important technology business sector as well as an active area of research. Vendors make many claims for their products in the commercial marketplace, so separating hype from reality can be a major challenge.
A goal of this report is to provide an unbiased assessment of publicly available ID technology. We hope this will help those who purchase and use ID technology to gain a realistic understanding of its capabilities and limitations. The report raises issues that we believe are important for ID system developers to address as they formulate product strategies. The report also points out relevant issues for the research community as they formulate research directions and allocate funds.
This report does not emphasize current Department of Defense (DoD), Air Force (AF), and Defense Information Assurance Program initiatives in intrusion detection systems and technologies. Many of these efforts are specific to the DoD and involve proprietary products, systems, and documentation. In addition, we believe that the DoD and AF are well informed on the ID-related initiatives they are sponsoring. They are supported by other federally funded research and development centers (FFRDCs) (such as MITRE) in this area. Thanks to the Air Force Information Warfare Center (AFIWC), we have included a brief description of Government Off-the-Shelf (GOTS) ID efforts in Section 2.1.4. Our general approach was to analyze publicly available sources that could be of potential use to the DoD and to the general consumer, vendor, and research communities.
Section 1 of the report provides an overview of ID technology from the perspective of the CERT® Coordination Center (CERT/CC).[1] The rapid growth in intrusion activity is fueling an increasing need for ID technology. This section provides context by citing examples that demonstrate how vulnerable networks and systems have become. It is followed by a review of the elements of attacks from the perspective of the attacker and of the victim. To convey how challenging it is to detect intruders, the dimensions of ID technology are characterized. Finally, this section reviews some of the challenges that confront the field of intrusion detection.
Section 2 provides an in-depth look at the current state of ID technology. The section starts with a review of research, commercial, and publicly available tools, and then examines the rate at which industry is adopting commercial products.
We describe some informal experiments we performed with a variety of commercial and research ID tools. Finally, we present what we believe are some of the benefits and shortcomings of the current generation of ID tools.
Section 3 reviews a wide range of issues that need to be confronted if ID systems are to become an effective technology and suggests some solutions. Much of the vendor literature conveys a perception that if one installs an IDS, one no longer has to worry about undetected intrusions. Unfortunately, this is not the case. The issues are broad-ranging and include external pressures from attackers, human factors, and limitations in the current technology. While technology may solve part of the intrusion detection problem, it is likely to be ineffective unless it fits within the organization's business objectives and operations.
Section 4 suggests practices that an organization should adopt if it wants to derive the greatest benefit from an IDS.
Section 5 provides recommendations for the intrusion detection sponsor, user, vendor, and research communities.
The appendices provide supporting information in several areas.
Appendix A defines terms as they are used in this report. Terminology is not applied consistently, given the immaturity of the ID field, so having a set of definitions is important.
Appendix B provides a list of references.
Appendix C defines acronyms used in this report.
Appendix D contains a review of selected ID technology literature, providing supporting detail for Section 2.1.
Appendix E identifies organizations and standards relevant to intrusion detection.
Appendix F provides a candidate set of criteria that can be used in selecting an intrusion detection system.
All sources (Appendix D) and related efforts (Appendix E) reviewed in preparation of this report are current as of January, 2000.
It is important to note that the scope of this report is also defined by what it does not address:
- the incorporation of IDS management within CSIRTs (computer security incident response teams)
- the role of IDS in threat management, such as defining alarm severity, monitoring, alerting, and policy-based actions
- the role of the IDS administrator (such as converting IDS logs into forensic evidence)
- the development of event response procedures
- the recommendation of enterprise-wide policies based on threats
This report contains many Web references. The intrusion detection field changes rapidly and much information is posted first (and often only) on the Web. Many of these references either become out of date, are modified, or disappear altogether from the original site. During the development of this report, this was a problem. Consequently, we have downloaded a majority of the references into an electronic repository that we can access in the event Web pages are subsequently modified or removed from their original location. This is a somewhat unusual approach but, given the increasing dominance of the Web, we believe that it will become more prevalent.
As a cautionary note, we strongly urge you not to rely on Web references cited in this report (or any other report that is more than three months old) for detailed IDS product information unless you verify that the data is correct. This caution is extended to reports on details about attacks and how these attacks manifest themselves through various monitoring mechanisms.
[1] CERT and CERT Coordination Center are registered in the U.S. Patent and Trademark Office. In response to the attack of the Morris worm in 1988, the Defense Advanced Research Projects Agency (DARPA) decided to create the CERT® Coordination Center (CERT/CC) at the Software Engineering Institute (SEI). The SEI was charged with establishing a capability to quickly and effectively coordinate communication among experts during security emergencies in order to prevent future incidents and building awareness of security issues across the Internet community. Since its inception in 1988, the CERT/CC has responded to more than 20,000 security incidents that have affected over 400,000 sites in the Department of Defense (DoD), other federal agencies, and the private sector. For more information, refer to the CERT/CC Web site at http://www.cert.org.