Advanced
We recommend Computer System Security--An Overview as prerequisite reading for this technology description.
In the mid to late 1960s, as time sharing systems emerged, controlling access to computer resources became a concern. In the 1970s, the Department of Defense (DoD) Ware Report pointed out the need for computer security [Ware 79]. In the mid to late 1970s, a number of systems were designed and implemented using security kernel architectures. In the late 1970s, Tiger Teams began to evaluate the security of various systems. In 1983, the Department of Defense Trusted Computer System Evaluation Criteria - the "orange book" - was published and provided a set of criteria for evaluating computer security control effectiveness [DoD 85]. Research in this area continued through the 1980s, but many facets of computer security control remained a largely manual process. For example, the Internet Worm program of 1988 - which infected thousands of machines and disrupted normal activities for several days - was detected primarily through manual means [Spafford 88]. Today, there are primarily four approaches to achieving a secure computing environment [Kemmerer 94]:
- the use of special procedures - such as password selection and use, access control, and manual review of output products - for working with a system
- the inclusion of additional functions or mechanisms in the system
- the use of assurance techniques - such as penetration analysis, formal specification and verification, and covert channel analysis - to increase one's confidence in the security of a system
- the use of intrusion detection systems (IDSs)
The fourth approach, intrusion detection, is an emerging technology that seeks to automate the detection and elimination of intrusions. IDSs seek to increase the security - and hence the availability, integrity, and confidentiality - of computer systems by eliminating unauthorized system/data access.
Intrusion detection systems (IDSs) are predicated on the assumption that an intruder can be detected through an examination of various parameters such as network traffic, CPU utilization, I/O utilization, user location, and various file activities [Lunt 93]. System monitors or daemons convert observed parameters
into chronologically sorted records of system activities. Called
"audit trails," these records are analyzed by IDSs for unusual or
suspect behavior. IDS approaches include
IDSs designed to protect networks typically monitor network
activity, while IDSs designed for single hosts typically monitor
operating system activity.
Although IDSs are likely to increase the security of computer systems, the collection and processing of audit data will degrade system performance. Note that an IDS can be used to augment crypto-based security systems - which cannot defend against cracked passwords or lost or stolen keys - and to detect the abuse of privileges by authorized users [Mukherjee 94]. User authentication systems can be used to augment IDS systems.
Prototypes of several intrusion detection systems have been developed, and some intrusion detection systems have been deployed on an experimental basis in operational systems. At least one network-based IDS - the Network Security Monitor (NSM) - successfully detected an attack in which an intruder exploited known security flaws to gain access to systems distributed over seven sites, three states, and two countries [Mukherjee 94]. However, additional work is required to determine appropriate levels of auditing, to strengthen the representation of intrusion attempts, and to extend the concept of intrusion detection to arbitrarily large networks [Lunt 93, Mukherjee 94].
Audit trail analysis can be conducted either offline (after the
fact) or in real time. Although offline analysis permits greater
depth of coverage while shifting the processing of audit information
to non-peak times, it can only detect intrusions after the fact.
Real-time IDSs can potentially catch intrusion attempts before the
system state is compromised, but real-time IDSs must run concurrently
with other system applications and will therefore negatively affect
throughput.
In addition to the costs associated with creating and analyzing audit
trails, IDS systems cannot detect all intrusion attempts, primarily
because only known intrusion scenarios can be represented. An
intrusion attempt made using a scenario not represented by an IDS
system may be successful, and some intrusion attempts have succeeded
in either turning off the audit daemon or in modifying the audit data
prior to its being processed by an IDS.
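As an added illustration (not code from the original description), the following Python sketch analyzes a constructed, chronologically ordered audit trail in the offline mode described above: one rule encodes a single known intrusion scenario, and a second check looks for the sequence gaps, reordering, and daemon shutdown that indicate the audit data was altered or cut off before analysis. The record fields, user names, and event names are assumptions made for the example.

```python
from collections import namedtuple

# seq: sequence number assigned by the audit daemon (expected to increase by one);
# ts: timestamp in seconds (constructed values); event: "login_fail", "login_ok", ...
AuditRecord = namedtuple("AuditRecord", "seq ts user event")

# Constructed sample audit trail; users, timestamps and events are made up.
SAMPLE_TRAIL = [
    AuditRecord(1, 100, "alice", "login_ok"),
    AuditRecord(2, 130, "carol", "login_fail"),
    AuditRecord(3, 131, "carol", "login_fail"),
    AuditRecord(4, 132, "carol", "login_fail"),
    AuditRecord(5, 133, "carol", "login_fail"),
    AuditRecord(6, 140, "carol", "login_ok"),
    # seq 7 is absent: a record was removed before the trail reached the analyzer
    AuditRecord(8, 150, "carol", "setuid_root"),
    AuditRecord(9, 120, "bob", "login_ok"),  # timestamp runs backwards
    AuditRecord(10, 160, "carol", "audit_stop"),
]

def detect_brute_force(trail, max_fail=3, window=60):
    """Known-scenario rule: max_fail or more failed logins for one user within
    `window` seconds followed by a success. Anything not matching it is missed."""
    alerts = []
    fails = {}  # user -> timestamps of recent failed logins
    for r in trail:
        if r.event == "login_fail":
            fails.setdefault(r.user, []).append(r.ts)
        elif r.event == "login_ok":
            recent = [t for t in fails.get(r.user, []) if r.ts - t <= window]
            if len(recent) >= max_fail:
                alerts.append(f"{r.user}: {len(recent)} failed logins then success (seq {r.seq})")
            fails.pop(r.user, None)
    return alerts

def check_trail_integrity(trail):
    """Flag evidence that the audit data was tampered with or cut off: a gap in
    sequence numbers, a timestamp going backwards, or the audit daemon stopping."""
    problems = []
    for prev, cur in zip(trail, trail[1:]):
        if cur.seq != prev.seq + 1:
            problems.append(f"sequence gap between {prev.seq} and {cur.seq}")
        if cur.ts < prev.ts:
            problems.append(f"timestamp goes backwards at seq {cur.seq}")
    for r in trail:
        if r.event == "audit_stop":
            problems.append(f"audit daemon stopped by {r.user} at seq {r.seq}")
    return problems
```

The integrity check is the part that matters for the limitation just described: a scenario rule alone says nothing when the records it depends on have been removed or the daemon has been stopped.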
Although most IDSs are designed to support multiple operating systems, audit data collected by monitoring operating system activity will be operating system specific [Mukherjee 94]; this type of data may therefore need to be converted into a standard form before it can be processed by an IDS.
For these reasons, many IDS systems are designed as assistants to
human computer security monitors.
System or network auditing tools and techniques are necessary
enablers for this technology. Depending on the type of IDS, expert
systems technology may also be needed.
This technology is classified under the following categories.
Name of technology: Intrusion Detection
Application category: System Security (AP.2.4.3)
Quality measures category: Security (QM.2.1.5)
Computing reviews category: Operating Systems Security and Protection (D.4.6); Computer-Communication Networks Security and Protection (C.2.0); Security and Protection (K.6.5)
[DoD 85] Department of Defense (DoD) Trusted Computer System Evaluation Criteria (TCSEC) (DoD 5200.28-STD 1985). Fort Meade, MD: Department of Defense, 1985. Also available WWW <URL: http://www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.html> (1985).
[Kemmerer 94] Kemmerer, Richard A. "Computer Security," 1153-1164. Encyclopedia of Software Engineering. New York, NY: John Wiley and Sons, 1994.
[Lunt 93] Lunt, Teresa F. "A Survey of Intrusion Detection Techniques." Computers and Security 12, 4 (June 1993): 405-418.
[Mukherjee 94] Mukherjee, Biswanath; Heberlein, L. Todd; & Levitt, Karl N. "Network Intrusion Detection." IEEE Network 8, 3 (May/June 1994): 26-41.
[Smaha 88] Smaha, Stephen E. "Haystack: An Intrusion Detection System," 37-44. Proceedings of the Fourth Aerospace Computer Security Applications Conference. Orlando, Florida, December 12-16, 1988. Washington, DC: IEEE Computer Society Press, 1989.
[Sundaram 96] Sundaram, Aurobindo. An Introduction to Intrusion Detection [online]. Available WWW <URL: http://www.acm.org/crossroads/xrds2-4/xrds2-4.html> (1996).
[Spafford 88] Spafford, Eugene H. The Internet Worm Program: An Analysis (CSD-TR-823). West Lafayette, IN: Purdue University, 1988.
[Ware 79] Ware, W. H. Security Controls for Computer Systems: Report of Defense Science Board, Task Force on Computer Security. Santa Monica, CA: The Rand Corporation, 1979.
Mark Gerken, Air Force Rome Laboratory
10 Jan 97 (original)