Antivirus approaches
Virus scanning and virus prevention techniques are normally used to prevent viruses from compromising valuable network resources.
Virus scanners
Virus scanners use pattern-matching algorithms that can scan for many different signatures at the same time. These algorithms include scanning capabilities that detect known and unknown worms and Trojan horses. These products scan hard disks for viruses and, if any are found, remove or quarantine them. Antivirus software also performs auto-update functions that automatically download signatures of new viruses into the virus-scanning database.
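The single-pass, many-signatures scanning described above can be implemented with an Aho-Corasick automaton. The following is an added example written for this page, not code from the original text or from any antivirus product; the signature database, the detection names and the in-memory "files" are constructed for illustration and are not real malware signatures.

```python
"""Multi-signature scanner (added example; not code from the page).

Shows how a virus scanner checks a file against many byte signatures in a
single pass over the data using an Aho-Corasick automaton. The signature
database and the sample "files" are constructed for this example and are
not real malware signatures.
"""
from collections import deque

# Constructed signature database: detection name -> byte pattern (hypothetical values).
SIGNATURES = {
    "Test.Sample.A": b"SAMPLE-SIG-A",
    "Test.Sample.B": b"\x90\x90\xcc\xcc",
    "Test.Sample.C": b"TEST-MARKER-C",
}


class SignatureAutomaton:
    """Aho-Corasick automaton: every signature is matched in one pass over the input."""

    def __init__(self, signatures):
        self.goto = [{}]      # per-state transitions: byte value -> next state
        self.fail = [0]       # failure link per state
        self.output = [[]]    # signature names matched on reaching each state
        for name, pattern in signatures.items():
            state = 0
            for byte in pattern:
                if byte not in self.goto[state]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.output.append([])
                    self.goto[state][byte] = len(self.goto) - 1
                state = self.goto[state][byte]
            self.output[state].append(name)
        # Breadth-first pass to compute failure links (longest proper suffix that is also a prefix).
        queue = deque(self.goto[0].values())
        while queue:
            current = queue.popleft()
            for byte, nxt in self.goto[current].items():
                queue.append(nxt)
                link = self.fail[current]
                while link and byte not in self.goto[link]:
                    link = self.fail[link]
                self.fail[nxt] = self.goto[link].get(byte, 0)
                # Inherit matches that end at the failure state (handles overlapping signatures).
                self.output[nxt].extend(self.output[self.fail[nxt]])

    def scan(self, data):
        """Return (offset_of_last_byte, signature_name) for every match found in data."""
        hits = []
        state = 0
        for offset, byte in enumerate(data):
            while state and byte not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(byte, 0)
            for name in self.output[state]:
                hits.append((offset, name))
        return hits


def scan_files(files, signatures=SIGNATURES):
    """files: mapping path -> bytes. Returns {path: [signature names]} for files that match."""
    automaton = SignatureAutomaton(signatures)
    infected = {}
    for path, data in files.items():
        names = sorted({name for _, name in automaton.scan(data)})
        if names:
            infected[path] = names
    return infected


# Constructed in-memory "files" standing in for a disk scan.
SAMPLE_FILES = {
    "/srv/clean.bin": b"nothing unusual in this file",
    "/srv/dropper.bin": b"header\x90\x90\xcc\xcc payload SAMPLE-SIG-A trailer",
    "/srv/report.bin": b"prefix TEST-MARKER-C suffix",
}

if __name__ == "__main__":
    for path, names in scan_files(SAMPLE_FILES).items():
        # A real product would quarantine (move to an isolated store) or remove the file here.
        print(f"{path}: quarantine candidate, matched {', '.join(names)}")
```

The automaton is built once from the signature database and then reused for every file, which is what makes scanning for thousands of signatures no slower than scanning for one; updating the database (the auto-update function the text mentions) means rebuilding the automaton.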
Virus prevention
Virus prevention software usually resides in memory and monitors system activity, or filters incoming executable programs and specific file types. When a virus attempts to access a program or boot sector, the system is halted and the user is prompted to remove that particular type of malicious code.
Intrusion detection and response
Intrusion detection and response is the task of monitoring systems for evidence of intrusions or inappropriate usage and responding to this evidence. Response includes notifying the appropriate parties to take action to determine the extent and severity of an incident and to remediate the incident's effects. ID, therefore, is the detection of inappropriate, incorrect, or anomalous activity.
An intrusion detection and response capability has two primary components:
- Creation and maintenance of intrusion detection systems (IDSs) and processes for host and network monitoring and event notification
- Creation of a computer incident response team (CIRT) for the following tasks:
- Analysis of an event notification
- Response to an incident if the analysis warrants it
- Escalation path procedures
- Resolution, post-incident follow-up, and reporting to the appropriate parties.
Various types of IDSs exist. The most common approaches to ID are statistical anomaly detection (also known as behavior-based) and signature-based (also known as knowledge-based or pattern-matching) detection. Intrusion detection systems that operate on a specific host and detect malicious activity on that host only are called host-based ID systems. ID systems that operate on network segments and analyze that segment’s traffic are called network-based ID systems. Because there are pros and cons of each, an effective IDS should use a combination of both network- and host-based IDSs. A truly effective IDS will detect common attacks as they occur, which includes distributed attacks.
Network-based IDSs
Network-based IDSs reside on a discrete network segment and monitor the traffic on that segment. They usually consist of a network appliance with a network interface card (NIC) that is operating in promiscuous mode and is intercepting and analyzing the network packets in real time. A network-based IDS involves looking at the packets on the network as they pass by some sensor. The sensor can only see the packets that happen to be carried on that particular network segment. Network traffic on other segments and traffic on other means of communication (such as phone lines) can't be monitored properly by a network-based IDS.
Packets are identified to be of interest if they match a signature.
Three primary types of signatures are as follows:
- String signatures: look for a text string that indicates a possible attack.
- Port signatures: watch for connection attempts to well-known, frequently attacked ports.
- Header condition signatures: watch for dangerous or illogical combinations in packet headers.
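The three signature types just listed, applied by a toy network IDS engine to constructed packet records. This is an added example written for this page, not code from the original text or from any IDS product; the packet field names, the particular signatures and the sample packets are this example's assumptions.

```python
"""Toy network IDS signature engine (added example, not code from the page).

Applies the three signature types described above -- string, port and
header-condition -- to constructed packet records. Packets are plain dicts
so the example runs offline without a capture library; the field names and
the particular signatures are assumptions made for this example.
"""


def string_signature(name, needle):
    """String signature: alert when a byte string appears in the payload."""
    return name, lambda pkt: needle in pkt["payload"]


def port_signature(name, ports):
    """Port signature: alert on a TCP connection attempt (SYN without ACK) to a watched port."""
    return name, lambda pkt: (pkt["proto"] == "tcp" and "SYN" in pkt["flags"]
                              and "ACK" not in pkt["flags"] and pkt["dport"] in ports)


def header_signature(name, predicate):
    """Header-condition signature: alert when the header fields satisfy a predicate."""
    return name, predicate


# Constructed signature set (names and contents are this example's assumptions).
SIGNATURES = [
    string_signature("string: directory traversal in HTTP request", b"../.."),
    port_signature("port: connection attempt to telnet/rlogin", {23, 513}),
    header_signature("header: illegal SYN+FIN flag combination",
                     lambda pkt: {"SYN", "FIN"} <= pkt["flags"]),
]

# Constructed packet records standing in for decoded packets on the monitored segment.
PACKETS = [
    {"id": 1, "src": "10.0.0.5", "dst": "10.0.0.9", "proto": "tcp", "dport": 80,
     "flags": {"SYN"}, "payload": b""},
    {"id": 2, "src": "10.0.0.5", "dst": "10.0.0.9", "proto": "tcp", "dport": 23,
     "flags": {"SYN"}, "payload": b""},
    {"id": 3, "src": "10.0.0.7", "dst": "10.0.0.9", "proto": "tcp", "dport": 80,
     "flags": {"SYN", "FIN"}, "payload": b""},
    {"id": 4, "src": "10.0.0.8", "dst": "10.0.0.9", "proto": "tcp", "dport": 80,
     "flags": {"ACK", "PSH"}, "payload": b"GET /../../private.txt HTTP/1.0\r\n"},
]


def match_packets(packets, signatures=SIGNATURES):
    """Return (packet id, source address, signature name) for every signature hit."""
    alerts = []
    for pkt in packets:
        for name, test in signatures:
            if test(pkt):
                alerts.append((pkt["id"], pkt["src"], name))
    return alerts


if __name__ == "__main__":
    for pkt_id, src, name in match_packets(PACKETS):
        print(f"packet {pkt_id} from {src}: {name}")
```

Packet 1 is an ordinary connection to a web port and produces no alert; packets 2, 3 and 4 each trip exactly one signature type. Note that every check here is per packet: a sensor that only sees one packet at a time cannot tell whether the traversal request in packet 4 actually succeeded, which is the limitation the text describes next.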
A network-based IDS usually provides reliable, real-time information without consuming network or host resources. A network-based IDS is passive when acquiring data and reviewing packets and headers. It can also detect DoS attacks. Furthermore, because this IDS is monitoring an attack in real time, it can respond to an attack in progress to limit damage.
One problem with a network-based IDS is that it will not detect attacks against a host made by an intruder who is logged in at the host's terminal. If a network IDS, along with some additional support mechanism, determines that an attack is being mounted against a host, it is usually not capable of determining the type or effectiveness of the attack being launched.
Host-based IDSs
Host-based IDSs use small programs (intelligent agents) that reside on a host computer. They monitor the operating system, detecting inappropriate activity, writing to log files, and triggering alarms. Host-based systems look for activity only on the host computer; they do not monitor the entire network segment. A host-based IDS can review the system and event logs to detect an attack on the host and to determine whether the attack was successful. Detection capabilities of host-based IDSs are limited by the incompleteness of most host audit log capabilities.
In particular, host-based IDSs have the following characteristics:
- They monitor accesses and changes to critical system files and changes in user privileges.
- They detect trusted insider attacks better than a network-based IDS.
- They are relatively effective for detecting attacks from the outside.
- They can be configured to look at all network packets, connection attempts, or login attempts to the monitored machine, including dial-in attempts or other non–network-related communication ports.
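Two of the host-based checks listed above, monitoring changes to critical system files and reviewing audit logs for privilege changes and failed logins, in a small agent sketch. This is an added example written for this page, not code from the original text or from any host IDS product; the file contents, the log line format (modelled on common syslog output) and the failure threshold are assumptions made for this example.

```python
"""Host-based IDS agent sketch (added example, not code from the page).

Two of the checks a host-based agent performs: (1) detecting changes to
critical system files by comparing hashes against a stored baseline, and
(2) reviewing authentication log lines for privilege changes and repeated
failed logins. Files and log lines are constructed in memory so the example
runs offline; the log format is an assumption modelled on common syslog output.
"""
import hashlib
import re
from collections import Counter


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files):
    """files: mapping path -> bytes. Returns path -> SHA-256 hex digest."""
    return {path: sha256(data) for path, data in files.items()}


def check_integrity(baseline, current):
    """Compare a fresh snapshot against the baseline; returns sorted (path, change) pairs."""
    findings = []
    for path, digest in baseline.items():
        if path not in current:
            findings.append((path, "missing"))
        elif sha256(current[path]) != digest:
            findings.append((path, "modified"))
    for path in current:
        if path not in baseline:
            findings.append((path, "added"))
    return sorted(findings)


# Log patterns (assumed syslog-style wording for this example).
AUTH_FAIL = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
PRIV_CHANGE = re.compile(r"usermod\[\d+\]: add '(\S+)' to group '(\S+)'")


def review_auth_log(lines, fail_threshold=3):
    """Flag privilege changes and any source with >= fail_threshold failed logins."""
    alerts = []
    failures = Counter()
    for line in lines:
        m = PRIV_CHANGE.search(line)
        if m:
            alerts.append(f"privilege change: {m.group(1)} added to group {m.group(2)}")
        m = AUTH_FAIL.search(line)
        if m:
            failures[m.group(2)] += 1
    for src, count in failures.items():
        if count >= fail_threshold:
            alerts.append(f"repeated failed logins: {count} from {src}")
    return alerts


# Constructed snapshots of "critical files" (contents are placeholders, not real system files).
BASELINE_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "/bin/ls": b"ELF-placeholder-binary",
}
CURRENT_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nextra:x:1001:1001::/home/extra:/bin/sh\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "/etc/cron.d/job": b"* * * * * root /usr/local/bin/job\n",
}

# Constructed authentication log lines (addresses are documentation ranges).
LOG_LINES = [
    "Mar  1 10:00:01 host sshd[1200]: Failed password for invalid user admin from 203.0.113.9 port 5100 ssh2",
    "Mar  1 10:00:03 host sshd[1201]: Failed password for root from 203.0.113.9 port 5102 ssh2",
    "Mar  1 10:00:05 host sshd[1202]: Failed password for root from 203.0.113.9 port 5104 ssh2",
    "Mar  1 10:01:00 host sshd[1203]: Accepted password for alice from 10.0.0.5 port 5200 ssh2",
    "Mar  1 10:02:00 host usermod[1300]: add 'alice' to group 'sudo'",
]

if __name__ == "__main__":
    for path, change in check_integrity(build_baseline(BASELINE_FILES), CURRENT_FILES):
        print(f"integrity: {path} {change}")
    for alert in review_auth_log(LOG_LINES):
        print(f"audit log: {alert}")
```

The baseline digests should be stored where a process on the monitored host cannot rewrite them (or signed), otherwise an intruder who has already gained control of the host can update the baseline along with the files. The log review only finds what the host actually logs, which is the audit-completeness limitation the text notes.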
An IDS detects an attack through one of two conceptual approaches: a signature-based IDS or a statistical anomaly-based IDS. These two mechanisms are also referred to as knowledge-based and behavior-based IDS, respectively.
Signature-based IDSs
In a signature-based IDS or knowledge-based IDS, signatures or attributes that characterize an attack are stored for reference. Then, when data about events is acquired from host audit logs or from network packet monitoring, this data is compared with the attack signature database. If there is a match, a response is initiated. This method is more common than using behavior-based IDSs. Signature-based IDSs are characterized by low false alarm (false positive) rates and, generally, are standardized and understandable by security personnel. A weakness of the signature-based IDS approach is the failure to characterize slow attacks that extend over a long period of time. To identify these types of attacks, large amounts of information must be held for extended time periods. Another issue with signature-based IDSs is that only attack signatures that are stored in their database are detected.
Additional disadvantages of signature-based IDSs include the following:
- The IDS is resource-intensive. The knowledge database continually needs maintenance and updating with new vulnerabilities and environments to remain accurate.
- Because knowledge about attacks is very focused (dependent on the operating system, version, platform, and application), new, unique, or original attacks often go unnoticed.
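The statistical anomaly-based (behavior-based) alternative named above works from a learned profile of normal activity rather than from stored attack signatures, so it can flag a new or unique attack that no signature describes. The following is an added example written for this page, not code from the original text or from any IDS product; the per-user hourly connection counts are constructed and the z-score threshold of 3 is an assumption.

```python
"""Statistical anomaly-based detection (added example, not code from the page).

Learns a per-user baseline (mean and standard deviation of hourly outbound
connection counts) and alerts when a new observation deviates by more than
a threshold. Counts are constructed; the threshold is an assumption.
"""
from statistics import mean, pstdev

# Constructed training data: user -> hourly outbound-connection counts observed
# during a period believed to be free of attacks.
BASELINE_OBSERVATIONS = {
    "alice": [12, 15, 11, 14, 13, 12, 16, 14, 13, 15],
    "bob": [3, 2, 4, 3, 2, 3, 4, 2, 3, 3],
}


def learn_profiles(observations):
    """Return user -> (mean, population standard deviation) of the training counts."""
    return {user: (mean(counts), pstdev(counts)) for user, counts in observations.items()}


def anomaly_score(profile, value):
    """Z-score of an observation against a (mean, stddev) profile."""
    mu, sigma = profile
    if sigma == 0:
        # A perfectly constant baseline: any change is treated as an extreme deviation.
        return float("inf") if value != mu else 0.0
    return (value - mu) / sigma


def detect(profiles, window, threshold=3.0):
    """Return (user, count, reason) for each observation in the window that is anomalous.

    Users without a baseline are reported separately: the detector cannot judge
    them, which is itself worth an analyst's attention.
    """
    alerts = []
    for user, count in window.items():
        if user not in profiles:
            alerts.append((user, count, "no baseline"))
            continue
        z = anomaly_score(profiles[user], count)
        if abs(z) > threshold:
            alerts.append((user, count, f"z={z:.1f}"))
    return alerts


# Constructed observations for one new hour; bob's count has no matching attack
# signature but is far outside his learned profile.
CURRENT_WINDOW = {"alice": 14, "bob": 40, "mallory": 5}

if __name__ == "__main__":
    profiles = learn_profiles(BASELINE_OBSERVATIONS)
    for user, count, reason in detect(profiles, CURRENT_WINDOW):
        print(f"{user}: {count} connections this hour ({reason})")
```

The trade-off against the signature approach is visible in the threshold: lowering it catches subtler deviations but raises the false positive rate, and the profile must be refreshed as legitimate behaviour changes, or normal drift starts to look like an attack (and a slow attack that is present during training becomes part of "normal").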
IDS issues
Many issues confront the effective use of an IDS. These include the following:
- Increases in the types of intruder goals, intruder abilities, tool sophistication, and diversity, as well as the use of more complex, subtle, and new attack scenarios
- The use of encrypted messages to transport malicious information
- The need to inter-operate and correlate data across infrastructure environments with diverse technologies and policies
- Ever-increasing network traffic
- The lack of widely accepted IDS terminology and conceptual structures
- Volatility in the IDS marketplace, which makes the purchase and maintenance of IDSs difficult
- Risks inherent in taking inappropriate automated response actions
- Attacks on the IDSs themselves
- Unacceptably high levels of false positives and false negatives, making it difficult to determine true positives
- The lack of objective IDS evaluation and test information.
- The fact that most computing infrastructures are not designed to operate securely.
- Limited network traffic visibility resulting from switched local area networks (faster networks preclude effective real-time analysis of all traffic on large pipes)