Internet Security Systems

Intro


"Intrusion detection systems" (IDS) identify common attack signatures (misuse detection) or abnormal behavior (anomaly detection).

The need for intrusion detection systems

The goal of intrusion detection systems is that of a dynamic backup to static corporate defenses. Companies are attracted by the lure of the Internet, but increased connectivity implies increased risk to such company data as financial records, strategic plans, trade secrets, inventions, customer lists and source code.

As information technology becomes mission-critical, companies are also concerned about protecting computing resources such as compute time (CPUs), disk storage, network bandwidth and system services.

For example, a common attack faced by corporations comes from dial-up spammers who relay e-mail through corporate servers to take advantage of the greater bandwidth companies have. Corporations are also concerned about legal liability when hackers bounce attacks through compromised systems.

Individuals are as much at risk as corporations. This risk can be to financial information, such as credit card numbers, passwords to pay online services or account information for online financial institutions. For example, if a hacker breaks into your home system and steals the keys to your online stock portfolio, they may be able to trade away your life's savings, and you will probably not be able to receive compensation for your losses. Intruders may also be able to view private information such as web-surfing history, medical records, love letters, wills and image collections.

Intrusion Economics

A firewall that is 99% secure is 100% vulnerable

There is no such thing as a secure system. Even cutting cables and turning off a machine doesn't prevent intrusions: someone can physically break in and steal the entire system, or a janitor could accidentally plug it back in. In particular, "static defenses" such as firewalls still have the weakness of human error. There is no way to prove that there isn't a bug in the configuration or implementation of the firewall. Instead of relying on what should happen, intrusion detection systems show what really does happen. They provide an essential second line of defense for the network.

Static defenses are usually aimed at outsiders. In reality, 80% of losses are due to hacking by insiders. Today's technology is far too complex to expect completely secure systems. The value provided by networks is directly related to ease of use, and usability has an inverse relationship to security. The more corporations try to secure internal networks, the less valuable the networks become. Eventually, the cost of attempting total security outweighs the potential loss. Intrusion detection is a cheap way to provide extra security and make up for the shortcomings of static defenses.

What is intrusion detection?

Intrusion detection is the continuous monitoring of network and system events in order to detect misuse and anomalous behavior. Misuse detection is the easier technique, as it consists primarily of pattern matching between actual traffic and known signatures. Anomaly detection is much more theoretical, and relies upon deviation from known baseline behavior.
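The two techniques side by side, as an added example that is not part of the original page: misuse detection pattern-matches each request against a signature set, while anomaly detection first learns a per-source request-volume baseline from a quiet window and then flags sources that deviate from it. The event data, signatures and the mean-plus-k-standard-deviations threshold are all constructed for illustration.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed sample data (not real traffic): (source_ip, request_line) pairs.
# A quiet training window establishes the baseline for anomaly detection.
BASELINE_EVENTS = [
    (f"10.0.0.{i}", "GET /index.html")
    for i, n in enumerate([3, 2, 4, 3, 2, 5, 3, 4], start=1)
    for _ in range(n)
]
# The observation window mixes normal requests, one request matching a
# known attack pattern, and one source whose volume far exceeds the baseline.
OBSERVED_EVENTS = [
    ("10.0.0.5", "GET /index.html"),
    ("10.0.0.5", "GET /about.html"),
    ("10.0.0.7", "GET /index.html"),
    ("10.0.0.9", "GET /../../etc/passwd"),
    ("10.0.0.7", "GET /products"),
    ("10.0.0.5", "GET /contact"),
] + [("10.0.0.42", f"GET /page{i}") for i in range(40)]

# Misuse detection: signatures of known bad requests (constructed examples).
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./"),
    "sql injection": re.compile(r"(?i)union\s+select|'\s*or\s+1=1"),
}

def misuse_detect(events):
    """Pattern-match every request against the signature set."""
    return [(ip, name) for ip, req in events
            for name, pat in SIGNATURES.items() if pat.search(req)]

def build_baseline(events):
    """Summarise normal per-source request volume as (mean, std dev)."""
    counts = list(Counter(ip for ip, _ in events).values())
    return mean(counts), pstdev(counts)

def anomaly_detect(events, baseline, k=3.0):
    """Flag sources whose request count exceeds mean + k * std dev of the baseline."""
    mu, sigma = baseline
    threshold = mu + k * sigma
    counts = Counter(ip for ip, _ in events)
    return sorted(ip for ip, c in counts.items() if c > threshold)

if __name__ == "__main__":
    print("misuse:", misuse_detect(OBSERVED_EVENTS))
    print("anomaly:", anomaly_detect(OBSERVED_EVENTS, build_baseline(BASELINE_EVENTS)))
```

The signature check catches only what is already in SIGNATURES, and the anomaly check is only as good as its training window: if that window already contained attack traffic, the baseline absorbs it and the threshold rises, which is why the "known baseline" the text assumes must be established from traffic believed to be clean.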

autonomous
must run continuously in the background, and must not depend upon care and feeding by administrators (such as visual inspection of logfiles).
fault tolerant
must be resistant to network faults, because intruders deliberately induce network faults to foil such systems.
resist subversion
must be hardened against attacks upon the intrusion detection system itself; otherwise it provides little additional security.
minimal impact
an essential benefit of dynamic defense is that it doesn't add overhead to day-to-day operation in the way static defense does.
pre-tailored
must provide effective, out-of-the-box intrusion detection; otherwise administrators must attempt to defeat hacker intrusions themselves.
easily tailored
system administrators must be able to tweak the system to respond to issues peculiar to their installation.
