what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ids.html

ids.html
Posted Aug 15, 2001
Authored by John Kozubik

Structural Versus Operational Intrusion Detection - Intrusion Detection White Paper - short and basic, comments requested.

tags | paper
SHA-256 | cfd5087f398936a2452254bff2bf5e88f99d40c2d03717f3d22bf3650b088a50

ids.html

Change Mirror Download
<table width=600>
<tr><td>

Structural Versus Operational Intrusion Detection
<p>
John Kozubik - john@kozubik.com
<p>

Introduction
<p>
As the field of intrusion detection systems (IDS) has evolved, the focus of custom, open, and commercial
solutions has been on structural, rather than operational, analysis and detection. Structural IDS will be
defined as identifying and monitoring unusual actions and objects in the network and computers
participating on the network. Some examples of these actions and objects are: failed logins, strange
packets, and attempts at access violations by otherwise authenticated users. Operational IDS will be
defined as the procedures used to identify intruders using otherwise valid credentials and presenting no
other attributes that would normally be caught by the structural IDS in place on the network.
<p>
Although structural IDS plays an important role in the continued security of a network installation, it is
crude in the sense that it does not offer methods of distinguishing between two people - both logging in at
the same physical terminal, using the same valid credentials, at the same time of day, on the same day of
the week, and accessing the same information - one of whom is a valid user, the other an intruder. Indeed,
setting alerts on failed logins, scanning and analyzing both traffic and content, and watching for deviations
in the network ?fingerprint? outside of the thresholds established by the administrators can only go so far. It
is clear that sophisticated attackers seeking sensitive information will be using social engineering
techniques to gain access, rather than using crude Denial of Service (DOS) attacks and brute forcing login
credentials.
<p>
This document will explain the differences between structural and operational IDS, will discuss the
shortcomings of structural IDS that make it necessary to employ operational IDS, and will offer a few
examples of operational IDS in practice.
<p>
Structural and Operational IDS
<p>
Structural IDS plays an important role in the security of a network installation. Those serious about
securing networks will most certainly continue to apply the practices and tools developed in this realm. It
is important to realize, however, that structural IDS is reactive, and prone to frequent and rapid
obsolescence. Structural IDS looks at network activity and user behavior. It defines a set of unacceptable
behavior, and takes action when this unacceptable behavior does take place. Further, structural IDS can be
used with thresholds in which no particular disallowed ?object? is discovered, but the statistical activity of
the users and networks violates a pre-set (and sometimes automatically evolving) threshold. Finally, some
IDS have the ability to react to the discovery of these ?objects? with more than just a simple alert in an
attempt to dynamically lock down the breach. Structural IDS is therefore reactive because some pre-
determined rule has to be broken in order to activate the system. Most administrators will not consider a
crude attempt at DOS by an unsophisticated prankster an intrusion per se, but in the classical sense, the
intrusion has already taken place by the time anyone knows about it. Structural IDS is also prone to
obsolescence because the rule set becomes outdated the moment that any computer user discovers a new
exploit or breach. Although structural IDS holds the promise of ?self-evolving? systems in which the
system can reconfigure what it looks for based on new attacks, and further synchronize itself with publicly
known databases of exploits, these techniques remain reactive, it cannot evolve until at least one attack has
already taken place. There will always be lag time between the discovery of an exploit and its inclusion on
public databases.
<p>
Both of these shortcomings are unavoidable and do not detract from the usefulness of and necessity for
structural IDS. However, operational IDS must be deployed as well so as to detect the sophisticated
intrusions that will not show up on the radar screens of the structural IDS.
<p>
A Sophisticated Intrusion Scenario
<p>
An employee working for firm X logs on to his workstation and checks his mail once or twice a day
between the hours of 8:00 AM and 5:00 PM. He very seldom mistypes his password, and usually does not
do anything else, perhaps logging off after a short period of time. The information contained in this
employees mail is sensitive, and is coveted by the competitors of firm X. An intruder eavesdrops on the
login activity of the employee. The methods are not important in this example, but they could include
high-resolution video monitoring, simple shoulder-surfing, or even TEMPEST. Later, as the employee
leaves his station, the intruder approaches the station and logs on using the correct credentials. The intruder
proceeds to log in, and compromises the information contained in the mail.
<p>
This intrusion took place within the threshold of hours of operation (otherwise the employee himself would
have been setting off alerts), it took place with correct credentials, and did not create network activity
outside of the acceptable thresholds (otherwise, again, the employee himself would have been setting off
alerts). Thus, sensitive information was compromised in such a manner that did not register as even a blip
on the radar screen of the structural IDS presumably in place.
<p>
Several methods have been previously suggested to deal with an intrusion of this manner. Most notably, on
many operating systems and applications, the legitimate user is informed the next time he accesses the
system of his last access time. This, of course, is too little too late after sensitive information has been
compromised. In addition, the use of complex authentication methods has been proposed, utilizing
everything from voiceprint analysis to number generation challenge/response systems. Although these
systems do address the need for a proactive approach to IDS (certainly alerts would be generated based on
the improper use of these tools) it does not solve the problem created when the above scenario is
augmented with a gun. These mechanisms are simply ways of enlarging a password. Traditionally there is
simply a text password, which can in turn be augmented with a retina scan, and a voiceprint, and a thumb
scan. Even using all of these systems in parallel does not create qualitative improvement in the ability of
the system to identify attackers, but rather only a quantitative one. An intruder can just as easily threaten
with death or bodily harm the holder of a password as they can the holder of a password, a number
generation card, a retina, and a voiceprint. It is clear that the structural IDS in place would still not
recognize this ?gun to the head? approach as an attack.
<p>
Operational IDS as a Solution
<p>
To recognize an otherwise authenticated user who does not present any deviation from the acceptable
thresholds established in a structural IDS, operational IDS is needed. It is important to note that operational
IDS, as defined here, is not an algorithm or a software package or an architecture. Rather, it is a paradigm
shift in which the users of IDS stop adding more and more brute force to their reactive measures and their
passwords, but look at how users will actually be using sensitive resources, and how intruders will be using
them in the same way that would be undetectable. How can we force an intruder to reveal themselves?
How can we implement a system of authentication that will not be noticed by an attacker - a system of
authentication that the attacker does not even recognize as a system of authentication? The answers to
these questions are not found by analyzing traffic or scouring exploit databases. The answers are found
With common sense and taking creative approaches to detecting intrusions. This is certainly very vague,
and does not serve to illustrate the point very well - therefore a (simple) example is called upon.
<p>
All employees at firm X use their workstations frequently throughout the day to check mail. Their mail
contains sensitive information that their competitors covet. Further, the employees of this firm are
completely loyal, but would aid an attacker if their life was at stake. These employees have been given
three pieces of information:
<p>
1. A list of 10 commonly used commands, with arguments, that they are to choose from random every
time they log in and execute within 10 seconds of logging in. The commands on the list could contain
things like ?ps -ef | grep (process)? or ?grep susan /var/mail/(username)?.
<p>
2. The knowledge that if they do not enter one of these commands within 10 seconds, a lot of annoying
things are going to happen for them and for the IS department.
<p>
3. The knowledge that nobody outside of the completely loyal employees has any knowledge whatsoever
of this list, its conditions, or its use. Further, they are told that this is very sensitive information
(remember that they are completely loyal employees).
<p>
Now, employee X, as in the first example, logs on to his workstation and checks his mail once or twice a
day between the hours of 8:00 AM and 5:00 PM. He very seldom mistypes his password, and usually does
not do anything else, perhaps logging off after a short period of time. In addition, he chooses one of the
commands on the list and executes them within ten seconds of logging on. An intruder eavesdrops on this
employee in some fashion (see the first example) and not only witnesses the use of the login credentials,
but witnesses the user check their mail spool for a message from their wife, and witnesses the user proceed
to do this and that mundane activity that they always do and then log off.
<p>
The normal method of intrusion, in which a standard password is used, is foiled by this system of
operational intrusion detection - the attacker in this example will have no reason to waste time grepping
mail for ?susan?. After ten seconds, the workstation will stop responding, or better still, will hang
convincingly or will send dummy data and screen information. In an abnormal intrusion, with elaborate
passwords (number generators, thumb prints, retina scans), where a threat of violence will be involved, this
system also foils the attacker. The employee knows that the outside world does not know of the 10-second
command set, and does not volunteer information about it, further, the attacker still has no conception of
this elaborate system of challenge/response (the challenge being the computer allowing the login, the
response being one of the 10 commands). The attacker may still decide to pull the trigger in spite of their
(seemingly) successful login, but at least the data is safe.
<p>
Analysis
<p>
Certainly the above example is crude, but it serves to show how a thoughtful system of operational IDS can
foil even the most sophisticated attackers. Other examples might include a hidden microphone at the
workstation, and a system in which every employee is taken aside and instructed to say a unique, innocuous
phrase within 10 seconds of logging on ?let?s get to work?, or ?oh heck, I forgot?.?. Unlike traditional
voice-print analysis which simply lengthens the password the user is using, this system could remain
unnoticed by an intruder, and even when force is used, if the employee can be convinced that the attacker
has no knowledge of this system, they will not volunteer it. The attacker, again, will think they have been
authenticated, when in reality the data they are seeing is fake and human security is on the way.
<p>
Conclusion
<p>
The traditional, structural methods of IDS play an important role in the security of a network installation.
As has been shown, however, sophisticated attacks that do not violate their ruleset will be successful.
Some mechanisms (last login, for instance) will eventually alert the users (if they can be counted on to
follow responsible procedures), but only after the fact. Security managers must look farther than strange
packets and failed logins if they are to successfully ward off sophisticated attackers. This involves
examining the human behavior involved and finding operational mechanisms that will identify intruders
that otherwise do not show any characteristics of being an intruder.
</td></tr></table>

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close