Kuda idiosz, IDS - What is going on with the IDS?
Куда идёш, ИДС?
For non-Russian speakers I would like to translate the title as "What is going on with the IDS?" The choice of Russian is not accidental: it pays homage to the originator of what is, in my opinion, the most efficient heuristic antivirus scanner. Another reason is that I see certain similarities between antivirus scanners and IDS scanners as they evolve, and I believe that sooner or later a revolutionary technology will take network intrusion detection well into the future.
While looking through commercial offers for IDS products, one may get the impression that in the near future it will no longer be necessary to have an experienced administrator or security guru monitor and maintain IT security systems. Already, the administrator's role is seen as "a monkey with nothing better to do than push a flashing button". Such a perception may be explained by increasingly "intelligent" IDS solutions. Many of them are based on neural networks and are capable of learning what the normal behaviour of a private network is, what goes beyond the standard and what remains within acceptable limits. However, from the start I would like to calm what are surely unjustified fears among the network administrators reading this article. At present, no intelligent security system is able to replace an administrator in his job. This is mainly because even the most sophisticated intrusion detection systems cannot provide an exhaustive correlation of related events, and even though certain IDSes weed out security-related events, they generate too many errors, which may be enough to defeat the entire purpose of the IDS.
Today, two types of IDS are available on the market. One relies on analysing each incoming packet to decide whether or not it matches a specific attack signature, while the other is based on the characteristic behaviour of networks and users. The drawback of the first solution is that, although efficient, it can only deal with attacks that are already recognised and present in its repertoire of attack signatures. Therefore, these systems must be updated to remain effective, and they are vulnerable to new types of attacks that have not yet been identified. The "intelligent" IDS approaches have built-in neural network components and are believed to be able to detect new types of attacks, provided that the attack behaviour is "sufficiently aberrant". This rule also applies to known attack patterns. The trend is to provide an integrated solution that combines both types of products, so that the "intelligent" IDS alleviates the limitation of the signature-based one to well-known attack patterns.
Poor correlation of events is another weakness of intrusion detection systems. Imagine that someone is planning to break into your network. To do so, he starts by scanning the network, proceeding very carefully and looking for possible IDS-based protection. Then the attacker scans your Web server for a few days and, to disguise the scan, sends a single probe packet every few hours while continuously browsing your Web pages on the same server. For most, if not all, IDSes such a situation will be considered normal activity, and the attacker's scanner packets would remain undetected (because of an apparent lack of correlation). A knowledgeable and experienced administrator, however, would be able to notice that someone is browsing the same Web site at regular intervals and from time to time is sending "anomalous" packets.
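The correlation gap described above can be made concrete. The following Python script is an added example, not code from the original article: it runs two detectors over a constructed sensor log, a threshold detector that looks only at probe packets within a short window (the behaviour of a typical per-packet IDS), and a correlator that, like the experienced administrator, flags a source that both browses the Web server and sends sparse anomalous packets across several days. The log format, addresses and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sensor log (values are made up): "timestamp,src_ip,event",
# where event is "http" for an ordinary page request and "probe" for a packet
# the sensor marked as anomalous (e.g. an odd flag combination). 10.0.0.7 browses
# the server daily and sends one probe every few hours over three days.
SAMPLE_LOG = """\
2001-10-01T08:02:11,10.0.0.7,http
2001-10-01T08:05:40,10.0.0.7,http
2001-10-01T09:10:02,10.0.0.7,probe
2001-10-01T14:22:09,10.0.0.7,http
2001-10-01T15:09:55,10.0.0.7,probe
2001-10-02T08:11:30,10.0.0.7,http
2001-10-02T10:31:17,10.0.0.7,probe
2001-10-03T09:00:04,10.0.0.7,http
2001-10-03T11:45:36,10.0.0.7,probe
2001-10-01T08:03:00,10.0.0.9,http
2001-10-02T08:04:00,10.0.0.9,http
2001-10-03T08:05:00,10.0.0.9,http
2001-10-01T12:00:00,10.0.0.21,probe
"""

def parse_log(text):
    """Group (timestamp, event) pairs per source address, sorted by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, src, kind = line.strip().split(",")
        events[src].append((datetime.fromisoformat(ts), kind))
    for src in events:
        events[src].sort()
    return events

def per_packet_alerts(events, threshold, window_hours):
    """Short-window detector: alert only if `threshold` probes from one source
    fall within `window_hours`. Probes hours apart never trigger it."""
    window = timedelta(hours=window_hours)
    alerted = set()
    for src, evs in events.items():
        probes = [t for t, k in evs if k == "probe"]
        for i in range(len(probes) - threshold + 1):
            if probes[i + threshold - 1] - probes[i] <= window:
                alerted.add(src)
                break
    return alerted

def correlated_alerts(events, min_probes, min_days):
    """Cross-day correlator: flag a source that browses the server normally
    and also sends at least `min_probes` probes spread over `min_days` days."""
    alerted = set()
    for src, evs in events.items():
        browsed = any(k == "http" for _, k in evs)
        probe_days = {t.date() for t, k in evs if k == "probe"}
        n_probes = sum(1 for _, k in evs if k == "probe")
        if browsed and n_probes >= min_probes and len(probe_days) >= min_days:
            alerted.add(src)
    return alerted
```

Run over the sample log, the window detector returns no alerts while the correlator singles out 10.0.0.7; the same logic applies to any sensor log that can be reduced to timestamp, source and event class.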
Yet another problem could be created by an apparently normal series of events evenly distributed in time that nonetheless poses a very serious threat to the system: a denial of service (DoS) attack. This is a well-known type of attack and every robust IDS should detect it efficiently, but one may never know whether it is going to be absolutely perfect.
See tomorrow's trends of IDS today
The immediate future of intrusion detection systems is not expected to bring considerable progress in quality, although a few promising projects are planned. Instead, there are visible signs that future solutions will merge all IDS software with firewall, anti-virus or network management technologies into a complete cooperative system. Note that new viruses increasingly evolve not only to infect and destroy operating systems but also to penetrate networks, often infecting a local server first and from there searching for further victims to attack. Consider, for example, the Nimda worm that recently wreaked havoc on computers worldwide. It is quite clear that an IT system should be protected not only against the targeted action of a human being but also against the uncontrollable action of a software program. What does this mean? A network attack may come not only from people but also from a program, and therefore an IDS must also become an antivirus monitoring tool. The next implication is that IDS solutions should become more integrated with firewalls: a firewall must be aware that an incoming packet contains a suspicious payload and should block it (a caveat is that not all firewalls inspect the inside of packets). For better consistency and quality, the network management approach seems worth implementing. One of the elements of network breach detection is reasoning over audit records collected from various machines (primarily servers). So it is important to have a well-developed environment to pool and manage the efforts of network servers and devices. Certain solutions currently available on the market offer this feature, for example the commercial Unicenter TNG (http://www.cai.com). Unfortunately I am unaware of a free downloadable equivalent and would appreciate it if anyone has information about such a product. In that case, please contact me; surely a wider audience will be interested.
Personally, I consider the freeware utility Snort (http://www.snort.org) a very valuable tool: although devoid of shiny embellishments and working on the signature-matching principle only, it enables the administrator to set up precisely everything he needs and even, to a certain extent, to implement signatures for access to network sites. Naturally, this necessitates a very carefully planned security policy in terms of access to Web resources. Upcoming products such as EMERALD (Event Monitoring Enabling Responses to Anomalous Live Disturbances) seem promising enough; for more information, see http://www.sdl.sri.com/emerald/index.html. Its originators have proposed a hierarchically layered network monitoring system, with information collected directly from the system under protection through mechanisms such as network packet capture, audit reports or SNMP traps. The architecture is intended not to be bound to any specific mode of information collection. More interesting is the system's processing mechanism for a system under protection, the so-called resource object, which gathers data derived from various sources such as audit report files, IDS probes and others. This is to allow further correlation of information about the connection being established, since more data is available. The system has a modular library of methods and configurations. The event analysis systems are the next interesting components: they correlate and analyse the events gathered by the module discussed above. Any abnormal behaviour of the protected system is detectable by a signature pattern creation mechanism using statistical profiles (the NIDS project has been used for investigations of this mechanism) and by signature scanners designed to detect known attack patterns. For more information, refer to the manufacturer's Web site.
As I emphasised earlier, I see certain similarities in the evolution of antivirus scanners and IDSes. Historically, the first antivirus scanners were based on virus signature databases; then there was a short period when several different methods were followed, and finally scanner designers turned to a heuristic approach. This method operates under the assertion that attacks can be characterised by well-known behaviour patterns that are classified as abnormal, in order to detect unknown but active viruses. There are scanners that run the code of a suspicious program in an isolated space (a so-called "virtual machine") and analyse whether the code attempts to perform these distinctive activities. Such a concept looks promising if applied to network resources. Surely the best solution would be to let an unknown connection enter an isolated space in order to evaluate whether the connection initiator is an ordinary user or an intruder. This is simple to perform during an antivirus scanning session on a local system but becomes difficult when performed on the network. The main problem is the switching rate and the need to determine what is a normal connection and what is an intrusion. A user would have to gain access to the resource, and if so, real resources would have to appear in the isolated space, which is a foolish idea. However, this is very likely to promote fast growth of heuristic systems designed to provide security for private networks. There are already IDS approaches using heuristic techniques, and they will explode in popularity as growing use of artificial intelligence strengthens their performance.
- Edward Amoroso, Wykrywanie Intruzow (in Polish), Read Me, Warszawa 1999.
- Matthew Strebe, Charles Perkins, Firewalls: ściany ogniowe (in Polish), Mikom, Warszawa 2000.
- Information at http://www.sdl.sri.com.
- Information at http://www.cai.com.