Intrusion Detection

Technology Series

Rebecca Gurley Bace

Publisher: MacMillan, 2000, 339 pages

ISBN: 1-57870-185-6

Keywords: IT Security

Last modified: July 1, 2021, 1:17 p.m.

With the number of intrusion and hacking incidents around the world on the rise, the importance of having dependable intrusion detection systems in place is greater than ever. Offering both a developmental and technical perspective on this crucial element of network security, Intrusion Detection covers:

  • Practical considerations for selecting and implementing intrusion detection systems
  • Methods of handling the results of analysis, and the options for responses to detected problems
  • Data sources commonly used in intrusion detection and how they influence the capabilities of all intrusion detection systems
  • Legal issues surrounding detection and monitoring that affect the design, development, and operation of intrusion detection systems

More than just an overview of the technology, Intrusion Detection presents real analysis schemes and responses, as well as a detailed discussion of the vulnerabilities inherent in many systems, and approaches to testing systems for these problems. Ideal for the network architect who has to make decisions on what intrusion detection system to implement and how to do it, this book will help you:

  • Understand the history of the technology, as well as how future changes may affect your systems
  • Guide an organization through a full acquisition lifecycle, from initial requirements definition to product deployment
  • Choose your systems' responses to detected problems and tie the results back into the site security management process
  • Assess the quality of a proposed or existing intrusion detection system design

  • Introduction
    • Defining Intrusion Detection
    • By Way of Introduction
  1. The History of Intrusion Detection
    1. Audit: Setting the Stage for Intrusion Detection
      1. Differences between Financial and Security Audit
      2. Audit as a Management Tool
      3. EDP Audits and Early Computer Security
      4. Audit and Military Models of Computer Security
    2. The Birth of Intrusion Detection
      1. Anderson and the Audit Reduction Problems
      2. Denning, Neumann, and IDES
      3. A Flurry of Systems through the 1980s
      4. Integrating Host and Network-Based Intrusion Detection
      5. The Advent of Commercial Products
    3. Conclusion
  2. Concepts and Definitions
    1. An Introduction to Intrusion Detection
    2. Security Concepts
      1. A Cultural View of Computer and Network Security
      2. Practical Definition of Computer Security
      3. Formal Definition of Computer Security
      4. Trust
      5. Threat
      6. Vulnerability
      7. Security Policy
      8. Other Elements of the System Security Infrastructure
      9. How Security Problems Occur
    3. Intrusion Detection Concepts
      1. Architecture
      2. Monitoring Strategy
      3. Analysis Type
      4. Timing
      5. Goals of Detection
      6. Control Issues
      7. Determining Strategies for Intrusion Detection
    4. Conclusion
  3. Information Sources
    1. The Organization of this Chapter
      1. Which Source Is the Right Source?
      2. Enduring Questions
    2. Host-Based Information Sources
      1. Operating System Audit Trails
      2. Approaches to Structuring Audit Trails
      3. Problems with Commercial Audit Systems
      4. Pros and Cons of Operating System Audit Trails
      5. Contents of Audit Trails
      6. Audit Reduction
      7. System Logs
      8. Applications Information
      9. Target-Based Monitoring
    3. Network-Based Information Sources
      1. Why Network Sources?
      2. Network Packets
      3. TCP/IP Networks
      4. Packet Capture
      5. Network Devices
      6. Out-of-Band Information Sources
    4. Information from Other Security Products
      1. An Example of a Security Product Data Source
      2. Organization of Information Prior to Analysis
      3. Other System Components as Data Sources
    5. Conclusion
  4. Analysis Schemes
    1. Thinking About Intrusions
      1. Defining Analysis
      2. Goals
      3. Supporting Goals
      4. Detecting Intrusions
    2. A Model for Intrusion Analysis
      1. Constructing the Analyzer
      2. Performance Analysis
      3. Feedback and Refinement
    3. Techniques
      1. Misuse Detection
      2. Anomaly Detection
      3. Alternative Detection Schemes
    4. Conclusion
  5. Responses
    1. Requirements for Responses
      1. Operational Environment
      2. System Purpose and Priorities
      3. Regulatory or Statutory Requirements
      4. Conveying Expertise to Users
    2. Types of Responses
      1. Active Responses
      2. Passive Responses
    3. Covering Tracks During Investigation
      1. Fail-Safe Considerations for Response Components
      2. Handling False Alarms
      3. Archive and Report
    4. Mapping Responses to Policy
      1. Immediate
      2. Timely
      3. Long-Term — Local
      4. Long-Term — Global
    5. Conclusion
  6. Vulnerability Analysis: A Special Case
    1. Vulnerability Analysis
      1. Rationale for Vulnerability Analysis
      2. COPS — An Example of Vulnerability Analysis
      3. Issues and Considerations
    2. Credentialed Approaches
      1. Definitions of Credentialed Approaches
      2. Determining Subjects for Credentialed Approaches
      3. Strategy and Optimization of Credentialed Approaches
    3. Noncredentialed Approaches
      1. Definitions of Noncredentialed Approaches
      2. Methods for Noncredentialed Vulnerability Analysis
      3. Testing by Exploit
      4. Inference Methods
      5. A Historical Note
      6. Architecture of SATAN
      7. Fail-Safe Features
      8. Issues Associated with SATAN
    4. Password-Cracking
      1. Concept of Operation
      2. Password Crackers as Vulnerability Analysis Tools
    5. Strengths and Weaknesses of Vulnerability Analysis
      1. Strengths of Credentialed Analysis Techniques
      2. Strengths of Noncredentialed Analysis Techniques
      3. Disadvantages
    6. Conclusion
  7. Technical Issues
    1. Scalability
      1. Scaling over Time
      2. Scaling over Space
      3. Case Study — GrIDS
    2. Management
      1. Network Management
      2. Sensor Control
      3. Investigative Support
      4. Performance Loads
    3. Reliability
      1. Reliability of Information Sources
      2. Reliability of Analysis Engines
      3. Reliability of Response Mechanisms
      4. Reliability of Communication Links
    4. Analysis Issues
      1. Training Sets for AI-Based Detectors
      2. False Positives/Negatives in Anomaly Detection
      3. Trends Analysis
      4. Composition of Policies
    5. Interoperability
      1. CIDF/CRISIS Effort
      2. Audit Trail Standards
    6. Integration
    7. User Interfaces
    8. Conclusion
  8. Understanding the Real-World Challenge
    1. The Roots of Security Problems
      1. Problems in Design and Development
      2. Problems in Management
      3. Problems in Trust
    2. Through a Hacker's Eyes
      1. Identifying a Victim
      2. Casing the Joint
      3. Gaining Access
      4. Executing the Attack
    3. Security versus Traditional Engineering
      1. Traditional Engineering
      2. Security Engineering
      3. Rules of thumb
    4. Rules for Intrusion Detection Systems
    5. Conclusion
  9. Legal Issues
    1. Law for Geeks
      1. Legal Systems
      2. Legislation
      3. Civil Litigation/Tort Law
      4. Complications in Applying Law to Cyberspace
    2. Rules of Evidence
      1. Types of Evidence
      2. Admissibility of Evidence
      3. Restrictions and Exceptions
      4. Provisions for Handling Evidence
      5. Rules of Evidence as Applied to System Logs and Audit Trails
    3. Laws Relating to Monitoring Activity
      1. When a System Administrator Monitors a System
      2. When Law Enforcement Agents Monitor a System
      3. Notification of Monitoring
    4. What Real Cases Have Taught Us
      1. The Mitnick Case
      2. The Rome Lab Case
      3. Lessons Learned
    5. Conclusion
  10. For Users
    1. Determining Your Requirements
      1. Your System Environments
      2. Goals and Objectives
      3. Reviewing Your Policy
      4. Requirements and Constraints
    2. Making Sense of Products
      1. Understanding the Problem Space
      2. Is the Product Scalable?
      3. How Did You Test This?
      4. Is This Product a Tool or Is It an Application?
      5. Buzzwords versus Wisdom
      6. Anticipated Life of Product
      7. Training Support
      8. Prioritized Goals of Product
      9. Product Differentiation
    3. Mapping Policy to Configurations
      1. Converting Policy to Rules
      2. Subject-Objects to Real World
      3. Monitoring Policy versus Security Policy
      4. Testing Assertions
    4. Show Time! Incident Handling and Investigation
      1. Scout's Honor
      2. Best Practices
      3. When the Balloon Goes Up
      4. Dealing with Law Enforcement
      5. Expectations
      6. Damage Control
      7. Dealing with Witch Hunts
    5. Conclusion
  11. For Strategists
    1. Building a Case for Security
      1. Assembling Information
      2. What Is the Organization Trying to Accomplish?
      3. How Does Security Fit Into Overall Business Goals?
      4. Where Does Information Security Fit Into the Corporate Risk-Management Program?
      5. What Do We Need to Secure the System?
      6. Finding Allies
      7. Overcoming Management Resistance
    2. Defining Requirements for IDS
      1. Revisiting Goals and Objectives
      2. What Are the Threats?
      3. What Are Our Limitations?
      4. Considerations in Adopting Intrusion Detection and System Monitoring
    3. Marketing Hype versus Real Solutions
      1. What Product Is Best Fitted to Us and Our Goals?
      2. How Painful Is This Product to Install?
      3. How Painful Is This Product to Run?
      4. What Are the Expectations of the Personnel?
      5. Who Was the Dream Customer for Whom This Product Was Designed?
    4. Integrating Security Into a Legacy Environment
      1. Assessing the Existing Systems
      2. Leveraging Investments in Security
      3. Dealing with "Wetware" — the Humans in the System
      4. Handling Conflicts
    5. Dealing with the Effects of Corporate Transitions
      1. Mergers and Acquisitions
      2. Strategic Partners
      3. Globalization
      4. Expansion and Contraction
      5. Going from Private to Public
    6. Conclusion
  12. For Designers
    1. Requirements
      1. Good versus Great Intrusion Detection
      2. Different Approaches to Security
      3. Policies — One Size Does Not Fit All
    2. Security Design Principles
      1. Economy of Mechanism
      2. Fail-Safe Defaults
      3. Complete Mediation
      4. Open Design
      5. Separation of Privilege
      6. Least Privilege
      7. Least Common Mechanism
      8. Psychological Acceptability
    3. Surviving the Design Process
      1. Establishing Priorities
      2. On Threat Curmudgeons
      3. Striking and Maintaining Balance
    4. Painting the Bull's Eye
      1. Gauging Success
      2. False Starts
      3. Testing Approaches
      4. Measuring Network-Based Performance
    5. Advice from the Trenches
      1. Use Good Engineering Practices
      2. Secure Sensors
      3. Pay Attention to Correct Reassembly
      4. Don't Underestimate Hardware Needs
      5. Don't Expect Trusted Sources of Attack Data
      6. Think Through Countermeasures
      7. No Support for Forensics
      8. Support Modern Security Features
    6. Conclusion
  13. Future Needs
    1. Future Trends in Society
      1. Global Villages and Marketplaces
      2. Privacy as an Economic Driver
      3. A Different Kind of War
      4. Sovereignty
    2. Future Trends in Technology
      1. Changes in the Network Fabric
      2. Open Source Software
      3. Advances in Wireless Networking
      4. Ubiquitous Computing
    3. Future Trends in Security
      1. Management
      2. Privacy-Sparing Security
      3. Information Quality versus Access Control
      4. Crypto, Crypto Everywhere…
      5. The Erosion of Perimeters
      6. Liability Transfer versus Trust Management
    4. A Vision for Intrusion Detection
      1. Capabilities
      2. Highly Distributed Architectures
      3. 911 for Security Management
      4. Ubiquitous Information Sources
      5. Silicon Guards
      6. Emphasis on Service, Not Product
    5. Conclusion
  1. Glossary
  2. Bibliography
  3. Resources
    • Books
      • Intrusion Detection and Associated Technologies
      • Security References and Textbooks
      • Information Warfare, Critical Systems, and National Policy
      • Introduction to Computer and Network Security
      • Cryptography
      • Firewalls
      • War Stories
      • Specific Application Venues
      • Cybercrime and Law Enforcement
      • For Fun
    • WWW Resources
      • Security Portals
      • Vulnerability Information Sources
      • Organizations
      • Government Sites
      • Academic Sites
      • Commercial Products, Services, and Research
      • Miscellaneous Intrusion Detection References
  4. Checklist

Reviews

Intrusion Detection

Reviewed by Roland Buresund

Disappointing *** (3 out of 10)

Last modified: May 21, 2007, 3:06 a.m.

Yet another introduction to IDS. Well written, but not very much content. Read Amoroso instead.
