Host Intrusion Detection System Administrator's Guide Release 3.0
Overview
Why Do You Need Intrusion Detection?
Chapter 1
Where Does Intrusion Detection Fit In?
The amount of information that flows through a typical corporate intranet and the level
of activity on most corporate servers make it impossible for any one person to continually
monitor them by hand. Traditional network management and system monitoring tools
do not address the problem of ensuring that systems are not misused or abused.
Nor can they help detect theft of a company’s critical data from important servers. The
potential impact of computer-based crime is significant to most corporations: their entire
intellectual property often resides on server machines. A tool that could detect
security-related threats and attacks as they occur would significantly ease the burden
that most network administrators face.
What Is Intrusion Detection?
Intrusion detection can be summarized quite simply: After you have put up the barbed
wire fence, an intrusion detection system is like adding closed circuit TV cameras so that
security guards can monitor your facilities to forestall an attack.
Intrusion detection is the art and science of detecting illegal and improper use of
computing resources by unauthorized outsiders and authorized employees, before such
misuse results in excessive damage. It does this by providing continuous monitoring of
critical systems and data.
An intrusion detection system (IDS) monitors user and system activity to detect patterns
of misuse that may correspond to security violations. The monitoring is automatic and
constant on all the systems on which the IDS is deployed. It imposes a low overhead on
the systems and network so as not to disrupt your business activities. In addition, an
IDS can monitor a server machine, a whole network, or even an application (such as a
database or web server).
Before attacking your systems, an attacker needs to identify potential vulnerabilities
that can be exploited to subvert your system’s security. A vulnerability is a feature of the
design, implementation, or operation of a computer system or network that leaves it
open to subversion by an unauthorized (or authorized) user. Having identified a
vulnerability to exploit, the attacker will then create an attack script, which is often just
a shell script or simple program that performs a series of fixed steps to exploit the
vulnerability. Often the script that the attacker needs has already been written and is
available on a web page, in which case the attacker’s job is much easier.
Despite the multitude of attacks that are known and reported, you may be surprised to
learn that most of them are merely variations on a theme. Once one attacker identifies a
weakness and releases an attack script for it, many others are inspired by his work and
find similar weaknesses in other pieces of software. What follows is usually a flood of
attacks that exhibit common patterns and follow similar steps. Given an attack, we can
codify it: express it in terms that an intrusion detection system can operate on.
HP-UX HIDS uses the concept of a “detection template” to express the fundamental
aspect of an attack that distinguishes it from legitimate behavior; capturing that
aspect is what makes detection possible.
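The following is an added illustration of the detection-template idea, not HP-UX HIDS code and not its template format: two small templates, each capturing one aspect that separates an attack from legitimate activity, are run over a few constructed host audit records (the record layout, user names, file names and thresholds are all assumptions made for the example).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records (assumed layout, not the HIDS log format):
# "<ISO timestamp> <user> <action> <object>", one event per line.
SAMPLE_AUDIT = """\
2024-05-01T09:00:01 root modify /etc/passwd
2024-05-01T09:00:05 alice modify /etc/passwd
2024-05-01T09:01:00 bob login-failed console
2024-05-01T09:01:02 bob login-failed console
2024-05-01T09:01:04 bob login-failed console
2024-05-01T09:01:06 bob login-failed console
2024-05-01T09:10:00 carol login-failed console
""".splitlines()

EVENT_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse(line):
    """Turn one audit line into an event dict; malformed lines are skipped."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ts, user, action, obj = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action, "obj": obj}

# Template 1: a critical file is modified by someone other than an authorized
# administrator. The distinguishing aspect is WHO modifies it, not the modification.
def critical_file_template(events, critical=frozenset({"/etc/passwd"}), admins=frozenset({"root"})):
    return [f"{e['user']} modified {e['obj']}" for e in events
            if e["action"] == "modify" and e["obj"] in critical and e["user"] not in admins]

# Template 2: repeated failed logins by one user inside a short window.
# A single failure is legitimate (a typo); a burst is the attack pattern.
def failed_login_template(events, threshold=3, window=timedelta(seconds=30)):
    alerts, recent = [], defaultdict(list)
    for e in events:
        if e["action"] != "login-failed":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        q[:] = [t for t in q if e["ts"] - t <= window]   # drop failures outside the window
        if len(q) >= threshold:
            alerts.append(f"{e['user']}: {len(q)} failed logins within {window.seconds}s")
            q.clear()   # one burst raises one alert
    return alerts

def run_templates(lines):
    """Apply every template to the parsed event stream and return the alerts raised."""
    events = [e for e in map(parse, lines) if e]
    return critical_file_template(events) + failed_login_template(events)

if __name__ == "__main__":
    for alert in run_templates(SAMPLE_AUDIT):
        print("ALERT:", alert)
```

Run against the sample records, the file template ignores root's edit and flags alice's, and the login template flags bob's burst but not carol's single failure.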