Host Intrusion Detection System Administrator's Guide Release 3.1

Chapter 1
Overview
Importance of Intrusion Detection
What Is Intrusion Detection?
Intrusion detection can be summarized quite simply: after you have put up the barbed
wire fence, an intrusion detection system is like adding closed-circuit TV cameras so that
security guards can monitor your facilities and forestall an attack.
Intrusion detection is the art and science of detecting illegal and improper use of
computing resources by unauthorized people before such misuse results in excessive
damage. An intrusion detection system constantly monitors critical systems and data to
protect them from attacks.
An intrusion detection system (IDS) monitors user and system activity to detect patterns
of misuse that may correspond to security violations. The monitoring is automatic and
constant on all the systems on which the IDS is deployed. It imposes a low overhead on
the systems and network so as not to disrupt your business activities. In addition, an
IDS can monitor a server machine, a whole network, or even an application (such as a
database or web server).
Before attacking your systems, an attacker needs to identify potential vulnerabilities
that can be exploited to subvert your system’s security. A vulnerability is a feature of the
implementation or operation of a computer system or network that leaves it open to
subversion by an unauthorized (or authorized) user. Having identified a vulnerability to
exploit, the attacker then creates an attack script, which is often just a shell script or
simple program that performs a series of fixed steps to exploit the vulnerability. Often
the script that the attacker needs has already been written and is available on a web
page, in which case the attacker’s job is much easier.
Despite the multitude of attacks that are known and reported, most are small
variations on a theme. In many cases, attackers reuse the shell scripts from previous
attacks. What follows is usually a flood of attacks that exhibit common patterns and
follow similar steps. Given an attack, we can codify it: express it in terms that an
intrusion detection system can operate on. HP-UX HIDS uses the concept of a
“detection template” to express a fundamental aspect of an attack that distinguishes it
from legitimate behavior and so permits detection.
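The following is an added illustration of what "codifying an attack" into a detection template can look like in code. It is not part of this guide and is not HP-UX HIDS's own template format; the event record layout, the CRITICAL_FILES list, the two template predicates and the sample audit trail are all constructed for this example. The first template flags a non-root write to a critical file; the second flags a successful login that follows a burst of failed logins for the same user within a short window, which is the pattern that separates a password-guessing attack from an ordinary mistyped password.

```python
"""
Illustrative host-based "detection template" engine.

Added example, not part of the HP-UX HIDS guide and not its template
format: it shows the idea of codifying an attack pattern as something a
detector can evaluate over a stream of host audit events. The event
layout, file list and both templates are assumptions for this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Optional

# Each audit event is a small dict; the field names are assumed here.
Event = Dict[str, object]

# Hypothetical set of files whose modification by a non-root process
# should always be reported.
CRITICAL_FILES = {"/etc/passwd", "/etc/shadow", "/etc/inetd.conf"}


@dataclass
class Template:
    """One codified attack pattern: a name plus a predicate over the
    current event and a per-template state dict the predicate may use."""
    name: str
    match: Callable[[Event, dict], Optional[str]]  # alert text or None
    state: dict = field(default_factory=dict)


def critical_file_write(ev: Event, state: dict) -> Optional[str]:
    """Template 1: a write or chmod to a critical file by a process that
    is not running as root is treated as a security violation."""
    if (ev["type"] in ("write", "chmod")
            and ev["path"] in CRITICAL_FILES and ev["uid"] != 0):
        return (f"uid {ev['uid']} modified critical file {ev['path']} "
                f"(pid {ev['pid']})")
    return None


def login_guess_then_success(ev: Event, state: dict, *,
                             threshold: int = 3,
                             window: int = 60) -> Optional[str]:
    """Template 2: a successful login for a user who accumulated at least
    `threshold` failed logins within the preceding `window` seconds.
    A lone burst of failures is noise; failures followed by success is
    the pattern worth alerting on."""
    if ev["type"] != "login":
        return None
    failures: Dict[str, Deque[int]] = state.setdefault(
        "failures", defaultdict(deque))
    q = failures[ev["user"]]
    # Discard failures that have aged out of the time window.
    while q and ev["ts"] - q[0] > window:
        q.popleft()
    if not ev["success"]:
        q.append(ev["ts"])
        return None
    if len(q) >= threshold:
        n = len(q)
        q.clear()
        return f"user {ev['user']} logged in after {n} failures within {window}s"
    return None


def run_templates(events: List[Event], templates: List[Template]) -> List[str]:
    """Evaluate every template against every event in order; return alerts."""
    alerts = []
    for ev in events:
        for t in templates:
            msg = t.match(ev, t.state)
            if msg:
                alerts.append(f"[{t.name}] {msg}")
    return alerts


def default_templates() -> List[Template]:
    return [
        Template("critical-file-modification", critical_file_write),
        Template("password-guessing-success", login_guess_then_success),
    ]


# Constructed sample audit trail (timestamps in seconds).
SAMPLE_EVENTS: List[Event] = [
    {"ts": 100, "type": "login", "user": "bob", "success": False},
    {"ts": 110, "type": "login", "user": "bob", "success": False},
    {"ts": 115, "type": "login", "user": "bob", "success": False},
    {"ts": 120, "type": "login", "user": "bob", "success": True},
    {"ts": 130, "type": "write", "path": "/home/bob/notes.txt", "uid": 501, "pid": 4242},
    {"ts": 140, "type": "write", "path": "/etc/passwd", "uid": 501, "pid": 4243},
    {"ts": 150, "type": "write", "path": "/etc/passwd", "uid": 0, "pid": 77},
    {"ts": 300, "type": "login", "user": "alice", "success": False},
    {"ts": 400, "type": "login", "user": "alice", "success": True},  # failure aged out
]


if __name__ == "__main__":
    for line in run_templates(SAMPLE_EVENTS, default_templates()):
        print(line)
```

Run against the constructed trail, the engine produces exactly two alerts: bob's login after three failures, and the uid 501 write to /etc/passwd. The root write to /etc/passwd and alice's single stale failure produce nothing, which is the point of expressing the distinguishing aspect of an attack rather than every event that merely resembles one.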
The amount of information that flows through a typical corporate intranet and the level
of activity on most corporate servers make it impossible for any one person to continually
monitor them by hand. Traditional network management and system monitoring tools
do not address the issue of helping to ensure that systems are not misused and abused.
Nor can they help detect theft of a company’s critical data from important servers. The
potential impact of computer-based crime is significant to most corporations: their entire
intellectual property often resides on server machines. A tool that could detect
security-related threats and attacks as they occur would significantly ease the burden
that most network administrators face.