What is Intrusion Detection?
Network intrusion detection systems (NIDS) monitor packets on the
network wire and attempt to discover whether a hacker/cracker is
attempting to break into a system (or cause a denial of service
attack). A typical example is a system that watches for a large number
of TCP connection requests (SYN) to many different ports on a target
machine, thus discovering whether someone is attempting a TCP port
scan. A NIDS may run either on the target machine, watching its own
traffic (usually integrated with the stack and services themselves),
or on an independent machine promiscuously watching all network
traffic (hub, router, probe). Note that a "network" IDS monitors many
machines, whereas the others monitor only a single machine (the one
they are installed on).
System integrity verifiers (SIV) or host intrusion detection systems
(HIDS) monitor system files to find when an intruder changes them
(thereby leaving behind a backdoor). The most famous of such systems
is "Tripwire". A SIV may watch other components as well, such as the
Windows registry and cron configuration, in order to find well-known
signatures. It may also detect when a normal user somehow acquires
root/administrator level privileges. Many existing products in this
area should be considered more "tools" than complete "systems": i.e.
something like "Tripwire" detects changes in critical system
components, but doesn't generate real-time alerts upon an intrusion.
Log file monitors (LFM) monitor log files generated by network
services. In a similar manner to NIDS, these systems look for patterns
in the log files that suggest an intruder is attacking. A typical
example would be a parser for HTTP server log files that looks for
intruders who try well-known security holes, such as the "phf" attack.
Example: swatch
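The two detection examples above (the NIDS watching for SYNs to many ports, and the LFM parsing HTTP logs for the "phf" probe) reduced to working code. This is an added illustration, not code from the original page or from swatch or Tripwire; the SYN records, the log lines, the 10-port threshold and the 5-second window are all constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample SYN records: (timestamp, src_ip, dst_ip, dst_port, tcp_flags).
# 10.0.0.5 probes 12 ports in about a tenth of a second; 10.0.0.7 is a normal client.
SAMPLE_SYNS = [(1.0 + i * 0.01, "10.0.0.5", "192.168.1.10", p, "S")
               for i, p in enumerate(range(1, 13))]
SAMPLE_SYNS += [(2.0, "10.0.0.7", "192.168.1.10", 80, "S"),
                (2.1, "10.0.0.7", "192.168.1.10", 80, "A")]

def detect_syn_scan(records, port_threshold=10, window=5.0):
    """NIDS-style check: alert on a (src, dst) pair that sends SYNs to
    port_threshold or more distinct ports within `window` seconds.
    Threshold and window are assumed tuning values, not page-given ones."""
    first_seen = {}                 # (src, dst) -> start of current window
    ports = defaultdict(set)        # (src, dst) -> distinct ports seen in window
    alerts = []
    for ts, src, dst, dport, flags in records:
        if flags != "S":            # only connection requests count
            continue
        key = (src, dst)
        if key not in first_seen or ts - first_seen[key] > window:
            first_seen[key] = ts    # start a fresh window for this pair
            ports[key] = set()
        ports[key].add(dport)
        if len(ports[key]) == port_threshold:   # fire once per window
            alerts.append(key)
    return alerts

# Constructed Common Log Format lines: one normal hit, one probe of the phf CGI.
SAMPLE_LOG = [
    '10.0.0.9 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326',
    '10.0.0.9 - - [10/Oct/2000:13:55:40 -0700] "GET /cgi-bin/phf HTTP/1.0" 404 208',
]

CLF = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
                 r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def scan_http_log(lines, patterns=(r"/cgi-bin/phf",)):
    """LFM-style check: parse each CLF line and report requests whose path
    matches a known-bad signature. Returns (client, path, status) tuples."""
    sig = re.compile("|".join(patterns))
    hits = []
    for line in lines:
        m = CLF.match(line)
        if m and sig.search(m["path"]):
            hits.append((m["host"], m["path"], m["status"]))
    return hits
```

Note that the log monitor reports the probe even though the server answered 404: a miss still tells the defender who is looking for the hole.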
http://www.robertgraham.com/pubs/network-intrusion-detection.html