Center for Strategic Assessment and forecasts

Autonomous non-profit organization

To find and neutralize
Publication date: 21-06-2003

Intrusion detection is a widely discussed topic in the popular literature, in the press releases of IT companies and in academic journals and newsletters on information security. In their works, experts note that the main task of an intrusion detection system (IDS) is to prevent or greatly mitigate the damage caused by "hacking" or intrusion into the resources of an information system (primarily the resources of business-critical application systems, on whose normal operation the sustainable development of the company's business largely depends) by identifying the suspicious actions of an offender at an early stage.

This explains the attention paid to intrusion detection systems in recent years. However, most modern systems of this class are very expensive products, so it is important for a potential buyer to know what he is getting for the money that the manufacturer of the intrusion detection system asks for its product.

If you have decided that protecting your system requires an intrusion detection system, the question of its acquisition and deployment must be approached as carefully as possible. Careful planning, phased deployment and specialized training of staff must be among the steps taken to reduce the cost of deploying an expensive and maintenance-intensive product, to maximize the benefit to the organization's protection and to secure a return on the investment.

This article is aimed primarily at potential buyers of intrusion detection systems. It provides basic information about systems of this class that should help organizations avoid common mistakes in purchasing, deploying and maintaining them. The article is based on materials of the Information Technology Laboratory of the National Institute of Standards and Technology, USA (NIST ITL)[1], one of the recognized leaders in the field of information security. The article covers the following issues:

  • the definition of "intrusion detection";
  • the reasons for purchasing an intrusion detection system;
  • types of intrusion detection systems;
  • approaches to monitoring data;
  • approaches to analyzing intrusions;
  • intrusion detection systems that respond to attacks automatically;
  • tools that complement intrusion detection systems;
  • limitations of intrusion detection systems;
  • the deployment of intrusion detection systems, and
  • the future of systems of this class.


1. The definition of "intrusion detection"

NIST experts give the following definition of this concept. Intrusion detection is the process of detecting unauthorized use of, or attacks on, an individual computer or a computer network. In turn, an intrusion detection system (IDS) is a software or hardware-software system designed to detect such unauthorized use. An IDS can detect attempts to compromise the confidentiality, integrity and availability of the information resources of both an individual computer and a network.

As a rule, it is assumed that an intrusion may be initiated by an external adversary from the Internet, by a user authorized in the system who has misused his privileges and data, or by an unauthorized user who attempts to gain privileges in the system.


2. The reasons for buying an IDS

Today intrusion detection systems have become a necessary addition to a company's information protection infrastructure. For information protection professionals the question of whether an IDS is needed no longer arises; the question that does arise is which kind of system is right for your information system. In addition, the significant price of such products demands a careful approach to justifying the need for one. There are at least three serious reasons to buy an IDS: the ability to detect attacks and other security violations that cannot be prevented; preventing the adversary from exploring the network; and being able to document an intrusion into the organization's information system.

2.1. Detecting attacks that cannot be prevented

An adversary who is prepared and uses known techniques can penetrate many networks. This often happens when a vulnerability in the network that has become publicly known is not eliminated as quickly as possible. For example, in many systems created several years ago the operating system simply cannot be modified because its manufacturer no longer supports it. In modern systems, administrators do not have enough time to install all the necessary patches on the large number of computers of a large organization. In addition, as a rule, it is very difficult to map the security policy adopted by the organization correctly onto all of the access control mechanisms. As a result, authorized users can often perform unauthorized actions. Finally, users may also request network services and protocols that the adversary will later use to organize an attack.

Ideally, of course, all vulnerabilities of the system could be identified, but in practice this is hardly possible. Therefore the best approach to protecting the network may be to use an IDS to detect the adversary's exploitation of a weakness that, because of how the system was built, could not be eliminated. It is better to know that the system is being attacked and to organize repair of the damage than not to know that a stranger has penetrated the system.

2.2. Preventing the adversary from exploring the network

A computer or network without an IDS gives the adversary time to explore all the architectural features of the system at leisure, searching for vulnerabilities with impunity. Even if there is only a single vulnerability in such a network, a determined adversary will eventually find it and use it successfully.

The same network, but with an IDS installed, is a much more serious challenge for the hacker or cracker. Although the adversary can continue to explore the network for vulnerabilities, the IDS detects these attempts, can take steps to block them, and can notify the system administrator of the need to take appropriate action.

2.3. Documenting the intrusion

Investigating an intrusion, and subsequently upgrading the protection system, requires accurate evidence that the network was probed by the adversary in search of vulnerabilities, or that it was successfully attacked. In addition, it is important to know the frequency and characteristics of attacks in order to understand which protective measures are adequate.

An IDS can record the number, characteristics and parameters of intrusions carried out both by malicious users of the system and by external adversaries, thereby providing a legitimate basis for justifying budget expenditure on information protection.

Using an IDS for this task is important because a significant number of managers mistakenly believe that nobody (neither outsiders nor insiders) is interested in intruding into their network.


3. Types of intrusion detection systems

Today there are several different types of IDS, differing in the data they monitor and in their approaches to analyzing it. Each type of system has its own particular uses, advantages and disadvantages. As a rule, an IDS can monitor events at three different levels: the network, an individual computer and an application. An IDS can analyze these events using two techniques: signature detection and anomaly detection. Some IDS also have the ability to respond automatically to detected attacks. Below we briefly consider the features of each type of intrusion detection system.

3.1. Approaches to monitoring data

One way of classifying IDS is based on what they actually monitor. Some IDS monitor all network traffic and analyze network packets to identify those that characterize a particular class of attack. Other IDS are deployed on individual computers, where they monitor the operating system to identify signs of intrusion. The rest, as a rule, monitor an individual application.

IDS protecting a network segment

This class of IDS is currently the most common in commercial products. Such a system detects attacks by capturing and analyzing network packets. Operating on network traffic alone, an IDS of this class can cover large amounts of information. An IDS of this class usually consists of several specialized servers that analyze network traffic in different network segments and forward messages about possible attacks to a centralized management console. As no other applications run on the same servers as the IDS, they can be protected from attack, including by special means. Many of them can operate in "stealth" mode, which makes it extremely difficult for the attacker to detect their presence and determine their location in the network.

Advantages:

  • a few well-placed IDS of this class can monitor a large network;
  • deploying an IDS of this class has a minor impact on the existing network. Such IDS are, as a rule, passive devices that intercept network traffic without loading the network's service flows. Thus the network needs only slight modification to deploy an IDS of this class, and installation costs are minimal;
  • an IDS of this class can be well protected from attacks on itself, and individual components can be made invisible to attackers.

Disadvantages:

  • an IDS protecting a network segment can have serious problems when trying to inspect all packets in a large or busy network, so it may fail to recognize an attack that began while the network was busy. Some developers try to solve this problem by implementing the IDS entirely in much faster hardware. The need to analyze packets quickly also forces developers to try to detect attacks with minimal expenditure of computing resources, which seriously reduces detection effectiveness;
  • many of the advantages of IDS of this class cannot be realized in modern switched networks. Switches divide the network into a number of small segments (usually one high-speed Ethernet link per server) and provide dedicated links between servers served by the same switch. Most switches do not provide universal monitoring ports, which narrows the monitoring range of an IDS sensor. On switches that do provide management ports, a particular port often cannot mirror all the traffic passing through the switch;
  • an IDS protecting a network segment cannot analyze encrypted information. This is becoming an increasingly serious problem as the use of encryption becomes more popular among companies;
  • most IDS of this class do not report whether an attack was successful. They report only that an attack was initiated. After an attack is discovered, administrators must manually investigate each attacked server to determine whether it was penetrated by the intruder.

IDS protecting a single server

An IDS protecting a single server works by analyzing the activity of processes on the particular server on which it is installed. In addition, it gathers information about the state of the server it monitors. This allows the IDS to analyze actions on the server in great detail and to determine accurately who is performing malicious actions in the server's operating system.

Some IDS of this class can manage a group of servers, centrally preparing reports about possible attacks that are summarized on the security administrator's console. Others generate messages compatible with network management systems.

Advantages:

  • an IDS protecting a single server can detect attacks that are not detectable by an IDS protecting a network segment, since it has data localized to that particular server;
  • an IDS of this class can operate on a network that uses data encryption, when the information is in the clear on the server before being sent to the user;
  • an IDS of this class can operate in switched networks.

Disadvantages:

  • the collection mechanisms must usually be installed and maintained on every server to be monitored;
  • since part of the system resides on the very computer that is under constant attack, an IDS of this class can itself be attacked and disabled by a prepared adversary;
  • an IDS of this class cannot monitor the situation in the entire network, since it sees only the network packets received by the server on which it is installed;
  • IDS of this class often have difficulty detecting and countering denial-of-service attacks;
  • an IDS of this class uses the computing resources of the server it monitors, thereby reducing that server's performance.

Application-based IDS

An application-based IDS monitors events that occur within an individual application. Often an IDS of this class detects attacks by analyzing the application's own logs. Being able to communicate directly with the application through a service interface, and having a large stock of domain knowledge about the application, an IDS of this class has a more detailed view of suspicious activity in the application.

Advantages:

  • an application-based IDS can monitor activity with very high granularity, which often allows it to trace unauthorized activity to individual users;
  • an IDS of this class can often work in encrypted environments, since it interacts with the application that itself performs the encryption.

Disadvantages:

An IDS of this class may be more vulnerable than an IDS protecting an individual server to an attack that disables the intrusion detection system, since it runs as an ordinary application on the server it monitors.

Some experts note that the distinction between application-based IDS and IDS protecting individual servers is not always clearly visible, so both classes are often grouped together as intrusion detection systems protecting individual servers.

3.2. Approaches to analyzing events

Today there are two main approaches to analyzing events in order to detect attacks: signature detection and anomaly detection. Signature detection is a rather old technique used by most commercial systems; anomaly detection, by contrast, is a comparatively new and promising area that is today the subject of many studies and is used in a limited number of commercial IDS.

Signature-based IDS

The signature-based approach to intrusion detection identifies activity that matches a predefined set of events uniquely describing a known attack. Thus a signature-based IDS must be pre-programmed to detect each known attack. This technique is extremely effective and is the primary method used in commercial software.

Advantages:

Signature-based IDS are very effective at detecting attacks without generating a significant number of false alarms.

Disadvantages:

  • a signature-based IDS must be pre-programmed to detect each attack and must therefore be constantly updated with the signatures of new attacks;
  • many IDS of this class define their signatures too narrowly, which prevents them from detecting variants of traditional attacks whose signature differs only slightly from those in the system's database.

Anomaly-based IDS

An anomaly-based IDS detects attacks by identifying unusual behaviour (anomalies) on a server or in the network. Its operation rests on the premise that attackers behave differently from "normal" users and can therefore be detected by systems that identify these differences. An anomaly-based IDS establishes a baseline of normal behaviour by profiling specific users or network connections, and then statistically detects cases in which the monitored activity deviates from the norm.

Unfortunately, IDS of this class currently still produce a large number of false positives. Despite this weakness, however, researchers assert that anomaly-based IDS are capable of detecting attacks never observed before, in contrast to signature-based IDS, which rely on the analysis of past attacks. Some commercial IDS implement limited forms of anomaly detection, but few, if any, rely solely on this technology. Anomaly detection nevertheless remains an active area of research, and the coming years may bring serious breakthroughs in this area.

Advantages:

An anomaly-based IDS detects unusual behaviour and thus has the ability to detect attacks without having to be pre-programmed for them.

Disadvantages:

  • anomaly detection algorithms typically produce a large number of false positives owing to the unpredictable nature of users and networks;
  • anomaly detection algorithms often require extensive "training samples" of system event records in order to identify normal patterns of behaviour.
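The following Python sketch is an added example, not code from the article or from NIST, and it illustrates both analysis approaches of this section over constructed log lines in an assumed "day source-ip request" format: a deliberately narrow signature that catches one known attack string but misses a lightly encoded variant until the request is normalized, and a per-source volume baseline learned from "training" days that flags a never-seen source without any signature but also raises a false alarm on a legitimate batch job.

```python
"""Signature vs. anomaly detection over constructed log lines (added example)."""
import re
import statistics
from collections import Counter, defaultdict
from urllib.parse import unquote


# Assumed log format (constructed for this example): "<day> <src_ip> <request_path>".
def _lines(day, ip, paths):
    return [f"{day} {ip} {p}" for p in paths]


# Seven quiet "training" days: the baseline the anomaly detector learns from.
TRAINING = []
for _day in range(1, 8):
    TRAINING += _lines(_day, "10.0.0.5", ["/index.html"] * 5)
    TRAINING += _lines(_day, "10.0.0.7", ["/index.html"] * 10 + ["/report.cgi"] * (_day % 3))

# Day 8, the observed day: a normal user, a legitimate batch job that runs once a
# month, and a never-seen source sending one known attack string plus a
# percent-encoded variant of it.
OBSERVED = (
    _lines(8, "10.0.0.5", ["/index.html"] * 5)
    + _lines(8, "10.0.0.7", ["/report.cgi"] * 30)
    + _lines(8, "192.0.2.44", ["/cgi-bin/../../etc/passwd",
                               "/cgi-bin/..%2f..%2fetc/passwd"])
)

# A deliberately narrow signature: it matches the attack exactly as first seen.
NARROW_SIGNATURES = {"path-traversal": re.compile(r"\.\./\.\./etc/passwd")}


def parse(line):
    day, ip, path = line.split(" ", 2)
    return int(day), ip, path


def signature_alerts(lines, normalize=False):
    """Return (signature name, line) for every line matching a known-attack signature.

    With normalize=True the request is percent-decoded before matching, so a
    lightly encoded variant of a known attack no longer slips past the signature.
    """
    alerts = []
    for line in lines:
        _, _, path = parse(line)
        if normalize:
            path = unquote(path)
        for name, pattern in NARROW_SIGNATURES.items():
            if pattern.search(path):
                alerts.append((name, line))
    return alerts


def build_profile(lines):
    """Baseline per source: (mean, stdev) of requests per day over the training sample."""
    per_day = defaultdict(Counter)            # ip -> Counter(day -> request count)
    for line in lines:
        day, ip, _ = parse(line)
        per_day[ip][day] += 1
    profile = {}
    for ip, counts in per_day.items():
        values = list(counts.values())
        stdev = statistics.stdev(values) if len(values) > 1 else 0.0
        profile[ip] = (statistics.mean(values), stdev)
    return profile


def anomaly_alerts(lines, profile, k=3.0):
    """Flag sources whose daily volume exceeds mean + k*stdev, or that have no baseline.

    Returns {ip: reason}. A floor of one request on the stdev keeps a perfectly
    regular source from being flagged by a single extra request.
    """
    observed = Counter(parse(line)[1] for line in lines)
    alerts = {}
    for ip, n in observed.items():
        if ip not in profile:
            alerts[ip] = f"no baseline for this source ({n} requests)"
            continue
        mean, stdev = profile[ip]
        threshold = mean + k * max(stdev, 1.0)
        if n > threshold:
            alerts[ip] = f"{n} requests exceed threshold {threshold:.1f}"
    return alerts


if __name__ == "__main__":
    print("narrow signature:    ", signature_alerts(OBSERVED))
    print("normalized signature:", signature_alerts(OBSERVED, normalize=True))
    prof = build_profile(TRAINING)
    # 10.0.0.7 is a false positive (legitimate batch job); 192.0.2.44 is the
    # unknown source, which the anomaly detector flags without any signature.
    print("anomalies:           ", anomaly_alerts(OBSERVED, prof))
```

The narrow signature reports one hit and the normalized one two, while the anomaly detector flags both the unknown source and the legitimate batch job, which is exactly the trade-off the two disadvantage lists above describe.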

3.3. IDS that respond to attacks automatically

Since a human administrator is not always available at the moment an attack occurs, some IDS can be configured to respond to attacks automatically. The simplest form of automated response is notifying the administrator. After discovering an attack, the IDS may send the administrator an e-mail or pager message with a brief description of the event. A more active response can halt the attack in progress and then block further attempts by the attackers. As a rule, an IDS cannot block the actions of a specific person, but it can block the specific IP addresses from which the attacker operates.

It is very difficult to stop a prepared and well-informed intruder automatically, but an IDS can often deter experienced attackers or stop novice hackers with the following measures:

  • breaking TCP connections by inserting reset packets into the connection between the attacker and the target of the attack;
  • reconfiguring routers and firewalls to block packets from the attacker's IP addresses;
  • reconfiguring routers and firewalls to block the protocols used by the attackers, and
  • in critical situations, reconfiguring routers and firewalls to sever all current connections on specific network interfaces.

A more aggressive way of responding to the attacker is to take some offensive action against him, or to actively attempt to obtain information about the attacker's server. However, such a response can be very dangerous for the organization, as it is likely to be illegal and will cause damage to innocent Internet users.

Of course it is dangerous to allow an IDS to launch such a response automatically, but limited strategies of automated "retaliation" are sometimes used for business-critical systems. It is advisable, however, to work out all the legal issues before using such options.


4. Tools that complement an IDS

There are several tools that complement an IDS and are often marketed by developers as full-fledged IDS, since they perform similar functions. The following discussion describes these tools and how they can extend the ability to detect intrusions.

4.1. Honey Pot and Padded Cell systems

Several new additions to the intrusion detection product line have recently appeared on the information security market. It is important to understand how these programs differ from traditional IDS.

Honey pots are decoy systems that try to lure the attacker away from critical systems. Such systems are filled with information that appears quite valuable but was created specifically for this system and is of no use to legitimate users. Thus, when access to the "honey pot" is detected, there is a high probability that it is an attack.

Monitors and event recorders on the "honey pot" detect unauthorized actions and gather information about the attacker's activity. The purpose of the "honey pot" is to divert the attacker from critical systems, collect information about the attacker's activity and encourage the attacker to stay in the system long enough to give administrators time to prepare a response.

Padded Cell systems implement a slightly different approach. Instead of trying to attract attackers with the help of real data, a Padded Cell waits for a normal IDS to detect an intrusion. After that, the attacker is transferred to a special Padded Cell server. The attacker may not realize that anything is wrong, but he is now in a simulated environment where no harm can be done. Like the "honey pot", this simulated environment can be filled with real data to convince the attacker that the attack is going according to plan.

Padded Cell systems offer unique opportunities to monitor the actions of the attacker. IDS experts have successfully used Padded Cell and Honey Pot systems since the late 1980s, but until recently no commercial products of this kind were available.

Advantages:

  • the attacker can be diverted from the target system, where he can do no harm;
  • administrators have time to decide how to respond to the adversary;
  • the attacker's actions can easily be monitored, and the results used to improve the protection system;
  • systems based on the "Honey Pot" can be effective in identifying malicious persons acting as authorized users.

Disadvantages:

  • Honey Pot and Padded Cell have not yet proven themselves enough to become widespread protection technologies;
  • an experienced attacker, once diverted into a decoy system, may next time launch a more hostile attack against the organization's systems;
  • a high level of training is required for administrators and security managers to use these systems;
  • the legal standing of using such devices is still poorly defined.

4.2. Vulnerability assessment tools

Vulnerability assessment tools determine whether the network or an individual server is currently vulnerable to known attacks. Because this activity is related to the actual detection of attacks, these tools are sometimes referred to as intrusion detection tools. They are divided into two classes: passive and active.

Passive vulnerability assessment tools examine data on the server on which they permanently reside in order to identify dangerous configurations and settings, software versions known to contain vulnerabilities, and weak passwords.

Active assessment tools reside on one server and scan the entire network in search of vulnerabilities on its servers. Such a tool can identify specific versions of software and determine the presence or absence of the associated security patches and updates. The active assessment tool compares this information with a library of version numbers known to be vulnerable and determines whether the servers are vulnerable to known attacks.


5. Limitations of IDS

Existing intrusion detection systems have limitations that you should be aware of before purchasing and deploying an IDS. Among them are the following:

  • despite the claims of developers, most IDS do not scale as well as most enterprise solutions. The problem includes a lack of flexibility and of integration with other protection tools and with complex network management systems, the inability of IDS to assess and visualize corporate threats, and the inability of organizations to assess the large number of alarms generated by hundreds or thousands of IDS sensors;
  • many IDS produce a large number of false positives, which waste administrators' time and may even trigger an automatic response to such a false alarm;
  • while almost all IDS are sold as "real-time", under conditions of high network activity it can take an IDS several minutes to generate a message and initiate an automatic response to an attack;
  • IDS usually cannot detect newly developed attacks or variants of existing attacks. This is a serious problem, since 30-40 new computer attacks are registered every month. An attacker can simply wait for a new attack method to emerge and then quickly penetrate the target network;
  • automatic responses by IDS are often ineffective against sophisticated attacks. They usually stop a novice hacker, but if improperly configured they may disrupt normal operation of the network by interrupting legitimate network traffic;
  • an IDS must be operated by qualified personnel in order to obtain the maximum benefit and to understand the significance of what it finds;
  • operating and monitoring an IDS may require significant staff resources;
  • many IDS are not fault-tolerant: they are not protected from attack or sabotage;
  • many IDS lack functions for identifying a coordinated attack;
  • an IDS cannot be used in isolation; it must be part of the organization's information protection structure.


6. The deployment of IDS

Intrusion detection technology is a necessary addition to the information security infrastructure of every large organization. However, given the weaknesses inherent in some of today's products and the relatively limited expertise of most system administrators, effective use of an IDS requires careful planning and preparation of all activities for acquiring and deploying the system, simulation of possible situations, comprehensive testing and specialized training.

In particular, NIST experts suggest performing a full requirements analysis, carefully selecting an intrusion detection strategy and a technical solution that is compatible with the organization's network infrastructure, policy and available resources. It may be worth practising a joint deployment of IDS across several organizations, or across separate divisions of one organization, to gain deployment experience and to establish what resources are needed to operate and maintain such systems.

Resource requirements vary widely between types of IDS. An IDS requires substantial training and regular involvement of the professionals responsible for its maintenance. The organization should have an appropriate protection policy, plans and procedures in place so that staff know how to respond to every kind of alarm the IDS raises.

NIST experts recommend considering a combination of network-segment IDS and individual-server IDS in the enterprise. It is advisable to deploy the network-segment IDS first, since they are usually the simplest to install and maintain. After that the protection system can be further strengthened by deploying individual-server IDS to protect the company's most important and critical servers.

"Honey pots" should be used judiciously and only by organizations with highly skilled technical staff who wish to experiment with advanced protection technologies.

Padded Cell systems are not currently available except as a few research prototypes.


6.1. The deployment of network-segment IDS

Today a number of options are practised for deploying network-segment IDS, each with its own advantages:

1. Location of the IDS: behind the external firewall.

Advantage: the system sees attacks that penetrate the defensive perimeter from the outside world.

2. Location: in front of the external firewall.

Advantage: proves that attacks from the Internet are regularly conducted against the network.

3. Location: on backbone network links.

Advantage: detects unauthorized activity within the network and monitors a large volume of network traffic.

4. Location: on critical subnets.

Advantage: detection of attacks on critical resources.


6.2. The deployment of individual-server IDS

Individual-server IDS can provide an additional layer of protection once an organization has deployed network-segment IDS. However, installing IDS of this class on all the servers of an enterprise can take a long time. It is therefore often preferable to begin by installing them only on critical servers. Building the protection system this way reduces the total cost of deployment and lets personnel focus on alarms generated by the most important servers in the network.

Once the operation and maintenance of individual-server IDS has become routine and has been fully mastered by the staff, an organization that attaches particular importance to the protection of information may consider installing such IDS on most of its servers. In this case it is advisable to buy systems with easy-to-use centralized management and reporting of possible intrusions to the security administrator, which will simplify managing a significant number of the company's servers.


7. The future of IDS

Research in the field of IDS became active after 1985, but large-scale commercial use of IDS did not begin until 1996. Today the intrusion detection market is growing actively. According to IDC, sales of IDS tools reached 100 million USD in 1998, 350 million in 2001, and already 443.5 million dollars in 2002. By some estimates this market segment should continue to grow and will soon exceed half a billion dollars. From this chronology it is clear that, while active research in the field of IDS and the advertising of these products will increase, these systems are still at an early stage of development.

Some IDS have received negative publicity because of a large number of false positives, a lack of universality and a lack of integration with enterprise network management systems. However, the development trends in this area of information protection suggest that in the near future a significant number of the problems associated with IDS functionality will be resolved.


8. For more information

The acquisition, deployment and maintenance of a modern IDS is a complex task. Fortunately, there are today many excellent resources, in the form of books, online resources and seminars, that introduce audiences to IDS technology.

Several free resources on IDS are available on the Internet:

  1. A brief overview of IDS and their capabilities is given in the book "Introduction to the evaluation of intrusion detection systems for network management and protection" (
  2. A review of commercial IDS that makes it easy to compare their features is given in the work "An Overview of Intrusion Detection Systems" published by Los Alamos National Laboratory, USA (
  3. Information on computer attacks can be found in the May issue of the NIST ITL Bulletin "Computer attacks: what they are and how to protect against them" (

[1] ITL Bulletins, Nov. 1999
