Center for Strategic Assessment and forecasts

Autonomous non-profit organization

Home / Defence and security / / Articles
The intrusion detection system
Material posted: -Publication date: 23-09-2004

Today intrusion detection become necessary additions to infrastructure information protection the company. The question of whether the intrusion detection system (OWLS), for the professionals of information protection was not worth it, however they come up against the problem of choosing such a system for a particular organization. In addition, the high cost of such products makes a more careful approach to the justification of their use.

This article provides basic information about the systems of this class that should help organizations avoid common mistakes in purchasing, deploying, and maintaining intrusion detection systems.

Types of intrusion detection systems

Today, there are several different types of OWLS, different algorithms of monitoring data and approaches to their analysis. Each type of system correspond to certain features of the use, advantages and disadvantages.

One of the ways of classification of OWLS is based on understanding what they actually control. Some monitor all network traffic and analyze network packets, while others are deployed on separate computers and control the operating system to identify signs of invasion, and others, as a rule, the control of the individual application.


This class OWLS currently most common in commercial products. The system usually consists of multiple specialized servers, which analyze network traffic in different network segments and pass messages about a possible attack on a centralized management console. No other app do not work on servers used by OWLS, so they can be protected from attack, including special means. Many of them can operate in "stealth"mode that makes detection of the attackers and identify their location in the network.


• a few well placed systems can monitor a large network;

• the deployment has a minor impact on the existing network. Like OWLS, usually passive devices that intercept network traffic without impacting network service flows;

• the system can be very secure against attacks to itself, besides its individual nodes can be made invisible to attackers.


• not able to recognize the attack, which began at the time the network is busy. Some developers try to solve this problem by implementing OWL based on the hardware with higher speed. In addition, the need to rapidly analyze the packets forces the developers to detect the attack with minimal cost of computing resources, which seriously reduces the efficiency of detection;

• many of the advantages of OWLS small segments (usually one high speed Ethernet channel to the server) and provide dedicated links between servers operated by the same switch. Most switches do not provide universal control ports, which reduces the controlling range of the sensor OWLS. In such switches a single port often may not reflect all traffic passing through the switch;

• not able to analyze encrypted information;

• report initiated the attack without analyzing the degree of penetration.


These systems operate by analyzing the activity of the processes on a particular server on which it is installed; gather information about the server controlled by them. This allows OWLS to analyze the actions on the server with a high degree of detail and accurately determine who performs malicious actions in the operating system of the server.

Some OWLS of this class have the opportunity to manage a group of servers, centralized preparing reports about possible attacks, which are summarized in the administrator console, protection. Others generate messages that are compatible with network management systems.


• find attacks that are not detected OWLS protecting a network segment, as they have the data localized to a particular server;

• work in a network that uses
data encryption when information is in the clear on the server before sending it to the user;

• operate in switched networks.


• information-gathering mechanisms should be installed and maintained on each server to be monitored;

• can be attacked and blocked prepared by the enemy;

• not able to control the situation in the whole network as "seen" only network packets received by the server on which they are installed;

• difficulties in detecting and countering attacks with denial of service;

• use the computing resources of the server which is controlled, thereby reducing its effectiveness.


These systems monitor events that are manifested within individual applications, and often detect attacks during the analysis of system logs applications. The opportunity to communicate directly with the application through a service interface, and a large stock of applied knowledge of the application allow the OWLS of this class to provide a more detailed view of suspicious activity in the application.


• control the activity with a very high degree of detail that allows them to trace unauthorized activity to individual users;

• able to work in encrypted environments, at the expense of vzaemodia application on the server controlled by them.

Some experts note that the distinction between systems based on the protection of applications and systems on the basis of protecting individual servers are not always clearly defined, so both classes will be attributed to the intrusion detection systems based on protecting individual servers.
Approaches to the analysis of events.

Currently there are two major approaches to event analysis: detection of signatures and detect anomalies.


The approach to intrusion detection based on signature detects the activity that matches a predefined set of events that uniquely describe a known attack. Consequently, systems based on signatures should be pre-programmed to detect each known attack. This technique is extremely effective and is the primary method used in commercial software.


• very effective at detecting attacks without generating a significant number of false alarms.


• system based on signatures should be pre-programmed to detect each attack and constantly modified by the signatures of new attacks;

• choose signatures in many systems of this class are defined quite narrowly, making it difficult to identify variants of the traditional attacks, the signature which differs slightly from their base.


Such systems find attacks by identifying unusual behaviour (anomalies) on the server or on the network. The principle of their operation is based on the fact that attackers do not behave like "normal" users, and can be detected by systems that identify these differences. System based on detecting anomalies establish a baseline of normal behavior, profiling specific users or network connections and detect the deviation of the controlled operation.

Unfortunately, to date, systems of this class are still often produce large amounts of false positives. However, despite this, the researchers say they could detect an attack, previously unnoticed, unlike OWLS on the basis of signatures that rely on the results of the analysis of past attacks. Some commercial PSBS implement limited forms of anomaly detection, however, only a few rely solely on this technology. However, the anomaly remains an area of active research, and in the near future it is possible serious breakthroughs.


• detect the attack without having to be pre-programmed.


• produce large number of false positives, also be armed due to the unpredictable behavior of characters.

OWLS, automatically respond to attacks

The person-the administrator is not always available at the time of the attacks on the system, so some OWLS may be configured to automatically respond to them. The simplest form of automated response – the notification of the administrator. After discovering the attack OWLS might send an e-mail or pager to the administrator a letter with a brief description of the event. A more active response can stop the advance of the attack and block further attempts of the attackers. As a rule, OWLS do not possess the ability to block the actions of a specific person, but can block specific IP addresses from which works forward.


• breaking the TCP connections with the introduction of reset packets into the attacker connection with the recipient of the attack;

• reconfiguration of routers and firewalls with the aim to block packets from IP addresses of the attacker;

• reconfiguring routers and firewalls to block the protocols used by the attackers;

• in critical situations, reconfigurarea routers and firewalls. this class is able to disconnect all current connections using specific network interfaces.

A more aggressive way to respond to the attacker provides for the possibility of offensive action against the attacker, as well as getting information about the server of the attacker. However, this answer could be very dangerous for organizations, as it is likely to be illegal and will cause damage to innocent Internet users.

Tools, complementary OWLS

Sushestvuet several tools that complement and OWLS are often referred to by developers as full-fledged OWLS, because they perform similar functions.


"Pots of honey" (Honey Pots) – system-the"bait", trying to "seduce" the attacker before he reaches the mission-critical applications.

Monitors, and recorders intrusion on "the honey pot" detect unauthorized actions and gather information about the actions of the attacker. System "Psychiatric ward" (Padded Cell) implement a slightly different approach. Without attracting attackers real data, Padded Cell waiting for normal OWLS will detect the intrusion. After that, the striker is transmitted to a special server system Padded Cell. Like the "honey pot", this simulated environment can be filled with real data to convince the attacker that the attack is going according to plan.


• striker may be rejected from the target system, which he is not able to corrupt;

• administrators have extra time to decide how to respond to the enemy;

• an attacker may be easily controlled, and the results of them as authorized users.


• experienced striker, once rejected in the system-"the bait" the next time might take a more hostile attack against the systems of the organization;

• required high level of training of administrators and heads of security services;

• legal value of the use of such devices is still poorly defined.

Tools vulnerability assessment

Tools vulnerability assessment are divided into two classes: passive and active.

Passive browsing data on the server where you are constantly, in order to identify the dangerous configuration settings, software versions known to contain vulnerabilities and weak passwords.

Active tools analyze the entire network in search of vulnerabilities in your servers by comparing the received information with the library version numbers FOR known as threat, and determine whether servers are vulnerable to known attacks.

The deployment of OWLS

The use of intrusion detection systems requires good preparation and regular interaction of professionals involved in their support. The organization should have an appropriate protection policy, plans and procedures in place that staff knew how to respond to all alarms that initiate OWL.

The NIST experts recommended to consider the combination of OWLS-based protection network segment. After that it is possible to additionally strengthen the system of protection through the deployment of OWL-based protection for individual servers.

Honey Pots should be used reasonably and only organizations with highly skilled technical staff who have opportunities to experiment with advanced protection technologies.

Except for certain
research prototypes, Padded Cell currently not available.

Currently, several variants of the deployment (location) of OWLS on the basis of network security:

• behind external network protection (firewall) – detect attacks coming through the defensive perimeter network from the outside world;

• front external firewalls proves that attacks from the Internet against the network are taken regularly;

• support network TV – detect unauthorized activity within the network and monitoring a large amount of network traffic;

• in the critical subnet – detection of attacks on critical resources.

Future OWLS

Research in the field of OWLS intensified after 1985, but large-scale commercial use OWLS did not begin until 1996. According to IDC, in 1998, sales tools OWLS reached 100 million, in 2001-m – 350 million, while in 2002 already 443,5 million.! X for some positives, the lack of universality and lack of integration with network management systems of the enterprise. However, the analysis of tendencies of development of this direction means of information protection allows to assume that in the near future most of the problems associated with the functionality of the OWLS will be allowed.

The article is prepared on materials
Information technology laboratory National Institute of standards USA.


Tags: Russia , USA , threat

RELATED MATERIALS: Defence and security