Cert Releases Report on Intrusion Detection

Cert (www.cert.org), a security research lab at Carnegie Mellon University (www.cmu.edu), generated a comprehensive report titled "State of the Practice Intrusion Detection Technologies." The paper details current technologies and procedures for intrusion detection (ID) on organizational networks. It covers both the efforts of the government and those of third-party vendors to detect and track malicious intrusions.

Security technology, or more appropriately intrusion technology, changes at a fast pace. Crackers and vendors continuously change their techniques in reaction to each other. "We had a hard time keeping up with the information as we were writing," admits Alan Christie, an author of the report.

"Technology is changing quickly, and intrusions are changing quickly," Christie says, suggesting the gaps in current ID systems are part of the nature of security, rather than inadequate models or techniques. "The field is relatively immature," he says.

ID systems rely on an attack signature to identify an unwanted intrusion. Malicious users frequently leave data trails that are not found during normal network use. The security system includes a database that is used to identify these attack signatures. When an attack signature is detected, the software alerts administrators to a potential attack.

A difficulty in developing a reliable ID system is creating software sophisticated enough to distinguish between an attack signature and benign network use. False alarms can desensitize users to potential attacks.

Additionally, intrusion methods constantly change. Even the most sophisticated software will be unable to detect an undocumented attack signature. ID software must be updated for new attack types. "Technology is changing quickly and intrusions are changing quickly," Christie says.
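The three points above, a signature database, false alarms on benign traffic, and attacks with no signature yet, can be seen in one small detector. This is an added illustration, not code from the Cert report; the signatures, log lines, hosts and paths are all constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: re.Pattern


# Constructed signature database (not from the report): each entry names a
# data trail that normal use of the web server should not leave behind.
SIGNATURES = [
    Signature("dir-traversal", re.compile(r"\.\./")),
    # Deliberately crude: matches the word anywhere, which causes a false alarm below.
    Signature("passwd-file-access", re.compile(r"passwd")),
]

# Constructed access-log lines (hypothetical hosts and paths).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Feb/2000:10:01:02] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.9 - - [12/Feb/2000:10:01:09] "GET /cgi-bin/view?f=../../etc/passwd HTTP/1.0" 404 0',
    '10.0.0.5 - - [12/Feb/2000:10:02:11] "GET /docs/change-passwd-howto.html HTTP/1.0" 200 2210',
    '10.0.0.7 - - [12/Feb/2000:10:03:30] "GET /cgi-bin/newtool?mode=debug HTTP/1.0" 500 0',
]

# Constructed ground truth: line 2 is a documented attack, line 4 stands in for
# an attack type the signature database does not know about yet.
ACTUAL_ATTACKS = {2, 4}


def scan(lines, signatures=SIGNATURES):
    """Return {line_number: [signature names]} for every line that matches a signature."""
    hits = {}
    for n, line in enumerate(lines, start=1):
        names = [s.name for s in signatures if s.pattern.search(line)]
        if names:
            hits[n] = names
    return hits


def evaluate(hits, actual_attacks):
    """Split flagged lines into true alarms, false alarms and missed attacks."""
    flagged = set(hits)
    return {
        "true_alarms": sorted(flagged & actual_attacks),
        "false_alarms": sorted(flagged - actual_attacks),
        "missed": sorted(actual_attacks - flagged),
    }
```

Run over the sample log, line 3 (a benign documentation page) trips the crude `passwd` signature, and line 4 is missed because nothing in the database describes it; tightening the signature and adding a new one are the two update steps the text describes.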

Third-party vendors of ID software have different goals from the government and other developers of such software. The third-party vendors are primarily interested in protecting networks, rather than tracking violators. The techniques employed by governmental agencies, while sophisticated, are often inadequate or inappropriate for the enterprise.

The Cert report contrasts network ID software with desktop anti-virus software. The authors consider anti-virus a mature market, with proven methods for detecting and removing viruses. Although virus attacks are as dynamic as intrusions, anti-virus tools are more effective because their algorithms have matured.

The distributed denial of service attacks this past February highlighted the need for better ID systems: The attackers are believed to possess only fairly elementary computer knowledge. While previous computer attackers generally had high skill levels, these attackers simply placed scripts onto host computers. Anyone with the ambition can launch one of these attacks. "Really low skill levels are breaking into this arena," Christie says.