Intrusion Detection Systems: Threats, Taxonomy, Tuning

Author: Richard E. Overill
Journal of Financial Crime, Vol. 6 No. 1 (Computer Crime), pp. 49-51
Published: 1 March 1998
DOI: https://doi.org/10.1108/eb025861
Subject matter: Accounting & finance
THREATS

An intrusion is defined as any set of actions that attempts to compromise the integrity, the confidentiality, or the availability of a resource [1]. Following the pioneering work of Anderson in 1980 [2] it has been recognised that while computer systems and networks need to be protected from unauthorised external access, using firewalls for example, it is not possible to provide an unconditional guarantee of invulnerability to intrusion. There are a number of reasons for this. One is the extreme diversity of intrusions observed, for example password stealing and cracking, masquerade and sniffer attacks, subversion of security controls (via trapdoors, Trojans etc), denial of service attacks, and malicious code (viruses, worms, Trojans, logic bombs etc) [3]. Another reason is that over 70 per cent of attacks on networks are believed to be internal in origin [4].

Thus while the traditional information security approach of Protect, Detect, React is still relevant, the impossibility of providing guaranteed protection for information systems in a networked environment increases the importance of detection, in order that appropriate reactive measures can be implemented. Detection is a crucial element both in terms of information security for individual networks and also in terms of the development of an Indicators and Warnings system for detecting a large-scale attack on a network of networks. Intrusion Detection Systems (IDS) are therefore becoming an increasingly important tool, all the more so in the light of a DISA study showing that 96 per cent of systems managers are unaware that they have suffered an intrusion [5].

At the core of any IDS is a method for analysing the behaviour of users to detect anomalies or misuse. A number of methods have been applied to this problem, and these methods form the basis of a classification scheme or taxonomy.
TAXONOMY

It is convenient to divide IDS into ADS (Anomaly Detection Systems) and MDS (Misuse Detection Systems). ADS are based on the assumption that there exists a normal activity profile for a system, and that any statistically significant deviation from this profile represents the occurrence of an intrusion. Since an ADS assumes that any anomalous activity is necessarily intrusive, it may flag non-intrusive anomalous activities (false positives) and miss non-anomalous intrusive activities (false negatives). MDS on the other hand are based on the assumption that it is possible to represent individual known attack strategies as patterns or signatures which can be looked for. An MDS (like many anti-virus programs) is ineffective against hitherto unknown intrusion strategies and hence needs regular updating. Since an MDS looks for individual patterns or signatures it is possible
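The two detector classes described in the taxonomy, as an added Python illustration that is not part of Overill's article: a statistical anomaly detector (ADS) built from a per-user activity profile, and a signature-based misuse detector (MDS) run over audit lines. The ten-day transfer history, the two signatures and the syslog-style audit lines are all constructed for this example and do not come from any real IDS ruleset. The scenarios exercise exactly the failure modes the text names: the ADS flags a legitimate one-off backup and misses a "low and slow" exfiltration that stays inside the normal band, and the MDS catches the two attacks it has signatures for but says nothing about a variant it has never seen.

```python
import re
import statistics
from dataclasses import dataclass

# ---- ADS: a statistical profile of normal activity; flag significant deviation ----


@dataclass
class Profile:
    mean: float
    stdev: float


def build_profile(history):
    """Fit a normal-activity profile from past daily measurements (here MB uploaded)."""
    return Profile(statistics.mean(history), statistics.pstdev(history))


def anomaly_score(profile, observed):
    """Z-score of an observation against the profile; inf when a flat profile is broken."""
    if profile.stdev == 0:
        return 0.0 if observed == profile.mean else float("inf")
    return (observed - profile.mean) / profile.stdev


def ads_detect(profile, observed, threshold=3.0):
    """ADS rule: anything more than `threshold` standard deviations from the mean
    is treated as intrusive, which is precisely the assumption the text warns about."""
    return abs(anomaly_score(profile, observed)) > threshold


# ---- MDS: signatures of known attack strategies matched against audit lines ----
# Hypothetical signatures written for this illustration, not a real ruleset.
SIGNATURES = {
    "shadow-file-read": re.compile(r"\bcat\b.*\s/etc/shadow\b"),
    "su-root-failure": re.compile(r"FAILED SU \(to root\)"),
}


def mds_detect(line):
    """Return the names of every known signature that matches this audit line."""
    return [name for name, pat in SIGNATURES.items() if pat.search(line)]


# ---- Worked scenarios on constructed data ----
# Ten benign days of one user's outbound transfer volume in MB (constructed).
ALICE_HISTORY = [48, 52, 45, 55, 50, 47, 53, 49, 51, 46]

# Constructed syslog-style audit lines: two known attacks, one unseen variant, one benign.
AUDIT_LINES = [
    "Mar  1 02:14:07 host sudo: alice : COMMAND=/bin/cat /etc/shadow",
    "Mar  1 02:15:30 host su: FAILED SU (to root) alice on /dev/pts/3",
    "Mar  1 02:16:02 host sudo: alice : COMMAND=/usr/bin/tail /etc/shadow",
    "Mar  1 09:00:00 host sudo: alice : COMMAND=/bin/cat /var/log/syslog",
]


def run_scenarios():
    """Run both detectors; returns (ADS verdicts by scenario, MDS matches per line)."""
    profile = build_profile(ALICE_HISTORY)
    ads = {
        # bulk exfiltration: a huge deviation, correctly flagged
        "exfil_900mb": ads_detect(profile, 900),
        # a legitimate one-off backup: anomalous but not intrusive, flagged anyway
        "benign_backup_400mb": ads_detect(profile, 400),
        # low-and-slow exfiltration inside the normal band: intrusive but missed
        "slow_exfil_54mb": ads_detect(profile, 54),
    }
    # the `tail /etc/shadow` line has no signature, so the MDS is silent on it
    mds = [mds_detect(line) for line in AUDIT_LINES]
    return ads, mds


if __name__ == "__main__":
    ads_result, mds_result = run_scenarios()
    for scenario, flagged in ads_result.items():
        print(f"ADS {scenario}: {'ALERT' if flagged else 'quiet'}")
    for line, hits in zip(AUDIT_LINES, mds_result):
        print(f"MDS {hits or 'no match'}: {line}")
```

The threshold of three standard deviations is the tuning knob for the ADS: lowering it would catch the 54 MB day but would also raise the rate of benign alerts, which is the trade-off the article goes on to discuss under tuning.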