How do you know if your network is under attack? You have to have some sort of intrusion-detection system operating. And once it's operating, the detection system must be able to determine whether the intrusion is benign or not. This requires the design of an analyzer, which has several functions. This tip, excerpted from Intrusion Detection by Rebecca Gurley Bace, published by New Riders, talks about some of the functions of the intrusion analyzer.
In the analysis morel, the first phase is the construction of the analysis engine. The analysis engine performs the core functions of preprocessing, classification and postprocessing. For the engine to function properly, regardless of analysis approach, it must be tailored to the environment in which it is to operate; hence this phase is necessary even in rudimentary systems where it is performed solely as part of system development.
Collect and/or Generate Event Information
The first step of constructing the analyzer is collecting event information. Depending on the analysis approach, this phase might involve collecting event information generated by a system functioning in an operational environment, or collecting event information in a laboratory environment. In some cases, the event information may be handcrafted by a developer working from a set of formal specifications.
--Misuse detection. For misuse detection, this part of the process involves gathering information about intrusions, including information about vulnerabilities, attacks, threats, specific attack tools and observed scenarios of interest. At this time, information is also gathered about typical discretionary policies, procedures and practices so that the behavioral model can accommodate organization-specific policy violations as well as problems associated with external attack.
--Anomaly detection. For anomaly detection, event information is collected from the live system itself or from a system designated as similar. This information is needed to build baseline profiles indicating "normal" user behavior.
Related book
Intrusion Detection
Author : Rebecca Bace
Publisher : Macmillan Technical Publishing
ISBN/CODE : 1578701856
Cover Type : Hard Cover
Pages : 368
Published : Jan. 2000
Summary:
Intrusion detection is a critical new area of technology within network security. An intrusion-detection system serves as a system alert for unauthorized access for networks and systems connected to the Internet. This comprehensive guide to the field of intrusion detection covers the foundations of intrusion detection and system audit. Intrusion Detection provides a wealth of information, ranging from design considerations and how to evaluate and choose the optimal commercial intrusion detection products for a particular networking environment.
