No single intrusion detection technique is 100% effective. Anomaly-based products must be carefully configured to recognize normal behavior but may still generate false positives. Signature-based products do not require extensive configuration, but they cannot detect zero-day attacks.
Vendors have responded by developing products that integrate intrusion detection system techniques in a single product. Some vendors have gone further by using an ongoing analysis of normal and abnormal network behavior to create new signatures as a broader intrusion detection technique.
To carry this integration further, users must also consider application-specific protection devices.
Application-specific network behavior analysis tools: No more Web attacks
Web applications are frequently the entry path for serious attacks. E-commerce applications, for example, access internal databases with valuable information (e.g., customer lists and credit card numbers), so they are highly targeted. As a result, Web application firewalls integrate both anomaly-based and signature-based technologies to detect frequently used attack techniques.
Typical Web application attack techniques include:
- SQL injection: The exploitation of a security vulnerability in the database layer of an application.
- Cross-site scripting: Malicious attackers inject client-side script into Web applications.
- OS command injection: Attackers execute OS commands through vulnerable Web applications and can obtain data or upload malicious programs.
Application firewalls use both anomaly- and signature-based intrusion detection techniques
Web application firewalls combine anomaly-based techniques with application-specific methods. For example, requests from a specific client to an e-commerce site are normally spaced at least several seconds apart. A rapid stream of requests, several per second, is likely to indicate an attack. Similarly, most Web applications deliver a limited amount of data in response to each request. A very large response probably indicates an attack that somehow was not caught when the incoming request was scanned.
Web application firewalls also use the signature-based approach, scanning incoming requests against a periodically updated signature list.
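The following is an added example, not code from the article or from any vendor product, showing how the two layers just described fit together in one inspection path: a small, constructed signature list for the three attack classes named above, a sliding-window request-rate check per client, and a response-size check. The thresholds (more than three requests per second, responses over 50,000 bytes) are assumed values chosen for the sample traffic and would be tuned per application; the traffic itself is constructed.

```python
import re
from collections import defaultdict, deque

# --- Signature-based layer ---------------------------------------------------
# Constructed, deliberately small patterns for the three attack classes named in
# the article. A production signature list is far larger and is refreshed from
# the vendor periodically; the matching logic is the same.
SIGNATURES = [
    ("sql_injection", re.compile(r"(%27|')\s*(or|and)\s+\S+\s*=\s*\S+|union\s+select", re.I)),
    ("cross_site_scripting", re.compile(r"<\s*script|javascript:|on(error|load)\s*=", re.I)),
    ("os_command_injection", re.compile(r"[;&|`]\s*(cat|ls|id|wget|curl|nc)\b", re.I)),
]

# --- Anomaly-based thresholds (assumed values; tune per application) ---------
RATE_WINDOW_SECONDS = 1.0     # sliding window length
RATE_MAX_REQUESTS = 3         # more than this many per window per client is abnormal
MAX_RESPONSE_BYTES = 50_000   # a normal page for this application is far smaller


class HybridWebAppFirewall:
    """Combines signature matching on requests with two behavioural checks."""

    def __init__(self):
        # client_ip -> timestamps of that client's requests still inside the window
        self._recent = defaultdict(deque)

    def signature_hits(self, request_line):
        return [name for name, pattern in SIGNATURES if pattern.search(request_line)]

    def rate_exceeded(self, client_ip, ts):
        window = self._recent[client_ip]
        window.append(ts)
        while window and ts - window[0] > RATE_WINDOW_SECONDS:
            window.popleft()          # drop requests that fell out of the window
        return len(window) > RATE_MAX_REQUESTS

    def response_abnormal(self, response_bytes):
        return response_bytes is not None and response_bytes > MAX_RESPONSE_BYTES

    def inspect(self, client_ip, ts, request_line, response_bytes=None):
        """Return the list of findings for one request/response pair (empty if clean)."""
        findings = ["signature:" + name for name in self.signature_hits(request_line)]
        if self.rate_exceeded(client_ip, ts):
            findings.append("anomaly:request_rate")
        if self.response_abnormal(response_bytes):
            findings.append("anomaly:response_size")
        return findings


# Constructed sample traffic: (client_ip, timestamp, request line, response bytes)
SAMPLE_TRAFFIC = [
    ("10.0.0.5", 0.0, "GET /catalog?item=42 HTTP/1.1", 8_200),
    ("10.0.0.5", 4.5, "GET /catalog?item=42' OR 1=1 -- HTTP/1.1", 900),
    ("10.0.0.9", 5.0, "GET /search?q=<script>alert(1)</script> HTTP/1.1", 700),
    ("10.0.0.9", 5.1, "GET /search?q=a HTTP/1.1", 700),
    ("10.0.0.9", 5.2, "GET /search?q=b HTTP/1.1", 700),
    ("10.0.0.9", 5.3, "GET /search?q=c HTTP/1.1", 700),        # fourth request within 1 s
    ("10.0.0.7", 9.0, "GET /export?id=7 HTTP/1.1", 4_000_000),  # request looked clean, response did not
]


def run_sample(traffic=SAMPLE_TRAFFIC):
    """Return {request index: findings} for every request that triggered something."""
    waf = HybridWebAppFirewall()
    results = {}
    for i, (ip, ts, line, size) in enumerate(traffic):
        findings = waf.inspect(ip, ts, line, size)
        if findings:
            results[i] = findings
    return results


if __name__ == "__main__":
    for idx, findings in run_sample().items():
        print(idx, SAMPLE_TRAFFIC[idx][2], "->", ", ".join(findings))
```

The last sample request is the case the article singles out: nothing in the request matched a signature, so only the oversized response reveals that something slipped through the inbound scan.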
Anti-spam as an intrusion detection system: SPF and DKIM
Anti-spam products are generally not considered intrusion detection systems, but trojans and phishing attempts do constitute serious threats to network security. Most anti-spam products are signature-based, but application-specific techniques are also used.
Newly developed spam identification techniques have been integrated over the past few years, including the deployment of two standards: Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). Neither technique actually detects spam; instead, both aim to verify that a message really comes from the sender it claims to come from, which rules out email spoofing.
SPF is an email validation system that lets a domain's administrators publish a list of the hosts permitted to send email for that domain. The goal is to eliminate email spoofing. With DKIM, the sender vouches for each message by placing an electronic signature on it that recipients can verify.
Both standards are limited by the fact that use is optional. Not all senders include SPF or DKIM information. Many legitimate service providers have adopted one or the other protocol, so a reasonable technique is to consider any mail not utilizing one of them to be spam. The downside is that some mail could be erroneously tagged and blocked.
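The policy described in this paragraph can be expressed directly in terms of the results a receiving mail server records in the Authentication-Results header. The example below is added here and is not the article's or any product's code: it parses the SPF and DKIM clauses of that header, accepts mail that passes either check, rejects mail that fails a check the sender did publish, and tags mail carrying neither result as spam. The four headers are constructed, and the "small-vendor" case shows the downside the article names: a legitimate sender using neither standard gets tagged.

```python
import re


def parse_authentication_results(header_value):
    """Return {method: result} from an Authentication-Results header value.

    The first ';'-separated token is the authenticating server's id; each later
    clause begins with 'method=result' (for example 'spf=pass smtp.mailfrom=...').
    Methods the server did not evaluate are simply absent from the dict.
    """
    results = {}
    for clause in header_value.split(";")[1:]:   # drop the authserv-id
        m = re.match(r"([a-z0-9-]+)\s*=\s*([a-z]+)", clause.strip(), re.I)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def classify(header_value):
    """Apply the article's heuristic to one message.

    reject : the sender published SPF or DKIM and this message fails it
    accept : at least one of the two checks passed
    spam   : neither check produced a pass (the sender uses neither standard)
    """
    r = parse_authentication_results(header_value)
    spf, dkim = r.get("spf"), r.get("dkim")
    if spf == "fail" or dkim == "fail":
        return "reject"
    if spf == "pass" or dkim == "pass":
        return "accept"
    return "spam"


# Constructed Authentication-Results values as a receiving server might add them.
SAMPLE_HEADERS = {
    "bank-statement": "mx.example.net; spf=pass smtp.mailfrom=alerts@bank.example; "
                      "dkim=pass header.d=bank.example",
    "newsletter":     "mx.example.net; spf=none smtp.mailfrom=news@list.example; "
                      "dkim=pass (2048-bit key) header.d=list.example",
    "small-vendor":   "mx.example.net; spf=none smtp.mailfrom=info@vendor.example; dkim=none",
    "spoofed-bank":   "mx.example.net; spf=fail smtp.mailfrom=alerts@bank.example; dkim=none",
}


def classify_all(headers=SAMPLE_HEADERS):
    """Classify every sample message; returns {message name: decision}."""
    return {name: classify(value) for name, value in headers.items()}


if __name__ == "__main__":
    for name, decision in classify_all().items():
        print(f"{name:15s} -> {decision}")
```

A site that finds the "small-vendor" false positives too costly can downgrade the final branch from "spam" to a quarantine or scoring input rather than an outright block; the parsing and the pass/fail logic stay the same.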
Anti-spam: Sender reputation as behavior analysis
Filtering based on sender reputation is a more recent addition. This technique depends on the fact that most spam comes from a limited set of sources. Anti-spam devices at customer sites compile lists of senders based on incoming email and report back to the vendor. The vendor collects and combines the customer input and then computes a reputation score for each sender.
The reputation score is based on a series of factors, including the identity of the sender's service provider, country of origin, daily email volume and inclusion of URLs known to link to infected Web pages. The vendor updates its database of senders, combining the latest reports with previous reports, periodically updating customers. Email from sources with extremely poor reputations is blocked, while email from questionable sources can be rate-limited.
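As an added illustration of the vendor-side computation described in these two paragraphs (example code written for this page, not any vendor's algorithm), the block below scores each customer report on the factors the article lists, combines reports for the same sender weighted by the volume each site observed, blends the result into the vendor's previously stored score, and maps the final score to block, rate-limit or allow. The penalty weights, the 0.6 weight on the newest data and the action thresholds are assumptions; the two customer sites and their reports are constructed.

```python
from dataclasses import dataclass


@dataclass
class SenderReport:
    """What one customer-site anti-spam device reports to the vendor about a sender."""
    site: str
    sender: str                 # sending host as seen by the customer
    daily_volume: int           # messages received from it in the reporting period
    spam_ratio: float           # fraction the site's own filters flagged (0..1)
    bad_url_ratio: float        # fraction carrying URLs on the infected-page list
    provider_known_bad: bool    # sender's service provider is on the vendor's abuse list
    high_risk_country: bool     # country of origin considered high risk


BULK_VOLUME = 10_000      # above this a sender is judged as a bulk mailer
BLOCK_BELOW = 20.0        # score thresholds (assumed)
RATE_LIMIT_BELOW = 50.0
LATEST_WEIGHT = 0.6       # weight of the newest aggregate vs. the stored reputation


def score_report(r):
    """0 (worst) .. 100 (best) for a single report; the penalty weights are assumed."""
    penalty = 60.0 * r.spam_ratio + 30.0 * r.bad_url_ratio
    if r.provider_known_bad:
        penalty += 10.0
    if r.high_risk_country:
        penalty += 5.0
    if r.daily_volume > BULK_VOLUME:
        penalty += 5.0
    return max(0.0, 100.0 - penalty)


def aggregate(reports):
    """Volume-weighted mean of per-site scores, grouped by sender."""
    totals, weights = {}, {}
    for r in reports:
        totals[r.sender] = totals.get(r.sender, 0.0) + score_report(r) * r.daily_volume
        weights[r.sender] = weights.get(r.sender, 0) + r.daily_volume
    return {s: totals[s] / weights[s] for s in totals if weights[s]}


def update_reputation(stored, latest):
    """Blend the new aggregate into the stored score (exponential smoothing),
    so one good or bad period moves a sender gradually rather than all at once."""
    updated = dict(stored)
    for sender, score in latest.items():
        if sender in updated:
            updated[sender] = (1 - LATEST_WEIGHT) * updated[sender] + LATEST_WEIGHT * score
        else:
            updated[sender] = score          # first sighting: take the aggregate as-is
    return updated


def action_for(score):
    if score < BLOCK_BELOW:
        return "block"
    if score < RATE_LIMIT_BELOW:
        return "rate-limit"
    return "allow"


# Constructed reports from two customer sites, plus the vendor's stored scores.
SAMPLE_REPORTS = [
    SenderReport("siteA", "mta.bulk.example", 30_000, 1.0, 0.5, True, True),
    SenderReport("siteB", "mta.bulk.example", 10_000, 1.0, 0.5, True, True),
    SenderReport("siteA", "news.list.example", 50_000, 0.1, 0.0, False, False),
    SenderReport("siteB", "news.list.example", 50_000, 0.2, 0.0, False, False),
    SenderReport("siteA", "relay.unknown.example", 500, 0.5, 0.2, False, True),
]
STORED_REPUTATION = {"mta.bulk.example": 20.0, "relay.unknown.example": 30.0}


def run_sample(reports=SAMPLE_REPORTS, stored=STORED_REPUTATION):
    """Return {sender: (updated score rounded to 2 places, action)}."""
    updated = update_reputation(stored, aggregate(reports))
    return {s: (round(v, 2), action_for(v)) for s, v in updated.items()}


if __name__ == "__main__":
    for sender, (score, action) in run_sample().items():
        print(f"{sender:25s} {score:6.2f}  {action}")
```

In the sample, relay.unknown.example scores 59 on its latest report but its stored score of 30 pulls the blended result to 47.4, so it is rate-limited rather than allowed; that is the "questionable source" case the article describes.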
Detecting abnormal network behavior in a VoIP environment
VoIP is another application that benefits from integrated anomaly and signature-based solutions. Hackers attempt to gain access to make free calls or to deny service to legitimate callers. They may also break into the system to make a large number of nuisance calls -- the voice equivalent of spam. VoIP security devices integrate methods specific to VoIP protocols plus both anomaly- and signature-based methods.
Combining prevention devices with host and workstation software
The scope, complexity and potential cost of attacks require the use of all of the techniques: anomaly-based, signature-based and application-specific methods. Because attacks can enter the network without passing through an Internet connection point, intrusion prevention devices must be installed at crucial internal locations as well as at gateways. Finally, host- and workstation-based software provides an additional level of protection. Solutions are available that combine all of these components, share information among them, and together create a comprehensive, integrated defense.
About the author:
David B. Jacobs of The Jacobs Group has more than 20 years of networking industry experience. He has managed leading-edge software development projects and consulted to Fortune 500 companies as well as software startups.