Lawrence R. Halme
R. Kenneth Bauer
Arca Systems, Inc.
2540 North First St., Suite 301
San Jose, CA 95131-1016
Efforts to combat computer system intrusions have historically included preventive design, configuration, and operation techniques to make intrusion difficult. Acknowledging that, by bowing to functionality concerns and budgetary constraints, these efforts will be imperfect, it was suggested that intrusions be detected by analyzing collected audit data. The study of anomaly detection was prefaced by the postulate that it would be possible to distinguish between a masquerader and a legitimate user by identifying deviation from historical system usage [AND80]. It was hoped that an audit analysis approach would be useful to identify not only crackers who had acquired identification and authentication information to permit masquerading as legitimate users, but also legitimate users who were performing unauthorized activity (misfeasors). Clandestine users able to bypass the security mechanisms were another identified problem, but considered more difficult to detect since they could influence system auditing.
Early hands-on experimentation confirmed that user work patterns could be distinguished using existing audit trails [HAL86]. Techniques were debated to make auditing, which was originally designed primarily for accounting purposes, more useful to security analysis. A model was developed which theorized much of the framework for a general-purpose intrusion detection system [DEN87]. Intrusion detection researchers split into two camps -- those seeking attack signatures in the audit data which announce known misuse (e.g., MIDAS [SEB88]), and those seeking evidence of usage which is anomalous from historical norms (e.g., IDES [LUN88a]). The complementary combination of these approaches into an investigative tool with autonomous response to particularly threatening deviance was suggested [HAL88]. Survey papers attest to the dramatic growth in the number of research efforts investigating different anomaly and misuse detection approaches ([LUN88b], [TIS90]).
The early Nineties saw test and commercial installation and operation of a number of IDSs including SRI's IDES and NIDES, Haystack Laboratory Inc.'s Haystack and Stalker, and the Air Force's Distributed Intrusion Detection System (DIDS). Emphasis broadened to include integration of audit sources from multiple heterogeneous platforms, and platform portability. Distributed intrusion detection is the focus of work at the University of California at Davis [HEBE92] and at the Air Force [DIDS91]. Intrusion detection continues to be an active field of research.
Although much has been learned from these research-driven efforts, their focus has been on developing optimized techniques to detect intrusions. Less thought has been given to creating an operational view of complementary anti-intrusion approaches. Computer and Internet misuse has become a frequent topic of today's mainstream media, and the demand for anti-intrusion technology is exploding. However, intrusion detection products are as yet esoteric and not well integrated to work together with complementary approaches such as intrusion preventing firewalls. The taxonomy we present in this paper seeks to give perspective and aid understanding. It provides the basis for the formulation of a systematic and comprehensive anti-intrusion approach categorization and promotes multiple approach solutions.
Over the past fifteen years a great deal of emphasis has been placed on detection as the most fruitful area for research and development to combat intrusive activity (both from external crackers as well as insiders abusing their privileges). Less considered have been other complementary anti-intrusion techniques which can play valuable roles. As work environments become more interconnected and exposed, service providers will need increasingly to rely on a wide range of anti-intrusion techniques, not just IDS's. This paper organizes these techniques (illustrated in Figure 1) into the Anti-Intrusion Taxonomy (AINT). The "filtering" of successful intrusions is graphically depicted by the narrowing of the successful intrusion attempt band.
The following text describes the six anti-intrusion approaches. We also provide an analogous real-world illustration of each approach as applied to combating the possibility of having your wallet stolen walking down an urban street. Sections follow which elaborate how these approaches apply to computer systems under the AINT.
Intrusion Prevention techniques (enforced internally or externally to the system) seek to preclude or at least severely handicap the likelihood of success of a particular intrusion. These techniques help ensure that a system is so well conceived, designed, implemented, configured, and operated that the opportunity for intrusions is minimal. Because built-in prevention seeks to make it impossible for an intrusion to occur on the target system, it may be considered the strongest anti-intrusion technique. Ideally, this approach would prevent all intrusions, negating the need for detection and consequent reaction techniques. Nevertheless, in a real world system this technique alone proves untenable and unlikely to be implemented without some remaining exploitable faults and dependence on configuration/maintenance. Add-on prevention measures augmenting the defenses of an existing system include vulnerability scanning tools and network firewalls.
Intrusion Preemption techniques strike offensively prior to an intrusion attempt to lessen the likelihood of a particular intrusion occurring later. This approach includes such techniques as education of users, promoting legislation to help eliminate an environment conducive to intrusion, taking early action against a user who appears increasingly to be straying from the straight-and-narrow, and infiltrating the cracker community to learn more about techniques and motivation. Rather than the reactive defenses offered by detection and countermeasures, preemption refers to proactive action against the source of as yet unlaunched intrusions. Unchecked use of these techniques can pose civil liberty questions.
Intrusion Deterrence seeks to make any likely reward from an intrusion attempt appear more troublesome than it is worth. Deterrents encourage an attacker to move on to another system with a more promising cost-benefit outlook. This approach includes devaluating the apparent system worth through camouflage, and raising the perceived risk of being caught by displaying warnings, heightening paranoia of active monitoring, and establishing obstacles against undesired usage. Intrusion deterrents differ from intrusion prevention mechanisms in that they are weaker reminder/discomfort mechanisms rather than serious attempts to preclude an intrusion.
Intrusion Deflection dupes an intruder into believing that he has succeeded in accessing system resources, whereas instead he has been attracted or shunted to a specially prepared, controlled environment for observation (i.e., a "playpen" or "jail"). Controlled monitoring of an unaware intruder spreading out his bag of tricks is an excellent source of attack information without undue risk to the "real" system [STO89]. Some system-enforced deflection techniques may be considered a special type of countermeasure, but the concept also includes techniques which do not require the protected system to have ever been accessed by the intruder (e.g., "lightning-rod systems").
Intrusion Detection encompasses those techniques that seek to discriminate intrusion attempts from normal system usage and alert the SSO. Typically, system audit data is processed for signatures of known attacks, anomalous behavior, and/or specific outcomes of interest. Intrusion detection, and particularly profiling, is generally predicated upon the ability to access and analyze audit data of sufficient quality and quantity. If detection is accomplished in near real-time, and the SSO is available, he could act to interrupt the intrusion. Because of this necessity for a human to be available to intervene, Intrusion Detection is not as strong an approach as Intrusion Countermeasures as it is more likely that intrusion efforts will complete before manual efforts can interrupt the attack. Intrusion Detection may be accomplished after the fact (as in postmortem audit analysis), in near-real time (supporting SSO intervention or interaction with the intruder, such as network trace-back to point of origin), or in real time (in support of automated countermeasures).
Anomaly Detection compares observed activity against expected normal usage profiles which may be developed for users, groups of users, applications, or system resource usage. Audit event records which fall outside the definition of normal behavior are considered anomalies.
Misuse detection essentially checks for "activity that's bad" by comparison with abstracted descriptions of undesired activity. This approach attempts to draft rules describing known undesired usage (based on past penetrations or activity that is theorized to exploit known weaknesses) rather than describing historical "normal" usage. Rules may be written to recognize a single auditable event that in and of itself represents a threat to system security, or a sequence of events that represent a prolonged penetration scenario. The effectiveness of provided misuse detection rules is dependent upon how knowledgeable the developers (or subsequently SSOs) are about vulnerabilities. Misuse detection may be implemented by developing expert system rules, model based reasoning or state transition analysis systems, or neural nets.
Hybrid Detectors adopt some complementary combination of the misuse and anomaly detection approaches run in parallel or serially. Activity which is flagged as anomalous may not be noticed by a misuse detector monitoring against descriptions of known undesirable activity. For example, simple browsing for files that include the string "nuclear" may not threaten the security or integrity of the system, but it would be useful information for an SSO to review if it was anomalous activity for a particular account. Likewise, an administrator account may often demonstrate access to sensitive files and have a profile to permit this, but it would be useful for this access to still be checked against known misuse signatures. There has been a fairly strong consensus in the anti-intrusion community that effective and mature intrusion detection tools need to combine both misuse and anomaly detection. There is increasing operational field evidence that anomaly detection is useful, but requires well briefed SSOs at each site to configure and tune the detector against a high rate of false positives. Anomaly detection systems are not turnkey and require sophisticated support at least until profiles have stabilized.
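The anomaly, misuse and hybrid approaches above, worked through on a handful of constructed audit records. This is an added example, not code from the paper or from any of the systems it cites; the record format, the account names, their profiles and the two misuse rules are all assumed. It reproduces the paper's two cases: an in-profile administrator access that is still checked against misuse rules, and an odd-but-harmless search that only the anomaly side notices.

```python
"""Hybrid anomaly + misuse detector over constructed audit records.
Added example for this page's anomaly/misuse/hybrid discussion, not the
paper's code; record format, accounts, profiles and rules are all assumed."""
import re

# Constructed audit records: (account, action, target).
AUDIT = [
    ("alice", "read", "/proj/reports/q1.txt"),
    ("alice", "search", "nuclear"),        # odd for alice, but not misuse
    ("root", "read", "/etc/shadow"),        # within root's profile, not misuse
    ("root", "exec", "/tmp/.hidden/sh"),    # within root's profile, yet known-bad
    ("bob", "read", "/home/bob/notes.txt"),
    ("bob", "write", "/etc/shadow"),        # both anomalous and known-bad
]
# Anomaly side: per-account "normal usage" profiles as (action, target prefix)
# pairs, standing in for what would be learned from historical audit data.
PROFILES = {
    "alice": {("read", "/proj/"), ("write", "/proj/")},
    "root": {("read", "/etc/"), ("write", "/etc/"), ("exec", "/")},
    "bob": {("read", "/home/bob/")},
}
# Misuse side: rules for activity that is undesirable no matter who does it.
MISUSE_RULES = [
    ("exec from temp dir", re.compile(r"^exec:/tmp/")),
    ("shadow file write", re.compile(r"^write:/etc/shadow$")),
]

def is_anomalous(account, action, target):
    """True when the event falls outside the account's normal-usage profile."""
    profile = PROFILES.get(account, set())
    return not any(action == a and target.startswith(p) for a, p in profile)

def misuse_matches(action, target):
    """Names of the misuse rules the event triggers (possibly none)."""
    key = f"{action}:{target}"
    return [name for name, pat in MISUSE_RULES if pat.search(key)]

def hybrid_detect(records):
    """Run both detectors in parallel on each record; return alerts as
    (account, action, target, tags). In-profile events are still checked
    against misuse rules, and in-profile non-misuse events stay silent."""
    alerts = []
    for account, action, target in records:
        tags = misuse_matches(action, target)
        if is_anomalous(account, action, target):
            tags.append("anomaly")
        if tags:
            alerts.append((account, action, target, tuple(tags)))
    return alerts
```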
Intrusions may be detected by the continuous active monitoring of key "system health" factors such as performance and an account's use of key system resources. This technique is more flexible and sophisticated than Static Configuration Checkers, as such a tool would be run continuously as a background process. It concentrates on identifying suspicious changes in system-wide activity measures and system resource usage. An example is to monitor network protocol usage over time, looking for ports experiencing unexpected traffic increases. Work needs to be done to develop and tune system-wide measures, and to understand the significance of identified variations.
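The port-traffic case from the paragraph above as a continuously running check, added here as an example rather than taken from the paper. It keeps a sliding window of per-interval packet counts for each port and flags a port whose latest count jumps well above its own recent baseline; the window size, the threshold rule and the sample counts are assumed.

```python
"""Continuous 'system health' check: per-port traffic vs. its running baseline.
Added example for this page's point about watching network protocol usage over
time; not the paper's code. Window size, threshold and sample counts are assumed."""
from collections import deque
from statistics import mean, pstdev

class PortTrafficMonitor:
    """Keeps a sliding window of per-interval packet counts for each port and
    flags a port whose latest count is far above its own recent baseline."""
    def __init__(self, window=6, k=3.0, min_count=20):
        self.window = window        # past intervals kept per port
        self.k = k                  # std devs above the mean that count as unexpected
        self.min_count = min_count  # absolute floor so tiny blips are ignored
        self.seen = 0               # intervals observed so far
        self.history = {}
    def _hist(self, port):
        if port not in self.history:
            # A port first seen now was silent in every earlier interval.
            zeros = [0] * min(self.seen, self.window)
            self.history[port] = deque(zeros, maxlen=self.window)
        return self.history[port]
    def observe(self, counts):
        """counts maps port -> packets in the latest interval. Returns a list of
        (port, count, baseline_mean) for unexpected increases, then folds the
        interval into every port's history (absent ports contribute zero)."""
        flagged = []
        for port, n in counts.items():
            hist = self._hist(port)
            if len(hist) >= 3:              # judge only once a baseline exists
                mu, sigma = mean(hist), pstdev(hist)
                if n >= self.min_count and n > mu + self.k * max(sigma, 1.0):
                    flagged.append((port, n, mu))
        for port, hist in self.history.items():
            hist.append(counts.get(port, 0))
        self.seen += 1
        return flagged

# Constructed per-interval counts: ports 22 and 80 are steady; port 5555 is
# silent, shows a tiny blip, then suddenly lights up.
SAMPLE = [
    {22: 40, 80: 200}, {22: 42, 80: 210}, {22: 38, 80: 190},
    {22: 41, 80: 205}, {22: 39, 80: 198, 5555: 3}, {22: 40, 80: 202, 5555: 90},
]
def run_sample(intervals=SAMPLE):
    mon = PortTrafficMonitor()
    alerts = []
    for counts in intervals:
        alerts.extend(mon.observe(counts))
    return alerts
```

Tuning `k` and `min_count` per site is the "work to be done" the paragraph mentions: too low and ordinary load swings page the SSO, too high and a slow ramp on a quiet port is never noticed.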
Intrusion Countermeasures empower a system with the ability to take autonomous action to react to a perceived intrusion attempt. This approach seeks to address the limitation of intrusion detection mechanisms which must rely on the constant attention of an SSO. Most computing environments do not have the resources to devote an SSO to full-time intrusion detection monitoring, and certainly not for 24 hours a day, seven days a week. Further, a human SSO will not be able to react at machine processing speeds if an attack is automated -- the recent IP spoofing attack attributed to Kevin Mitnick was largely automated and completed in less than eight minutes [SHI95]. Entrusted with proper authorization, a system will have much greater likelihood of interrupting an intrusion in progress, but runs the risk of falsely reacting against valid usage. What must be prevented is the case where a user is doing something unusual or suspicious, but for honest reasons, and is wrongfully burdened by a misfiring countermeasure. The concern that a General Brassknuckles will be enraged by being rudely locked out of the system because he runs over the allowed page count for printouts merely reflects an avoidable, overly aggressive countermeasure configuration.
Two primary intrusion countermeasure techniques are autonomously acting IDS's and alarmed system resources. Although the former may be considered simply giving intrusion detection techniques teeth, the latter will react to suspicious actions on the system without ever processing audit data to perform "detection".
ICE offers a number of advantages over manually reviewed IDSs. A system can be protected without requiring an SSO to be constantly present, and able and willing to make instant, on-the-spot complex decisions. ICE offers non-distracted, unbiased, around-the-clock response to even automated attacks. Because ICE suffers from the same discrimination and profile management issues as intrusion detection mechanisms, but with potentially no human intervention, care must be taken that service is not disrupted at a critical time by engineered denial of service attacks.
This paper has established a comprehensive anti-intrusion taxonomy by working top-down at a theoretical level, and bottom-up by surveying implemented approaches and those discussed in the referenced literature. Exercising the taxonomy against real life analogies firmed and increased intuitive grasp of the concepts. New anti-intrusion techniques will continue to be developed in this rapidly evolving field of research which may expand our taxonomy. This taxonomy will serve as a useful tool to catalog and assess the anti-intrusion techniques used by a particular anti-intrusion system implementation. It is hoped that our technique organization will provide new insight to the anti-intrusion research community. The authors are active workers in the field and would be pleased to correspond regarding additions or modifications.