
Intrusion Detection

From: Intrusion Detection
Author: Rebecca Bace
Publisher: MTP

7. Technical Issues

Although intrusion detection is rapidly becoming a standard component in security management infrastructures, it is still a young technology. Many issues stand in the way of optimizing the performance of intrusion detection, especially as it evolves with the network landscape it's charged with monitoring and protecting. In this chapter, we will discuss some of these issues, along with strategies that might rectify them.

7.1. Scalability

As the reach of computer networking increases, monitoring large mission-critical networks (such as those belonging to major Internet service providers [ISPs] or backbone providers) becomes a gargantuan feat. As the threat environment becomes more hostile and customers demand more secure network connectivity, monitoring also becomes more vital to these organizations.

Scalability refers to how well a particular solution to a problem works when the size of the problem grows. Several challenges are associated with scaling intrusion detection approaches to large, complex networks. Given the traditional approaches to performing network audit and intrusion detection, the issues in scalability extend across different dimensions. We consider the two most common issues, scaling over time and scaling over space.

7.1.1. Scaling over Time

Consider the issues associated with scaling intrusion detection over time. Intrusions, you may recall from Chapter 4, “Analysis Schemes,” appear to the analysis engine as partially ordered sequences of events or state transitions. Therefore, to recognize suspicious activity, the intrusion detection system must consider the event stream as a function of time. This requirement is usually not an issue when monitoring for events driven by an attack script or intrusion tool because the progression of events is rapid.

However, what if an attacker, in a deliberate attempt to defeat the intrusion detection system, does a “slow attack” in which the steps of the attack are stretched over minutes, hours, days, or longer? This situation is worrisome, both because the scarcity of attack data allows the attacker to bury the attack in the background noise of event traffic and because most systems don't keep enough event data to track across an extended time interval.

Although some slow host-level attacks might be blocked by session timeout rules (especially when augmented by integrity checkers to detect alterations in system executables), other scenarios can show up as slow attacks. An example of such a scenario is an insider attack (that is, an authorized user overstepping his or her privileges on a particular system) in which existing protections rely on anomaly-detection-based characterization of user behavior. In this scenario, the user gradually changes his or her pattern of behavior until the system allows misuse.

In current intrusion detection systems, efficient memory utilization is critical, lest data structures grow to the extent that they overflow available memory, ultimately crashing the intrusion detection engine. Therefore, many operational intrusion detection systems limit the amount of event data they retain over time. These memory limitations constrain the time window over which the system can “see” the progress of an extended attack, enabling attackers to mount slow attacks. In fact, “slow scan” tools, which have been posted to many hacker sites, are already in common use.
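The trade-off described above, as an added example that is not from the book: two scan detectors run over a constructed event stream. The first retains raw events for a short window (bounded memory) and misses a scan whose probes are ten minutes apart; the second keeps only a compact per-source summary (distinct-port set plus first-contact time) over a much longer horizon, so the slow scan stays visible without storing every event. Thresholds and the sample hosts are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample events: (timestamp_seconds, source_ip, dest_port).
# 10.0.0.5 probes 6 ports in 6 seconds (fast scan); 10.0.0.9 probes one
# port every 10 minutes (slow scan); 10.0.0.7 is a benign repeat web client.
EVENTS = sorted(
    [(t, "10.0.0.5", 20 + t) for t in range(6)]
    + [(600 * i, "10.0.0.9", 100 + i) for i in range(8)]
    + [(300 * i + 7, "10.0.0.7", 80) for i in range(12)]
)


def window_detector(events, window, threshold):
    """Keep raw events per source for `window` seconds (memory grows with
    event rate); alert when one source touches `threshold` distinct ports
    inside that window. Anything slower than the window is invisible."""
    recent = defaultdict(deque)
    alerts = set()
    for ts, src, port in events:
        q = recent[src]
        q.append((ts, port))
        while q and ts - q[0][0] > window:  # evict events outside the window
            q.popleft()
        if len({p for _, p in q}) >= threshold:
            alerts.add(src)
    return alerts


def summary_detector(events, horizon, threshold):
    """Keep only a per-source summary (first-contact time, set of distinct
    ports) for `horizon` seconds. Memory is bounded by sources x ports, not
    by event volume, so an extended scan can still be correlated."""
    state = {}
    alerts = set()
    for ts, src, port in events:
        first, ports = state.get(src, (ts, set()))
        if ts - first > horizon:  # summary aged out: start a fresh one
            first, ports = ts, set()
        ports.add(port)
        state[src] = (first, ports)
        if len(ports) >= threshold:
            alerts.add(src)
    return alerts


if __name__ == "__main__":
    print("60 s window:", window_detector(EVENTS, window=60, threshold=5))
    print("24 h summary:", summary_detector(EVENTS, horizon=86400, threshold=5))
```

The 60-second window flags only the fast scanner; the 24-hour summary flags both scanners and still leaves the benign client alone.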

7.1.2. Scaling over Space

The other aspect of intrusion detection scalability is how well it works when the network monitored increases from hundreds of hosts to thousands or even millions of hosts. As networked systems become ubiquitous, this scenario is common in large organizations. The issues associated with this scalability translate into a plethora of other issues covered elsewhere in this chapter.

For instance, how can an intrusion detection system track attacks that are traversing a large global network, utilizing a variety of communications media, so that link speeds vary, thereby distorting the time sequence of monitored information? Certain large networks must contend with significant clock skew (that is, the differential between individual system clocks) when no central time server is available.

Another such situation exists in designs that utilize hierarchical intrusion detection architectures to organize monitoring systems into reporting or control tree structures. These require a means of aggregating the monitoring results at various points in the tree, allowing some regional reduction of data.

Finally, issues are associated with displaying the results of large, network-wide intrusion detection systems so network managers can interpret them. There may be a need to overlay these results on information from a network management system.

7.1.3. Case Study: GrIDS

One approach to dealing with scaling intrusion detection to large networks comes from a research project sponsored by the Defense Advanced Research Projects Agency (DARPA). The Graph-Based Intrusion Detection System (GrIDS) project at University of California, Davis, uses a hierarchical aggregation scheme to scale to larger networks. By allowing a significant reduction of activity information at each level of the hierarchy, the approach addresses one of the management obstacles to scalability: the reluctance of domain administrators to exchange activity information collected within their domains.

GrIDS constructs activity graphs of network hosts and activities, which allow it to recognize attacks whose hallmarks involve movement across networks. Two examples are a “sweep” attack, or vulnerability scan, and a “worm” attack. An example of a sweep is the freeware ISS tool or SATAN; an example of a worm is the Internet worm of 1988, which spread to thousands of systems on the Internet, resulting in massive denial of service.1

GrIDS is designed to accept input from a variety of intrusion detection systems, constructing graphs that are passed up the hierarchy, with a function that collapses the graphs into coarser resolution at each level. The graph engine is driven by a rulebase, which allows security administrators to specify how graphs can combine, which graphs represent “bad” activity, and which action to take when bad activity is recognized. A policy language is included to specify the conditions under which intrusion triggers should be reported. The system is dynamically reconfigurable, so it accommodates changes in network structure and configuration.

Although GrIDS does not deal with scalability over time, it represents a promising strategy for scaling intrusion detection systems across huge networks of interest.2
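To make the graph-collapsing idea concrete, here is an added illustration (not GrIDS code, and far simpler than its rulebase): a host-level activity graph is built from constructed connection records, collapsed one level up a host-to-department hierarchy, and a single sweep rule (out-degree at or above a fan-out threshold) is applied at both levels. The host naming scheme and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed connection records (source_host, destination_host). Hosts are
# named "<department>.<host>", so the hierarchy is host -> department.
CONNECTIONS = [
    ("eng.ws1", "eng.ws2"), ("eng.ws1", "eng.ws3"), ("eng.ws1", "eng.ws4"),
    ("eng.ws1", "fin.db1"), ("eng.ws1", "fin.ws7"), ("eng.ws1", "hr.ws2"),
    ("fin.ws7", "fin.db1"), ("hr.ws2", "hr.ws3"),
]


def department(host):
    """Hierarchy function: map a host name to its department node."""
    return host.split(".")[0]


def build_graph(connections):
    """Host-level activity graph: node -> {contacted node: connection count}."""
    graph = defaultdict(lambda: defaultdict(int))
    for src, dst in connections:
        graph[src][dst] += 1
    return graph


def collapse(graph, level):
    """Collapse a graph one level up the hierarchy: map both ends of every
    edge through `level`, drop edges that end up inside a single coarse node
    (activity local to a domain stays with that domain), and sum the weights
    of edges that merge. The parent sees far fewer edges than the child."""
    coarse = defaultdict(lambda: defaultdict(int))
    for src, dsts in graph.items():
        for dst, weight in dsts.items():
            a, b = level(src), level(dst)
            if a != b:
                coarse[a][b] += weight
    return coarse


def sweep_sources(graph, fanout):
    """Rule: a node contacting at least `fanout` distinct nodes is a sweep."""
    return {n for n, dsts in graph.items() if len(dsts) >= fanout}


def edge_count(graph):
    return sum(len(dsts) for dsts in graph.values())


if __name__ == "__main__":
    hosts = build_graph(CONNECTIONS)
    depts = collapse(hosts, department)
    print(edge_count(hosts), "host edges ->", edge_count(depts), "department edges")
    print("host-level sweeps:", sweep_sources(hosts, 5))
    print("department-level sweeps:", sweep_sources(depts, 2))
```

Note that the collapse also discards eng.ws1's three internal-to-eng probes; that lost resolution is the price of the data reduction, which is why the rulebase must decide what each level reports upward.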


© Copyright 2000 InformIT. All rights reserved.