Although intrusion detection is rapidly becoming a standard component
in security management infrastructures, it is still a young technology. Many
issues stand in the way of optimizing the performance of intrusion detection,
especially as it evolves with the network landscape it's charged with monitoring
and protecting. In this chapter, we will discuss some of these issues, along
with strategies that might rectify them.
As the reach of computer networking
increases, monitoring large mission-critical networks (such as those belonging
to major Internet service providers [ISPs] or backbone providers) becomes
a gargantuan feat. As the threat environment becomes more hostile and customers
demand more secure network connectivity, monitoring also becomes more vital
to these organizations.
Scalability refers to how well a particular solution
to a problem works when the size of the problem grows. Several challenges
are associated with scaling intrusion detection approaches to large complex
networks. Given the traditional approaches to performing network audit and
intrusion detection, the issues in scalability extend across different dimensions.
We consider the two most common issues, scaling over time and scaling over
Consider the issues associated with scaling intrusion detection over time. Intrusions,
you may recall from Chapter 4, “Analysis Schemes,”
appear to the analysis engine as partially ordered sequences of events or
state transitions. Therefore, to recognize suspicious activity, the intrusion
detection system must consider the event stream as a function of time. This
requirement is usually not an issue when monitoring for events driven by an
attack script or intrusion tool because
the progression of events is rapid.
However, what if an attacker, in a deliberate attempt to defeat the
intrusion detection system, does a “slow attack” in which the
steps of the attack are stretched over minutes, hours, days, or longer? This
situation is worrisome, both because the scarcity of attack data allows the
attacker to bury the attack in the background noise of event traffic and because
most systems don't keep enough event data to track across an extended time
Although some slow host-level attacks might be blocked by session timeout
rules (especially when augmented by integrity checkers to detect alterations
in system executables), other scenarios can show up as slow attacks. An example
of such a scenario is an insider attack (that is, an authorized user overstepping
his or her privileges on a particular system) in which existing protections
rely on anomaly-detection-based characterization of user behavior. In this
scenario, the user gradually changes his or her pattern of behavior until
the system allows misuse.
In current intrusion detection systems, efficient memory utilization
is critical, lest data structures grow to the extent that they overflow available
memory, ultimately crashing the intrusion detection engine. Therefore, many
operational intrusion detection systems limit the amount of event data they
retain over time. These memory limitations constrain the time window over
which the system can “see” the progress of an extended attack,
enabling attackers to mount slow attacks. In fact, “slow scan”
tools, which have been posted to many hacker sites, are already in common
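To make the memory-versus-time-window trade-off concrete, here is an added example (not from the book) that contrasts a detector retaining only the last N raw events with one that keeps a compact per-source summary; the trace, thresholds and timings are constructed for the illustration.

```python
from collections import defaultdict, deque

SCAN_THRESHOLD = 10      # distinct destination ports from one source = sweep (assumed)
NOISE_SECONDS = 8000     # length of the constructed trace in seconds

def constructed_events():
    """Constructed trace of (time_s, src_ip, dst_port), sorted by time.
    Background: 20 hosts each fetching port 80 once every 20 seconds.
    Fast scan: 10.0.0.5 probes 12 ports in 6 seconds.
    Slow scan: 10.0.0.9 probes one port every 10 minutes (timings assumed)."""
    events = [(t, "10.1.0.%d" % (t % 20), 80) for t in range(NOISE_SECONDS)]
    events += [(100 + i * 0.5, "10.0.0.5", 20 + i) for i in range(12)]
    events += [(1000 + i * 600, "10.0.0.9", 20 + i) for i in range(12)]
    return sorted(events)

def bounded_buffer_detector(events, buffer_size=50):
    """Keeps only the last buffer_size raw events: memory is bounded, but the
    time window the detector can 'see' shrinks to whatever those events span."""
    buf, flagged = deque(maxlen=buffer_size), set()
    for ev in events:
        buf.append(ev)
        ports = defaultdict(set)
        for _, src, port in buf:
            ports[src].add(port)
        flagged |= {s for s, p in ports.items() if len(p) >= SCAN_THRESHOLD}
    return flagged

def per_source_summary_detector(events, idle_timeout=3600):
    """Keeps one compact record per source (port set + last-seen time) and
    forgets a source only after idle_timeout seconds of silence: memory scales
    with the number of active sources, not with event volume or elapsed time."""
    state, flagged = {}, set()
    for t, src, port in events:
        # Evict sources that have been silent longer than idle_timeout.
        for s in [s for s, (_, last) in state.items() if t - last > idle_timeout]:
            del state[s]
        ports, _ = state.get(src, (set(), t))
        ports.add(port)
        state[src] = (ports, t)
        if len(ports) >= SCAN_THRESHOLD:
            flagged.add(src)
    return flagged

if __name__ == "__main__":
    evs = constructed_events()
    print("bounded buffer flags :", bounded_buffer_detector(evs))   # only the fast scan
    print("per-source summaries :", per_source_summary_detector(evs))  # both scans
```

The bounded buffer never holds more than one probe from the slow scanner at a time, so it only ever sees the fast scan; the per-source summary catches both while holding at most a few dozen records.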
The other aspect of intrusion detection scalability
is how well it works when the network monitored increases from hundreds of
hosts to thousands or even millions of hosts. As networked systems become
ubiquitous, this scenario is common in large organizations. The issues associated
with this scalability translate into a plethora of other issues covered elsewhere
in this chapter.
For instance, how can an intrusion detection system track attacks that
are traversing a large global network, utilizing a variety of communications
media with differing link speeds, thereby distorting the time sequence of monitored
information? Certain large networks must contend with significant clock
skew (that is, the differential between individual system clocks)
when no central time server is available.
Another such situation exists in designs that utilize hierarchical intrusion
detection architectures to organize monitoring systems into reporting or control
tree structures. These require a means of aggregating the monitoring results
at various points in the tree, allowing some regional reduction of data.
Finally, issues are associated with displaying
the results of large, network-wide intrusion detection systems so network
managers can interpret them. There may be a need to overlay these results
on information from a network management system.
One approach to dealing with scaling
intrusion detection to large networks comes from a research project sponsored
by the Defense Advanced Research Projects Agency (DARPA).
The Graph-Based Intrusion Detection System (GrIDS)
project at University of California, Davis, uses a hierarchical aggregation
scheme to scale to larger networks. By allowing a significant reduction of
activity information at each level of the hierarchy, the approach addresses
one of the management obstacles to scalability: the reluctance of domain administrators
to exchange activity information collected within their domains.
GrIDS constructs activity graphs of network hosts and activities, which allow
it to recognize attacks whose hallmarks involve movement across networks.
Two examples are a “sweep” attack, or vulnerability scan, and
a “worm” attack. An example of a sweep is the freeware ISS tool
or SATAN; an example of a worm is the Internet worm of 1988, which spread
to thousands of systems on the Internet, resulting in massive denial of service.1
GrIDS is designed to accept input
from a variety of intrusion detection systems, constructing graphs, which
are passed up the hierarchy, with a function that collapses the graphs into
coarser resolution at each level. The graph engine is driven by a rulebase,
which allows security administrators to specify how graphs can combine, which
graphs represent “bad” activity, and which action to take when
bad activity is recognized. A policy language is included to specify the conditions
under which intrusion triggers should be reported. The system is dynamically
reconfigurable, so it accommodates changes in network structure and configuration.
Although GrIDS does not deal with scalability over time, it represents a
promising strategy for scaling intrusion detection systems across huge networks.
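The hierarchical reduction described above, sketched as an added Python example (not GrIDS code): each department collapses its host-level activity graph into per-department aggregates before passing it up, and the parent applies a sweep rule to the merged graph. Host names, the department layout and the threshold are constructed assumptions.

```python
from collections import Counter

SWEEP_MIN_TARGETS = 6   # assumed rule: one source reaching >= 6 distinct hosts

def domain_of(host):
    """Position in the hierarchy, from constructed names: 'sales-2' -> 'sales'."""
    return host.split("-")[0]

def constructed_connections():
    """Constructed (src, dst) trace: eng-7 sweeps three hosts in each of three
    other departments, so no single department sees enough to call it a sweep."""
    conns = [("eng-7", "%s-%d" % (d, i)) for d in ("sales", "hr", "ops") for i in range(3)]
    conns += [("sales-1", "sales-2")] * 4 + [("hr-1", "hr-3"), ("ops-2", "ops-1")]
    return conns

def domain_graph(conns, domain):
    """Level 0: the activity graph one department's monitors can see, i.e.
    edges (src, dst) -> connection count for destinations inside `domain`."""
    g = Counter()
    for src, dst in conns:
        if domain_of(dst) == domain:
            g[(src, dst)] += 1
    return g

def reduce_graph(graph):
    """Collapse destination hosts into their department before reporting upward:
    (src, dst_domain) -> distinct hosts reached. Per-host detail stays local."""
    reduced = Counter()
    for (src, dst) in graph:
        reduced[(src, domain_of(dst))] += 1
    return reduced

def sweep_sources(reduced):
    """Rule: flag any source whose distinct targets, summed over the domains
    in the graph, reach SWEEP_MIN_TARGETS."""
    per_src = Counter()
    for (src, _), targets in reduced.items():
        per_src[src] += targets
    return {s for s, t in per_src.items() if t >= SWEEP_MIN_TARGETS}

def hierarchical_detection(conns, domains=("eng", "sales", "hr", "ops")):
    """Returns (sweeps any single department can see, sweeps the parent sees
    after merging the children's reduced graphs)."""
    reduced = [reduce_graph(domain_graph(conns, d)) for d in domains]
    local = set().union(*[sweep_sources(r) for r in reduced])
    parent = sweep_sources(sum(reduced, Counter()))   # merge = union of reduced graphs
    return local, parent

if __name__ == "__main__":
    print(hierarchical_detection(constructed_connections()))   # (set(), {'eng-7'})
```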