Modern business information systems face a variety of threats. Roberts (2005) analyzed CSI/FBI computer crime survey results and found the most significant threats to be viruses, unauthorized access, theft of intellectual property, fraud, and denial of service. Roberts also found that most companies (96% to 97%) use anti-virus software and firewalls, while only 72% have intrusion detection systems and 35% have intrusion prevention systems (Roberts, 2005). Lin (2006) examines the financial impact of cyber-crime based on the 2005 CSI/FBI survey results; as Figure 1 shows, businesses face a substantial financial impact from cyber-crime.
Figure 1 Lin’s Analysis of 2005 CSI/FBI Cyber-crime Survey
Clearly, cyber-crime and computer and network abuse constitute a significant financial risk to businesses. Goodall, Lutters, and Komlodi (2009) further report on the costs and risks associated with the digital world and e-business:
The problem of network security is a practical and pressing concern; a report calculated that the cost to organizations for each security breach is nearly $14 million per incident (Hall, 2007). Perhaps more troubling than the financial cost to organizations is a new form of cyber warfare; the nation of Estonia sustained a prolonged electronic attack on government web sites, requiring a digital quarantine, cutting off all access to the outside world (Kirk, 2007). (Goodall, Lutters, and Komlodi, 2009, p. 93)
In addition to cyber-crime, Filipek (2006) reports that chief information officers are also concerned about insider threats: “66 percent of IT executives perceive insider threats to be an emerging danger to corporate security” (Filipek, 2006). Lin (2006) analyzes 2005 CSI/FBI survey data and finds that “system security incidents were committed by insiders about as often as by outsiders” (Lin, 2006, p. 65).
One of the keys to providing a secure computing environment is rapidly detecting and responding to threats. In an ideal world, systems would not be vulnerable to denial of service attacks, access controls would prevent all unauthorized use of a system, and intrusion detection systems would be unnecessary. Unfortunately, systems have vulnerabilities, access controls are imperfect, and IDSs are a needed supplement to other security measures. Intrusion detection systems (IDSs) seek to identify malicious activity in network traffic and on hosts. IDSs provide detection and notification of attacks in progress or already past. Intrusion prevention systems (IPSs) extend IDS technology with the ability to dynamically adjust network and system configurations to block malicious traffic as it is detected.
Several challenges face IDS/IPS technology. The criminals who produce and use malicious software are strongly motivated by greed or revenge. Sophisticated attacks, including denial of service attacks, are crafted to detect and evade IDS/IPS. Advanced persistent threat (APT) actors and their malware rely on stealth and encryption to evade defensive systems. In addition, increasing network bandwidth is a challenge for systems that must process large volumes of data in real time. As Gonzalez, Paxson, and Weaver (2007) state, “stateful, in-depth, inline traffic analysis for intrusion detection and prevention is growing increasingly more difficult as the data rates of modern networks rise” (Gonzalez, Paxson, and Weaver, 2007).
A review of the literature on intrusion detection systems provides insight into the current and future state of an important information systems security technology.
Types of Intrusion Detection
Methods of Detecting Intrusions
Dorothy Denning is generally credited with the seminal research article on intrusion detection systems. Denning’s 1987 article, “An Intrusion-Detection Model,” presented the first model for a real-time IDS utilizing expert systems (Denning, 1987). Denning describes the motivation and necessity of an intrusion detection system,
The development of a real-time intrusion-detection system is motivated by four factors: 1) most existing systems have security flaws that render them susceptible to intrusions, penetrations, and other forms of abuse; finding and fixing all these deficiencies is not feasible for usual, technical and economic reasons;
2) existing systems with known flaws are not easily replaced by systems that are more secure – mainly because the systems have attractive features that are missing in the more-secure systems, or else they cannot be replaced for economic reasons;
3) developing systems that are absolutely secure is extremely difficult, if not generally impossible; and
4) even the most secure systems are vulnerable to abuses by insiders who misuse their privileges (Denning, 1987, p. 222).
A key hypothesis in Denning’s research, and in the concept of intrusion detection in general, is that system abuse generates abnormalities that are detectable. Denning’s expert-system model of an IDS is the reference model that modern IDSs build upon. Denning characterizes the general operation of an intrusion detection system as “a rule-based pattern matching system” (Denning, 1987, p. 223). The IDS analyzes system and network activity data according to configured rules and statistical models and seeks to identify abnormal events.
Intrusion detection systems generally use some combination of three recognized methods for detecting intrusions: signature-based detection, anomaly-based detection, and stateful protocol analysis (Scarfone and Mell, 2007).
Signature-based Intrusion Detection
Scarfone and Mell describe signature-based intrusion detection systems as simple to implement but limited in capability:
Signature-based detection is the simplest detection method because it just compares the current unit of activity, such as a packet or a log entry, to a list of signatures using string comparison operations. Signature-based detection technologies have little understanding of many network or application protocols and cannot track and understand the state of complex communications (Scarfone and Mell, 2007, p. 2-4).
Because a signature matches a fixed byte or character string, malware authors routinely mutate their code and payloads (for example by re-encoding, reordering, or obfuscating them) so that the known string no longer appears. The same technique is used to evade anti-virus scanners, which are primarily signature-based. In addition, signature-based intrusion detection systems lack an understanding of complex communications and protocol state, which are important for assessing the threat that an alert actually represents.
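As an added illustration (not code from Scarfone and Mell or any of the works reviewed here), the following Python fragment runs a handful of fixed-string signatures over constructed HTTP request payloads. It shows the string-comparison matching described above, how trivial re-encoding of the same attack defeats it, and how far a crude protocol-aware normalization step (URL-decoding, case folding, stripping SQL comment sequences) recovers the match. The signature names, identifiers, and payloads are hypothetical.

```python
"""Fixed-string signature matching over constructed HTTP payloads.

Added example (not from the reviewed literature). Signatures, SIDs and
payloads are hypothetical; the 'content' style is borrowed from common
NIDS rule languages but no real ruleset is reproduced here.
"""
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes


@dataclass(frozen=True)
class Signature:
    sid: int          # hypothetical signature id
    name: str
    pattern: bytes    # fixed byte string compared with plain substring search


SIGNATURES = [
    Signature(1001, "shell-cmd-in-http", b"/bin/sh"),
    Signature(1002, "sql-union-probe", b"UNION SELECT"),
    Signature(1003, "directory-traversal", b"../../"),
]


def normalize_http(payload: bytes) -> bytes:
    """Crude protocol-aware normalization that a plain string matcher lacks:
    URL-decode, replace SQL inline comments used as whitespace, fold case."""
    decoded = unquote_to_bytes(payload)
    decoded = decoded.replace(b"/**/", b" ")
    return decoded.lower()


def match_signatures(payload: bytes, signatures=SIGNATURES, normalize=False) -> list:
    """Return the SIDs whose pattern occurs in the payload.

    With normalize=False this is exactly the string comparison described by
    Scarfone and Mell: the pattern must appear byte for byte.
    """
    if normalize:
        payload = normalize_http(payload)
        return [s.sid for s in signatures if s.pattern.lower() in payload]
    return [s.sid for s in signatures if s.pattern in payload]


# Constructed requests: the same two attacks in plain and mutated form.
SAMPLES = {
    # matches as-is
    "plain": b"GET /cgi-bin/x?cmd=/bin/sh HTTP/1.1",
    # identical command, slashes URL-encoded: the fixed pattern is gone
    "url_encoded": b"GET /cgi-bin/x?cmd=%2Fbin%2Fsh HTTP/1.1",
    # mixed case and /**/ in place of the space between the keywords
    "case_and_comments": b"GET /item?id=1%20uNiOn/**/sElEcT%20password HTTP/1.1",
    # a keyword variant the signature author did not anticipate
    "keyword_variant": b"GET /item?id=1%20UNION%20ALL%20SELECT%20password HTTP/1.1",
}


def scan(payloads: dict, normalize: bool) -> dict:
    """Map each sample name to the list of SIDs that fired."""
    return {name: match_signatures(p, normalize=normalize)
            for name, p in payloads.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print("normalize =", mode, scan(SAMPLES, normalize=mode))
```

Without normalization only the plain request fires; with it, the URL-encoded and case-mangled variants are caught again, but the `UNION ALL SELECT` variant still slips through. Every such variant needs its own signature, which is why signature sets grow without bound and why the anomaly-based and stateful methods below are used alongside them.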
Anomaly-based Intrusion Detection
The Denning model of an IDS relies primarily on anomaly-based detection (Denning, 1987). Scarfone and Mell define anomaly-based detection as “the process of comparing definitions of what activity is considered normal against observed events to identify significant deviations” (Scarfone and Mell, 2007, p. 2-4; see also Fan, et al., 2004). The key advantage of anomaly-based detection is the ability to recognize previously unknown attacks. Anomaly-based detection relies on a profile of normal system and network behavior developed during a training period. Once the normal profile is established, the system goes into production and uses a statistical model to compare captured data against the trained profile. Denning’s 1987 IDS model employs several statistical tests, including a mean and standard deviation model, a multivariate model, a Markov process model, and a time-series model, to evaluate whether or not an activity is abnormal (Denning, 1987).
As Scarfone and Mell explain, a common problem occurs when an intrusion detection system is exposed to malicious traffic during the training period, which effectively trains the system to recognize malicious activity as normal. Other challenges with anomaly-based systems identified by Scarfone and Mell are high false positive rates, caused by the difficulty of training the IDS on all activity that is genuinely normal, and difficulty determining why an alert occurred, caused by the complexity of the IDS (Scarfone and Mell, 2007).
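The following Python example, added here and not taken from Denning (1987) or Scarfone and Mell (2007), implements the mean and standard deviation test on a single metric (failed logins per hour for one account, with constructed hourly counts) and then re-trains the same profile on a training window that already contained a password-guessing run. The second profile absorbs the attack and stops flagging it, which is the training-period problem described above. The median-based screen at the end is one way an operator can check a training set before accepting the profile; it is an added suggestion rather than part of either model.

```python
"""Denning's mean and standard deviation model on one metric, with and
without a poisoned training period.

Added example, not code from Denning (1987) or NIST SP 800-94. The metric
(failed logins per hour for one account) and every count are constructed.
"""
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    mean: float
    stdev: float
    n: int


def train(observations) -> Profile:
    """Build the profile from the training period: mean and (population)
    standard deviation of the metric."""
    if len(observations) < 2:
        raise ValueError("need at least two observations")
    return Profile(statistics.fmean(observations),
                   statistics.pstdev(observations), len(observations))


def is_abnormal(profile: Profile, x: float, d: float = 3.0,
                min_spread: float = 0.5) -> bool:
    """Denning's test: x is abnormal if it falls outside mean +/- d*stdev.
    min_spread stops a training set with no variation at all from producing
    a zero-width interval that would flag every later observation."""
    spread = max(profile.stdev, min_spread)
    return abs(x - profile.mean) > d * spread


def suspicious_training_points(observations, k: float = 5.0,
                               min_spread: float = 0.5) -> list:
    """Screen a training set before accepting it (added suggestion): flag
    points far from the median in units of the median absolute deviation,
    which a few attack hours cannot drag around the way they drag a mean."""
    med = statistics.median(observations)
    mad = max(statistics.median([abs(x - med) for x in observations]), min_spread)
    return [x for x in observations if abs(x - med) > k * mad]


# Constructed: 24 hourly counts of failed logins for one account on a quiet day.
CLEAN_TRAINING = [0, 1, 0, 0, 2, 1, 0, 0, 1, 0, 0, 1,
                  0, 2, 0, 1, 0, 0, 1, 0, 0, 1, 0, 1]
# Same day, but a password-guessing run (40 failures/hour) began six hours
# before the training window closed, so it became part of "normal".
POISONED_TRAINING = CLEAN_TRAINING[:18] + [40] * 6

ATTACK_HOUR = 40      # constructed production observations
QUIET_HOUR = 2


def compare_profiles() -> dict:
    """Run both profiles against the same production observations and
    screen both training sets."""
    clean, poisoned = train(CLEAN_TRAINING), train(POISONED_TRAINING)
    return {
        "clean_flags_attack": is_abnormal(clean, ATTACK_HOUR),
        "clean_flags_quiet": is_abnormal(clean, QUIET_HOUR),
        "poisoned_flags_attack": is_abnormal(poisoned, ATTACK_HOUR),
        "clean_training_outliers": suspicious_training_points(CLEAN_TRAINING),
        "poisoned_training_outliers": suspicious_training_points(POISONED_TRAINING),
    }


if __name__ == "__main__":
    for name, value in compare_profiles().items():
        print(f"{name}: {value}")
```

With the clean profile (mean 0.5, standard deviation about 0.65) an hour with 40 failures is far outside the three-sigma band and fires, while a quiet hour with 2 failures does not. The poisoned profile has a mean above 10 and a standard deviation above 17, so the same 40-failure hour is treated as normal. The median-based screen flags the six attack hours in the poisoned training set and nothing in the clean one, which is the kind of check worth running before a profile is put into production.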
Stateful Protocol Analysis
Stateful protocol analysis, also known as deep packet inspection when applied to networks, is a resource-intensive approach to intrusion detection that “relies on vendor-developed universal profiles that specify how particular protocols should and should not be used” (Scarfone and Mell, 2007, p. 2-5). Stateful protocol analysis provides important capabilities for understanding and responding to attacks. For example:
Stateful protocol analysis can identify unexpected sequences of commands, such as issuing the same command repeatedly or issuing a command without first issuing a command upon which it is dependent. Another state tracking feature of stateful protocol analysis is that for protocols that perform authentication, the IDPS can keep track of the authenticator used for each session, and record the authenticator used for suspicious activity (Scarfone and Mell, 2007, p. 2-6).
In addition, stateful protocol analysis can detect unexpected command lengths, attribute values outside their expected minimum and maximum, and other anomalies that might be missed by signature- and anomaly-based systems (Scarfone and Mell, 2007).
The stateful protocol analysis method of intrusion detection relies upon well-defined and well-behaved protocol models. In cases where a protocol is proprietary, poorly defined, or a vendor implementation deviates from the standard, stateful protocol analysis becomes less accurate (Scarfone and Mell, 2007).
The biggest limitation of stateful protocol analysis for intrusion detection is its resource requirements. Tracking and analyzing state for every session on an enterprise network requires significant processing and memory. As network speeds and the number of concurrent sessions grow, the amount of state that must be tracked grows with them (Scarfone and Mell, 2007). Another limitation of stateful protocol analysis is that an attack can use a protocol entirely correctly and therefore go undetected (Scarfone and Mell, 2007).
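To make the state-tracking features concrete, the following Python example, added here and not taken from Scarfone and Mell or any IDPS product, analyzes a simplified FTP-style command stream against a hand-written protocol profile: which commands are valid in each session state, how many times a command may be repeated consecutively, and a maximum argument length. It records the USER argument as the session's authenticator and attaches it to every alert. The profile, limits, and session traces are constructed, and the example assumes a PASS command succeeds (a real sensor would confirm this from the server's reply).

```python
"""Stateful protocol analysis of a simplified FTP-style command stream.

Added example, not code from Scarfone and Mell (2007) or any IDPS product.
The protocol profile, limits and session traces below are constructed, and
a PASS command is assumed to succeed (a real sensor would wait for the
server's reply before moving the session to the authenticated state).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_ARG_LEN = 64      # hypothetical profile bound on a command argument
MAX_REPEATS = 3       # same command this many times in a row is suspicious

# Which commands the profile expects in each session state.
PROFILE = {
    "start": {"USER", "QUIT"},
    "need_pass": {"PASS", "QUIT"},
    "authed": {"LIST", "RETR", "STOR", "CWD", "QUIT"},
    "closed": set(),
}


@dataclass
class Session:
    state: str = "start"
    user: Optional[str] = None      # authenticator recorded for the session
    last_cmd: Optional[str] = None
    repeats: int = 0


@dataclass
class Alert:
    session: str
    user: Optional[str]
    reason: str
    line: str


class StatefulAnalyzer:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def feed(self, session_id: str, line: str) -> List[Alert]:
        """Check one command against the profile and advance the state."""
        s = self.sessions.setdefault(session_id, Session())
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            s.user = arg        # remember who this session claims to be
        alerts: List[Alert] = []

        # attribute bound: an overlong argument is a classic overflow probe
        if len(arg) > MAX_ARG_LEN:
            alerts.append(Alert(session_id, s.user,
                f"argument of {len(arg)} bytes exceeds profile maximum {MAX_ARG_LEN}", line))

        # unexpected repetition of the same command
        if cmd == s.last_cmd:
            s.repeats += 1
            if s.repeats == MAX_REPEATS:
                alerts.append(Alert(session_id, s.user,
                    f"{cmd} repeated {s.repeats} times in a row", line))
        else:
            s.last_cmd, s.repeats = cmd, 1

        # command issued without the state its prerequisite would have produced
        if cmd not in PROFILE[s.state]:
            alerts.append(Alert(session_id, s.user,
                f"{cmd} issued in state '{s.state}' without its prerequisite", line))

        # state transitions (PASS assumed accepted, see module docstring)
        if cmd == "USER":
            s.state = "need_pass"
        elif cmd == "PASS" and s.state == "need_pass":
            s.state = "authed"
        elif cmd == "QUIT":
            s.state = "closed"
        return alerts


# Constructed traces from four sessions, interleaved as a sensor would see them.
TRAFFIC = [
    ("s1", "USER alice"),
    ("s1", "PASS hunter2"),
    ("s2", "RETR /etc/passwd"),      # retrieval with no USER/PASS first
    ("s1", "LIST"),
    ("s3", "USER bob"),
    ("s3", "PASS first-try"),
    ("s1", "QUIT"),
    ("s3", "PASS second-try"),       # PASS again after already authenticated
    ("s3", "PASS third-try"),
    ("s4", "USER " + "A" * 300),     # overlong username
]


def analyze(traffic) -> List[Alert]:
    analyzer = StatefulAnalyzer()
    alerts: List[Alert] = []
    for session_id, line in traffic:
        alerts.extend(analyzer.feed(session_id, line))
    return alerts


if __name__ == "__main__":
    for a in analyze(TRAFFIC):
        print(f"{a.session} user={a.user!r}: {a.reason}")
```

Session s1 is a clean login and produces nothing. Session s2 issues RETR with no prior USER/PASS, s3 keeps sending PASS after it is already authenticated (both an out-of-state command and a repetition), and s4 sends a 300-byte username; every alert for s3 carries the recorded authenticator "bob". None of these would be caught by a fixed-string signature, and a per-host rate profile would see s3 as only three short commands.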
Means of Detecting Intrusions
There are two main ways to deploy intrusion detection systems: on the network and on hosts. Network-based intrusion detection systems analyze network traffic to identify threats; Scarfone and Mell place network-based, wireless, and network behavior analysis systems in this group (Scarfone and Mell, 2007). Host-based intrusion detection systems “[monitor] the characteristics of a single host and the events occurring within that host for suspicious activity” (Scarfone and Mell, 2007). There is a trend among software vendors toward integrating anti-virus, anti-spyware, host-based firewalls, and host-based intrusion detection into endpoint protection suites.
Trends in Intrusion Detection Research
Research into general improvements to intrusion detection systems based on the Denning model is ongoing. Alfaro, et al. (2008) investigate formalizing the configuration of intrusion detection systems as a means of ensuring that these systems’ complex rule sets reflect the intended security policies. The statistical models are refined, updated, and improved as new techniques are discovered, such as Goonatilake, et al.’s (2007) analysis of chi-square goodness-of-fit tests for anomaly-based intrusion detection. New methods are developed for detecting attack types, such as man-in-the-middle attacks on switched LANs, that IDSs did not previously detect (Trabelsi and Shuaib, 2008). Protecting intrusion detection systems from distributed denial of service attacks is another critical research area, as a DDoS attack can cripple an IDS and leave an organization deaf and blind to incoming attacks (Chen, Chen, and Delis, 2007; Sodiya, Longe, and Akinwale, 2004). In addition, research is underway to enable intrusion detection systems to keep pace with the ever-increasing data volumes that result from growth in processing power and network bandwidth (Xinidis, et al., 2006; Gonzalez, et al., 2007).
Intrusion Prevention and Autonomic Network Defense Systems
Intrusion detection systems provide a valuable service to security practitioners seeking to defend systems and networks from attack. By identifying and alerting on an attack as it occurs, IDSs provide the trigger for an efficient and effective incident response. Intrusion prevention systems extend IDS technology with automated response to threats. An IPS may add firewall rules, shut down network ports, or initiate other actions in response to a detected attack.
The leading edge of IPS research is referred to as autonomic network defense. Autonomic network defense treats networks and systems holistically and applies an immune-system metaphor to the defense of an organization’s systems and networks as a whole. In contrast to traditional defense-in-depth strategies, the autonomic approach attempts to provide a whole-system solution instead of many overlapping, piecemeal defenses. Anagnostakis et al. (2007) describe a system of cooperating, collaborating autonomous agents that “share information about the spread of malicious virus in the Internet and use this information for controlling the behavior of detection and filtering resources” (Anagnostakis, et al., 2007, p. 374). Because of their distributed nature, autonomic network defense systems may prove more resilient to denial of service attacks than current systems.
Intrusion prevention systems are an active area of research and development that promise to improve businesses’ defensive posture. However, as Goodall, Lutters, and Komlodi state, “because of false positives and the potential for self-damaging responses to inaccurate alerts, all of our participants agreed that fully automated IDSs are never a completely effective solution, and despite attempts at automated solutions, there is no substitute for the intuition that human analysts bring to bear on the process” (Goodall, Lutters, and Komlodi, 2009, p. 93).
Security Information Management Systems
Correlating alerts from host and network intrusion detection systems, firewalls, intrusion prevention systems, anti-virus, and anti-spyware can result in information overload for security practitioners. Providing tools that enable more efficient and effective processing and analysis of security information is critical. As Debar and Viinikka describe, “Owing to the volume and diversity of security and log information sources, SIM platforms have emerged in recent years as the solution for concentrating heterogeneous logs and providing the security officer with a homogenous view of the security state of its information system” (Debar and Viinikka, 2006, p. 417). Security information management research dovetails with autonomic network defense:
SIM will continue to foster research in alert correlation, leading to more complex scenarios that actually provide reliable threat information to the security officer. Once this stage is reached, we will see a large body of research taking place on automated countermeasures, i.e. ensuring that attacks are dealt with efficiently and accurately, with as little human intervention as possible. (Debar and Viinikka, 2006, p. 433)
Goodall, et al. stress that innovations in information visualization are a critical success factor for these systems, “The next logical step for tool designers is to use innovative visualizations to drive the tuning process by using the understanding analysts glean from the analytic process to create and update the rule bases in automated systems” (Goodall, et al., 2009, p. 105).
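As an added example serving both the automated-response caveat raised by Goodall, Lutters, and Komlodi and the log-concentration role of a SIM platform described by Debar and Viinikka (not code from either paper or from any product), the following Python normalizes three constructed log formats (loosely modeled on Snort fast-alert, syslog, and netfilter lines) into one schema, groups events by source address within a time window, and lets an IPS-style responder block a source only when two independent sensor types corroborate the alert and the address is not on the organization's own protected network. Corroborated alerts about protected addresses are escalated to an analyst instead of acted on automatically. All addresses, hostnames, timestamps, and the assumed year are constructed.

```python
"""Normalize heterogeneous security logs, correlate by source address, and
apply a guarded automated response.

Added example; not code from Debar and Viinikka (2006), Goodall et al. (2009)
or any SIM/IPS product. The three line formats are constructed (loosely
modeled on Snort fast-alert, syslog and netfilter output); every address,
host and timestamp is made up, and ASSUMED_YEAR fills in the year for the
formats that omit it.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ASSUMED_YEAR = 2009
WINDOW = timedelta(minutes=5)
MIN_SENSORS = 2                            # independent sensor types needed to auto-block
PROTECTED = [ip_network("192.0.2.0/24")]   # the organization's own servers: never auto-block


@dataclass(frozen=True)
class Event:
    ts: datetime
    sensor: str      # "nids", "hids" or "fw"
    src: str
    msg: str


NIDS_RE = re.compile(r"^(\d\d)/(\d\d)-(\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[[\d:]+\]\s+"
                     r"(.+?)\s+\[\*\*\]\s+\{\w+\}\s+(\S+):\d+\s+->")
HIDS_RE = re.compile(r"^(\S+) host=(\S+) hids: (.+) from (\S+)$")
FW_RE = re.compile(r"^(\w{3}) (\d+) (\d\d:\d\d:\d\d) \S+ kernel: (\w+) .*SRC=(\S+) .*DPT=(\d+)")


def normalize(line: str) -> Optional[Event]:
    """Map one raw line onto the common schema, or None if no parser fits."""
    m = NIDS_RE.match(line)
    if m:
        ts = datetime.strptime(f"{ASSUMED_YEAR}-{m[1]}-{m[2]} {m[3]}", "%Y-%m-%d %H:%M:%S")
        return Event(ts, "nids", m[5], m[4])
    m = HIDS_RE.match(line)
    if m:
        return Event(datetime.fromisoformat(m[1]), "hids", m[4], m[3])
    m = FW_RE.match(line)
    if m:
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m[1]} {m[2]} {m[3]}", "%Y %b %d %H:%M:%S")
        return Event(ts, "fw", m[5], f"{m[4]} dport {m[6]}")
    return None


def correlate(events: List[Event], window: timedelta = WINDOW) -> Dict[str, set]:
    """Per source address: the sensor types that fired within `window` of
    that source's first event."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_src[e.src].append(e)
    return {src: {e.sensor for e in evs if e.ts - evs[0].ts <= window}
            for src, evs in by_src.items()}


def decide(events: List[Event]) -> Dict[str, str]:
    """Guarded IPS policy: auto-block only corroborated, non-protected sources."""
    decisions: Dict[str, str] = {}
    for src, sensors in correlate(events).items():
        if len(sensors) < MIN_SENSORS:
            decisions[src] = "log_only"              # a lone sensor may be a false positive
        elif any(ip_address(src) in net for net in PROTECTED):
            decisions[src] = "escalate_to_analyst"   # blocking our own host is self-damaging
        else:
            decisions[src] = "block"
    return decisions


def process(lines: List[str]) -> Tuple[Dict[str, str], int]:
    """Normalize, correlate and decide; also count lines no parser understood."""
    events: List[Event] = []
    unparsed = 0
    for line in lines:
        e = normalize(line)
        if e is None:
            unparsed += 1
        else:
            events.append(e)
    return decide(events), unparsed


# Constructed input from three sensor types, plus one line nobody can parse.
SAMPLE_LOGS = [
    "10/12-14:03:01.123456  [**] [1:1001:1] shell-cmd-in-http [**] {TCP} 203.0.113.7:51000 -> 192.0.2.10:80",
    "2009-10-12T14:03:05 host=web1 hids: failed login for root from 203.0.113.7",
    "Oct 12 14:03:09 fw1 kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=22",
    "Oct 12 14:03:10 fw1 kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=23",
    "10/12-14:04:00.000001  [**] [1:1002:1] sql-union-probe [**] {TCP} 192.0.2.10:40000 -> 192.0.2.20:3306",
    "2009-10-12T14:04:02 host=db1 hids: failed login for root from 192.0.2.10",
    "this line is in no format the collector knows",
]

if __name__ == "__main__":
    decisions, unparsed = process(SAMPLE_LOGS)
    print(decisions, "unparsed:", unparsed)
```

On the sample input 203.0.113.7 is seen by both the network and the host sensor and is blocked; 198.51.100.9 appears only in firewall drops and is merely logged; and 192.0.2.10, the organization's own web server, is corroborated by two sensors but lands with an analyst because blocking it automatically would be exactly the self-damaging response the interview participants warned about. Counting the unparsed lines matters in practice: a collector that silently discards what it cannot parse hides the sensor whose format changed.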
Intrusion detection systems are a vital component of an effective defense-in-depth security strategy. IDSs provide the primary mechanism for notifying security practitioners if and when policy has been violated. Intrusion prevention systems are emerging as an evolution of IDS technology that adds automated responses to perceived attacks. Security information management systems promise better correlation and understanding of the large volume of information and alerts generated by IDSs and other security systems.
Alfaro, J., Boulahia-Cuppens, N., & Cuppens, F. (2008). Complete analysis of configuration rules to guarantee reliable network security policies. International Journal of Information Security, 7(2), 103. Retrieved from http://proquest.umi.com.library.capella.edu/pqdweb?did=1459115061&Fmt=7&clientId=62763&RQT=309&VName=PQD
Anagnostakis, K., Greenwald, M., Ioannidis, S., & Keromytis, A. (2007). COVERAGE: Detecting and reacting to worm epidemics using cooperation and validation. International Journal of Information Security, 6(6), 361. Retrieved from http://proquest.umi.com.library.capella.edu/pqdweb?did=1363502201&Fmt=7&clientId=62763&RQT=309&VName=PQD
Chen, Z., Chen, Z., & Delis, A. (2007). An inline detection and prevention framework for distributed denial of service attacks. The Computer Journal, 50(1), 7. Retrieved from http://proquest.umi.com.library.capella.edu/pqdweb?did=1180225761&Fmt=7&clientId=62763&RQT=309&VName=PQD
Debar, H., & Viinikka, J. (2006). Security information management as an outsourced service. Information Management & Computer Security, 14(5), 416. Retrieved from http://proquest.umi.com.library.capella.edu/pqdweb?did=1143417571&Fmt=7&clientId=62763&RQT=309&VName=PQD
Denning, D. E. (1987). An intrusion-detection model. IEEE Transactions on Software Engineering, 13(2), 222-232. https://doi.org/10.1109/TSE.1987.232894
Fan, W., Miller, M., Stolfo, S., Lee, W., & Chan, P. (2004). Using artificial anomalies to detect unknown and known network intrusions. Knowledge and Information Systems, 6(5), 507. Retrieved from http://proquest.umi.com.library.capella.edu/pqdweb?did=690356861&Fmt=7&clientId=62763&RQT=309&VName=PQD
Filipek, R. (2006). Online security nightmares for CIOs. The Internal Auditor, 63(3), 19. Retrieved from http://proquest.umi.com.library.capella.edu/pqdweb?did=1061016441&Fmt=7&clientId=62763&RQT=309&VName=PQD
Gonzalez, J. M., Paxson, V., & Weaver, N. (2007). Shunting: A hardware/software architecture for flexible, high-performance network intrusion prevention. In CCS ’07: Proceedings of the 14th ACM Conference on Computer and Communications Security (pp. 139-149). Alexandria, Virginia, USA. https://doi.org/10.1145/1315245.1315264
Goodall, J. R., Lutters, W. G., & Komlodi, A. (2009). Developing expertise for network intrusion detection. Information Technology & People, 22(2), 92. Retrieved from http://proquest.umi.com.library.capella.edu/pqdweb?did=1880534761&Fmt=7&clientId=62763&RQT=309&VName=PQD
Goonatilake, R., Herath, A., Herath, S., Herath, S., & Herath, J. (2007). Intrusion detection using the chi-square goodness-of-fit test for information assurance, network, forensics and software security. Journal of Computing Sciences in Colleges, 23(1), 255-263.
Lin, P. P. (2006). System security threats and controls. The CPA Journal, 76(7), 58. Retrieved from http://proquest.umi.com.library.capella.edu/pqdweb?did=1082185941&Fmt=7&clientId=62763&RQT=309&VName=PQD
Roberts, G. K. (2005). Security breaches, privacy intrusions, and reporting of computer crimes. Journal of Information Privacy & Security, 1(4), 22. Retrieved from http://proquest.umi.com.library.capella.edu/pqdweb?did=999547341&Fmt=7&clientId=62763&RQT=309&VName=PQD
Scarfone, K., & Mell, P. (2007). Guide to intrusion detection and prevention systems (IDPS) (NIST Special Publication 800-94). Gaithersburg, MD: National Institute of Standards and Technology.
Sodiya, A. S., Longe, H. O. D., & Akinwale, A. T. (2004). A new two-tiered strategy to intrusion detection. Information Management & Computer Security, 12(1), 27. Retrieved from http://proquest.umi.com.library.capella.edu/pqdweb?did=644926111&Fmt=7&clientId=62763&RQT=309&VName=PQD
Trabelsi, Z., & Shuaib, K. (2008). A novel man-in-the-middle intrusion detection scheme for switched LANs. International Journal of Computers & Applications, 30(3), 234. Retrieved from http://proquest.umi.com.library.capella.edu/pqdweb?did=1632843071&Fmt=7&clientId=62763&RQT=309&VName=PQD
Xinidis, K., Charitakis, I., Antonatos, S., Anagnostakis, K. G., & Markatos, E. P. (2006). An active splitter architecture for intrusion detection and prevention. IEEE Transactions on Dependable and Secure Computing, 03(1), 31. Retrieved from http://proquest.umi.com.library.capella.edu/pqdweb?did=1018532191&Fmt=7&clientId=62763&RQT=309&VName=PQD