Intrusion Detection: Network Security beyond the Firewall
Misuse Detector

The patented component of Stalker that is most interesting is the collection of intrusion detection patterns along with the engine that analyzes them. In simple terms, audit records are fed into the engine, which maintains a series of state transition diagrams representing intrusions and misuses. When a particular pattern reaches a terminal state, a misuse or intrusion event is indicated. This analysis component of Stalker is called the Misuse Detector (MD) for historical reasons. Technically, it is both a misuse detector and an intrusion detector. Recall from earlier discussions that misuse detection looks for abuses by internal users, while intrusion detection is focused on attacks from outsiders. Today, these terms are often used interchangeably. Like the TB, the MD can be run interactively or scheduled to operate in batch mode. Stalker detects roughly 80 to 90 different attacks, depending on the version of UNIX running on the client. Not all patterns are supported on each OS. From the MD GUI, you can choose which attack signatures you want to monitor.

Attacks Detected by Stalker

Stalker conveniently groups patterns into classes, such as Trojan Horse. Space does not permit an exhaustive list and description of the attacks detected by Stalker. Table 8.1 summarizes this information.
The MD was developed over several years and has a good foundation in intrusion detection research. IDSs use different engines for analyzing attacks. Some, such as CMDS, rely on rule-based expert systems. Stalker employs a finite state machine (FSM) for recognizing attacks. As you probably know, finite state machines are the underlying technology for compilers. Recognizing patterns with the utmost speed is one of the reasons FSMs are used in compilers, and it was also one of the reasons an FSM was chosen for Stalker. You also can buy a Misuse Detector Toolkit to add signatures to Stalker. This toolkit is not particularly easy to use and requires skill in C++. Over time you can expect Stalker and other IDSs to provide a scripting language for writing new patterns.

Is Stalker Right for You?

At the time this chapter was written, the real-time, client-server, heterogeneous Stalker product was not available. Naturally, you should check the Network Associates Web site for the latest information. Many enhancements to Stalker have been planned and will roll out over time. Remember that batch reports are an important part of security monitoring. Monitoring everything in real time is probably not the best approach. Also, Stalker's capability to query and search through past audit logs is valuable. If you find that you have been hacked, it's good to know that you can easily filter for specifics in large amounts of historical audit data using Stalker. Stalker will be a good match for your environment if you consider the following:
Stalker has a large set of attack patterns for UNIX system-level monitoring. If the set of attack patterns is useful to you, which it probably is, deploying Stalker on critical systems is a good way to get started. Unlike accounting files, the audit trail can detect privilege transitions. The Morris worm, which overlaid itself with a fork() and then an exec(), would not have been detected in the accounting files, although it does show up in audit logs. When a user runs a similar attack, the AUID remains unchanged, and thus accountability is preserved. The AUID also persists when a user runs the su command, even though the RUID changes. Other transitions in privilege are also surfaced in the audit log. With Stalker's TB and MD capabilities, you can catch these types of security events on your systems. Depending on your needs, Stalker may not be the best tool for your environment. For example, if you want real-time consolidation of audit logs from the clients to the Stalker server, the tool does not provide this feature today. Your requirements might cause you to see the following as limitations of Stalker:
Given the number of valuable reports that Stalker can generate for you, these problems are not particularly difficult.
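To make the FSM-based matching described above concrete, here is a toy misuse detector added as an example; it is not Stalker's engine, its Misuse Detector Toolkit, or any of its real signatures. Each pattern is a small state transition diagram driven by audit records, state is kept per AUID so that an alert still names the login user after su changes the RUID, and the signature, field names and audit records are all hypothetical constructions for the example.

```python
# Toy finite-state misuse detector over host audit records: an added example,
# not Stalker's engine or one of its real signatures. Each pattern is a state
# transition diagram; every record advances the state kept per AUID, and
# reaching the terminal state raises a misuse event attributed to that AUID.
from typing import Callable, Dict, List, Tuple

Record = Dict[str, object]
Guard = Callable[[Record], bool]
class Pattern:
    def __init__(self, name: str, transitions: List[Tuple[str, Guard, str]], terminal: str):
        self.name, self.terminal = name, terminal
        self.table: Dict[str, List[Tuple[Guard, str]]] = {}
        for src, guard, dst in transitions:          # (from_state, guard, to_state)
            self.table.setdefault(src, []).append((guard, dst))

def run_detector(records: List[Record], patterns: List[Pattern]) -> List[Tuple[str, int]]:
    """Feed audit records through every pattern; state is tracked per (pattern, AUID)."""
    state: Dict[Tuple[str, int], str] = {}
    events: List[Tuple[str, int]] = []
    for rec in records:
        auid = int(rec["auid"])
        for p in patterns:
            key = (p.name, auid)
            cur = state.get(key, "start")
            for guard, nxt in p.table.get(cur, []):
                if guard(rec):                        # first matching edge wins
                    cur = nxt
                    break
            if cur == p.terminal:
                events.append((p.name, auid))        # alert names the AUID, not the RUID
                cur = "start"                        # re-arm the diagram for this user
            state[key] = cur
    return events

# Hypothetical signature: su to root, then a shell exec while RUID is 0 but the
# AUID still names the login user (the privilege transition the audit trail
# records and that accounting files miss).
SU_TO_ROOT_SHELL = Pattern("su_root_shell", [
    ("start", lambda r: r["event"] == "su" and r.get("target") == 0, "became_root"),
    ("became_root", lambda r: r["event"] == "exec" and r["ruid"] == 0
        and r["ruid"] != r["auid"] and r.get("path") in ("/bin/sh", "/bin/ksh"), "alert"),
], terminal="alert")
# Constructed audit records (not real Stalker output): user 1001 su's to root and
# spawns a shell; user 1002 runs a shell with no privilege transition at all.
SAMPLE_AUDIT: List[Record] = [
    {"auid": 1001, "ruid": 1001, "event": "login"},
    {"auid": 1002, "ruid": 1002, "event": "exec", "path": "/bin/sh"},
    {"auid": 1001, "ruid": 1001, "event": "su", "target": 0},
    {"auid": 1001, "ruid": 0, "event": "exec", "path": "/bin/sh"},
]
```

Running `run_detector(SAMPLE_AUDIT, [SU_TO_ROOT_SHELL])` yields one event attributed to AUID 1001; user 1002's shell never leaves the start state because no su preceded it.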