Intrusion Detection Systems (IDS) are still very much in their infancy, but in terms of development they are growing at an extraordinary rate. The terminology associated with IDS is growing just as rapidly. This article is intended to introduce readers to some IDS terminology, some of it basic and relatively common, some of it somewhat more obscure. As a result of the speed of growth of IDSs, and the marketing prowess of some IDS vendors, some confusion has arisen about the proper meaning of certain terms: the same term may be used by different vendors to mean different things. Wherever possible, I have tried to include all terms except where I consider usage of the term to be inaccurate or misleading. This is a living document: if I'm missing any terms or you wish to discuss my interpretation, please don't hesitate to contact me.
An alert is a warning issued by the IDS to the system operator that an intrusion is taking place or being attempted. On detecting an intrusion, the IDS will alert the analyst using a variety of methods. If the console is local to the IDS, the alert would normally appear on the monitor. A warning sound can also be used, though on a busy IDS I could almost guarantee this will soon be turned off. Alerts to a remote console can be sent using the vendor's proprietary method (usually securely), SNMP (often insecurely), email, SMS/pager, or any combination of these methods.
The majority of IDSs alert when an event matches the signature of a known attack; an anomaly-based IDS instead builds a profile of the host's or network's activity over time. When an event occurs that is outside this profile, the IDS alarms, i.e. when someone does something they haven't done before. An example would be a user who suddenly gains administrator or root privileges. Some vendors may try to sell this method as heuristics, but I would consider a heuristic IDS to apply more intelligence to its reasoning.
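A minimal illustration of the profile-then-alarm approach just described, added here as example code and not taken from the article: a training window of constructed (user, action) audit events builds a per-user profile, and live events that fall outside it (such as a user becoming root for the first time) raise alarms.

```python
from collections import defaultdict

# Constructed audit events, as (user, action) pairs. The training window is
# the period over which the anomaly IDS learns what is "normal" per user.
TRAINING_EVENTS = [
    ("alice", "login"), ("alice", "read_mail"), ("alice", "edit_doc"),
    ("bob", "login"), ("bob", "compile"), ("bob", "read_mail"),
    ("alice", "login"), ("bob", "compile"), ("alice", "read_mail"),
]

# Constructed live events fed to the detector after training.
LIVE_EVENTS = [
    ("alice", "read_mail"),   # inside alice's profile: no alarm
    ("bob", "compile"),       # inside bob's profile: no alarm
    ("alice", "gain_root"),   # alice has never become root before: alarm
    ("carol", "login"),       # no profile exists for carol at all: alarm
]


def build_profile(events):
    """Return {user: set(actions)} learned from the training window."""
    profile = defaultdict(set)
    for user, action in events:
        profile[user].add(action)
    return dict(profile)


def detect_anomalies(profile, events):
    """Alarm on any event that falls outside the learned profile.

    Returns a list of (user, action, reason). Two limits are built into the
    approach: whatever happened during training is "normal" by definition
    (an intruder active during training is learned as normal), and an unseen
    but benign action alarms too (a false positive)."""
    alarms = []
    for user, action in events:
        if user not in profile:
            alarms.append((user, action, "no profile for user"))
        elif action not in profile[user]:
            alarms.append((user, action, "action never seen for this user"))
    return alarms


if __name__ == "__main__":
    prof = build_profile(TRAINING_EVENTS)
    for alarm in detect_anomalies(prof, LIVE_EVENTS):
        print("ALARM:", alarm)
```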
Rather than install an IDS onto an existing system, ready-built IDS appliances can be purchased, which are usually rack-mounted and only have to be plumbed into the network. Some examples of IDSs which are available as appliances are CaptIO, Cisco Secure IDS, OpenSnort, Dragon and SecureNetPro.
ArachNIDS - Advanced Reference Archive of Current Heuristics for Network Intrusion Detection Systems
Developed by Max Vision's White Hats, ArachNIDS is an attack profile database used to dynamically create signatures which are compatible with various network IDSs.
ARIS - Attack Registry & Intelligence Service
A premium service offered by SecurityFocus, ARIS allows Internet-connected networks to pass their network security events anonymously to SecurityFocus. SecurityFocus then combines this data with that of many other participants to form detailed trend and statistical analysis, which is published on the Net.
Attacks can be considered attempts to penetrate a system or to circumvent a system's security in order to gain information, modify information or disrupt the intended functioning of the targeted network or system. The following is a list and explanation of the most common types of Internet attack that an IDS is set up to detect.
Attacks: DOS - Denial Of Service attack
Rather than penetrating a system's security by hacking, a DOS attack will just take the system out, denying the service to its users. The means of achieving this vary, from buffer overflows to flooding the system's resources. These days systems are slightly more DOS-aware; this has resulted in DDOS attacks.
Attacks: DDOS - Distributed Denial of Service
A standard DOS attack, the type that uses large quantities of data from a single host to a remote host, cannot deliver sufficient packets to achieve the desired result; therefore the attack will be launched from many dispersed hosts, hence the name DDOS. Sheer weight of numbers either takes out the remote system or swamps its connection. Steve Gibson has written an article called The Strange Case of the Denial of Service Attacks Against GRC.com about how his network ground to a halt when a 13-year-old boy carried out a DDOS attack against him.
An older attack but one that is still frequently attempted, a smurf occurs when a ping is sent to a smurf amplifier's broadcast address using the spoofed source address of the target; all the active hosts on that network then reply to the target, swamping its connection. The top ten smurf amplifiers can be found here.
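Two checks a network operator can run over flow records to spot a smurf from either side, added here as example code and not from the article: the first finds echo requests aimed at the local network's directed-broadcast address (your network being used as the amplifier), the second finds a host receiving echo replies from many distinct sources (the victim's view). The key=value record format and the addresses are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records in a simple key=value form (not a real sensor format).
# ICMP type 8 is echo request, type 0 is echo reply.
RECORDS = [
    "src=203.0.113.5 dst=192.168.10.255 proto=icmp type=8",   # ping to broadcast
    "src=192.168.10.4 dst=192.168.10.9 proto=icmp type=8",    # normal host ping
    "src=192.168.10.9 dst=192.168.10.4 proto=icmp type=0",    # and its reply
    "src=203.0.113.5 dst=192.168.10.255 proto=icmp type=8",   # second broadcast ping
    "src=192.168.10.2 dst=203.0.113.5 proto=icmp type=0",     # every live host answers
    "src=192.168.10.7 dst=203.0.113.5 proto=icmp type=0",
    "src=192.168.10.8 dst=203.0.113.5 proto=icmp type=0",
    "src=192.168.10.9 dst=203.0.113.5 proto=icmp type=0",
    "src=192.168.10.1 dst=192.168.10.4 proto=tcp",            # non-ICMP, ignored
]
LOCAL_NET = ipaddress.ip_network("192.168.10.0/24")


def parse(record):
    """Turn one 'k=v k=v ...' line into a dict."""
    return dict(field.split("=", 1) for field in record.split())


def broadcast_echo_requests(records, local_net):
    """Sources sending ICMP echo requests to local_net's broadcast address.

    A router that forwards these is acting as a smurf amplifier; the fix is
    to disable directed broadcasts on the router ("no ip directed-broadcast"
    on Cisco IOS) and to drop such requests at the border."""
    hits = set()
    for rec in map(parse, records):
        if rec.get("proto") != "icmp" or rec.get("type") != "8":
            continue
        if ipaddress.ip_address(rec["dst"]) == local_net.broadcast_address:
            hits.add(rec["src"])
    return sorted(hits)


def reply_flood_targets(records, min_sources=3):
    """Destinations receiving echo replies from at least min_sources distinct
    hosts: the signature of a smurf victim, or of this network amplifying
    towards a spoofed victim. Returns {dst: distinct_source_count}."""
    sources = defaultdict(set)
    for rec in map(parse, records):
        if rec.get("proto") == "icmp" and rec.get("type") == "0":
            sources[rec["dst"]].add(rec["src"])
    return {dst: len(s) for dst, s in sources.items() if len(s) >= min_sources}
```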
The term Trojan comes from the wooden horse used by the Greeks to attack Troy. The horse contained Greek soldiers who, once the horse was wheeled inside the city, spilled out of the horse and laid siege to the city and its inhabitants. In computer terms it originally referred to software that appears to be legitimate, but that actually contains hidden malicious software. When the legitimate program was run, the malicious software was installed, unknown to the user. However, as the majority of malicious programs installed in this fashion were remote control tools, the term Trojan soon evolved to refer to this type of tool, such as BackOrifice, SubSeven, NetBus etc.
As well as alerting to an attack, some IDSs can automatically defend against it. This is achieved in a variety of ways: firstly, by reconfiguring routers and firewalls to reject future traffic from the same address and, secondly, by injecting packets on the network to reset the connection. There are problems with both methods. Attackers can use a reconfigured device to their own advantage by spoofing the address of a friendly party and launching an attack; the IDS then configures the routers/firewalls to reject those addresses, effectively DOSing the friendly party. The method of injecting packets needs an active interface, thereby making the IDS itself susceptible to attack. There are ways around this, such as having the active interface inside the firewall, or using a packet crafter, bypassing the need for a standard (responding) IP stack.
CERT - Computer Emergency Response Team
This term was chosen for the first Computer Emergency Response Team, founded at Carnegie Mellon University, which responded to computer security incidents. These days many organizations will have a CERT, a computer security incident handling team. As the word emergency is a little ambiguous, many organizations replace it with incident: Computer Incident Response Team (CIRT). In turn, the word response has on occasion been replaced with handling, the thought being that response covers the immediate reaction rather than the long-term investigation.
CIDF - Common Intrusion Detection Framework
The Common Intrusion Detection Framework (CIDF) was an effort to standardize intrusion detection to some degree by developing "protocols and application programming interfaces so that intrusion detection research projects can share information and resources and so that intrusion detection components can be reused in other systems".
CIRT - Computer Incident Response Team
Derived from CERT, CIRT indicates the change in philosophy towards security occurrences. Whereas CERTs were initially targeted at specific computer emergencies, the term incident in CIRT indicates that while not all incidents are necessarily emergencies, all emergencies can be considered incidents.
CISL - Common Intrusion Specification Language
CISL is the language used for CIDF components to communicate with each other. As CIDF is an attempt to standardize protocols and interfaces, so CISL is an attempt to standardize the language of intrusion detection research.
CVE - Common Vulnerabilities and Exposures
An age-old problem with vulnerabilities is that when designing scans or countermeasures, one vendor will call a vulnerability by one name and another vendor will call it something completely different. Moreover, some vendors may have multiple signatures for what would be a single CVE entry, possibly giving the illusion of them producing a more effective product. MITRE has gone to some lengths to address this with CVE: it standardizes names for vulnerabilities, and participating vendors then use that name. For more information, please visit www.CVE.mitre.org.
Being able to build your own packet allows you to bypass the normal conventions about the structure of a packet. Therefore, you can pretend to be someone you're not, or build the packet in such a way that the receiving computer will not know how to deal with it and fall over. One tool that can be used in crafting packets is nemesis.
Desynchronization (see also Evasion)
Originally the term desynchronization was used for evasion methods using sequence numbers. Some IDSs could be confused about which sequence number they should expect; the resulting inability to reconstruct the data effectively blinded them. This technique was known in 1998 and is now largely obsolete. I have also seen more recent articles where the term desynchronization was used for the other methods of IDS evasion.
Hackers will often leave a signature when they write an exploit, one of the most notorious of which is elite. It works like this: elite = eleet, referring to their abilities; if eleet is transposed into numerals it becomes 31337. 31337 is often used as a port number (BackOrifice), a sequence number, etc. It's worth checking to discover what the current term is. As of the time of publication of this article (04 July 2001) a popular word was "skillz".
After passively researching and social engineering your network, an attacker will start to enumerate it. Enumerating is when an attacker actively probes a network to discover what is there and what can be exploited. As this action is no longer passive it can be detected, though they will probably be doing it as stealthily as possible to avoid detection.
Evasion (see also Desynchronization)
Evasion is the process of carrying out an attack without an IDS successfully detecting the attack. The trick is making the IDS see one thing and the target host another. One form of evasion is to set different time to live (TTL) values for different packets. The information passing the IDS will therefore seem harmless; however, the TTL on the harmless part is less than that required to reach the target host. Once beyond the IDS and nearing the target, the harmless piece is dropped, leaving the harmful remainder. This example is greatly simplified. For an in-depth discussion of some of the principles of evasion discussed here, please see Ptacek and Newsham's seminal article, Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection.
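A simplified model of the TTL trick just described, added here as example code and not from the article or from Ptacek and Newsham: the segments, the sensor sitting 3 hops from the sender, the target host 6 hops away, and the first-writer-wins overlap policy are all assumptions of the example. A naive IDS that trusts every segment it sees reconstructs a different stream from the host and misses the pattern; an IDS that knows the hop distance to the target and discards segments that cannot reach it sees what the host sees.

```python
# Constructed TCP-like segments: (sequence offset, payload, IP TTL).
# Segment 2 is chaff: its TTL lets it reach the IDS but expire before the
# host, so the host and a naive IDS reassemble different streams.
SEGMENTS = [
    (0,  b"GET /",      64),
    (5,  b"index.html", 4),     # chaff, expires after 4 hops
    (5,  b"cgi-bin/",   64),    # what the host actually receives at offset 5
    (13, b" HTTP/1.0",  64),
]
IDS_HOPS = 3                # assumed hop distance sender -> IDS sensor
HOST_HOPS = 6               # assumed hop distance sender -> target host
SIGNATURE = b"/cgi-bin/"    # the pattern the IDS is looking for


def reassemble(segments, vantage_hops, known_target_hops=None):
    """Reassemble the byte stream as seen from vantage_hops away from the
    sender, using a first-writer-wins policy for overlapping bytes.

    A segment whose TTL is below vantage_hops is decremented to zero by a
    router before arriving, so it is never seen at all. If known_target_hops
    is given (the TTL-aware IDS policy), segments that could not have reached
    the target host are discarded too, even though they did reach us."""
    buf = {}
    for seq, payload, ttl in segments:
        if ttl < vantage_hops:
            continue
        if known_target_hops is not None and ttl < known_target_hops:
            continue
        for i, byte in enumerate(payload):
            buf.setdefault(seq + i, byte)
    stream, off = bytearray(), 0
    while off in buf:           # stop at the first gap in the stream
        stream.append(buf[off])
        off += 1
    return bytes(stream)


def matches(stream):
    """Signature check over a reassembled stream."""
    return SIGNATURE in stream


if __name__ == "__main__":
    host = reassemble(SEGMENTS, HOST_HOPS)
    naive = reassemble(SEGMENTS, IDS_HOPS)
    aware = reassemble(SEGMENTS, IDS_HOPS, known_target_hops=HOST_HOPS)
    print("host sees :", host, matches(host))
    print("naive IDS :", naive, matches(naive))
    print("aware IDS :", aware, matches(aware))
```

Real TCP/IP stacks differ in which overlapping byte wins, so a production IDS needs per-target reassembly policies in addition to the hop-distance check.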
For every vulnerability there is an exploit, i.e. a mechanism by which to exploit the vulnerability. An exploit can be considered the means of taking advantage of the structural weakness of the vulnerability. In order to attack a system, a hacker 'exploits' vulnerabilities in the code.
Exploits: Zero Day Exploit
A zero day exploit is an exploit that isn't known about in the wild, i.e. one that hasn't been caught yet. As soon as an exploit is discovered by the security world, it can be patched against and signatures can be written for IDSs, thereby making the exploit ineffective and the risk of being caught greater. Understandably, zero day exploits are an extremely valuable commodity to hackers.
A false negative occurs when an attack or an event is either not detected by the IDS or is considered benign by the analyst.
A false positive is an event that is picked up by the IDS and declared an attack but is actually benign.
The network security door. A firewall is not an IDS, but its logs can provide valuable IDS information. A firewall works by blocking unwanted connections based on rules or criteria, such as source address, ports, etc.
FIRST - Forum of Incident Response and Security Teams
International government and private sector organizations have established a coalition to exchange information and coordinate response activities. There is also an annual FIRST conference which is highly regarded.
If a packet is too big to fit, it will have to be broken up into smaller pieces (fragments). Fragmentation is brought about by networks having differing Maximum Transmission Units (MTU). For instance, for token ring the MTU is 4464 and for Ethernet it's 1500. Therefore, if a packet is moving from token ring to Ethernet, it would have to be fragmented into smaller packets that are then rebuilt at the target. Ordinarily, while somewhat inefficient, fragmentation is perfectly normal. Hackers saw fragmentation as a means to evade IDS; there are also a few associated DOS attacks that use this technique.
For most mature hackers, their ethics are sacrosanct and should be respected, though what is considered ethical varies greatly from person to person. For instance, some see great value in the need for information-exchange, using their experience and abilities for what they see as the common good: if the information is known, everyone should have access to it, with or without the owner's consent. Alternatively, breaking into systems is considered to be ethically sound on the condition that the intruder doesn't take or steal data, change data or divulge the content of the data to other parties. A good resource on hacker ethics is available here.
Hacker Ethics: Black Hat
The bad guys: hackers who have total disregard for the law and feel no restrictions or limitations on where they are entitled to go. Upon discovering a vulnerability, they will use it to their own advantage rather than reporting it to the community so that it can be fixed.
Hacker Ethics: White Hat
The good guys: upon discovering a vulnerability, white hat hackers will advise the vendor of the product, keeping quiet until the product is patched. For a white hat's perspective on ethics and a few IDS tools, read Jude Thaddeus' Confessions of a white hat hacker.
Hacker Ethics: Grey Hat
Grey hat hackers tread a fine line between the other two hats: upon discovering a vulnerability, they will advise the hacker community as well as the vendors and then watch the fallout. Hacker ethics come into play here. It is felt by many that the vendors should be given some advance notice; however, some vendors take advantage of this. Rain Forest Puppy therefore produced a policy designed to meet the needs of both the vendor and the "security researcher" which states: "This policy exists to establish a guideline for interaction between a researcher and software maintainer. It serves to quash assumptions and clearly define intentions, so that both parties may immediately and effectively gauge the problem, produce a solution, and disclose the vulnerability."
The term heuristics should be used where artificial intelligence (AI) is used to detect intrusions. IDSs that genuinely use heuristics have allegedly been almost ready for around a decade. It is my understanding that they still aren't quite clever enough and can be trained by an attacker to ignore malicious traffic. Some IDSs use anomalies to detect intrusions: the IDS has to learn over time what can be considered normal, and as this is quite clever some vendors will sell it as a heuristic IDS. I can think of at least one IDS that does use an AI scripting language to apply analysis to the incoming data.
According to The Honeynet Project, a honeynet "is a tool for learning. It is a network of production systems that is designed to be compromised. Once compromised, this information is captured and analyzed [in order] to learn about the blackhat community." A honeynet is therefore an extremely valuable resource, providing an inside view of a hack. The Honeynet Project consists of a group of thirty accomplished security professionals who have set up a series of honeypots to study the tactics, tools, motives and behaviors of black hat hackers by providing a seemingly vulnerable network of honeypots and observing the hackers who intrude on those 'vulnerable' systems.
A honeypot is a system that can simulate one or many vulnerable hosts, providing an easy target for the hacker to attack. The honeypot should have no other role to fulfill; therefore all connection attempts are deemed suspicious. Another purpose is to delay attackers in their pursuit of legitimate targets, causing the attacker to waste time on the honeypot whilst the original entry hole is secured, leaving the truly valuable assets alone.
Although one of the initial objectives of honeypots is to act as evidence-gathering mechanisms in the prosecution of malicious hackers, there is much talk of entrapment when deploying honeypots; however, does the vulnerability of the honeypot necessarily give the hacker the right to attack it? In order to reach the honeypot an attacker would have had to circumvent at least one bona fide security device, provided the honeypot is inside your network. In some countries law enforcement agencies cannot prosecute using evidence from a honeypot. See also Honeynet.
To read Intrusion Detection Systems Terminology, Part Two: H - Z, click here.
A. Cliff has worked with electronic security for nearly 20 years on everything on the transmission side from HF to SHF, both systems work and repair down to component level. He has worked at nearly every level, from mainframes to PCs to networks. He has also worked on various secure telephone exchanges, fibre optic repair, cryptography, etc. In his spare time, he also maintains a list of network security tools, which is available at http://www.networkintrusion.co.uk