Intrusion Detection Systems (IDS) are still in their infancy, but in terms of development they are evolving at an extraordinary rate. The terminology associated with IDS is evolving just as rapidly. As a result of the rapid growth of IDS and the marketing prowess of some IDS vendors, some confusion has arisen about the correct meaning of key terms. In some cases the same term may be used by different vendors to mean different things. This is the first of a two-part series that discusses IDS terminology, including terms on which there may be disagreement within the security community. Wherever possible, I have tried to include all definitions, except where I consider usage of the term to be inaccurate or misleading.
Alerts (or Events)
An IDS alert is a warning issued by the IDS to the system operator when it detects suspicious activity. The IDS sends alerts either locally or to a remote console in a multitude of ways. The bespoke GUI is considered the most common for full-time analysts, who receive alerts either directly or via a database. I have seen syslogs, event logs, flat files, email, pop-ups, even mobile phone text messages being used. The most impressive use of a phone I have seen has to be the guy whose honeypot passed alert messages to his mobile phone, telling him everything the hackers inside his honeypot were doing. This allowed him to cut the connection should they endanger others on the Internet.
ArachNIDS (Advanced Reference Archive of Current Heuristics for Network Intrusion Detection Systems)
Developed by Max Vision's White Hats, ArachNIDS is an attack profile database used to dynamically create signatures which are compatible with various Network IDS.
Automated Response
As well as alerting to an attack, some IDS can automatically defend against it. This is achieved in a variety of ways: first, by reconfiguring routers and firewalls to reject future traffic from the same address and, second, by crafting packets on the network to reset the connection. There are problems with both methods. Attackers, through spoofed source addresses, can convince the victim's IDS to reconfigure its firewalls, etc., to block a friendly party. Resets could fire on false positives, causing disruptions in normal traffic. Attackers have been known to use the resets generated by their attack to discover, through the packet's TTL, where in the network the IDS is likely to reside, though some IDS vendors craft the reset with variable TTLs. Other considerations are: do the resets go to both source and destination or just the destination, and where in the network is the packet injected? Finally, what about UDP, which has no connection to reset? Issues with automated response have come to a head with the advent of Intrusion Prevention Systems, which rely on automated response for most of their protection. Realistically, automated response could be used where the likelihood of a false positive is minimal; as with so much of the security arena, it's a question of being able to manage the risk.
Bandwidth
Bandwidth is the maximum amount of data that can traverse a network segment. Bandwidth usage is a great tool for an IDS analyst, as unexpected increases can give an early warning of a DDoS attack or corroborate a suspicious event. Quite often there are legitimate reasons for such activity, but the kudos gained by the analyst for reporting such activity within the NOC is invaluable.
Blacklist
Many organizations will build a list of addresses from various companies, ISPs and even countries that they consider to be a threat. These will either be explicitly blocked or monitored closely. A few sites on the Internet maintain lists of known offenders which can be downloaded, such as http://www.kgb.to/.
CIDF - Common Intrusion Detection Framework
The Common Intrusion Detection Framework (CIDF) is an effort to standardize intrusion detection to some degree by developing "protocols and application programming interfaces so that intrusion detection research projects can share information and resources and so that intrusion detection components can be reused in other systems."
CISL - Common Intrusion Specification Language
CISL is the language used for CIDF components to communicate with each other. As CIDF is an attempt to standardize protocols and interfaces, so CISL is an attempt to standardize the language of intrusion detection research.
Content Security
This is the ability to apply a security policy to the body of a communication within network transmissions. Collectively this refers to both URL filtering and e-mail filtering. Unlike infrastructure elements such as routers, firewalls and many Intrusion Detection Systems, which look at content independent of context, a content security system must completely reassemble the network transmission within its intended context before the content can be analyzed.
Console
In order to make an IDS suitable for the corporate environment, the dispersed IDS sensors need to report to a central console. These days many central consoles will also accept data from other sources, such as other vendors' IDSs, firewalls, routers, etc. This information can be correlated to present a more complete attack picture. Where the console accepts input from multiple sources, each product will report the same event in a different way. The central security console will have its own taxonomy, allowing events to be analysed while the analyst only has to understand the central console's event reports. Recently, products such as ISS SiteProtector and Tenable have correlated events with vulnerability scanner information: the IDS events are prioritized according to how susceptible the target hosts are to the attack. The main drawback of a central console is the limited depth of information presented to the analyst. In my experience a good analyst will refer back to the original data source for some events where the central console provides minimal information.
Correlation
This is the cross-relating of multiple data sources to gain a wider understanding of an incident.
CVE - Common Vulnerabilities and Exposures
An age-old problem with vulnerabilities is that, when designing scans or countermeasures, one vendor will call a vulnerability by one name and another vendor will call it something completely different. Moreover, some vendors may have multiple signatures for what could be a single CVE entry, possibly giving the illusion of a more effective product. MITRE has gone to some lengths to address this with CVE, by standardizing names for vulnerabilities; participating vendors then use this name. For more information, please visit www.cve.mitre.org.
DeepSight Analyzer and DeepSight TMS (Threat Management System)
DeepSight Analyzer is a free service offered by SecurityFocus/Symantec (SecurityFocus is owned by Symantec) to which Internet-connected networks may anonymously pass their network security events. Events are then correlated from different IDS and firewall devices, allowing users to monitor and trend their data. In turn, this data is used anonymously in DeepSight TMS, Symantec's commercial offering, which provides early warning of worms, global Internet attack trends, and other attacks.
Desynchronization (see also Evasion)
Originally the term desynchronization was used for evasion methods using sequence numbers. Some IDSs could be confused about which sequence number they should expect, and the resulting inability to reconstruct the data effectively blinds them. This technique was known in 1998 and is now partly obsolete. I have also seen more recent articles where the term desynchronization was used for another method of IDS evasion. New methods of evading IDS are constantly being thought up, and it's the job of the vendors to try to keep up. Thus far most have managed this very well.
Enumeration
Enumeration is when an attacker actively probes a network to discover what hosts and services are present. As this action is no longer passive, it can be detected, though many networks reveal this information with minimal active probing.
Evasion (see also Desynchronization)
Evasion is the process of carrying out an attack without an IDS successfully detecting the attack. The trick is making the IDS see one thing and the target see another. One form of evasion is to set different time to live (TTL) values for different packets. The information passing the IDS will seem harmless; however, the TTL on the harmless portion is less than that required to reach the target host. Once beyond the IDS and nearing the target, the harmless piece is dropped, leaving the harmful remains. This example is greatly simplified. For an in-depth discussion of some of the principles of evasion discussed here, please see Ptacek and Newsham's seminal article, Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection.
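The TTL trick above, as an added toy model that is not part of the original article: a sensor that accepts every segment it sees reconstructs a different stream from the one the target receives, while a sensor that knows how many hops lie between it and the protected host (an assumption; the hop counts, segments and signature are all constructed) discards the chaff and sees what the target sees.

```python
from dataclasses import dataclass

# Constructed topology: the sensor sits 3 router hops from the sender, the
# target sits 6. A packet is forwarded only while its TTL stays above 0, so it
# reaches an observer `hops` routers away only if ttl > hops.
HOPS_TO_IDS = 3
HOPS_TO_TARGET = 6
SIGNATURE = b"ATTACK-PATTERN"   # constructed pattern the IDS is looking for


@dataclass
class Segment:
    ttl: int      # IP time-to-live at the moment the segment was sent
    data: bytes   # application data, sent in order


def reaches(seg: Segment, hops: int) -> bool:
    return seg.ttl > hops


def naive_ids_view(segments) -> bytes:
    """An IDS that accepts every segment that reaches it."""
    return b"".join(s.data for s in segments if reaches(s, HOPS_TO_IDS))


def target_view(segments) -> bytes:
    """The target only receives segments whose TTL survived the whole path."""
    return b"".join(s.data for s in segments if reaches(s, HOPS_TO_TARGET))


def topology_aware_ids_view(segments, hops_beyond_sensor: int) -> bytes:
    """The defence: drop segments that cannot reach the target. The sensor has
    to know (assumed here, e.g. from the network layout) how far the host is."""
    needed = HOPS_TO_IDS + hops_beyond_sensor
    return b"".join(s.data for s in segments
                    if reaches(s, HOPS_TO_IDS) and reaches(s, needed))


def matches(view: bytes) -> bool:
    return SIGNATURE in view


# Constructed stream: the low-TTL "harmless" chunk reaches the sensor but is
# dropped before the target, so the two reconstructions differ.
STREAM = [
    Segment(ttl=64, data=b"GET /ATTACK-"),
    Segment(ttl=4, data=b"harmless-"),     # dies after 4 routers
    Segment(ttl=64, data=b"PATTERN HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    print("naive IDS sees attack: ", matches(naive_ids_view(STREAM)))                   # False
    print("target receives attack:", matches(target_view(STREAM)))                      # True
    print("aware IDS sees attack: ", matches(topology_aware_ids_view(STREAM, 3)))       # True
```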
False Negatives / Miss
A false negative occurs when an attack or an event is either not detected by the IDS or is considered benign by the analyst. Ordinarily the term false negative would only apply to the IDS not reporting an event. However, I have seen this same problem at the analyst level. The scenario is this: the analyst sees a certain signature day after day and knows it to be benign, so ignores it. However, one day the IDS alerts on a genuine attack with the same signature. The analyst, however, chooses to ignore it, believing it to be benign: a false negative. Ordinarily this alert trigger would be removed through a false positive reduction procedure (either by removing the entire signature or by tuning it), though in my experience this tuning can create false negatives. There is little difference between the IDS being tuned to declare this event as benign and the analyst doing so on his own.
False Positives / False Alarm
An event that is picked up by the IDS and declared an attack but is actually benign.
Fragmentation
If a packet is too big to pass on a network segment, it will have to be broken up into smaller pieces (fragments). Fragmentation is mostly brought about by networks having differing Maximum Transmission Units (MTU). For instance, for token ring the MTU is 4464 and for Ethernet it's 1500. Therefore, if a packet is moving from token ring to Ethernet, it would have to be fragmented into smaller packets that are then rebuilt at the target. Ordinarily, while somewhat inefficient, fragmentation is perfectly normal. Hackers saw fragmentation as a means to evade IDS, and there are also a few associated DOS attacks that use this technique.
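The token ring to Ethernet case above, as an added example that is not from the original article: a datagram sized for the 4464-byte MTU is split for a 1500-byte MTU and rebuilt, and the reassembler flags overlapping fragments, which normal fragmentation never produces and which is the shape the evasion and DoS tricks take. The payload is constructed; the 20-byte header and first-copy-wins overlap policy are simplifying assumptions.

```python
IP_HEADER_LEN = 20   # assumption: no IP options


def fragment(payload: bytes, mtu: int):
    """Split a payload to fit an MTU. Each fragment is (offset, more_fragments,
    data), with offset in 8-byte units exactly as in the IP header field."""
    chunk = (mtu - IP_HEADER_LEN) // 8 * 8   # all but the last fragment are multiples of 8
    frags = []
    for start in range(0, len(payload), chunk):
        data = payload[start:start + chunk]
        frags.append((start // 8, start + chunk < len(payload), data))
    return frags


def reassemble(frags):
    """Rebuild the payload at the receiver. Returns (payload, complete, overlapped).
    Overlap never arises from honest MTU fragmentation, so it is reported rather
    than silently resolved; real stacks differ in which copy they keep."""
    frags = sorted(frags, key=lambda f: f[0])
    total = max(f[0] * 8 + len(f[2]) for f in frags)
    buf = bytearray(total)
    seen = bytearray(total)   # 1 where a byte has already been written
    overlapped = False
    for offset, _more, data in frags:
        start = offset * 8
        for i, byte in enumerate(data):
            if seen[start + i]:
                overlapped = True      # keep the first copy (assumed policy)
                continue
            buf[start + i] = byte
            seen[start + i] = 1
    complete = all(seen) and not frags[-1][1]   # no holes, and the last fragment has MF=0
    return bytes(buf), complete, overlapped


# Constructed datagram: a full-size token ring payload (4464 - 20 = 4444 bytes).
TOKEN_RING_PAYLOAD = bytes(range(256)) * 17 + b"\x00" * 92


def demo():
    frags = fragment(TOKEN_RING_PAYLOAD, 1500)          # crossing onto Ethernet
    payload, complete, overlapped = reassemble(frags)
    # One extra fragment re-covering bytes 8..15 is enough to trip the overlap check.
    tampered = frags + [(1, True, b"X" * 8)]
    _, _, overlapped_after_tamper = reassemble(tampered)
    return len(frags), payload == TOKEN_RING_PAYLOAD and complete, overlapped, overlapped_after_tamper
```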
Heuristics
The term heuristics should be used where artificial intelligence (AI) is used to detect intrusions. IDSs that genuinely use heuristics have allegedly been almost ready for around a decade. It is my understanding that they still aren't quite clever enough and can be trained by an attacker to ignore malicious traffic. Some IDSs use anomalies to detect intrusions, where the IDS has to learn over time what can be considered normal. As this is fairly clever, some vendors will sell this as a heuristic IDS. I can think of at least one IDS that does use an AI scripting language to apply analysis to the incoming data. Rather than learning what is normal, signatures can be created that look for abnormal traffic; these are sometimes referred to as heuristic signatures, e.g., too many repeated characters in a URL.
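The repeated-characters heuristic signature mentioned above, as an added example that is not from the original article: it is run over constructed web-server log lines, and it percent-decodes the URL first because an encoded run such as `%41%41%41` would otherwise slip past a byte-level check. The log format (Common Log Format) and the run threshold of 32 are assumptions.

```python
import re
from urllib.parse import unquote

RUN_THRESHOLD = 32   # assumption: runs this long are rare in legitimate URLs
# Assumed Common Log Format; only the source address and request URL are used.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*"')


def longest_run(s: str):
    """Return (char, length) for the longest run of one repeated character in s."""
    best_char, best_len = "", 0
    for m in re.finditer(r"(.)\1*", s):   # each match is one maximal run
        if m.end() - m.start() > best_len:
            best_char, best_len = m.group(1), m.end() - m.start()
    return best_char, best_len


def check_url(url: str, threshold: int = RUN_THRESHOLD) -> bool:
    """Heuristic signature: fire when a run reaches the threshold. Decode first so
    that '%41%41%41...' is judged as the 'AAA...' the server will actually see."""
    _, length = longest_run(unquote(url))
    return length >= threshold


def scan_log(lines, threshold: int = RUN_THRESHOLD):
    """Run the heuristic over log lines; returns one (src, run_length, char) per hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        char, length = longest_run(unquote(m.group("url")))
        if length >= threshold:
            hits.append((m.group("src"), length, char))
    return hits


# Constructed log lines (RFC 5737 documentation addresses, invented requests).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2003:13:55:36 +0000] "GET /index.html HTTP/1.0" 200 2326',
    '203.0.113.9 - - [10/Oct/2003:13:55:40 +0000] "GET /cgi-bin/' + "A" * 300 + ' HTTP/1.0" 404 312',
    '203.0.113.7 - - [10/Oct/2003:13:55:44 +0000] "GET /images/logo.png HTTP/1.0" 200 8812',
    '203.0.113.8 - - [10/Oct/2003:13:55:50 +0000] "GET /' + "%41" * 40 + ' HTTP/1.0" 404 312',
]

if __name__ == "__main__":
    for src, length, char in scan_log(SAMPLE_LOG):
        print(f"heuristic hit from {src}: {length} x {char!r}")
```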
Honeynet
According to the Honeynet Project, a honeynet "is a tool for learning. It is a network of production systems that is designed to be compromised. Once compromised, this information is captured and analyzed [in order] to learn about the blackhat community." A honeynet is therefore an extremely valuable resource, providing an inside view of a hack. The Honeynet Project consists of a group of thirty accomplished security professionals who have set up a series of honeypots to study the tactics, tools, motives and behaviours of hackers, by providing a seemingly vulnerable network of honeypots and observing the hackers who intrude on those 'vulnerable' systems.
Honeypot
Honeypots are a highly flexible security tool with differing applications for security. They don't fix a single problem but instead have multiple uses, such as intrusion prevention, detection, or information gathering. Honeypots all share the same concept: a security resource that should not have any production or authorized activity. This makes them very simple to use. There are two general types of honeypots, production and research. Production honeypots, also known as low-interaction honeypots, are easy to use, capture only limited information, and are used primarily by companies or corporations for detecting interest in their assets. Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organizations. Another purpose is to delay attackers in their pursuit of legitimate targets, causing the attacker to waste time on the honeypot whilst the original entry hole is secured, leaving the truly valuable assets alone. In some countries law enforcement agencies cannot prosecute using evidence from a honeypot. See also Honeynet.
Honeytoken
A honeytoken is a seemingly valuable or interesting document (or similar item) that an attacker may take; signatures are written for the IDS to track its movement.
The second and final article in this series will discuss various types of IDS categories in detail, as well as other important IDS terms such as Signatures and Anomalies.
Andy Cuff is a computer security consultant who specializes in Intrusion Detection. He is currently responsible for deploying and maintaining various IDSs on a global network of over 300,000 hosts. During the last two decades he has experienced a variety of different security roles, ranging from cryptography to TEMPEST and from bug sweeping to pen testing. In his spare time he maintains the vendor-independent Talisker Security Tools website, which offers salient details on every known network security device. Andy is a regular contributor to many security-related mailing lists.