Overview

Why Do You Need Intrusion Detection?

Where Does Intrusion Detection Fit In?

The amount of information that flows through a typical corporate intranet and the level of activity on most corporate servers make it impossible for any one person to continually monitor them by hand. Traditional network management and system monitoring tools do not address the issue of helping to ensure that systems are not misused and abused. Nor can they help detect theft of a company’s critical data from important servers. The potential impact of computer-based crime is significant to most corporations: their entire intellectual property often resides on server machines. A tool that could detect security-related threats and attacks as they occur would significantly ease the burden that most network administrators face.

What Is Intrusion Detection?

Intrusion detection can be summarized quite simply: After you have put up the barbed wire fence, an intrusion detection system is like adding closed circuit TV cameras so that security guards can monitor your facilities to forestall an attack.

Intrusion detection is the art and science of detecting illegal and improper use of computing resources by unauthorized outsiders and authorized employees, before such misuse results in excessive damage. It does this by providing continuous monitoring of critical systems and data.

An intrusion detection system (IDS) monitors user and system activity to detect patterns of misuse that may correspond to security violations. The monitoring is automatic and constant on all the systems on which the IDS is deployed. It imposes a low overhead on the systems and network so as not to disrupt your business activities. In addition, an IDS can monitor a server machine, a whole network, or even an application (such as a database or web server).

Before attacking your systems, an attacker needs to identify potential vulnerabilities that can be exploited to subvert your system’s security. A vulnerability is a feature of the design, implementation, or operation of a computer system or network that leaves it open to subversion by an unauthorized (or authorized) user. Having identified a vulnerability to exploit, the attacker will then create an attack script, which is often just a shell script or simple program that performs a series of fixed steps to exploit the vulnerability. Often the script that the attacker needs has already been written and is available on a web page, in which case the attacker’s job is much easier.

Despite the multitude of attacks that are known and reported, you may be surprised to learn that most of them are merely variations on a theme. Once one attacker identifies a weakness and releases an attack script for it, many others are inspired by his work and find similar weaknesses in other pieces of software. What follows is usually a flood of attacks that exhibit common patterns and follow similar steps. Given an attack, we can codify it: express it in terms that an intrusion detection system can operate with. HP-UX HIDS uses the concept of a “detection template” to express some fundamental aspect of an attack that distinguishes it from legitimate behavior and so permits detection.
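The following is an added illustration of what “codifying an attack” into a detection template means in practice; it is not HP-UX HIDS code, and the manual excerpt above does not describe the product’s actual template format. Each template names the behavioral feature that separates the attack pattern from legitimate activity (a critical file being changed by a non-root user; a burst of failed logins for one account), and the evaluator applies the templates to a stream of audit events. The event fields, file paths, template names and sample events are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Event = Dict[str, object]

@dataclass
class DetectionTemplate:
    """Codified description of one class of misuse (constructed format, not HIDS's own)."""
    name: str
    rationale: str                      # what distinguishes the pattern from normal use
    matches: Callable[[Event], bool]    # does a single event fit the pattern?
    key: Callable[[Event], object]      # how related events are grouped (e.g. by user)
    threshold: int = 1                  # matching events needed before alerting
    window_seconds: int = 0             # 0 = each event is judged on its own

@dataclass
class Alert:
    template: str
    ts: int
    key: object

# Files whose modification by an ordinary user is suspicious (constructed list).
CRITICAL_FILES = {"/etc/passwd", "/etc/shadow", "/etc/inetd.conf"}

TEMPLATES: List[DetectionTemplate] = [
    DetectionTemplate(
        name="critical-file-modified-by-nonroot",
        rationale="Only root is expected to change these files",
        matches=lambda ev: ev["type"] == "file_write"
                           and ev.get("path") in CRITICAL_FILES
                           and ev.get("uid") != 0,
        key=lambda ev: ev.get("user"),
    ),
    DetectionTemplate(
        name="repeated-login-failures",
        rationale="Three failures for one account within a minute is a guessing pattern",
        matches=lambda ev: ev["type"] == "login" and ev.get("result") == "fail",
        key=lambda ev: ev.get("user"),
        threshold=3,
        window_seconds=60,
    ),
]

def evaluate(template: DetectionTemplate, events: List[Event]) -> List[Alert]:
    """Apply one template to a time-ordered event stream and return the alerts it raises."""
    alerts: List[Alert] = []
    hits: Dict[object, List[int]] = {}      # per group: timestamps of recent matches
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not template.matches(ev):
            continue
        k = template.key(ev)
        # keep only matches still inside the sliding window, then add this one
        recent = [t for t in hits.get(k, []) if ev["ts"] - t <= template.window_seconds]
        recent.append(ev["ts"])
        if len(recent) >= template.threshold:
            alerts.append(Alert(template.name, ev["ts"], k))
            recent = []                     # reset so one burst yields one alert
        hits[k] = recent
    return alerts

# Constructed audit events (timestamps in seconds; not real system output).
SAMPLE_EVENTS: List[Event] = [
    {"ts": 100, "type": "login", "user": "jdoe", "result": "fail"},
    {"ts": 110, "type": "login", "user": "jdoe", "result": "fail"},
    {"ts": 130, "type": "login", "user": "jdoe", "result": "fail"},   # 3rd within 60 s
    {"ts": 140, "type": "login", "user": "jdoe", "result": "ok"},
    {"ts": 200, "type": "file_write", "user": "jdoe", "uid": 1001, "path": "/etc/passwd"},
    {"ts": 210, "type": "file_write", "user": "root", "uid": 0, "path": "/etc/passwd"},  # legitimate
    {"ts": 300, "type": "login", "user": "alice", "result": "fail"},
    {"ts": 400, "type": "login", "user": "alice", "result": "fail"},  # only 2, and 100 s apart
]

def run_all(events: Optional[List[Event]] = None) -> List[Alert]:
    """Run every template over the stream and return the alerts in time order."""
    events = SAMPLE_EVENTS if events is None else events
    alerts: List[Alert] = []
    for template in TEMPLATES:
        alerts.extend(evaluate(template, events))
    return sorted(alerts, key=lambda a: a.ts)

if __name__ == "__main__":
    for a in run_all():
        print(f"{a.ts:>5}  {a.template:<36} {a.key}")
```

Two alerts result: the burst of failed logins for `jdoe` at t=130 and the non-root write to `/etc/passwd` at t=200. The root write and the two widely spaced failures for `alice` match no template, which is the point of expressing the distinguishing feature rather than a specific script: any tool that produces the same pattern of events is caught, and ordinary administration is not.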

Chapter 1
HP Host Intrusion Detection System (HIDS) manual Where Does Intrusion Detection Fit In?, What Is Intrusion Detection?