📄 247-249.html

📁 Intrusion detection tutorials
💻 HTML
			</SELECT>
			</font></td>
	</tr>
	</table>
	</form>
<!-- LEFT NAV SEARCH END -->

		</td>
		
<!-- PUB PARTNERS END -->
<!-- END LEFT NAV -->

<td width="100%" valign="top" align="left">
<P>
<B>Intrusion Detection: Network Security beyond the Firewall</B>
<FONT SIZE="-1">
<BR>
<I>(Publisher: John Wiley & Sons, Inc.)</I>
<BR>
Author(s): Terry Escamilla
<BR>
ISBN: 0471290009
<BR>
Publication Date: 11/01/98
</FONT>
<P>
<!--ISBN=0471290009//-->
<!--TITLE=Intrusion Detection: Network Security Beyond the Firewall//-->
<!--AUTHOR=Terry Escamilla//-->
<!--PUBLISHER=John Wiley & Sons, Inc.//-->
<!--IMPRINT=Wiley Computer Publishing//-->
<!--CHAPTER=8//-->
<!--PAGES=247-249//-->
<!--UNASSIGNED1//-->
<!--UNASSIGNED2//-->

<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="245-247.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="249-251.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<P><BR></P>
<H4 ALIGN="LEFT"><A NAME="Heading20"></A><FONT COLOR="#000077">A Word about Sequences</FONT></H4>
<P>A pattern-matching IDS can look at a sequence of events to detect a problem. For example, if someone is suddenly removing dozens or hundreds of files, you might be faced with a disgruntled employee about to leave a system in an irreparable state. If you wanted to detect such an attack, you could configure your monitor to look for a sequence of <I>N</I> file deletions in a row by the same user, and ask the system to alert you when this threshold is hit. The first challenge to your thinking is the <I>interval problem</I>.</P>
<P>Suppose someone has 100 sensitive source files that are not backed up on any other system. This practice is bad to begin with, but it really does happen. If this intruder knows you are looking for successive file deletes, one possible way to escape detection is to delete one file each day for the next 100 days (or any number of deletions per day less than <I>N</I>). If the <I>scope</I> of your detection pattern is a login session, or a day, or a week, the pattern will not detect the problem because the threshold is not hit before a new scope boundary is hit. The pattern must reset its counter when a scope begins. Within each scope there can be any number of <I>intervening</I> events between successive file deletes. This is not a problem for the signature because it is happily counting the events as they occur, regardless of whether each delete command is followed by ls or any other command.</P>
<P>Most IDSs do not enable you to define a scope for resetting thresholds. Instead, the simplifying assumption is that a login session defines the scope of interest. Thus, if the user deletes <I>N</I> files between login and logout events (in the same way that parentheses bound a related comment), the pattern will fire. The problem with this approach is that it will not catch the trick mentioned previously.</P>
<P>An alternative approach would be to track <I>N</I> file deletes regardless of the number of intervening events. The problem here is still to define the scope. If the scope is defined broadly as &#147;from the very first event for this user on this system&#148; up until &#147;now,&#148; the pattern will be of little use. Over a period of years, an employee is sure to delete many files. The pattern would fire every day for some user. Defining scope as a week, or as a day, or some other calendar duration is a good idea, but IDSs do not provide this capability today.</P>
<P>A statistical anomaly detector suffers from the same dilemma. Usually, these tools take a <I>per day</I> approach to computing the baseline, giving the average number of file deletes by each user per day. To catch a tricky hacker, per-week or per-month metrics would also be needed. If the perpetrator is someone who deletes hundreds of files per week as normal behavior, catching the disgruntled employee described before will be tough.</P>
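<P>As an added example (not from the book), the following Python implements the <I>N</I>-delete threshold described above under two scopes, a login session and a rolling calendar window, and runs both over a constructed audit trail in which a user deletes one file per day across separate sessions with intervening commands. The event tuple format, the user name and the threshold value are assumptions made for the example.</P>

```python
# Added example (not from the book): the same N-delete signature evaluated
# under a login-session scope and under a rolling calendar-window scope.
from datetime import datetime, timedelta

def make_events():
    """Constructed audit trail: one login session per day for 10 days, each
    containing exactly one delete and an intervening ls command."""
    start = datetime(1998, 11, 1)
    events = []
    for day in range(10):
        t = start + timedelta(days=day)
        events += [
            (t, "mallory", "login", ""),
            (t + timedelta(minutes=1), "mallory", "ls", "src/"),
            (t + timedelta(minutes=2), "mallory", "delete", "src/file%d.c" % day),
            (t + timedelta(minutes=3), "mallory", "logout", ""),
        ]
    return events

def session_scope_alerts(events, threshold):
    """Scope = login session: the per-user counter resets at every login,
    which is the simplifying assumption most IDSs make."""
    counts, alerts = {}, []
    for ts, user, action, _ in events:
        if action == "login":
            counts[user] = 0                      # new scope, reset counter
        elif action == "delete":
            counts[user] = counts.get(user, 0) + 1
            if counts[user] == threshold:
                alerts.append((user, ts))
    return alerts

def window_scope_alerts(events, threshold, days=None):
    """Scope = rolling window of `days` calendar days (None = every event
    ever seen for the user). Non-delete events are ignored entirely."""
    recent, alerts = {}, []
    for ts, user, action, _ in events:
        if action != "delete":
            continue                              # intervening events skipped
        seen = recent.setdefault(user, [])
        seen.append(ts)
        if days is not None:
            cutoff = ts - timedelta(days=days)
            seen[:] = [t for t in seen if t > cutoff]   # drop expired deletes
        if len(seen) == threshold:
            alerts.append((user, ts))
    return alerts

if __name__ == "__main__":
    ev = make_events()
    print("session scope:", session_scope_alerts(ev, 5))   # no alert
    print("7-day scope:  ", window_scope_alerts(ev, 5, 7))  # alert on day 5
```

With a threshold of 5, the session-scoped signature never fires because each session holds a single delete, while the 7-day window fires on the fifth day; with no window at all it also fires once, and would keep firing for any long-lived account.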
<H4 ALIGN="LEFT"><A NAME="Heading21"></A><FONT COLOR="#000077">Focusing on Local Attacks</FONT></H4>
<P>Think about a single system for which you are responsible. One type of attack can originate from a user logged on to your system. Another possibility is that the crack is launched via a network connection to the system. For each of these two categories, different attack severities range from denial-of-service up through gaining superuser privileges.</P>
<P>A system with a network adapter thus faces threats from users who are logged in and running programs and from users who connect to this computer from other nodes in your network. The goal of a hacker who has a login account on the system is to gain superuser privileges to have complete control. The goal of a hacker who does not have an account on the system is usually to establish an account on the system. The <I>usually</I> is added in the last sentence because it is not necessary for a hacker to have an account on a system to wreck things. Network connections to programs with security weaknesses can be exploited by crackers to do things just as if they had a login account on the system. Getting a login account just makes it easier to explore or trash a system.</P>
<P>In these sections, the focus is on attacks that can occur when a user eventually has login access to your system. In the next chapter, you will see how some of these same kinds of attacks can occur when someone communicates with your system over the network. <I>In the worst case, a remote user without an account is able to gain superuser privileges on your system</I>. For the moment, though, you should focus first on how local login users can exploit your system&#146;s weaknesses.</P>
<P>To recap the increasing severity of local problems, remember that the list goes as follows:</P>
<DL>
<DD><B>&#149;</B>&nbsp;&nbsp;Denial of service
<DD><B>&#149;</B>&nbsp;&nbsp;Local account gains read access to a resource
<DD><B>&#149;</B>&nbsp;&nbsp;Local account gains write access to a resource
<DD><B>&#149;</B>&nbsp;&nbsp;Local users gain privileges, especially those of the superuser
</DL>
<H4 ALIGN="LEFT"><A NAME="Heading22"></A><FONT COLOR="#000077">An IDS Limitation</FONT></H4>
<P>At this point, you should see a limitation of IDSs that is shared with other tools. <I>If you do not configure the tool properly, it will not catch intrusions or misuse by insiders</I>. You must specify <I>what</I> you want to monitor, unless you monitor everything. To use an IDS, you must state your monitoring policy, particularly if you want to monitor resources not predefined in the IDS, such as application binaries. As you can see, the IDS might make some assumptions that a knowledgeable hacker can use to avoid detection. This doesn&#146;t mean that IDSs do not work; it just means that catching hackers is really hard and requires tuning of the tools.</P><P><BR></P>
		<br><br>
		</TD>
    </TR>
	</TABLE>
<p><font face="arial, helvetica" size="1">Use of this site is subject to certain <a href="/agreement.html">Terms &amp; Conditions</a>, <a href="/copyright.html">Copyright &copy; 1996-1999 EarthWeb Inc.</a><br>
All rights reserved. Reproduction whole or in part in any form or medium without express written permission of EarthWeb is prohibited.</font></p>
</BODY>
</HTML>
