Overview
AUTHOR
Hervé DEBAR: Senior Expert, France Télécom R&D
INTRODUCTION
The development of information technology has been accompanied by security problems. Initially, viruses spread slowly through the exchange of computer media. With the advent of the first TCP/IP networks, security problems diversified and led to the development of new security techniques.
Very early in the development of the Internet, vulnerabilities in operating systems enabled attackers to move virtually from system to system. In the military context of TCP/IP network deployment, the detection of malicious actions quickly became a necessity. Preventive measures proved insufficient, which led to the creation of intrusion detection systems (IDS).
These systems have been developed to detect abnormal operation of information systems and networks, indicating that actions are being taken by one or more users that do not comply with security policy. Two families of analysis techniques have been developed for this purpose. The first family of analysis techniques assumes that it is possible to differentiate the behavior of an attacker from the usual behavior of the information system under surveillance. The second family exploits accumulated knowledge of vulnerabilities and ways of penetrating information systems; when user actions resemble previously described attacks, the intrusion detection system transmits an alert.
These analysis techniques apply to different data sources, which must be acquired by the intrusion detection system (network listening or file reading, for example), and pre-processed to simplify analysis.
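The two analysis families and the acquisition/pre-processing step described above, shown as an added example that is not part of the original article: constructed web-server log lines are parsed into records, a knowledge-based (signature) analyser matches a described attack pattern, and a behaviour-based (anomaly) analyser flags clients whose request volume or error ratio departs from a baseline learned on a training set. The log lines, the single signature, the profile features and the thresholds `k` and `error_margin` are all assumptions made for this example.

```python
"""Added example: the two IDS analysis families from the introduction run over
constructed web-server log lines. Signature analysis matches known attack
patterns; anomaly analysis flags clients whose behaviour departs from a
learned baseline. Log lines, patterns and thresholds are constructed for the
example and are not drawn from any real product."""
import re
import statistics
from collections import Counter, defaultdict

# Constructed sample log lines in a simplified layout: <client-ip> <status> <path>
TRAINING_LOG = """\
10.0.0.1 200 /index.html
10.0.0.2 200 /about.html
10.0.0.1 200 /products.html
10.0.0.3 404 /favicon.ico
10.0.0.2 200 /index.html
10.0.0.4 200 /contact.html
10.0.0.3 200 /index.html
10.0.0.1 200 /contact.html
""".splitlines()

OBSERVED_LOG = """\
10.0.0.1 200 /index.html
10.0.0.9 404 /a
10.0.0.9 404 /b
10.0.0.9 404 /c
10.0.0.9 404 /d
10.0.0.9 404 /e
10.0.0.9 404 /f
10.0.0.2 200 /about.html
10.0.0.7 200 /../../etc/passwd
""".splitlines()

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<status>\d{3}) (?P<path>\S+)$")


def preprocess(lines):
    """Acquisition + pre-processing: turn raw lines into structured records and
    drop anything that does not parse, so the analysers never see raw text."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            records.append({"ip": m["ip"], "status": int(m["status"]), "path": m["path"]})
    return records


# --- Family 2: knowledge-based (signature) analysis -------------------------
# Constructed signature list: (name, regular expression over the request path).
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./")),
]


def signature_alerts(records):
    """Alert whenever a record resembles a previously described attack."""
    return [(r["ip"], name) for r in records for name, rx in SIGNATURES if rx.search(r["path"])]


# --- Family 1: behaviour-based (anomaly) analysis ---------------------------
def build_profile(records):
    """Learn usual behaviour: requests per client (mean, population stdev) and
    the overall share of error responses (status >= 400)."""
    per_client = Counter(r["ip"] for r in records)
    counts = list(per_client.values())
    errors = sum(1 for r in records if r["status"] >= 400)
    return {
        "mean_requests": statistics.mean(counts),
        "stdev_requests": statistics.pstdev(counts),
        "error_ratio": errors / len(records),
    }


def anomaly_alerts(records, profile, k=2.0, error_margin=0.5):
    """Flag clients whose request count exceeds mean + k*stdev, or whose error
    ratio exceeds the baseline by more than error_margin (both assumed thresholds)."""
    per_client = defaultdict(list)
    for r in records:
        per_client[r["ip"]].append(r)
    threshold = profile["mean_requests"] + k * profile["stdev_requests"]
    alerts = []
    for ip, recs in per_client.items():
        err_ratio = sum(1 for r in recs if r["status"] >= 400) / len(recs)
        if len(recs) > threshold:
            alerts.append((ip, "request-rate"))
        if err_ratio > profile["error_ratio"] + error_margin:
            alerts.append((ip, "error-ratio"))
    return alerts


def run():
    """Run both analysers over the observed log and return their alerts."""
    profile = build_profile(preprocess(TRAINING_LOG))
    observed = preprocess(OBSERVED_LOG)
    return signature_alerts(observed), anomaly_alerts(observed, profile)


if __name__ == "__main__":
    sig, ano = run()
    print("signature alerts:", sig)
    print("anomaly alerts:  ", ano)
```

Running it shows why the article treats the two families as complementary: the single traversal-looking request from 10.0.0.7 is caught only by the signature analyser (its volume is unremarkable), while the burst of 404s from 10.0.0.9 matches no described attack and is caught only by the anomaly analyser.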
The main purpose of intrusion detection systems today is to provide operators with information on the health of the information system being monitored. However, as analysis techniques evolve and become more reliable, it may be possible in a few years' time to develop more sophisticated protection systems than those currently available. In particular, it should become possible to protect each service offered by an information system individually, without being tied to network access points, as is the case today with widespread firewall technology.
Intrusion detection and analysis
Bibliography
Organizations
Internet Engineering Task Force (IETF) http://www.ietf.org
Intrusion Detection Exchange Format Working Group (IDWG) http://www.ietf.org/html.charters/idwg-charter.html
Software
Snort http://www.snort.org
Stide (Sequence Time-Delay Embedding) http://www.cs.unm.edu/~immsec/systemcalls.htm
Nessus http://www.nessus.org
...
Databases
Snort Signature Database http://www.snort.org/snort-db
Bugtraq http://www.securityfocus.com/bid
Common Vulnerabilities and Exposures (CVE) http://cve.mitre.org
...