TECHNOLOGY SERIES

INTRUSION DETECTION

Rebecca Gurley Bace

Symantec v. Columbia
IPR2015-00375
[same as SYMC 1007 in IPR2015-00372]
Columbia Ex. 2007

SYMC 1007

What we're hearing from reviewers about Intrusion Detection ...

"People have been working on computer intrusion detection systems for nearly 20 years. As a researcher, I am bothered that other scientists aren't familiar with the good work that has already been done, and as a consumer I am disconcerted that I don't have better commercial products to defend my systems.

Becky Bace has been there, done that, read about it, thought about it a lot, and now written it all down. Everyone who works in intrusion detection can gain something by reading this book. You can too."

Eugene H. Spafford, Professor and Director of the Purdue University CERIAS

"This book serves as a fantastic reference for the history of commercial and research intrusion detection tools. Even for practitioners of intrusion detection, this book can be an eye-opener.

Becky's book grounds the intrusion detection discussion in a way that is readable, informative, and practical."

Gene Kim, Chief Technology Officer, Tripwire Security Systems, Inc.

"I cannot imagine a consulting expert in this field who will want to be without a copy of Becky's book. Corporate managers, directors, and legal counsel need to digest these arguments as well."

Fred Chris Smith, Attorney, Santa Fe, New Mexico

"There is plenty here to point the needful System Administrator in the direction of an intrusion detection system appropriate for his current envisioned needs. But this book does much more: It provides solid perspective in a field where empty claims often dominate, and it will provide insights needed to cope with situations where existing products fall short or fail altogether to protect a system.

I am certain that this book will become an industry standard in intrusion detection as a discipline."

Marvin Schaefer, Chief Scientist, Vice-President, Arca Systems

"This book bridges a critical gap in the reference market. It encompasses both the principles of intrusion detection and a wealth of specific examples, enabling the reader to form a sound basis for understanding and evaluating what is happening in the field.

This book demystifies intrusion detection without oversimplifying the problem."

Ruth Nelson, President, Information System Security

The Nijubashi Bridge was built in 1888 as the main access to the Imperial Palace in Tokyo. The famous "Double Bridge (Nijubashi)" is a popular name and should formally be called the "Stone Bridge." The real Double Bridge is a steel bridge that stands behind the Stone Bridge and was built at the same time. These bridges were built to replace the previous wooden bridges, giving the palace new Western-style embellishment.

INTRUSION DETECTION

Rebecca Gurley Bace

MACMILLAN TECHNICAL PUBLISHING
U.S.A.

Intrusion Detection
Rebecca Gurley Bace
Published by:
Macmillan Technical Publishing
201 West 103rd Street
Indianapolis, IN 46290 USA
Copyright © 2000 by Macmillan Technical Publishing
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.
International Standard Book Number: 1-57870-185-6
Library of Congress Catalog Card Number: 99-63273
03 02 01 00
7 6 5 4 3 2
Interpretation of the printing code: The rightmost double-digit number is the year of the book's printing; the rightmost single-digit number is the number of the book's printing. For example, the printing code 00-1 shows that the first printing of the book occurred in 2000.
Composed in Galliard and MCPdigital by Macmillan Technical Publishing
Printed in the United States of America

Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Macmillan Technical Publishing cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Warning and Disclaimer
This book is designed to provide information about intrusion detection. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.
The information is provided on an as-is basis. The authors and Macmillan Technical Publishing shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.

Feedback Information
At Macmillan Technical Publishing, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.
Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us at networktech@mcp.com. Please make sure to include the book title and ISBN in your message.
We greatly appreciate your assistance.

PUBLISHER
David Dwyer

EXECUTIVE EDITOR
Linda Ratts Engelman

MANAGING EDITOR
Gina Brown

PRODUCT MARKETING MANAGER
Stephanie Layton

ACQUISITIONS EDITOR
Karen Wachs

DEVELOPMENT EDITOR
Katherine Pendergast

PROJECT EDITOR
Alissa Cayton

COPY EDITOR
June Waldman

INDEXER
Larry Sweazy

ACQUISITIONS COORDINATOR
Jennifer Garrett

MANUFACTURING COORDINATOR
Chris Moos

BOOK DESIGNER
Louisa Klucznik

COVER DESIGNER
Aren Howell

COMPOSITORS
Scan Communications Group, Inc.
Amy Parker

About the Author
Rebecca Gurley Bace is the president of Infidel, Inc., a consulting practice specializing in intrusion detection and network security technology and strategy.

Prior to founding Infidel, Ms. Bace spent 13 years in government, the first 12 as an employee of the National Security Agency (NSA). She led the Computer Misuse and Anomaly Detection (CMAD) Research program from 1989 through 1995, as a charter member of NSA's Office of Information Security (Infosec) Research and Technology (R2).

As the leader of CMAD research, Ms. Bace was responsible for championing much of the early research in intrusion detection, funding academic research at Purdue University (COAST project); University of California, Davis (Security Lab); University of New Mexico; and Tulane University. She also served as the government's technical monitor for the Wisdom and Sense and STAR anomaly detection research projects at Los Alamos National Laboratory.

Ms. Bace's research collaborations with Dr. David Icove of the Federal Bureau of Investigation led to the commercial publication of a manual for computer crime investigation and a government study of convicted hackers. She and the CMAD workshop series she founded and sponsored were involved in the 1995 detection, traceback, and apprehension of Kevin Mitnick, at the time the FBI's most wanted computer criminal. She receives mention in Tsutomu Shimomura's book on the subject, Takedown (Hyperion Press, 1995). Ms. Bace received the NSA's Distinguished Leadership Award in 1995, in recognition of her work building the national CMAD community.

After leaving the NSA in 1996, Ms. Bace served as deputy security officer for the Computing, Information, and Communications Division of the Los Alamos National Laboratory. In this role, Ms. Bace was charged with determining protection strategies that allowed the Laboratory to balance needs for security with needs for availability and performance.

A native of Leeds, Alabama, Ms. Bace holds a bachelor of science degree from the University of the State of New York and a master of engineering science degree from Loyola College.

About the Technical Reviewers
These reviewers contributed their considerable practical, hands-on expertise to the entire development process for Intrusion Detection. As the book was being written, these folks reviewed all the material for technical content, organization, and flow. Their feedback was critical to ensuring that Intrusion Detection fits the reader's need for the highest quality technical information.

David Neilan has been working in the computer/network industry for more than eight years, the last five of which have been primarily devoted to network and Internet security. From 1991 to 1995, he worked at Intergraph, dealing with graphics systems and networking. David then spent four years working with DEC firewalls and network security at Digital Equipment. Since 1998, David has been working with Present Online Business Systems, LAN/WAN, and Internet security where he is designing network infrastructures to support secure LAN/WAN connectivity for various companies utilizing the Internet to create secure virtual private networks.

Robin Roberts has been in the information security industry for more than 10 years. Since 1997 she has been employed by BTG Inc., a technology integrator and services provider. At BTG she serves as an information security subject matter expert and manages an information and network security services group with particular focus on customers from the intelligence community. From 1986 to 1997, Robin worked for the Central Intelligence Agency, managing the Information Security R&D Program and providing subject matter expertise to a variety of agency projects.

Stephen E. Smaha was founder and CEO of Haystack Labs, Inc., which designed, implemented, and fielded software-based intrusion and misuse detection systems starting in 1989. Before launching their first commercial product in 1993, Haystack Labs did research and development work on intrusion detection systems for a variety of government agencies and their contractors, including the FBI, National Security Agency, Department of Energy, the U.S. Air Force, and some unmentionables. Haystack Labs, Inc., was acquired in October 1997 by Trusted Information Systems (TIS). At TIS, Smaha served as vice president for technology until that company's acquisition by Network Associates in April 1998. Since that time, he has served on several computer company boards of directors and technical advisory boards and is actively involved in mentoring startup companies. Prior to founding Haystack Labs, Smaha developed computer security systems for military customers at Tracor Applied Sciences, managed an artificial intelligence software group at Schlumberger, designed office automation workstations at Syntrex Corp., and wrote biostatistics software for Health Products Research. Smaha is a well-known speaker and contributor to Interop, COMDEX, Internet World, and a variety of security-related forums. He has served on federal and state-level expert panels on security and privacy. Smaha's undergraduate degree is from Princeton University in math and philosophy. He has a master's degree from the University of Pittsburgh in philosophy and a master's degree from Rutgers University in computer science.

Fred Chris Smith practices law in Santa Fe, New Mexico, where he has lived since 1978. Since 1985 he has also consulted from time to time with the Los Alamos National Laboratory about various digital evidence analysis tools and other computer forensic technologies developed by the national labs. He currently consults with the lab in an ongoing effort to make new computer forensic tools and techniques available to public law enforcement and to private computer security professionals. He served as the director of special prosecutions and investigations for four consecutive New Mexico attorneys general. Since 1989 he has worked with SEARCH and recently helped to develop the advanced Internet investigation course curriculum for state and local law enforcement officers, which he helps to teach in Sacramento, California. He currently serves on the National White Collar Crime Center Executive Director's Advisory Board in Richmond, Virginia. Over the past 10 years, Fred has developed training programs and spoken to numerous state and federal agencies about computer crime and new developments in theories of legal liability resulting from an increased use of networked software applications in commerce. He works as a consultant for groups and companies from the private sector on investigation and litigation strategies where electronic evidence is involved. His most recent publication is a manual for the National Coalition for the Prevention of Economic Crime, Forming Partnerships for the Prosecution of Computer Network Intrusions, which will be published sometime after Y2K. Fred attended the University of Michigan as an undergraduate and received his law degree from Stanford in 1972.

Christopher Wee has been a researcher in intrusion detection and network security since 1991. His research interests are in host-based audit monitoring, the exploitation of vulnerabilities in network protocols, and the specification of security policies. As a graduate student and postdoctoral researcher at University of California, Davis, he worked on the DIDS, LAFS, GrIDS, and IDIP intrusion detection systems. Chris is currently a senior Infosec analyst with Intel Online Services, Inc. He holds a bachelor of science degree in electrical engineering and a master's degree and doctorate in computer science from University of California, Davis.

Dedication
To the "Graybeards" and "Nobeards" of computer security-may we someday get it right.
In loving memory of Joey Bace,
(1985-1994)
who taught his mom what matters most.

Acknowledgments
During the writing of this book, as in the rest of my life, I've been blessed with an abundance of extraordinary people who have spun a web of support around me.

I am deeply indebted to Steve Smaha, who has been my intrusion detection muse for many years. He, Jessica, and Rebecca have been a source of support and inspiration to me through the past decade. It was at Steve's behest that I tackled writing this book, and he was the source of much entertaining and informative discussion throughout the process.

Jennifer Garrett, Katie Pendergast, Alissa Cayton, and Linda Engelman of Macmillan Technical Publishing have been a joy to work with, encouraging and guiding me through the totally alien landscape of the publishing business.

My colleagues in network and information security make up a wise, intelligent, and incredibly entertaining community. They have been generous with information and encouragement, responding to my requests for opinions and explanations with unfailing good humor, funny email, fresh gossip, and profound insight. Special thanks go to Jim Anderson, Dorothy Denning, Gene Spafford, Bob Abbott, Marv Schaefer, Ruth Nelson, Marcus Ranum, Kevin Ziese, Adam Shostack, Chris Wee, Fred Smith, Drew Gross, Carolyn Turbyfill, Robin Roberts, Stephanie Fohn, Gene Kim, Ron Gula, and Dave Icove.

My former colleagues in the National Security Agency are brilliant and dedicated professionals who perform a critical, though all too often thankless function in our society. I consider it an honor to have been part of that organization, and I salute them for their support of the nation.

Finally, my family has been a source of immense joy and enlightenment to me. This includes the family to which I was born as well as the family that has gathered around me in the form of close and steadfast friends. I'm fortunate to have so many who have opened their hearts and lives to me. I am especially indebted to Terri Gilbert and to Paul Bace for their love, support, and patience as I wrote this book.

OVERVIEW

Introduction 1
1 The History of Intrusion Detection 7
2 Concepts and Definitions 27
3 Information Sources 45
4 Analysis Schemes 79
5 Responses 121
6 Vulnerability Analysis: A Special Case 135
7 Technical Issues 155
8 Understanding the Real-World Challenge 173
9 Legal Issues 195
10 For Users 217
11 For Strategists 235
12 For Designers 255
13 Future Needs 275
Appendix A Glossary 289
Appendix B Bibliography 297
Appendix C Resources 315
Appendix D Checklist 321
Index 323

CONTENTS

Introduction 1
Defining Intrusion Detection 3
By Way of Introduction 4
1 The History of Intrusion Detection 7
1.1 Audit: Setting the Stage for Intrusion Detection 7
1.1.1 Differences between Financial and Security Audit 9
1.1.2 Audit as a Management Tool 9
1.1.3 EDP Audits and Early Computer Security 10
1.1.4 Audit and Military Models of Computer Security 11
1.2 The Birth of Intrusion Detection 12
1.2.1 Anderson and the Audit Reduction Problem 12
1.2.2 Denning, Neumann, and IDES 14
1.2.3 A Flurry of Systems through the 1980s 15
1.2.4 Integrating Host and Network-Based Intrusion Detection 21
1.2.5 The Advent of Commercial Products 23
1.3 Conclusion 24
Endnotes 25
2 Concepts and Definitions 27
2.1 An Introduction to Intrusion Detection 27
2.2 Security Concepts 28
2.2.1 A Cultural View of Computer and Network Security 28
2.2.2 Practical Definition of Computer Security 29
2.2.3 Formal Definition of Computer Security 29
2.2.4 Trust 30
2.2.5 Threat 30
2.2.6 Vulnerability 31
2.2.7 Security Policy 32
2.2.8 Other Elements of the System Security Infrastructure 33
2.2.9 How Security Problems Occur 35
2.3 Intrusion Detection Concepts 37
2.3.1 Architecture 37
2.3.2 Monitoring Strategy 38
2.3.3 Analysis Type 38
2.3.4 Timing 40
2.3.5 Goals of Detection 40
2.3.6 Control Issues 42
2.3.7 Determining Strategies for Intrusion Detection 43
2.4 Conclusion 43
Endnotes 44
3 Information Sources 45
3.1 The Organization of this Chapter 45
3.1.1 Which Source Is the Right Source? 46
3.1.2 Enduring Questions 46
3.2 Host-Based Information Sources 47
3.2.1 Operating System Audit Trails 47
3.2.2 Approaches to Structuring Audit Trails 48
3.2.3 Problems with Commercial Audit Systems 48
3.2.4 Pros and Cons of Operating System Audit Trails 49
3.2.5 Content of Audit Trails 49
3.2.6 Audit Reduction 57
3.2.7 System Logs 58
3.2.8 Applications Information 60
3.2.9 Target-Based Monitoring 65
3.3 Network-Based Information Sources 67
3.3.1 Why Network Sources? 67
3.3.2 Network Packets 67
3.3.3 TCP/IP Networks 68
3.3.4 Packet Capture 70
3.3.5 Network Devices 73
3.3.6 Out-of-Band Information Sources 73
3.4 Information from Other Security Products 74
3.4.1 An Example of a Security Product Data Source 74
3.4.2 Organization of Information Prior to Analysis 75
3.4.3 Other System Components as Data Sources 76
3.5 Conclusion 76
Endnotes 77
4 Analysis Schemes 79
4.1 Thinking About Intrusions 79
4.1.1 Defining Analysis 79
4.1.2 Goals 80
4.1.3 Supporting Goals 81
4.1.4 Detecting Intrusions 82
4.2 A Model for Intrusion Analysis 83
4.2.1 Constructing the Analyzer 84
4.2.2 Performing Analysis 88
4.2.3 Feedback and Refinement 89
4.3 Techniques 91
4.3.1 Misuse Detection 91
4.3.2 Anomaly Detection 100
4.3.3 Alternative Detection Schemes 110
4.4 Conclusion 117
Endnotes 117
5 Responses 121
5.1 Requirements for Responses 121
5.1.1 Operational Environment 123
5.1.2 System Purpose and Priorities 123
5.1.3 Regulatory or Statutory Requirements 124
5.1.4 Conveying Expertise to Users 124
5.2 Types of Responses 125
5.2.1 Active Responses 125
5.2.2 Passive Responses 128
5.3 Covering Tracks During Investigation 130
5.3.1 Fail-Safe Considerations for Response Components 130
5.3.2 Handling False Alarms 130
5.3.3 Archive and Report 131
5.4 Mapping Responses to Policy 131
5.4.1 Immediate 132
5.4.2 Timely 132
5.4.3 Long-Term-Local 132
5.4.4 Long-Term-Global 133
5.5 Conclusion 133
Endnotes 134
6 Vulnerability Analysis: A Special Case 135
6.1 Vulnerability Analysis 136
6.1.1 Rationale for Vulnerability Analysis 136
6.1.2 COPS-An Example of Vulnerability Analysis 136
6.1.3 Issues and Considerations 140
6.2 Credentialed Approaches 140
6.2.1 Definition of Credentialed Approaches 141
6.2.2 Determining Subjects for Credentialed Approaches 141
6.2.3 Strategy and Optimization of Credentialed Approaches 142
6.3 Noncredentialed Approaches 144
6.3.1 Definition of Noncredentialed Approaches 144
6.3.2 Methods for Noncredentialed Vulnerability Analysis 144
6.3.3 Testing by Exploit 144
6.3.4 Inference Methods 145
6.3.5 A Historical Note 145
6.3.6 Architecture of SATAN 147
6.3.7 Fail-Safe Features 149
6.3.8 Issues Associated with SATAN 149
6.4 Password-Cracking 150
6.4.1 Concepts of Operation 150
6.4.2 Password Crackers as Vulnerability Analysis Tools 151
6.5 Strengths and Weaknesses of Vulnerability Analysis 151
6.5.1 Strengths of Credentialed Analysis Techniques 151
6.5.2 Strengths of Noncredentialed Analysis Techniques 152
6.5.3 Disadvantages 152
6.6 Conclusion 153
Endnotes 153
7 Technical Issues 155
7.1 Scalability 155
7.1.1 Scaling over Time 155
7.1.2 Scaling over Space 156
7.1.3 Case Study-GrIDS 157
7.2 Management 157
7.2.1 Network Management 158
7.2.2 Sensor Control 159
7.2.3 Investigative Support 159
7.2.4 Performance Loads 160
7.3 Reliability 160
7.3.1 Reliability of Information Sources 161
7.3.2 Reliability of Analysis Engines 162
7.3.3 Reliability of Response Mechanisms 163
7.3.4 Reliability of Communications Links 164
7.4 Analysis Issues 165
7.4.1 Training Sets for AI-Based Detectors 165
7.4.2 False Positives/Negatives in Anomaly Detection 165
7.4.3 Trends Analysis 166
7.4.4 Composition of Policies 166
7.5 Interoperability 167
7.5.1 CIDF/CRISIS Effort 169
7.5.2 Audit Trail Standards 169
7.6 Integration 171
7.7 User Interfaces 171
7.8 Conclusion 172
Endnotes 172
8 Understanding the Real-World Challenge 173
8.1 The Roots of Security Problems 173
8.1.1 Problems in Design and Development 174
8.1.2 Problems in Management 178
8.1.3 Problems in Trust 181
8.2 Through a Hacker's Eyes 185
8.2.1 Identifying a Victim 185
8.2.2 Casing the Joint 186
8.2.3 Gaining Access 186
8.2.4 Executing the Attack 187
8.3 Security versus Traditional Engineering 191
8.3.1 Traditional Engineering 191
8.3.2 Security Engineering 191
8.3.3 Rules of Thumb 192
8.4 Rules for Intrusion Detection Systems 192
8.5 Conclusion 194
Endnotes 194
9 Legal Issues 195
9.1 Law for Geeks 196
9.1.1 Legal Systems 197
9.1.2 Legislation 198
9.1.3 Civil Litigation/Tort Law 199
9.1.4 Complications in Applying Law to Cyberspace 201
9.2 Rules of Evidence 203
9.2.1 Types of Evidence 203
9.2.2 Admissibility of Evidence 204
9.2.3 Restrictions and Exceptions 205
9.2.4 Provisions for Handling Evidence 205
9.2.5 Rules of Evidence as Applied to System Logs and Audit Trails 206
9.3 Laws Relating to Monitoring Activity 207
9.3.1 When a System Administrator Monitors a System 207
9.3.2 When Law Enforcement Agents Monitor a System 208
9.3.3 Notification of Monitoring 208
9.4 What Real Cases Have Taught Us 208
9.4.1 The Mitnick Case 209
9.4.2 The Rome Lab Case 212
9.4.3 Lessons Learned 214
9.5 Conclusion 215
Endnotes 216
10 For Users 217
10.1 Determining Your Requirements 217
10.1.1 Your System Environment 217
10.1.2 Goals and Objectives 218
10.1.3 Reviewing Your Policy 218
10.1.4 Requirements and Constraints 219
10.2 Making Sense of Products 220
10.2.1 Understanding the Problem Space 220
10.2.2 Is the Product Scalable? 221
10.2.3 How Did You Test This? 221
10.2.4 Is This Product a Tool or Is It an Application? 222
10.2.5 Buzzwords versus Wisdom 223
10.2.6 Anticipated Life of Product 224
10.2.7 Training Support 224
10.2.8 Prioritized Goals of Product 224
10.2.9 Product Differentiation 225
10.3 Mapping Policy to Configurations 225
10.3.1 Converting Policy to Rules 225
10.3.2 Subject-Objects to Real World 226
10.3.3 Monitoring Policy versus Security Policy 227
10.3.4 Testing Assertions 227
10.4 Show Time! Incident Handling and Investigation 227
10.4.1 Scout's Honor 228
10.4.2 Best Practices 228
10.4.3 When the Balloon Goes Up 229
10.4.4 Dealing with Law Enforcement 230
10.4.5 Expectations 231
10.4.6 Damage Control 231
10.4.7 Dealing with Witch Hunts 232
10.5 Conclusion 232
Endnotes 233
11 For Strategists 235
11.1 Building a Case for Security 235
11.1.1 Assembling Information 236
11.1.2 What Is the Organization Trying to Accomplish? 236
11.1.3 How Does Security Fit Into Overall Business Goals? 236
11.1.4 Where Does Information Security Fit Into the Corporate Risk-Management Program? 237
11.1.5 What Do We Need to Secure the System? 238
11.1.6 Finding Allies 239
11.1.7 Overcoming Management Resistance 241
11.2 Defining Requirements for IDS 242
11.2.1 Revisiting Goals and Objectives 242
11.2.2 What Are the Threats? 242
11.2.3 What Are Our Limitations? 243
11.2.4 Considerations in Adopting Intrusion Detection and System Monitoring 243
11.3 Marketing Hype versus Real Solutions 244
11.3.1 What Product Is Best Fitted to Us and Our Goals? 244
11.3.2 How Painful Is This Product to Install? 245
11.3.3 How Painful Is This Product to Run? 245
11.3.4 What Are the Expectations of the Personnel? 246
11.3.5 Who Was the Dream Customer for Whom This Product Was Designed? 246
11.4 Integrating Security Into a Legacy Environment 246
11.4.1 Assessing the Existing Systems 247
11.4.2 Leveraging Investments in Security 247
11.4.3 Dealing with "Wetware"-the Humans in the System 248
11.4.4 Handling Conflicts 249
11.5 Dealing with the Effects of Corporate Transitions 250
11.5.1 Mergers and Acquisitions 250
11.5.2 Strategic Partners 250
11.5.3 Globalization 251
11.5.4 Expansion and Contraction 251
11.5.5 Going from Private to Public 252
11.6 Conclusion 252
Endnotes 253
12 For Designers 255
12.1 Requirements 256
12.1.1 Good versus Great Intrusion Detection 256
12.1.2 Different Approaches to Security 258
12.1.3 Policies-One Size Does Not Fit All 260
12.2 Security Design Principles 262
12.2.1 Economy of Mechanism 262
12.2.2 Fail-Safe Defaults 263
12.2.3 Complete Mediation 263
12.2.4 Open Design 263
12.2.5 Separation of Privilege 264
12.2.6 Least Privilege 264
12.2.7 Least Common Mechanism 265
12.2.8 Psychological Acceptability 265
12.3 Surviving the Design Process 265
12.3.1 Establishing Priorities 265
12.3.2 On Threat Curmudgeons 266
12.3.3 Striking and Maintaining Balance 267
12.4 Painting the Bull's Eye 268
12.4.1 Gauging Success 268
12.4.2 False Starts 269
12.4.3 Testing Approaches 269
12.4.4 Measuring Network-Based Performance 270
12.5 Advice from the Trenches 271
12.5.1 Use Good Engineering Practices 271
12.5.2 Secure Sensors 272
12.5.3 Pay Attention to Correct Reassembly 272
12.5.4 Don't Underestimate Hardware Needs 272
12.5.5 Don't Expect Trusted Sources of Attack Data 272
12.5.6 Think Through Countermeasures 273
12.5.7 No Support for Forensics 273
12.5.8 Support Modern Security Features 273
12.6 Conclusion 273
Endnotes 274
13 Future Needs 275
13.1 Future Trends in Society 276
13.1.1 Global Villages and Marketplaces 276
13.1.2 Privacy as an Economic Driver 276
13.1.3 A Different Kind of War 277
13.1.4 Sovereignty 277
13.2 Future Trends in Technology 277
13.2.1 Changes in the Network Fabric 277
13.2.2 Open Source Software 278
13.2.3 Advances in Wireless Networking 278
13.2.4 Ubiquitous Computing 279
13.3 Future Trends in Security 279
13.3.1 Management 279
13.3.2 Privacy-Sparing Security 281
13.3.3 Information Quality versus Access Control 282
13.3.4 Crypto, Crypto Everywhere ... 282
13.3.5 The Erosion of Perimeters 282
13.3.6 Liability Transfer versus Trust Management 283
13.4 A Vision for Intrusion Detection 283
13.4.1 Capabilities 283
13.4.2 Highly Distributed Architectures 284
13.4.3 911 for Security Management 285
13.4.4 Ubiquitous Information Sources 285
13.4.5 Silicon Guards 285
13.4.6 Emphasis on Service, Not Product 286
13.5 Conclusion 286
Endnotes 287
Appendix A Glossary 289
Appendix B Bibliography 297
Appendix C Resources 315
Books 315
Intrusion Detection and Associated Technologies 315
Security References and Textbooks 315
Information Warfare, Critical Systems, and National Policy 316
Introduction to Computer and Network Security 316
Cryptography 316
Firewalls 316
War Stories 317
Specific Application Venues 317
Cybercrime and Law Enforcement 317
For Fun 317
WWW Resources
Security Portals
Vulnerability Information Sources
Organizations
Government Sites
Academic Sites
Commercial Products, Services, and Research
Miscellaneous Intrusion Detection References
Appendix D Checklist
In
