[316] in Intrusion Detection Systems


Intrusion detection, Tripwire, etc

daemon@ATHENA.MIT.EDU (Gene Spafford)
Tue Aug 22 20:55:50 1995

To: ids@uow.edu.au
Date: Mon, 21 Aug 1995 22:04:05 -0500
From: spaf@cs.purdue.edu (Gene Spafford)
Reply-To: ids@uow.edu.au

Dr. Fred Cohen observed:
> 	I guess it figures that the three responses I got via Email were
> all about tripwire.  Perhaps I wasn't clear enough.  I wasn't looking
> for an integrity checker to detect changed files on my server.  If I
> were, I would use Integrity Toolkit (before tripwire, there was IT!, and
> IT is better). 

1st comment: "better" is relative to some metrics.  If the metrics
include low cost, availability of source code, portability to lots of
different versions of Unix, or configurability, then Tripwire is
probably better.  However, it really depends on what you want.  As I
gather you had something to do with IT, I can understand why you might
believe it better. :-)

2nd comment: Tripwire is more than an integrity checker that notes
changed files on a server, if you so configure it.

3rd comment: Systems that snapshot certain file system
characteristics, especially "honey pot" entities, can be used as a
form of cheap intrusion detection.  Most system crackers will either
install backdoors for re-entry, or unwittingly alter file system and
directory characteristics if they are snooping about.   A detector
monitoring for such change will provide a warning even if nothing else
does.  We've had scores of such reports from Tripwire users.  That may
explain why you got such a response to your query.

> 	I am looking for a real-time intrusion detection system that can
> take information provided by syslogs and other similar sources coming
> from a distributed network of computers, fuse the incoming information,
> and detect both patterns that are dissimilar to normal usage patterns
> and patterns that are indicative of known attack profiles.
> 
> 	I am interested in a package that operates on information from
> different sources, including but not limited to Unix varieties and
> output from routers.  It would be best if it ran on trusted computing
> bases, it would be nice if it was programmable to allow us to customize it
> to meet the client's ever-changing needs, and it would be even better if
> it were supported by a substantial commercial organization with a
> long-term commitment to its ongoing availability and enhancement. 
> Finally, it would be nice if the cost were relatively modest for the
> value given, taking into account support, customization, etc.

4th comment:  You are basically looking for the "Holy Grail" of IDS.
You want it to do everything, on every machine, and be available for
low cost.  Good goals. However, you need to specify what you are
willing to sacrifice to achieve them.  Dynamism?  Efficiency?
Rejection of false alarms?  Coverage?  

5th comment: Anomaly-based detectors (what you are requesting first)
tend to be very large and/or slow, and tend to suffer significant
false-alarm rates.  This is the nature of the beast, whether
rule-based or statistical in nature.  Misuse detectors (the other
approach, "known attack profiles") will not work against new and
unknown attacks.  As time goes on, I am more convinced that the best
systems are those that monitor effects and goals rather than activity
and user behavior.

If I get several requests, I'll be happy to expand on this whole
thread.  If you haven't read the related-work chapter in Kumar's
dissertation, you might want to -- it explains some of this, too:
   http://www.cs.purdue.edu/coast/coast-library.html

Cheers,
--spaf
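The snapshot-and-compare check that the 3rd comment describes (record file system characteristics, re-scan later, and treat additions, removals and alterations as a warning) as an added example; this is not code from the original message, from Tripwire or from Integrity Toolkit. The recorded attributes (permission bits, size, SHA-256 of contents), the file names and the contents of the sample tree are constructed for the demo.

```python
"""Minimal Tripwire-style baseline/compare check.  Added example, not
Tripwire or IT code; the record format and sample tree are assumptions."""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# One record per regular file: (permission bits, size in bytes, sha256 hex).
# mtime and inode are left out so the demo is deterministic; a real checker
# records them as well.
Record = Tuple[int, int, str]


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, Record]:
    """Walk root and record mode, size and content hash for every regular
    file, keyed by its path relative to root (always with '/' separators)."""
    db: Dict[str, Record] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices, sockets are not hashed here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            db[rel] = (stat.S_IMODE(st.st_mode), st.st_size, _sha256(full))
    return db


def compare(baseline: Dict[str, Record],
            current: Dict[str, Record]) -> Tuple[List[str], List[str], List[str]]:
    """Return (added, removed, changed) relative paths between two snapshots.
    Any difference in mode, size or hash counts as a change."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p] != current[p])
    return added, removed, changed


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Constructed scenario: baseline a small tree, then make the kinds of
    change the message mentions (a file altered, a new file appearing, a
    file gone) and report what the second scan notices."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")  # constructed content
        with open(os.path.join(etc, "motd"), "w") as f:
            f.write("welcome\n")
        baseline = snapshot(root)

        # Changes made after the baseline was taken.
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("guest:x:1001:1001::/home/guest:/bin/sh\n")
        with open(os.path.join(etc, "rc.local"), "w") as f:
            f.write("#!/bin/sh\n")
        os.remove(os.path.join(etc, "motd"))

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    added, removed, changed = demo()
    print("added:  ", added)
    print("removed:", removed)
    print("changed:", changed)
```

The value of such a check depends entirely on the baseline being taken from a known-good state and stored where the monitored host cannot quietly rewrite it (read-only media or a separate machine); a comparison against a baseline the intruder could edit proves nothing.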
