On any given day, the network to which you connect your computer is probably under assault. The degree of the problem varies from site to site, but network administrators of organizations both small and large are reporting that hostile traffic is increasing dramatically. Defensive measures such as scanning tools and firewalls commonly provide security perimeter protection. However, these measures are not foolproof and the systems and firewalls can be improperly configured (and managed), allowing attackers to bypass these defenses. When that happens, system administrators and law enforcement officials face a mystery with many questions. What systems were the attackers targeting? How many attacks were there? Were the attacks successful? What was the damage? Answers to questions like these come from the related disciplines of intrusion detection and forensics.
Intrusion Detection Systems (IDS) are analogous to burglar alarms. One monitors cyberspace, while the other monitors physical space; both issue alerts when unexpected activity occurs. However, in the cyberworld unauthorized activity is much more difficult to detect than in the physical world, because computer systems often offer around-the-clock service. An unauthorized building entry at 2 a.m. would set off alarms, but computer network activity at the same hour may be innocuous. Separating the innocuous from the anomalous is the job of the IDS operator.

Sometimes attackers bypass defenses, elude the IDS, and penetrate a system. Like most burglaries, the crime is eventually discovered and investigated, and once it is confirmed that a compromise has occurred, computer forensic analysts come into play to provide a much deeper analysis of the security breach. In ways much like their traditional counterparts, computer forensic analysts sift through large amounts of data from the victimized system, the IDS, and other logs, looking for evidence of the crime. Unfortunately, skilled attackers have many ways of removing or hiding this evidence, and can even modify the computer operating system itself, which makes detection very difficult. Attackers are never perfect, however, so the forensic analyst's task is to find the evidence the intruder failed to destroy, using a vast array of tools from many different sources, including MITRE-developed tools.

What is available today?

Current automated IDS and forensic procedures function primarily by a process known as "signature matching": searching through the available data for known attack patterns and tools. When the data matches one of the search signatures, the process generally raises an alarm for human review.
Typically, a forensics analyst pursues a structured analysis process that begins with the automatically generated alarms and then expands to include other, less refined data sources such as logs and detailed system information. To identify evidence of an attack, the analyst must combine a detailed knowledge of the system in question, knowledge of attack techniques, the output of any diagnostic tools, and the raw system information. This manual analysis is a labor-intensive process requiring highly skilled individuals. Needed skills include detailed expertise in hardware systems (particularly disk technology), operating system internals, and network protocols.

The effectiveness of automatic signature matching, and of the technology behind these tools, varies widely. The signatures themselves are one reason for this variation: some correctly identify a specific attack, while others are quite general and generate many false alarms. For example, a signature for the known vulnerability in the common gateway interface program "phf" identifies one specific attack, whereas a port-scan signature describes a broad class of activity rather than a single attack, so it fires far more often. Another factor influencing effectiveness is the profile of the attack, which can range from blatant use of publicly available scripts to very stealthy custom attacks developed by skilled individuals. Finally, signature systems fail completely on new attacks that have not yet been analyzed and for which no signatures exist. Like virus scanners, IDS and forensic tools depend heavily on updates, and a signature is not available until some time after the attack it describes has already been unleashed.

MITRE teams, working internally and with various sponsors within the Department of Defense and the Intelligence Community, are developing tools and techniques to improve and automate intrusion detection and forensics. The initial result of these efforts is an ad hoc collection of commercial and specialized tools.
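To make the signature trade-off concrete, the following is an added example (not MITRE's code, and not a tool described in this article). It runs a specific signature (the phf CGI hole, CVE-1999-0067, exploited by injecting a shell command after an encoded newline, %0a), a general signature (a source touching many ports in a short window), and a simple "known-URI" anomaly baseline of the kind the data-mining work below aims at, all over constructed log lines. The log lines, hosts, the script name newscript.cgi and the thresholds are assumptions made up for the example.

```python
"""Signature matching versus a simple anomaly baseline, run over constructed logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed web-server access log lines in Common Log Format (not real traffic).
# "Known good" period used to build the anomaly baseline; note that /cgi-bin/phf
# itself is a legitimate phone-book script and appears in normal use.
BASELINE_LOG = [
    '10.0.0.5 - - [11/Mar/2000:14:03:11 -0500] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.7 - - [11/Mar/2000:14:05:42 -0500] "GET /cgi-bin/phf?Qname=smith HTTP/1.0" 200 620',
    '10.0.0.5 - - [11/Mar/2000:14:06:01 -0500] "GET /about.html HTTP/1.0" 200 512',
]

# Period under investigation (constructed): a normal hit, the classic phf exploit
# (shell command injected after an encoded newline, %0a), a new but harmless page,
# and a hypothetical attack on a script for which no signature exists.
NEW_LOG = [
    '10.0.0.5 - - [12/Mar/2000:02:03:11 -0500] "GET /index.html HTTP/1.0" 200 1043',
    '192.168.7.20 - - [12/Mar/2000:02:05:42 -0500] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 2210',
    '10.0.0.9 - - [12/Mar/2000:02:06:30 -0500] "GET /news.html HTTP/1.0" 200 800',
    '192.168.7.20 - - [12/Mar/2000:02:07:15 -0500] "GET /cgi-bin/newscript.cgi?f=..%2F..%2Fetc%2Fpasswd HTTP/1.0" 404 310',
]

# Constructed connection records: (timestamp, source, destination, destination port).
# 192.168.7.20 sweeps six ports in four seconds; 10.0.0.2 is a monitor polling two
# services; 172.16.0.3 probes one port every 30 seconds to stay under the window.
CONN_LOG = [
    ("2000-03-12 02:10:00", "192.168.7.20", "10.0.0.1", 21),
    ("2000-03-12 02:10:01", "192.168.7.20", "10.0.0.1", 22),
    ("2000-03-12 02:10:01", "192.168.7.20", "10.0.0.1", 23),
    ("2000-03-12 02:10:02", "192.168.7.20", "10.0.0.1", 25),
    ("2000-03-12 02:10:03", "192.168.7.20", "10.0.0.1", 80),
    ("2000-03-12 02:10:04", "192.168.7.20", "10.0.0.1", 110),
    ("2000-03-12 02:10:00", "10.0.0.2", "10.0.0.1", 80),
    ("2000-03-12 02:10:05", "10.0.0.2", "10.0.0.1", 443),
    ("2000-03-12 02:11:00", "172.16.0.3", "10.0.0.1", 21),
    ("2000-03-12 02:11:30", "172.16.0.3", "10.0.0.1", 22),
    ("2000-03-12 02:12:00", "172.16.0.3", "10.0.0.1", 23),
    ("2000-03-12 02:12:30", "172.16.0.3", "10.0.0.1", 25),
    ("2000-03-12 02:13:00", "172.16.0.3", "10.0.0.1", 80),
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_web_log(lines):
    """Parse Common Log Format lines into dicts; silently skip lines that do not parse."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def path_of(uri):
    """Strip the query string so /cgi-bin/phf?x and /cgi-bin/phf?y compare equal."""
    return uri.split("?", 1)[0]


# Specific signature: phf request carrying an encoded newline, the injection primitive
# of the phf exploit. Narrow, so it rarely misfires, but it knows only this one attack.
PHF_SIG = re.compile(r"/cgi-bin/phf\?.*%0[aA]")


def match_phf(entries):
    return [e for e in entries if PHF_SIG.search(e["uri"])]


# General signature: one source reaching >= threshold distinct ports within the window.
# Broad, so it also trips on legitimate scanners and monitors, and a slow scan evades it.
def detect_port_scans(conns, threshold=5, window_seconds=10):
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src, _dst, dport in conns:
        by_src[src].append((datetime.fromisoformat(ts), dport))
    alerts = []
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= threshold:
                alerts.append(src)
                break
    return alerts


# Anomaly baseline: record the URIs seen in a known-good period and flag anything else.
# Catches the novel attack no signature knows, but also flags the harmless new page,
# and misses the phf exploit because that path is part of normal traffic.
def build_baseline(entries):
    return {path_of(e["uri"]) for e in entries}


def anomalies(entries, baseline):
    return [e for e in entries if path_of(e["uri"]) not in baseline]


def run_demo():
    """Run all three detectors over the constructed data and return their findings."""
    new_entries = parse_web_log(NEW_LOG)
    baseline = build_baseline(parse_web_log(BASELINE_LOG))
    return {
        "phf_signature": [e["src"] for e in match_phf(new_entries)],
        "port_scan": detect_port_scans(CONN_LOG),
        "anomalies": [path_of(e["uri"]) for e in anomalies(new_entries, baseline)],
    }


if __name__ == "__main__":
    for name, hits in run_demo().items():
        print(f"{name}: {hits}")
```

Run as a script, it reports the phf signature and the port-scan heuristic each naming 192.168.7.20, and the baseline flagging both /news.html (a false alarm) and /cgi-bin/newscript.cgi (the unknown attack). The slow prober 172.16.0.3 is missed by the default window; lowering the threshold or widening the window catches it but also sweeps in the monitoring host, which is the specificity versus false-alarm tension the text describes.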
Effective use of these tools requires highly skilled analysts to review large amounts of data, a labor-intensive and error-prone process. Solving this problem using data reduction and presentation techniques is an important part of the research that MITRE is currently performing.

Operational Prototype and Ongoing Research Efforts

Because there are no "silver bullet" methods for intrusion detection or forensics, combining tools and techniques is a necessity for a highly effective solution. Several MITRE projects are working on the problem of combining what were stand-alone technologies into an integrated system. MITRE's corporate intrusion detection team has an operational prototype IDS back end that uses multiple sensor types, a common data store, and an abstract analytical process. With this prototype, MITRE has demonstrated the usefulness of this kind of integration by providing a single point of view for all of MITRE's security engineers. In other research, the Lighthouse Project, an Air Force-managed information assurance research program, has expanded this model into an enterprise data-collection and analysis architecture that includes client-server based probing, modular analytical engines, and the incorporation of additional security technologies such as vulnerability scanning, modeling and simulation, and network policy enforcement. The Common Vulnerabilities and Exposures (cve.mitre.org) project is developing a comprehensive dictionary of agreed-upon names for vulnerabilities and other information security exposures. (See "CVE Continues to Grow".) CVE has already become a critical component of tool integration efforts at MITRE and elsewhere. The MITRE research project Data Fusion for Intrusion Detection is developing open protocols and technologies to allow heterogeneous sensors and managers to communicate seamlessly. With uniform standards, customers can construct architectures that do not depend on specific sensors and analytic engines.
MITRE research teams have been tasked with moving beyond signature detection with the Data Mining to Improve Intrusion Detection project. Early results indicate that existing data mining algorithms can be used to detect network anomalies and to identify complex patterns of both normal and intrusive behavior. This can lead to an improved analytical process that reduces the number of false alarms and aids in the detection of previously unknown attacks.

Other research and development efforts that concentrate on the harder problems in forensic analysis have also begun looking at interesting new areas. Projects just getting underway involve deep recovery mechanisms for long-term storage media, the construction of a "virtual laboratory" that attempts to push the capabilities of the laboratory out to the field, and the development of algorithms that attempt to automate pieces of the analysis process. The objective of this work is to more confidently identify and prosecute intruders who prey on our sponsors' information systems by providing the ability to perform more effective damage assessment.

The MITRE teams are working hard to close the gap between technologies in order to detect and analyze intrusions for many sponsors and for ourselves. By exploiting available industry and academic research, our researchers are overcoming obstacles in both intrusion detection and forensic analysis. This work, coupled with integration in the field, is helping our sponsors further protect themselves from electronic attacks by providing analysts with a layered architecture (see illustration above) that helps them discover malicious activity. Our researchers employ the latest technologies to create the building blocks for the assurance of information that flows through our national infrastructure and beyond. More information on intrusion detection and forensics can be found at:
For more information, please contact Todd O'Boyle using the employee directory.