Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


New Way to Nab Hackers



 By: Dennis Fisher
2002-05-06
Article Rating:starstarstarstarstar / 1


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Two security vendors will announce intrusion detection system products that eschew the traditional signature-based approach to intrusion detection in favor of behavior monitoring and anomaly detection.

As the threats to corporate networks continue to mount and attackers methods evolve, security vendors are turning to technologies that detect not just what attackers are doing but how theyre doing it.

Okena Inc. and IntruVert Networks Inc. this week will announce IDS (intrusion detection system) products that eschew the traditional signature-based approach to intrusion detection in favor of behavior monitoring and anomaly detection.

Okenas StormWatch 3.0 focuses on the behavior of applications and systems instead of relying on signatures from a database that needs constant updates. StormWatch intercepts function calls at the operating system level and is able to make real-time decisions about whether to allow or reject the applications behavior.

Each application is assigned to a specific class based on how it behaves, and systems administrators can apply policies to each class.

If an application attempts to perform a function that is out of line with its normal behavior, StormWatch stops the action and generates an alert. It can also prevent so-called untrusted applications from starting and using "trusted" applications, a common attack method.

The updated version of StormWatch, available now, includes protection for Windows and Solaris systems against heap buffer overflows, which are among the most common and easily exploitable vulnerabilities in software. Last years Code Red and Nimda worms, for example, both exploited buffer overruns in Microsoft Corp.s Internet Information Services Web server.

However, while many experts and vendors are touting such systems as the future of network security, others say there will always be a place for traditional IDSes.

"Theres always going to be signature-based technology because its valuable when theres a prescribed model on how things are supposed to go," said Becky Bace, a technologist at Trident Capital Inc., in Palo Alto, Calif., and an IDS expert, formerly with the National Security Agency.

"The key is, the faster you can converge on whats happening, the faster you can resolve it. IDS is like pharmaceuticals: There are some that go after very specific causes and others that have a broad sweep," Bace said.

Okena, in Waltham, Mass., is not the first vendor to take this approach. Companies such as Harris Corp. and Lancope Inc. also rely on a behavior-based approach. However, some IDS experts say anomaly detection alone is no better than using only signatures.

"The thing to realize about anomaly detection is that it assumes anything unusual is wrong. So that means that the majority of behavior must be usual and predictable," said Gene Spafford, a professor of computer science at Purdue University, in West Lafayette, Ind., and the designer of Tripwire, the first free IDS and one of the most widely deployed systems on the Internet.

"Anomaly systems tend to generate more false alarms in general," Spafford said. "Signatures alone work only on things that the signatures match. New attacks or variations on attacks cant be found. Adding signatures to anomaly systems helps cut down on the processing overhead for known attacks."

To that end, IntruVerts new appliances combine the signature-based approach of traditional IDSes with anomaly detection and the ability to detect and choke off denial-of-service attacks. The new I-4000 and I-2600 boxes can monitor how hosts interact with other hosts on the protected network and can identify illegitimate behavior.

The appliances, which are due this summer, also have a "micro-tuning" feature that enables administrators to set multiple policies on a single sensor and apply them to individual applications if they so choose.

"What were trying to do is integrate the entire spectrum of detection technologies," said Ramesh Gupta, vice president of engineering at IntruVert, in San Jose, Calif.

The advantage of the systems that combine signatures and anomaly detection lies in their broader and deeper view of network activity, Trident Capitals Bace said.

"If youre in a position to pull cues from a greater portion of the environment, its easier to find and fix any problems that might come up," she said. "The preponderance of signatures are simplistic, and the best theyre able to do is raise a flag."

Related stories

  • Special Report: Ignorance: The Hackers Best Friend
  • Computer Crime Takes Heavy Toll on Companies
  • Network Defenses Cant Foil Viruses
  • Anti-virus Makers Pushing Automation
  • Living with Worms, Viruses and Daily Security
  • New Security Strategy: Preventive Medicine
  • Cyber-security Czar Gives IT a Wake-Up Call
  • Viruses to Continue Their Assault on Net



      Reader Comments: New Way to Nab Hackers
    >>> Be the FIRST to comment on this article!
     

     
     
    >>> More Network Security & Hardware Articles          >>> More By Dennis Fisher
     


    • x}r㶲s\@♵M=RJؖgRJEĘ"Hʗ䬟/Oo<xӅ|L'cK@7Fw?H9wur56%SE}"I{C(`RϩIzNڶ? }~mksu;{#|6%߽w *s=NN5K&OxgMlM1eck`p,FcwM5d{=B ~5;6(CJep$ZwvH~Th⻶eMGaoN w*Nuol9 Q!)*X^P~FD;ǎ5~r 5{a_;U'i3[<$C5nCUVekV6^;s9ȹ׳z$nRvn8Gd`jI:@*"4C6S!p55\`p)jHZ6tG,> H>P7sIzV@daS/*! lpa+j)y'C<ΠE[Uֶg5]q;ܹcglZENX*o~cn!LjXE&sؗCYͼaF3l˸;4 HSKVUBX)ڑx>o9{ۖ3p*sgyÝ|k7~+eUvѻ]HQPw;@ږVj0n{'Owq@α{A~$Vj}& D%\.I&0h5&tt:~Xs|\㍒~7nJV4E; KHr gSd!XI#/YTU!wlni_Wם^'gם)7fٚY jiedX]1,Uisiڟ:'gw:Rڟ+H/k*}k!-z??LmrG=.iTjVM&usBr,Ndo_;Be}#7ReQ o̱n>@|ˤd6M2Tc]Nj__ѬZxka 4+@_x0ND5fMs,eg{0AM)61tGv!fByM)oz@@ZR~nV(U7$ٛ"G;ž_"ʥcp1S{.ӰuirqZoV͉*]XYujZlE?´;\g8m7-һ^5߷aUb}PhvZM]qsuTSt*Zl:?o|5գ"T G'&-d`q86ayƔIG?{yL>NR'}:;SjZi};Ni(|I}Ѧޣ8ݘXI70i|V8; uCuӹga {>0kJY=D57 l"&q}s)к`yna2C?FlEnP>X^0 jp3*~s=w= } wAk 6G~[>l0s0N\IQo -2(%E2G 4.gP)AH =k \99~ ޑvZ*&RP*m=!ԑt݁Z*=h3aGe-n^ $ d6g2+IMiG0V-&D7r"e.G 7Kᙖ6ZlkVe y=0ГޙJ7n2gNP/h|WY 3EDVhdF!! = \PȭT)w^IY䞅T_9YX X`~w ,Rd0q6I SXh8G/C4jM;24$֒f{ց$l JҰ.Z*![r5}a׼6F]RZRKHDlPc/X +ezd(e6LF%jIo2@n=ȢmD jrA7 )Kۊ7q~4EiZ\-}sf8, J; H璉IJ*6*SXSĝyд\"қy}@n&zW@>8`3ǟGRlC2DhQ+}ne@ͤԪ)X[3T2.Q\&V,'`#z3F K~,Y\Xϗ+]65e&@0oʵLuzh< VȲO[:¿٤ RTw֐~3KJAUc?&i?怚H|A2exL,`_#׶lʠ::7IҜ!ȅ@:*ZCç c"Dk_(+ `kAOYϩDkJc\Cњy]֩;lRzzwݱM% Wl RN0})Xk±&>,<<+ځi0A  ~HLb4>\Pbr>+ eT)5*IMym"P/?ˇ%Ŵ谢zԘ{}Qː 0gted-흧 IR-frheU-UjR9_V2:EƟQpV6ʼnG =q?@*:2 XZ 0(E{0 qDLҀJ 5^ƙl)baJ)?oZyඨ,3YZD]bRYEGʚQzCgé#fuMaFžJV-="9KAG^320"C;wF\!bVS_C܏3ܷ V}uP@&e'ß~VfoQ*\ ,УǸ'~Uc2~z:i0-aZ`O- v uhՂrO'(3߅rf>k5VΚ>:lv''< hrõm7>Dv? sc{~O n:R.R r=ct3e}tV?nHCos_ 车2Q&OB8Jh-[r_A~V0u^A##ȫͦ'0k(j'gcO7)~ }$DC9km{~RTP]\HMP*jIIz, :*h6Y+(#t+^ǽa m.E<9[ 1ķʨTIV+Gs;"ʊg b|r{q>'F{lj>cWՄθ4;fGXd;ɲ6ڤiD@kXJ7eVV5XI0iUI+T Z} 2aU}/*\&IvSf﩮 Ϛ8`rOn{W90J$7rQӊ5JR}'0Lp ( rA-ã,z(d2rYjdP\؈'߾b[D ‚'T'.n\'Wƒ"'!Z+53,qvë eVqm^?3Z cS7WZU{"}QL ޟpف#{?J䏽n:!)hl{ٗNχxDŽu_u{~{yHDyYD߫޿ LЇ_e!)X|xxْ:m~l1z˾WM$(Xq4q!'^Y{{l:k6|v>724H"rE}R|I{޽y-%{w;jd, YE# B򜜷ǧ5Bk;d4)(3z0fK#fWDH[h!u}͙cª9kI.Dz=d_5g0 h- ېco#s~uYLPH2'_aHHR ~tDӻ:o~Nkun/ m D78C*QW"REh%IA%'&g <@&9FhDu~mlEb}Ceax!wl0q%՝b"f0BٺCO,,mSsS)y# m$jRSfj# $_2 I,v+htlAzW jÚ]e /.\߹m|d`=`l)Za"|)Nr 9i`e>%;yRb QגZ4ҫoeW!9 |Ds`*=SL aʕCrWkb~]4ZU$=ݝ:F`cɅ``/#9ʼS3aZ GW ./vgNȣ&k{?wynLxqf='Fs)o.(cǩm:{@D'eNx>HАYc=p>}⌜00;z6bO0>oV8i?{޽s¾"CWq :+`*9$XhHn e_"2NIJn/:}L9zdM#}ݾJfz7ki^x̠t4w {{!.u0/y 㛟tϯ3i8%~WJ]i}D)]K5"vًKqyeQjȓGDK`#i>R{+!bi4V;Tf{s̷kD:>dO#@/mvc鼳2O> AYC؞qbLp#Pfp~n ֔I i#ĠHYsMs _5DN XW+Oiƿ_BWc+YT>9bs量Bl-d5mhS2Pq <9f ) \;M]1o(ż~oG!V{ζOY~lOӊW,[3L2W!Tjb߱X7$%4 )Yz%.<K9xqY{?Ar :(q3mNT-8E2+ɦƈܐՄ]:$Kɗ19yT F#'vyׇQԗuz&Ϝq۰PZpa(VhRbpb/?/:\gGh&Û9@Yfd)'PBbQ'PA<ݩWUTKn$viR@R|V#TTLk.U S!ͩx4eG\SKzRN]<0E^\4a6aB&ZSS18%I A|c}ewNR2#8iJ8D ; ;|8IIU%6y.״ ""oȗ͎tL_:+:K!t!1$Z w@pt0V$o''toRA+˥ $@%0D@ }"$ 36nfb ˜{6K~{&NϗDX\O]OPĝF*5\+gO"$O 2=4_X!IMtFEo-ˆG#p广Q -\zh:1J:S .L?'LcmlD љ"^p<'߾>B=f!^ǷD ~p$nF{'CwC-Y,p4GM#>P:1m lq?X3{Gk-֊qkl倾ӗ!:;{dg'dשxcp4 ɰ3]ӼS}Hx5:hx5zTQIկ6"F|iz-}_5RՌ莨Xf(|}ǒa_ DKW;`%<4(2e3| ƺ/< :}4 tJudQyBцZ?nlÂKػ$|8ݯOnn:Yo O2>` fXU|~#"\.}%a%-+'3Rbn+?w}tg;2(Pv>k~~i//m~a13+ɗy0X '6ӈath-{8R[xz1LBB1;1Z|@ aL槺l뎻CѸl`tq"o(kʁV=P,@Y+ Z l?QX2z% Zk^YR+Ȉz~btτƌשFSj9椷 GgTGȭZ"RM`obTy \ >)fFllz^C `5vX5ĮLVڹ𖧴q yK-y-J4s547ںsj[.Ԙ =-* ;,cKיm6ڴ#l#A;Э%-,b'c0/Ƙ;0/bZNa=4MwTXC,50Y>GN$(b ~-=-9 G0cˡWqb\ojWoQveMl3>AŨp?{wi/1~J+kC(s'J} _aci7t]ktKs>н3B;s^?bu{ι\`{AN-Yqc[RJBYIc0 "̲(q_M`Lwtc2LO@$5,?_J }+Q^_fZx+nO5,M!,?t1ц]3#ZNHh5J;Y]|_!&.) Cc |)W'nYVmIr .kh>a{R(?hUeQb+Y75 /U@D8AnKxnS@c:&~ )zS?!嘭#!+^bΑ,T֨o>\_R0F$u2C:΁ Z]h{IED#ThbGB#&^I79m[ 45aBx$ld Dps= m]H 1шby 19lP+KDȧn犉1J \-B@e=Dqyy䜅|~ IFK1tQ:..( oIYP,(ϏB5DSJTmn$|s 0;rdJ ŌF:Lma`t.t?OgGA~2?t:&ZI5KޝQ>ɖàzEQp#ߛSg0Y"*[7ΥiTEZ<& .ycI 8^yN4X+87,X2| =<RXX_1[> MꪂOJBveX &zĩxKwy |fY3{8~[BOz%ruW0`A='i92bg4t\KKISk;G̷м:LNפINmx;\;Kr>*lkE/WQwq{sپ\sS˃Sf&R<ejE)sC9lꌹ6W#\grxixɎ(ah,.6W(7PJTَ/!jbTթ4MW?f\z uӲr:j:ٙ%֌fySM/G}*4=V0.8SD^}'vn<(('ML7QޅnF9rz}y hjg@Si}CgG(ku֗wZFQd3ˌr'zƇ^Fg(gٮq1>E" >"@ \_^dE^f ?eAYF?P~Q{1 ?s w1~]7]? /WWq_e s?=eg_(e}G௏ ?e~2A(*h&࿛ Ku1Ay3CΚWpz~;"9(/R*zUKӌg賲+F7_˰ʠsk32Я!ednleڹ:鶒 aqʍz^S_xڞꖽpۭ]hq_l %^a/ ^敽I%<$xEGW4<< X1rnm٘=QǒGЬ]#=D(sҗe&os?`jGـ@' @9ξr m>v#y \^/ydֺWWVF+p'k͠~%k"N^d6yx߇ ߊD,#z e%Hi0\==r|F?f>xfOvHy>jo|Z/OUq4 5%pN!3J81|fZ gaFq`F]S[t=ӯ.1"ޘ?́a[@R'|(VT+[-WJr= fDD́P*R%}e`R++PPफ़h[iRo視 yVi8an%[C#Dk(x[xcEy_,mBfp0l{|y ގe@7 J,5{SŨЫD@3ĝKh* 6%dή1vu¿.lpН=u ? 3ΕDyiL[h xQ ~O>N[3AսgB΄[4пCs%(u5W5 5t0=_2nu–'*F'B;NkUErly0g lg-X5RG NDxaw./ ]C_NDЉ Ɓx6,0'._|0˩`wūGqexL´kD]Zm&Ĵ`Տs5㣭A{=0&FӴFo"9݌ţ*aRՍP^ݞjD89p=y x_ ˝+f {P3xX8 7tgG=םPĚwh/O^!ME:%](-70ƚ  oÓx5 d⟐|e'0O2#0' MĮ+fAj|n9IwL;yC͞a"q0q?K+_yl x$Qgj.ZԿsg-C{)B9 H|\k,##1苌Y MЦ = B8̈́pwPF 38 "s k!v+2}ju"vHϵ=8X0Dc&«U/=ׇ"2cX =O^/u.OkdY9Hr&zU h$.7=j"6: gK“J'Ңwvgcw[/AI)H[aʹD.v kL3SY,> N_dvO~%B+π %l#Yұ ߞR TDO"Ntx9m$KY[zQڗE@1agG;f*iů Kw? oX)un'|oW|B,[kl`NB`tmC>XZc.,s(ŬBSd=)O?5'[nI 5E`0v4aeh <ձ]w O`7@#>Ƌ/ћ!]J;=_v{[>/'R`*Ѝ5O|3'5ȱ ya1 g{y6W=?5zlvf~wx:YʐLW\DI qk.-ua4,Lb9"[^QI(`vX3|"@a)5|dn~ӧf<˜4W6QĶqytʵ-ˉ;{dyO|Y;D,5R7tP9͓z0 s͹!׆! a+cPOYjcL1GfY{L 52lt* X>!ˣŬ"D0Ȯ'%p''60MÄrM"5roq=yeיJpKg8 g!0X^Zɩȩ(v}_|JѬd;j +sGOg |>":xqeaVt*NzV?Pv/isTO3uG??; o:ˌhT*.㉋oڝg'u nɇݏ-)h,=R$Du $RzWVs>Y/7 ~c Whc<y&F2V*wN㛼VtƦI:1qzRSVs0v&b(1lS24K_hj*JlxTʉY+z[q;f†[hh /b;f1Բ7'