New Way to Nab Hackers

Two security vendors will announce intrusion detection system products that eschew the traditional signature-based approach to intrusion detection in favor of behavior monitoring and anomaly detection.

As the threats to corporate networks continue to mount and attackers methods evolve, security vendors are turning to technologies that detect not just what attackers are doing but how theyre doing it.

Okena Inc. and IntruVert Networks Inc. this week will announce IDS (intrusion detection system) products that eschew the traditional signature-based approach to intrusion detection in favor of behavior monitoring and anomaly detection.

Okenas StormWatch 3.0 focuses on the behavior of applications and systems instead of relying on signatures from a database that needs constant updates. StormWatch intercepts function calls at the operating system level and is able to make real-time decisions about whether to allow or reject the applications behavior.

Each application is assigned to a specific class based on how it behaves, and systems administrators can apply policies to each class.

If an application attempts to perform a function that is out of line with its normal behavior, StormWatch stops the action and generates an alert. It can also prevent so-called untrusted applications from starting and using "trusted" applications, a common attack method.

The updated version of StormWatch, available now, includes protection for Windows and Solaris systems against heap buffer overflows, which are among the most common and easily exploitable vulnerabilities in software. Last years Code Red and Nimda worms, for example, both exploited buffer overruns in Microsoft Corp.s Internet Information Services Web server.

However, while many experts and vendors are touting such systems as the future of network security, others say there will always be a place for traditional IDSes.

"Theres always going to be signature-based technology because its valuable when theres a prescribed model on how things are supposed to go," said Becky Bace, a technologist at Trident Capital Inc., in Palo Alto, Calif., and an IDS expert, formerly with the National Security Agency.

"The key is, the faster you can converge on whats happening, the faster you can resolve it. IDS is like pharmaceuticals: There are some that go after very specific causes and others that have a broad sweep," Bace said.

Okena, in Waltham, Mass., is not the first vendor to take this approach. Companies such as Harris Corp. and Lancope Inc. also rely on a behavior-based approach. However, some IDS experts say anomaly detection alone is no better than using only signatures.

"The thing to realize about anomaly detection is that it assumes anything unusual is wrong. So that means that the majority of behavior must be usual and predictable," said Gene Spafford, a professor of computer science at Purdue University, in West Lafayette, Ind., and the designer of Tripwire, the first free IDS and one of the most widely deployed systems on the Internet.

"Anomaly systems tend to generate more false alarms in general," Spafford said. "Signatures alone work only on things that the signatures match. New attacks or variations on attacks cant be found. Adding signatures to anomaly systems helps cut down on the processing overhead for known attacks."

To that end, IntruVerts new appliances combine the signature-based approach of traditional IDSes with anomaly detection and the ability to detect and choke off denial-of-service attacks. The new I-4000 and I-2600 boxes can monitor how hosts interact with other hosts on the protected network and can identify illegitimate behavior.

The appliances, which are due this summer, also have a "micro-tuning" feature that enables administrators to set multiple policies on a single sensor and apply them to individual applications if they so choose.

"What were trying to do is integrate the entire spectrum of detection technologies," said Ramesh Gupta, vice president of engineering at IntruVert, in San Jose, Calif.

The advantage of the systems that combine signatures and anomaly detection lies in their broader and deeper view of network activity, Trident Capitals Bace said.

"If youre in a position to pull cues from a greater portion of the environment, its easier to find and fix any problems that might come up," she said. "The preponderance of signatures are simplistic, and the best theyre able to do is raise a flag."

Related stories

  • Special Report: Ignorance: The Hackers Best Friend
  • Computer Crime Takes Heavy Toll on Companies
  • Network Defenses Cant Foil Viruses
  • Anti-virus Makers Pushing Automation
  • Living with Worms, Viruses and Daily Security
  • New Security Strategy: Preventive Medicine
  • Cyber-security Czar Gives IT a Wake-Up Call
  • Viruses to Continue Their Assault on Net