<td width="100%" valign="top" align="left">
<P>
<B>Intrusion Detection: Network Security beyond the Firewall</B>
<FONT SIZE="-1">
<BR>
<I>(Publisher: John Wiley & Sons, Inc.)</I>
<BR>
Author(s): Terry Escamilla
<BR>
ISBN: 0471290009
<BR>
Publication Date: 11/01/98
</FONT>
<!-- Empty Reference Subhead -->
<!--ISBN=0471290009//-->
<!--TITLE=Intrusion Detection: Network Security Beyond the Firewall//-->
<!--AUTHOR=Terry Escamilla//-->
<!--PUBLISHER=John Wiley & Sons, Inc.//-->
<!--IMPRINT=Wiley Computer Publishing//-->
<!--CHAPTER=8//-->
<!--PAGES=231-234//-->
<H4 ALIGN="LEFT"><A NAME="Heading5"></A><FONT COLOR="#000077">Misuse Detector</FONT></H4>
<P>The patented component of Stalker that is most interesting is the collection of intrusion detection patterns along with the engine that analyzes them. In simple terms, audit records are fed into the engine, which maintains a series of state transition diagrams representing intrusions and misuses. When a particular pattern reaches a terminal state, a misuse or intrusion event is indicated.
</P>
<P>This analysis component of Stalker is called the Misuse Detector (MD) for historical reasons. Technically, it is both a misuse detector and an intrusion detector. Recall from earlier discussions that misuse detection looks for abuses by internal users, and intrusion detection is focused on attacks from outsiders. Today, these terms are often used interchangeably.</P>
<P>Like the TB, the MD can be run interactively or scheduled to operate in batch mode. Stalker detects roughly 80–90 different attacks, depending on the version of UNIX running on the client. Not all patterns are supported on each OS. From the MD GUI, you can choose which attack signatures you want to monitor.</P>
<H4 ALIGN="LEFT"><A NAME="Heading6"></A><FONT COLOR="#000077">Attacks Detected by Stalker</FONT></H4>
<P>Stalker conveniently groups patterns into classes, such as Trojan Horse. Space does not permit an exhaustive list and description of attacks detected by Stalker. Table 8.1 summarizes this information.
</P>
<TABLE WIDTH="100%"><CAPTION ALIGN=LEFT><B>Table 8.1</B> Stalker’s Misuse Detector Signatures
<TR>
<TH COLSPAN="2"><HR>
<TR>
<TH WIDTH="30%" ALIGN="LEFT">Attack Signature Category
<TH WIDTH="70%" ALIGN="LEFT">Types of Attacks Detected
<TR>
<TD COLSPAN="2"><HR>
<TR>
<TD VALIGN="TOP">Covering Tracks
<TD>Detects when a user tries to modify audit configurations, delete entries in system log files, or run known rogue programs like <I>zap</I> to cover tracks.
<TR>
<TD VALIGN="TOP">Gaining Privilege
<TD>Detects a number of different ways that a user gains privilege on the system.
<TR>
<TD>
<TD>These signatures can be configured to permit or deny specific privilege transitions, such as when the RUID changes to zero.
<TR>
<TD VALIGN="TOP">Known Attack Programs
<TD>Looks for instances of a user running one or more known rogue programs.
<TR>
<TD>
<TD>A preconfigured list is provided but can be modified.
<TR>
<TD VALIGN="TOP">Misuse Outcomes
<TD>Looks for evidence of attacks that have a known outcome, such as password guessing attempts matching the order of names in /etc/passwd (indicating the user file has been stolen). Another example is reading someone else’s data or bypassing ACLs by gaining privilege.
<TR>
<TD>Self Defense
<TD>Watches the Stalker directories for evidence of tampering.
<TR>
<TD VALIGN="TOP">System Access
<TD>Detects when critical system files have been altered, or when an attempt was made to alter them. This category includes Trojan Horse signatures.
<TR>
<TD>Vulnerabilities
<TD>Looks for evidence of someone trying to exploit a known security advisory.
<TR>
<TD>Masquerading
<TD>A user switches to another user and then attacks the system.
<TR>
<TD VALIGN="TOP">Tagged Events
<TD>Tagged files or programs that a user accesses (planted by the administrator as bait) or a tagged user account being accessed.
<TR>
<TD COLSPAN="2"><HR>
</TABLE>
<P>The MD was developed over several years and has a good foundation in intrusion detection research. IDSs use different engines for analyzing attacks. Some, such as CMDS, rely on rule-based expert systems. Stalker employs a <I>finite state machine</I> (FSM) for recognizing attacks. As you probably know, finite state machines are the underlying technology for compilers. Recognizing patterns with the utmost speed is one of the reasons FSMs are used in compilers, and that speed was also one of the reasons the FSM approach was chosen for Stalker.</P>
<P>You also can buy a Misuse Detector Toolkit to add signatures to Stalker. This toolkit is not particularly easy to use and requires skill in C++. Over time you can expect Stalker and other IDSs to provide a scripting language for writing new patterns.</P>
<H4 ALIGN="LEFT"><A NAME="Heading7"></A><FONT COLOR="#000077">Is Stalker Right for You?</FONT></H4>
<P>At the time this chapter was written, the real-time, client-server, heterogeneous Stalker product was not available. Naturally, you should check the Network Associates Web site for the latest information. Many enhancements to Stalker have been planned and will roll out over time. Remember that batch reports are an important part of security monitoring. Monitoring <I>everything</I> in real time is probably not the best approach. Also, Stalker’s capability to query and search through past audit logs is valuable. If you find that you have been hacked, it’s good to know that you can easily filter for specifics through large amounts of historical audit data using Stalker.</P>
<P>Stalker will be a good match for your environment if you consider the following:</P>
<DL>
<DD><B>•</B> Real-time analysis is <I>not</I> necessary.
<DD><B>•</B> Identifying the accountable user is <I>very</I> important.
<DD><B>•</B> Audit trails already are captured at your site, or you do not mind logging audit records.
<DD><B>•</B> You need a tool to perform audit reduction.
<DD><B>•</B> You need a tool that detects a wide range of UNIX system attacks.
<DD><B>•</B> Detection of privilege escalation problems is <I>very</I> important at your site.
<DD><B>•</B> You want the capability to scan for custom-defined events in large volumes of data.
<DD><B>•</B> You audit several different UNIX systems.
</DL>
<P>Stalker has a large set of attack patterns for UNIX system-level monitoring. If the set of attack patterns is useful to you, which it probably is, deploying Stalker on critical systems is a good way to get started.
</P>
<P>Unlike accounting files, the audit trail can detect privilege transitions. The Morris worm, which overlaid itself with a fork() and then an exec(), would not have been detected in the accounting files, although it does show up in audit logs. When a user runs a similar attack, the AUID remains unchanged, and thus accountability is preserved. The AUID also persists when a user runs the <I>su</I> command, even though the RUID changes. Other transitions in privilege are also surfaced in the audit log. With Stalker’s TB and MD capabilities, you can catch these types of security events on your systems.</P>
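<P>The following is an added illustration, not code from the book or from the Stalker product: a toy misuse detector that replays constructed audit records through per-user state transition diagrams, in the spirit of the MD engine described above. It keys every pattern's state on the AUID so that, as the paragraph on privilege transitions notes, accountability survives an <I>su</I> that changes the RUID. The record fields, the two pattern diagrams and the sample records are all assumptions made for the example.</P>

```python
# Added example (not from the book or Stalker): a toy FSM-based misuse detector.
# Record fields, pattern diagrams and sample audit records are constructed.
from collections import defaultdict

# Constructed audit records: each carries the immutable audit user id (auid),
# the current real uid (ruid), an event name and an argument.
AUDIT = [
    {"auid": 1001, "ruid": 1001, "event": "exec",   "arg": "/bin/ls"},
    {"auid": 1001, "ruid": 0,    "event": "su",     "arg": "root"},  # ruid changes, auid persists
    {"auid": 1001, "ruid": 0,    "event": "write",  "arg": "/etc/passwd"},
    {"auid": 1002, "ruid": 1002, "event": "exec",   "arg": "/tmp/zap"},
    {"auid": 1003, "ruid": 1003, "event": "unlink", "arg": "/var/log/messages"},
]

# Each pattern is a state transition diagram: state -> [(predicate, next_state)].
# Reaching a state listed in TERMINAL signals a misuse event for that pattern.
PATTERNS = {
    "Masquerading": {
        "start":    [(lambda r: r["event"] == "su" and r["ruid"] != r["auid"], "switched")],
        "switched": [(lambda r: r["event"] == "write" and r["arg"].startswith("/etc/"), "attacked")],
    },
    "Covering Tracks": {
        "start": [(lambda r: r["event"] == "exec" and r["arg"].endswith("/zap"), "covered"),
                  (lambda r: r["event"] == "unlink" and r["arg"].startswith("/var/log/"), "covered")],
    },
}
TERMINAL = {"attacked", "covered"}


def detect(records):
    """Replay audit records in order; return (pattern, auid) pairs whose
    diagram reached a terminal state. State is tracked per AUID, not per RUID,
    so the user who ran su is still the one held accountable."""
    state = defaultdict(lambda: "start")  # (pattern, auid) -> current state
    hits = []
    for r in records:
        for name, diagram in PATTERNS.items():
            key = (name, r["auid"])
            for predicate, nxt in diagram.get(state[key], []):
                if predicate(r):
                    state[key] = nxt
                    if nxt in TERMINAL:
                        hits.append((name, r["auid"]))
                        state[key] = "start"  # reset so a repeat is reported again
                    break
    return hits


if __name__ == "__main__":
    for pattern, auid in detect(AUDIT):
        print(f"{pattern}: audit user {auid}")
```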
<P>Depending on your needs, Stalker may not be the best tool for your environment. For example, if you want real-time consolidation of audit logs from the clients to the Stalker server, the tool does not provide this feature today. Your requirements might cause you to see the following as limitations of Stalker:</P>
<DL>
<DD><B>•</B> Batch analysis of audit logs.
<DD><B>•</B> Only one client at a time can be administered or configured <I>interactively</I>, although initial definitions for clients can be input via a batch file. (You can run several simultaneous reports in batch mode.)
</DL>
<P>Given the number of valuable reports that Stalker can generate for you, these limitations are not particularly troublesome.
</P><P><BR></P>
</TD>
</TR>
</TABLE>
</BODY>
</HTML>