Another way of looking at the intrusion detection problem is to
build "Artificial Ignorance" -- tools that more exactly mimic the way
people find/solve security problems. If you think about it, in most
cases where a security incident is detected, it is because someone
noticed something that wasn't "right" somewhere. What is needed, then,
is a tool that draws things that are out of place to our attention.
Consider a tool modelled after the burglar alarm. Imagine it
is like a network security "assertion" statement. A burglar alarm works
on the assumption that "when I am turned on, nothing should be opening
or closing mjr's house doors." It goes off if the condition is violated.
Very simple. A more powerful model is a burglar alarm that uses a passive
I/R detector and looks for anomalies in more than just the doors: "when I
am turned on, nothing should be moving in mjr's house" -- this is more
likely to flag something (including my cats!) than the first one, since
it covers a wider area, with a simpler rule!
So, imagine you have a series of burglar alarms on your systems
and networks that know your normal preconditions and flag a deviation
from them. When I worked at DEC I had a box running NNStat that did
nothing but scan for a few simple rules in every IP packet that came
a) Logged all packets it saw on my subnet that had an IP
address that didn't *originate* on my subnet, but which
were not coming from any router I controlled
b) Logged all systems issuing RIP that were not routers
c) Logged all traffic coming from my external firewall
network. This rule was "superfluous" since there was a
firewall in place, but I WANTED to be the FIRST to know
in case somehow it happened.
Of the 3 rules listed, #b came out every so often. The other
2 never. I could imagine similar systems on hosts or on larger
networks, where conditions are known with more detail because there
are multiple "sensors" in place.
The TIS Gauntlet firewall (<-plug) takes an approach to
system log messages that exemplifies this "artificial ignorance"
approach. Rather than scanning the logs periodically for danger
signals, it scans the logs and *ignores* things that it's been
told aren't noteworthy. By definition, then, anything else is
worth bringing to the systems admin's attention. Lots of nice
things fall out of this approach -- the administrator will
suddenly get notification of disk partition overflows, or any
other previously unidentified warning condition.
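The log-scanning approach described above, as an added example that is not code from the original post or from the Gauntlet product: a normalizer strips the parts of a syslog line that vary without meaning, an ignore list holds only patterns an admin has already reviewed and declared boring, and everything else is reported with a count. The sample log lines and the ignore patterns are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample syslog lines for the example (not real log data).
SAMPLE_LOG = """\
Jan 12 03:01:15 gw sshd[2312]: Accepted publickey for alice from 10.0.0.5 port 51022
Jan 12 03:01:44 gw cron[2330]: (root) CMD (run-parts /etc/cron.hourly)
Jan 12 03:02:01 gw sshd[2351]: Accepted publickey for bob from 10.0.0.7 port 40110
Jan 12 03:05:19 gw kernel: EXT4-fs warning (device sda1): ext4_dx_add_entry: Directory index full!
Jan 12 03:06:02 gw sshd[2390]: Failed password for invalid user admin from 198.51.100.9 port 3344
Jan 12 04:01:44 gw cron[2511]: (root) CMD (run-parts /etc/cron.hourly)
Jan 12 04:07:30 gw sshd[2550]: Failed password for invalid user admin from 198.51.100.9 port 3390
"""

# Patterns the admin has reviewed and declared "not noteworthy" (constructed).
# Nothing is ever added for events we expect to be bad: the list only describes
# the known-boring, and whatever is left over is reported by default.
IGNORE_PATTERNS = [
    r"^sshd: Accepted publickey for \w+ from N port N$",
    r"^cron: \(root\) CMD \(run-parts /etc/cron\.(hourly|daily)\)$",
]

def normalize(line):
    """'Mon DD HH:MM:SS host prog[pid]: msg' -> 'prog: msg', with every
    standalone number (address, port, size) replaced by 'N'."""
    m = re.match(r"^\w{3}\s+\d+ [\d:]+ \S+ ([^\[:]+)(?:\[\d+\])?: (.*)$", line)
    if not m:
        return line.strip()  # an unparseable line is interesting by definition
    prog, msg = m.groups()
    msg = re.sub(r"\b\d+(?:\.\d+)*\b", "N", msg)
    return f"{prog}: {msg}"

def artificial_ignorance(log_text, ignore_patterns=IGNORE_PATTERNS):
    """Return {normalized line: count} for every line NOT on the ignore list."""
    ignore = [re.compile(p) for p in ignore_patterns]
    unknown = Counter()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        norm = normalize(raw)
        if any(p.search(norm) for p in ignore):
            continue
        unknown[norm] += 1
    return unknown

if __name__ == "__main__":
    # The disk warning surfaces without anyone having written a rule for it.
    for line, n in artificial_ignorance(SAMPLE_LOG).most_common():
        print(f"{n:4d} {line}")
```

When a reported line turns out to be harmless, the admin adds a pattern for it to the ignore list and the report shrinks; the failed-password and filesystem lines above are reported only because nobody has said they are boring.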