Computer and network systems are subject to attacks from unauthorized users and to viruses, worms, trojans, spyware, targeted attacks, rootkits, bots, phishing, Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. To maintain IT security, an understanding of how threats are changing is important. There is an ever-decreasing window of time between the announcement of a new vulnerability and the release of an associated threat capable of exploiting that vulnerability. Undoubtedly, this shrinking window is at least partially responsible for the emphasis placed on the need to continuously update the rules and definitions utilized by network-based security countermeasures.
A virus is a program which is able to self-replicate but depends upon user interaction for penetration, execution and propagation. A virus is also not self-contained: it depends on a host file or program and on host resources such as the host hard drive. By definition, a virus makes unauthorized changes to a computer and almost always corrupts or modifies files on the targeted computer.
A worm is another self-replicating program. It is engineered to take advantage of an identified vulnerability to penetrate and execute without user interaction. Unlike a virus, it is self-contained and exists in system memory. It uses system and network services to complete the transmission and propagation stages of its lifecycle without reliance on files or programs. A worm often carries a “payload”, program code in the worm that is designed to do more than spread the worm. For example, it might delete files on a host system, encrypt files, or send documents via e-mail. A common payload for worms is to install a “backdoor”, a means of securing unauthorized communication that allows the worm author to access and control the infected computer.
A trojan, or trojan horse, is a program that masquerades as a useful or important program. It does not self-replicate and will not infect other files. Trojan horses can steal information and harm their host computer systems. Once a trojan has been installed on a targeted computer system, an unauthorized user may be given remote access to the computer, allowing them to watch the user's screen and perform operations such as the theft of electronic data, including passwords, bank and credit card information, and computer files. A trojan may also track and report internet activity and log the keystrokes of the targeted computer.
Network-based security attempts to stop threats before they gain unwanted access to and/or propagate throughout an organization's computing environment. In general, network-based security countermeasures fall into two classifications: those which are based on a positive model of control, and those which operate with a negative model of control.
Positive-model countermeasures, such as firewalls, operate by identifying communications and then allowing only those communications, programs, and data elements that are known to be good to access the protected computing environment. In general, firewalls filter connections by examining data packets and comparing them to a set of rules for the local process involved in the data transmission. The extent of the filtering is defined by the provided rules. Because everything not explicitly permitted is refused, this approach often yields an indiscriminate elimination of unknown as well as known threats. Firewalls are most often communications-centric and provide a layer of protection by controlling incoming and outgoing network traffic. Firewalls can also block material based on file type, as determined by the filename extension. Overall, firewalls have the ability to stop threats while they are being transmitted or are propagating.
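The following is an added example, not part of the original text, showing the positive model of control as a small packet filter in Python: a packet is admitted only if some allow rule matches it, and everything else, including the extension-based file-type block, is dropped by default. The rule fields, the sample addresses (documentation ranges) and the blocked-extension set are constructed for the illustration.

```python
"""Positive-model (allowlist) packet filter, constructed as an illustration.

Anything not explicitly permitted by an allow rule is dropped, so unknown
traffic is refused together with traffic that is known to be bad.
"""
import ipaddress
import os
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str                 # "in" or "out" relative to the protected network
    proto: str                     # "tcp" or "udp"
    src_ip: str
    dst_ip: str
    dst_port: int
    filename: Optional[str] = None  # name of a file carried in the payload, if any


@dataclass(frozen=True)
class AllowRule:
    """One positive rule: direction, protocol, destination port and destination network."""
    direction: str
    proto: str
    dst_port: int
    dst_net: str                   # CIDR, e.g. "192.0.2.0/24"

    def matches(self, pkt: Packet) -> bool:
        return (pkt.direction == self.direction
                and pkt.proto == self.proto
                and pkt.dst_port == self.dst_port
                and ipaddress.ip_address(pkt.dst_ip) in ipaddress.ip_network(self.dst_net))


# Constructed allowlist: inbound HTTPS to a DMZ range, outbound DNS to the
# organisation's resolvers, and outbound HTTPS anywhere. Nothing else.
ALLOW_RULES: List[AllowRule] = [
    AllowRule("in", "tcp", 443, "192.0.2.0/24"),
    AllowRule("out", "udp", 53, "198.51.100.0/24"),
    AllowRule("out", "tcp", 443, "0.0.0.0/0"),
]

# Constructed file-type block applied by filename extension, regardless of rules.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".vbs"}


def decide(pkt: Packet, rules: List[AllowRule] = ALLOW_RULES) -> str:
    """Return 'allow' or 'drop' for one packet under the positive-model policy."""
    if pkt.filename is not None:
        ext = os.path.splitext(pkt.filename)[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            return "drop"
    for rule in rules:
        if rule.matches(pkt):
            return "allow"
    return "drop"  # default deny: traffic no rule has declared good is refused


if __name__ == "__main__":
    samples = [
        Packet("in", "tcp", "203.0.113.5", "192.0.2.10", 443),
        Packet("in", "tcp", "203.0.113.5", "192.0.2.10", 22),
        Packet("out", "tcp", "192.0.2.10", "203.0.113.9", 443, "update.EXE"),
    ]
    for p in samples:
        print(p.direction, p.proto, p.dst_ip, p.dst_port, p.filename, "->", decide(p))
```

Note that the SSH packet in the demo is dropped not because a rule names it as bad, but because no rule names it as good; that is the whole difference between the positive and the negative model.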
Negative-model countermeasures, such as intrusion detection/prevention systems (IDPS), operate by identifying and stopping communications, programs, and activities involving data elements which are known to be bad. The bad data elements are usually associated with a threat to Information Technology (IT) security. IDPS usually incorporate both proactive and reactive detection mechanisms. Proactive mechanisms include vulnerability-based signatures and the identification of traffic and protocol anomalies.
Reactive mechanisms include profile-based (anomaly) intrusion detection, signature-based intrusion detection, and misuse intrusion detection. A false positive occurs when an IDPS reports an event as an intrusion when the event is legitimate network activity. A false negative occurs when the IDPS fails to detect actual malicious network activity.
Profile-based intrusion detection detects activity that deviates from statistically common activity. This is commonly known as statistical anomaly-based detection. This method of detection uses a baseline of the network's traffic conditions and average performance. After a baseline is created, the system intermittently samples network traffic, using statistical analysis to compare the sample to the established baseline. If the activity is outside the baseline parameters, the intrusion prevention system takes the appropriate action. The dependence on a statistical definition of normal can make profile-based intrusion detection prone to a large number of false positives.
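As an added example (not from the original text), the following Python code builds the statistical baseline described above from a constructed series of connections-per-minute counts, scores later samples as z-scores against it, and flags anything beyond a threshold. The training series, the observations, their out-of-band labels and the three-standard-deviation threshold are all assumptions of the example; the legitimate backup burst is included to show how a purely statistical definition of normal produces a false positive.

```python
"""Profile-based (statistical anomaly) detection over constructed traffic counts.

Baseline = mean and population standard deviation of new connections per
minute during a quiet training window. Each later sample is scored as a
z-score; samples beyond THRESHOLD standard deviations are reported.
"""
from statistics import mean, pstdev
from typing import Dict, List, Tuple

THRESHOLD = 3.0  # assumption: report samples more than 3 sigma from the mean

# Constructed training window: connections per minute on a quiet afternoon.
BASELINE_SAMPLES = [40, 42, 38, 45, 41, 39, 44, 43, 40, 42, 37, 41]

# Constructed later observations: (connections per minute, description, truly malicious?)
# The third field is an analyst's after-the-fact verdict, not something the detector sees.
OBSERVATIONS: List[Tuple[int, str, bool]] = [
    (43, "normal browsing", False),
    (45, "normal browsing", False),
    (60, "nightly backup job starts", False),
    (100, "host sweep from an infected workstation", True),
    (39, "normal browsing", False),
]


def build_baseline(samples: List[int]) -> Tuple[float, float]:
    """Return (mean, standard deviation) of the training window."""
    return mean(samples), pstdev(samples)


def z_score(value: float, baseline: Tuple[float, float]) -> float:
    mu, sigma = baseline
    if sigma == 0:  # degenerate baseline: any change is infinitely unusual
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def detect(observations, baseline, threshold: float = THRESHOLD) -> List[Dict]:
    """Return one record per observation with its z-score and whether it was flagged."""
    records = []
    for value, description, malicious in observations:
        z = z_score(value, baseline)
        records.append({
            "value": value,
            "description": description,
            "malicious": malicious,
            "z": round(z, 2),
            "flagged": abs(z) > threshold,
        })
    return records


def false_positives(records: List[Dict]) -> List[Dict]:
    """Flagged records that the analyst verdict says were legitimate activity."""
    return [r for r in records if r["flagged"] and not r["malicious"]]


def false_negatives(records: List[Dict]) -> List[Dict]:
    """Malicious records the statistical profile did not flag."""
    return [r for r in records if r["malicious"] and not r["flagged"]]


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_SAMPLES)
    print("baseline mean=%.1f sigma=%.2f" % baseline)
    for r in detect(OBSERVATIONS, baseline):
        print(r)
    print("false positives:", [r["value"] for r in false_positives(detect(OBSERVATIONS, baseline))])
```

The backup burst (60 connections per minute) is more than eight standard deviations above a baseline whose spread is about 2.3, so it is flagged just as the sweep is; the only way the profile could tell them apart is a richer baseline that knows what time of day it is.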
Signature-based intrusion detection includes pattern matching and detection techniques. Pattern matching looks for a fixed sequence of bytes within a single packet that is associated with a particular service, source or destination port. Signature-based detection is a method of detection which utilizes attack signatures, which are attack patterns that are preconfigured and predetermined. A signature-based intrusion prevention system monitors the network traffic for matches to these signatures. Once a match is found, the intrusion prevention system takes the appropriate action. Signatures can be exploit-based or vulnerability-based. Exploit-based signatures match patterns appearing in the exploits being protected against, while vulnerability-based signatures describe the vulnerability in a program, its execution, and the conditions needed to exploit it. If the matching is based on a pattern that isn't unique enough, a large number of false positives may result.
Misuse detection, in general, detects a pattern of activity which closely matches the activity of a network intrusion. This is often referred to as stateful protocol analysis detection. This method identifies deviations of protocol states by comparing observed events with predetermined profiles of generally accepted definitions of benign activity. A threat is identified by matching the sequence of activities of a malicious individual to a predetermined profile. As with firewalls, the effectiveness of IDPS is heavily reliant on the rules and definitions which form the basis of its operation.
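An added example, not part of the original text, of stateful protocol analysis in Python. The benign profile is a deliberately simplified model of a TCP connection (an assumption of this example, not the full TCP state machine): a flow must complete SYN, SYN-ACK, ACK before it may carry data, and closes with FIN then ACK. Each observed segment is checked against the transitions allowed from the flow's current state; an event with no such transition is reported as a protocol-state deviation. The event list is constructed.

```python
"""Stateful protocol analysis over a constructed list of TCP segment summaries.

PROFILE maps each tracked state to the events that benign activity may produce
from that state and the state each leads to. Anything else is a deviation.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Simplified benign profile (assumption of this example): state -> {event: next state}
PROFILE: Dict[str, Dict[str, str]] = {
    "CLOSED":       {"SYN": "SYN_SENT"},
    "SYN_SENT":     {"SYN-ACK": "SYN_RECEIVED"},
    "SYN_RECEIVED": {"ACK": "ESTABLISHED"},
    "ESTABLISHED":  {"DATA": "ESTABLISHED", "FIN": "FIN_WAIT"},
    "FIN_WAIT":     {"ACK": "CLOSED"},
}

# Constructed sensor log: (flow id, observed segment type), in arrival order.
EVENTS: List[Tuple[str, str]] = [
    ("f1", "SYN"), ("f1", "SYN-ACK"), ("f1", "ACK"),   # f1: clean handshake
    ("f2", "SYN"),
    ("f1", "DATA"), ("f1", "DATA"),
    ("f2", "DATA"),                                    # f2: data before handshake completes
    ("f3", "ACK"),                                     # f3: stray ACK with no handshake at all
    ("f1", "FIN"), ("f1", "ACK"),                      # f1: orderly close
]


def analyze(events: List[Tuple[str, str]], profile: Dict[str, Dict[str, str]] = PROFILE):
    """Track every flow's state; return (deviations, final state per flow).

    A deviation is (flow, state the flow was in, event that was not allowed there).
    The flow's state is left unchanged after a deviation so later segments are
    still judged against the benign profile.
    """
    state: Dict[str, str] = defaultdict(lambda: "CLOSED")
    deviations: List[Tuple[str, str, str]] = []
    for flow, event in events:
        current = state[flow]
        nxt = profile.get(current, {}).get(event)
        if nxt is None:
            deviations.append((flow, current, event))
            continue
        state[flow] = nxt
    return deviations, dict(state)


if __name__ == "__main__":
    found, final = analyze(EVENTS)
    for flow, st, ev in found:
        print("deviation: flow %s saw %s while in state %s" % (flow, ev, st))
    print("final states:", final)
```

Because the check is on sequence rather than on content, neither deviation depends on any byte pattern in the payload; that is what lets this style of detection catch activity a fixed-signature match would not.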
Known rule editing software provides access to logs of security events as well as a template in which a security rule may be modified or created. Security logs can be used to track user and system activity and typically cannot be altered or modified. An alarm mechanism is often employed for notification purposes, i.e., when an accumulation of events indicates an imminent violation of security policy. Certain security systems and rule editors can associate event log entries with the security rule that triggered the creation of a given event log entry, and this association can be used to assess the accuracy and effectiveness of the security rule.
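The following added example (not code from the original text) serves two passages at once: the signature-based pattern matching of the earlier paragraph, where each signature is a fixed byte sequence bound to a destination port, and the present paragraph's point that event log entries carrying the id of the rule that fired can be scored against analyst verdicts to assess a rule's accuracy. The signatures, the packets and the set of packet indices the analyst later labelled malicious are all constructed; the second signature is intentionally too generic to show how a weak pattern inflates false positives, and the port binding shows how a signature misses the same bytes on another service.

```python
"""Signature matching with per-rule event logging and per-rule accuracy assessment.

Each hit is logged with the id of the signature that produced it, so the log
can be joined with analyst verdicts to compute precision rule by rule, and
labelled malicious packets with no event at all surface as false negatives.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Signature:
    rule_id: str
    dst_port: int       # the signature only applies to traffic to this port
    pattern: bytes      # fixed byte sequence looked for within a single packet
    description: str


@dataclass(frozen=True)
class Event:
    rule_id: str        # which rule fired: the link the text says rule editors can exploit
    packet_index: int
    dst_port: int
    excerpt: bytes


# Constructed signatures: one specific, one far too generic.
SIGNATURES: List[Signature] = [
    Signature("R1", 80, b"../../../../etc/passwd", "path traversal in HTTP request"),
    Signature("R2", 80, b"select", "SQL keyword in HTTP request"),
]

# Constructed packets: (destination port, payload).
PACKETS: List[Tuple[int, bytes]] = [
    (80, b"GET /index.html HTTP/1.1"),
    (80, b"GET /cgi-bin/../../../../etc/passwd HTTP/1.1"),
    (80, b"POST /search q=please+select+a+size"),
    (80, b"GET /docs/select-your-plan.html HTTP/1.1"),
    (25, b"../../../../etc/passwd"),            # same bytes, other port: R1 does not apply
    (80, b"GET /admin?id=1;select+*+from+users"),
]

# Constructed analyst verdicts: indices of packets that really were intrusions.
MALICIOUS: Set[int] = {1, 4, 5}


def scan(packets: List[Tuple[int, bytes]], signatures: List[Signature]) -> List[Event]:
    """Run every signature over every packet; log one event per (rule, packet) hit."""
    events: List[Event] = []
    for idx, (port, payload) in enumerate(packets):
        for sig in signatures:
            if port == sig.dst_port and sig.pattern in payload:
                events.append(Event(sig.rule_id, idx, port, payload[:40]))
    return events


def assess(events: List[Event], packets, malicious: Set[int]) -> Dict:
    """Score each rule from its logged events; list malicious packets no rule caught."""
    per_rule: Dict[str, Dict] = {}
    for ev in events:
        stats = per_rule.setdefault(ev.rule_id, {"tp": 0, "fp": 0})
        stats["tp" if ev.packet_index in malicious else "fp"] += 1
    for stats in per_rule.values():
        total = stats["tp"] + stats["fp"]
        stats["precision"] = stats["tp"] / total if total else 0.0
    caught = {ev.packet_index for ev in events}
    missed = sorted(i for i in range(len(packets)) if i in malicious and i not in caught)
    return {"per_rule": per_rule, "missed": missed}


if __name__ == "__main__":
    evs = scan(PACKETS, SIGNATURES)
    for ev in evs:
        print(ev)
    print(assess(evs, PACKETS, MALICIOUS))
```

Rule R2 fires three times and is right once, a precision of one third, which is exactly the kind of number a rule editor could show beside the rule; the packet on port 25 is the false negative that no per-rule statistic reveals unless unmatched labelled traffic is also examined.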
To remain effective, IT security systems require rules and definitions that allow legitimate user and program activity while preventing or stopping malicious activity. While the foregoing known rule editor is effective in editing existing security rules or composing new security rules, it does not indicate the viability of an edited or new security rule.