With the increasing dependence of nearly all aspects of modern life on network-based communications, network security has become of primary concern to businesses, individuals, and governments. Security Management is therefore of growing interest for industry and research. There are at least four general methods of Security Management, including: (i) Scanning, in which knowledge-based software tools look for security loopholes in a network; (ii) On-line monitoring, in which network management tools are triggered by certain suspicious events; (iii) Data encryption and secure passwords; and (iv) Firewalls. The combination of several disparate mechanisms into a common security architecture constitutes the “Defense-in-Depth” security management approach that is currently in vogue.
The failure of authenticators and other protection mechanisms to provide an adequate defense against attacks on information systems, as well as the resulting mistrust of these mechanisms, is among the most important driving forces behind the development of Intrusion Detection Systems (IDSs) in the past twenty years. However, current IDSs are not preventive security measures, and they are therefore most often used in conjunction with various other protection mechanisms, such as firewalls, smart cards and virtual private networks. Unfortunately, one of the current gaps in the development of IDSs relates to the inability of an IDS to interact with other networking elements.
For example, SNMP-based Network Management Systems are well known and viable in industry. In the early 1990s, these systems were designed following the classic FCAPS (Fault, Configuration, Accounting, Performance and Security) model defined by the International Standard Organization. According to the FCAPS model, Security Management protects both the network and the network management system against intentional or accidental abuse, unauthorized access, and communication loss. Under this definition, the deployment of IDSs belongs to the realm of Security Management, and it therefore comes as a surprise that IDSs have not been designed to take advantage of the monitoring and alarming infrastructure provided by commercial NMSs.
In fact, little or no integration exists today between Intrusion Detection Systems (IDSs) and SNMP-based Network Management Systems (NMSs), in spite of the extensive monitoring and alarming capabilities offered by commercial NMSs. This difficulty is mainly associated with the semantic disparity between the distinct data sources used by the two systems: packet traffic and audit records for IDSs versus SNMP MIB variables for NMSs. In general, IDSs observe and understand the environment in terms of either audit records collected from hosts (Host-based IDSs) or raw packet traffic collected from the communication medium (Network-based IDSs). SNMP-based NMSs, on the other hand, observe and understand the environment in terms of MIB variables in order to set traps and perform polling. The fact that some IDSs are able to communicate with Network Management Systems via SNMP does not alleviate this problem; the key issue is appropriate semantic interaction among disparate systems rather than the control of individual IDSs.
The rules produced by current IDSs are passive, in the sense that a security violation has to occur in order to be detected. If detection could happen early enough, it might be possible to minimize, or even eliminate, the deleterious effects of the security violation. Unfortunately, early detection in current IDSs is usually the result of incidental circumstances, not of systematic design. On the other hand, almost all security violations encountered in practice evolve in multiple stages. Some of the preliminary stages may not be destructive per se, but merely preparatory steps in the Attack Scenario. If indicators of these preparatory steps, or attack precursors, could be detected and immediate action taken, the resulting attack would be prevented. This capability is called Proactive, or Anticipatory Intrusion Detection, in order to distinguish it from the passive detection enabled by current IDSs. If successful, Proactive Intrusion Detection could be an invaluable enabling capability for Response, since enough time would be available to respond to the destructive phase of the attack, ideally preventing it from ever taking place.
While there are some methods for knowing when a network or network device is currently undergoing or has undergone an attack, there have in general been no ways to know before the fact that a network is about to be attacked, except possibly by simple human guesswork. It would obviously be advantageous to businesses, academic institutions, and governmental agencies if it were possible to consistently predict when an attack is going to occur, even if the time lapse from prediction to attack were only a matter of seconds, in order that action could be taken to prevent damage to the network. What has been needed, therefore, is a way to automatically predict an imminent attack on a communications network or device and, preferably, a way to automatically take protective action after an attack has been predicted.