Intrusion detection cont.

Auditing

a thorough prces of investiagtina nd analaysing aa system for vilnerabilities

can also refer to logging (esp. in a databse context)

protect aginst network intrusions

built in or third party
- built in - integration quality of control. ofen light convenince features maybe no GUI
black/whitelist
mandatory access control on routers
- mandatory access control
  - e.g., block a netork port
  - block icmp packets (some sytems are vulnerable)
application level filtering for desktop systems
- finer grained control for linking rules to applications themselves (processes)
- router doesn't know about applications
- may not trust an aplication to connect o a web server but do trust other.
- dont have to block everything on that webserver
provide altering and logging (avoid crying wolf)
- "end user alert fatigue"

northcutt and novak - network intrusion detection

often bundled with commercial routers, network storage devices (NAS, SAN) - "cloud storage within organisation"
can also be host based (HIDS) "situated aroud network"
intrusion can be identified by know signatures (like pattern-based virus scanners)
can also be anomaly-based (using heuristics)

deliberately place sofware where it will interact with attacks, somewhat resembling a police sting operation.

decoy service used to attact attackers
divert attackers from real service
identify attack origin - analyse attack - create countermeasures
honey-nets - co-ordiniated honeypots. - analyse malware infection behaviour (malware epidemiology)
bogus email address lists to hinder spammers
individual e-mail address can be used to gather and analyse spam smessages