ERCIM News No.49, April 2002


Methods and Tools against Hacker Attacks

by Andreas Wespi

The research work of the Global Security Analysis Lab (GSAL) Zurich is dedicated to ensuring that the benefits and convenience of networked computing continue to outweigh the risks of operating in an open networked environment.

Increasingly refined intrusion-detection techniques allow users to operate with confidence, in spite of the vast number of attacks that threaten computer systems. The Zurich lab supports IBM’s security consulting practices and managed security services by developing methodologies and tools for the detection, prevention and analysis of recurring hacker attacks.

A key component for the GSAL’s work on intrusion detection is its Vulnerability Database (VulDa), a comprehensive database of computer system weaknesses. Developed by the GSAL and now maintained by IBM’s Managed Security Services (MSS) organisation, it contains all known attacks, hacks and countermeasures. It therefore provides a powerful tool for continued intrusion-detection research and, at the same time, supports IBM's security offerings by allowing carefully controlled access to the data by IBM consultants as well as IT architects and developers. VulDa is unique with respect to its size and the quality of the data it contains. It is a product of the continuous monitoring of information that is publicly available on the Internet (hacker Web sites, newsgroups, mailing lists, ftp sites) and data obtained from confidential IBM sources. The filtering and classification methods developed by GSAL provide unique options for accessing the data. Employing three different search engines has optimised the efficiency of information retrieval from the more than 40 gigabytes of compressed data contained in VulDa. In addition to a classical full-text search engine, advanced search techniques involving document clustering and vulnerability profiles vastly improve the accuracy of searches.

The GSAL research activities concentrate on distributed intrusion-tolerant intrusion detection systems and are structured along three main axes: (i) development of new ID (Intrusion Detection) sensors, (ii) development of an ID management console, and (iii) research on the application of the dependability paradigm for intrusion detection. The third item constitutes the core of a three-year European project, which started in January 2000 and involves six partners. The Zurich laboratory is co-leader of this project.

Some results of the first two axes constitute the core of the Tivoli Risk Manager product and of a novel ID sensor called 'Web IDS', targeted at detecting attacks against Web servers. Tivoli Risk Manager enables organisations to centrally manage attacks, threats and exposures by correlating security information from various intrusion detectors. The solution enables administrators to eliminate clutter such as false positives, while quickly identifying the real security threats. This helps administrators respond with adaptive security measures.

Web IDS is a real-time intrusion-detection system. It addresses penetration of the system, denial-of-service attacks, legal but undesirable activity, existing server vulnerabilities, and policy violations. This is required technology for e-business, because network intrusion-detection systems have a limited ability to detect Web attacks. The Web intrusion-detection system is designed specifically for content-based attacks on URLs using http or https.
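The content-based URL inspection that a Web intrusion-detection sensor performs can be illustrated with a small Python check. The code below is an added example written for this article, not Web IDS code or any IBM code; the site policy in ALLOWED_PATHS, the request-line format and the sample requests are constructed assumptions. It canonicalises the request path (bounded repeated percent-decoding, dot-segment collapsing) before comparing it against policy, which is what makes such a sensor see the same path the server will eventually resolve.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Constructed site policy (an assumption for this example): every legitimate
# request target lives under one of these paths.
ALLOWED_PATHS = ("/index.html", "/products", "/images", "/cgi-bin/search")
MAX_TARGET_LEN = 1024


def decode_fully(text, rounds=3):
    """Percent-decode until stable (bounded), so a double-encoded %252e is seen as '.'."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def canonical_path(raw_path):
    """Decode and collapse '.' / '..' segments the way a server would resolve them."""
    path = decode_fully(raw_path).replace("\\", "/")
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def inspect_request(request_line):
    """Return the canonical path plus a list of policy findings for one request line."""
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    decoded = decode_fully(parts.path)
    path = canonical_path(parts.path)
    findings = []
    if ".." in decoded.split("/"):
        findings.append("parent-directory segment in path")
    if not any(path == p or path.startswith(p + "/") for p in ALLOWED_PATHS):
        findings.append(f"path outside policy: {path}")
    if len(target) > MAX_TARGET_LEN:
        findings.append("over-long request target")
    if any(ch in decode_fully(parts.query) for ch in ("\x00", "\r", "\n")):
        findings.append("control characters in query string")
    return {"method": method, "path": path, "findings": findings}


# Constructed request lines, as a Web server would log them.
SAMPLE_REQUESTS = [
    "GET /products/list.html?id=42 HTTP/1.0",
    "GET /images/logo.gif HTTP/1.1",
    "GET /products/%2e%2e/%2e%2e/etc/passwd HTTP/1.0",
    "GET /%252e%252e/admin HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        result = inspect_request(line)
        status = "ALERT" if result["findings"] else "ok"
        print(f"{status:5} {line} -> {result['path']} {result['findings']}")
```

The policy comparison runs on the canonical path, while the dot-segment finding is raised on the decoded but uncollapsed path; reporting both lets an operator tell a request that merely looked odd from one that would have escaped the served tree.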

Furthermore, three other new ID sensors have been developed and are currently being used. The first one is called a 'sniffer detector', which, as its name implies, is designed to detect so-called sniffers (passive intruders) in a network by simulating network traffic using intentionally false information as bait. Any reuse of this information indicates that a system has been compromised. This can also help locate an intruder within the network.
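The bait principle behind the sniffer detector, that any later reuse of planted false information betrays a host that was listening, can be demonstrated with the following Python example. It is added here and is not the GSAL prototype's code; the decoy user names, the login-record format matched by LOGIN_RE and the log lines are all constructed assumptions. The detector alerts whenever a login attempt names a decoy account, and groups alerts by source address, since the source is the host that must have captured the bait.

```python
import re
import secrets
from collections import defaultdict


def make_bait_accounts(count, prefix="svc"):
    """Generate unguessable decoy user names to plant in simulated traffic."""
    return {f"{prefix}-{secrets.token_hex(4)}" for _ in range(count)}


# Constructed bait set (fixed here so the run is reproducible; in practice use
# make_bait_accounts and record exactly what was planted and where).
BAIT_ACCOUNTS = {"svc-4f2a9c1e", "svc-b17e03da"}

# Constructed login-record format (an assumption for this example).
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<host>\S+) login: user=(?P<user>\S+) "
    r"from=(?P<src>\S+) result=(?P<result>\w+)$"
)


def scan_login_records(lines, bait):
    """Return one alert per login attempt that names a bait account, successful or not."""
    alerts = []
    for line in lines:
        m = LOGIN_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed record
        if m["user"] in bait:
            alerts.append({
                "time": m["ts"],
                "target_host": m["host"],
                "source": m["src"],
                "bait_user": m["user"],
                "result": m["result"],
            })
    return alerts


def suspect_sources(alerts):
    """Map each source address to the bait accounts it used; these hosts saw the bait."""
    by_source = defaultdict(set)
    for alert in alerts:
        by_source[alert["source"]].add(alert["bait_user"])
    return dict(by_source)


# Constructed login records; the last line is deliberately not a login record.
SAMPLE_LOG = [
    "2002-04-12 10:01:03 fileserver login: user=alice from=10.0.1.20 result=ok",
    "2002-04-12 10:01:09 fileserver login: user=svc-4f2a9c1e from=10.0.1.77 result=failed",
    "2002-04-12 10:02:41 mailhost login: user=bob from=10.0.1.21 result=ok",
    "2002-04-12 10:03:00 mailhost login: user=svc-4f2a9c1e from=10.0.1.77 result=ok",
    "2002-04-12 10:03:15 mailhost kernel: link up",
]

if __name__ == "__main__":
    found = scan_login_records(SAMPLE_LOG, BAIT_ACCOUNTS)
    for src, users in suspect_sources(found).items():
        print(f"bait reused from {src}: {sorted(users)}")
```

Because the decoy names never belong to real users, a failed attempt is as significant as a successful one, which is why the result field is recorded but not used to filter.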

The second prototype is a so-called behaviour-based approach for intrusion detection. It monitors the behaviour of a system and sends an alert when a deviation from normal behaviour occurs. This behaviour-based approach is used for processes running on UNIX machines. It has broken new ground by applying the 'Teiresias' algorithm, originally used for DNA sequencing, to intrusion detection.
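The behaviour-based idea, learning what sequences of system calls a process normally issues and alerting on deviations, is shown below in Python as an added example; it is not the prototype's code and it does not implement Teiresias. In place of Teiresias' variable-length patterns it uses a simpler fixed-length sliding window over call names (a constructed stand-in), which is enough to show the train-then-score structure. The training traces, the window length k and the alert threshold are constructed assumptions.

```python
def build_model(training_traces, k=3):
    """Collect every length-k window of system-call names seen in normal runs."""
    model = set()
    for trace in training_traces:
        for i in range(len(trace) - k + 1):
            model.add(tuple(trace[i:i + k]))
    return model


def score_trace(model, trace, k=3):
    """Return (fraction of windows never seen in training, those windows) for one trace."""
    windows = [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]
    if not windows:
        return 0.0, []  # too short to judge; a deployment would queue it until longer
    unseen = [w for w in windows if w not in model]
    return len(unseen) / len(windows), unseen


def is_anomalous(model, trace, k=3, threshold=0.2):
    """Alert when more than `threshold` of the trace's windows are unknown."""
    score, _ = score_trace(model, trace, k)
    return score > threshold


# Constructed traces of a well-behaved file-copy process.
NORMAL_TRACES = [
    ["open", "read", "read", "close"],
    ["open", "read", "write", "close"],
    ["open", "read", "read", "write", "close"],
    ["stat", "open", "read", "close"],
]

if __name__ == "__main__":
    model = build_model(NORMAL_TRACES)
    for trace in (["stat", "open", "read", "write", "close"],
                  ["open", "read", "execve", "fork", "close"]):
        score, unseen = score_trace(model, trace)
        verdict = "ANOMALY" if is_anomalous(model, trace) else "normal"
        print(f"{score:.2f} {verdict} {trace} unseen={unseen}")
```

Note that the first test trace is a combination never seen verbatim in training yet scores zero, because each of its windows was seen; the model generalises over recombinations of known fragments, which is the property that keeps false alerts down.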

The third prototype, called RID ('routing intrusion detection'), has been developed primarily by a group of the Zurich Lab’s Communications Systems department based on its core competency in routing algorithms. The GSAL is contributing to this joint project by providing expertise on the ID front. The principle of RID is to monitor a network for significant deviations from its normal behaviour. Intrusion detection is crucial for providing active security in a network. As a by-product, it also provides a means of automatically detecting potential system misconfigurations or errors that may affect overall network operation. An example of routing intrusion is a reachability attack: an intruder floods false reachability information to hijack calls or to generate a denial-of-service attack. An RID application prototype which detects reachability attacks in OSPF and PNNI has been implemented and is operational.
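The RID principle of flagging significant deviations from a network's normal routing behaviour can be sketched in Python as follows. This is an added example and not RID code; it models only the two symptoms the paragraph names, a prefix advertised by an unexpected origin (including a more-specific of someone else's prefix) and a flood of advertisements from one origin. The baseline observations, router names, prefixes and rate limits are constructed assumptions, and the advertisement records are abstracted to (origin, prefix) pairs rather than OSPF or PNNI messages.

```python
import ipaddress
from collections import defaultdict, deque


def learn_baseline(observations):
    """Map each advertised prefix to the set of routers seen originating it in normal operation."""
    baseline = defaultdict(set)
    for origin, prefix in observations:
        baseline[ipaddress.ip_network(prefix)].add(origin)
    return dict(baseline)


def check_advertisement(baseline, origin, prefix):
    """Return None if the advertisement fits the baseline, else (severity, message)."""
    net = ipaddress.ip_network(prefix)
    covering = [(known, origins) for known, origins in baseline.items()
                if known.version == net.version and net.subnet_of(known)]
    if not covering:
        return ("info", f"{origin} advertises prefix {net} never seen before")
    if any(origin in origins for _, origins in covering):
        return None  # an origin that legitimately owns this address space
    known, origins = max(covering, key=lambda item: item[0].prefixlen)
    if known == net:
        return ("alert", f"{net} normally originated by {sorted(origins)}, now by {origin}")
    return ("alert", f"{origin} advertises {net}, a more-specific of {known} owned by {sorted(origins)}")


def flood_sources(events, window=10.0, max_per_window=20):
    """Return origins that sent more than max_per_window advertisements within any window."""
    recent = defaultdict(deque)
    flagged = set()
    for t, origin in sorted(events):
        q = recent[origin]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) > max_per_window:
            flagged.add(origin)
    return flagged


# Constructed normal-period observations: (originating router, prefix).
NORMAL_OBSERVATIONS = [
    ("R1", "10.1.0.0/16"), ("R2", "10.2.0.0/16"), ("R1", "10.1.0.0/16"),
]

if __name__ == "__main__":
    base = learn_baseline(NORMAL_OBSERVATIONS)
    for origin, prefix in (("R1", "10.1.0.0/16"), ("R3", "10.1.0.0/16"),
                           ("R3", "10.1.5.0/24"), ("R2", "10.2.8.0/24"),
                           ("R2", "192.168.9.0/24")):
        print(origin, prefix, check_advertisement(base, origin, prefix))
    # Constructed burst: 30 advertisements from R3 inside three seconds.
    burst = [(i * 0.1, "R3") for i in range(30)] + [(0.0, "R1"), (5.0, "R1")]
    print("flooding:", flood_sources(burst, window=10.0, max_per_window=20))
```

An unknown prefix from any router is reported at "info" rather than "alert", which matches the paragraph's point that the same monitor surfaces misconfigurations as a by-product; only an origin contradicting the learned ownership is escalated.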

Please contact:
Andreas Wespi, IBM Zurich Research Lab, Switzerland
Tel: +41 1 724 8264