Adaptive and Behavioral Approach to New Threats
by Scott Paly - CEO of Global DataGuard, Inc. - Monday, 13 December 2004.
In the early years of the internet, most attacks were launched against individual computer systems or networks. But with the rapid growth in home PCs, broadband access and the size and complexity of the internet itself, attacks today are characterized increasingly by the use of easily available exploitation scripts, by compromising large groups of computers for use as DoS weapons, and by leveraged attacks on the infrastructure itself.

The CERT Coordination Center is an internet security clearinghouse located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University.

According to CERT, in 1988 the organization received just six reports of internet security incidents, a number which swelled to 3734 a decade later, and by 2003 the number of internet security incidents reported to CERT numbered a staggering 137,529.

“The complexity of administration of computer and network infrastructures makes it difficult to properly manage the security of computer and network resources,” CERT noted in a 2003 report.

“As the number of internet users grows and intruder tools become more sophisticated and easy to use, more people can become 'successful' intruders.”


As the threats to networks and systems have evolved, so too have the technologies deployed to meet those threats.

Most companies and agencies long ago installed firewalls, antivirus scanning software and user authentication systems. But to fully understand both the current status of their systems, and to detect and counteract developing threats, organizations are fortifying those static defense measures with more proactive and predictive security technologies.

To really understand what is going on in your network, you must do more than deploy security devices; you must also monitor your security situation on a constant basis. Intrusion detection monitoring is a major trend in the security industry.

One early form of intrusion detection, called knowledge-based monitoring, continuously scans strategic points in a network and then compares current activity against a periodically updated database of known worms, viruses and other threats.

Knowledge-based intrusion detection, also known as signature-based, provides a proven and cost-effective line of protection. But much like the more familiar virus scanning systems, knowledge-based ID can only detect and defeat known threats. When a new worm is created or when someone tweaks the code of an existing threat – events which occur with unfortunate regularity – knowledge-based systems are vulnerable until that variant is identified and cataloged.

To provide the proactive security needed in today’s dynamic IT environment, a new and more powerful form of intrusion detection has now emerged.

A behavioral approach

This new approach, called behavioral intrusion detection, uses sensors placed at strategic points throughout an organization’s network – such as at the firewall, on internal servers, databases and other locations – to monitor and analyze potential security threats.

The first generation of behavioral intrusion detection systems employed an initial ‘learning mode’ period, during which the data collected by these sensors is evaluated and stored, and used to create a profile of network behavior under typical operating conditions. Once a profile has been established, the system is switched to monitoring mode, and current network activity is compared to the profile to identify and investigate potential security threats.

Behavioral ID represents a notable advance in security protection, but those first-generation systems suffer from a time-based limitation not unlike that of library-based scans. Once the learning mode is switched off, these early generation behavioral systems can identify only those threats contained in the established and increasingly obsolete profile.

Nor can those set-profile systems adjust quickly enough to effectively monitor the changing behavior of robust enterprise networks – networks that change constantly as organizations launch new business initiatives, consumer demand fluctuates and security threats emerge and mutate.
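The contrast drawn above between a profile frozen at the end of learning mode and one that keeps adjusting, as an added Python illustration that is not code from the article or from Global DataGuard. The traffic figures are constructed, the monitored feature (connections per minute from one internal host) is assumed, and the anomaly rule (mean plus three spreads) and exponential-weighting update are assumptions chosen for the example, not the product's method.

```python
from statistics import mean, pstdev

# Constructed sample (assumed feature: connections/minute from one internal
# host). Learning mode sees normal load; monitoring mode then sees legitimate
# growth as the business changes, followed by a sudden burst such as a
# compromised host being used as a DoS weapon.
LEARNING = [40, 42, 38, 45, 41, 39, 44, 43, 40, 42]
MONITORING = [44, 47, 50, 53, 56, 60, 63, 66, 70, 400]

def build_profile(samples):
    """Learning mode: summarize typical behavior as mean and spread."""
    return {"mean": mean(samples), "std": pstdev(samples) or 1.0}

def exceeds(value, m, s, k):
    """True when value lies more than k spreads above the baseline (3-sigma
    rule assumed for this example)."""
    return value > m + k * s

def monitor_static(stream, profile, k=3.0):
    """First-generation behavioral IDS: profile frozen once learning ends."""
    m, s = profile["mean"], profile["std"]
    return [v for v in stream if exceeds(v, m, s, k)]

def monitor_adaptive(stream, profile, k=3.0, alpha=0.3):
    """Adaptive profile: the baseline keeps learning from unflagged traffic
    (exponential weighting assumed). Flagged values are not folded in, so one
    burst cannot pull the threshold up; slow deliberate creep would still need
    a cap on how far the baseline may drift from the learning-mode profile."""
    m, s = profile["mean"], profile["std"]
    alerts = []
    for v in stream:
        if exceeds(v, m, s, k):
            alerts.append(v)
            continue
        # Update the mean first, then the spread around the new mean.
        m = (1 - alpha) * m + alpha * v
        s = (1 - alpha) * s + alpha * abs(v - m)
    return alerts

if __name__ == "__main__":
    profile = build_profile(LEARNING)
    print("static profile alerts:  ", monitor_static(MONITORING, profile))
    print("adaptive profile alerts:", monitor_adaptive(MONITORING, profile))
```

The frozen profile raises an alert on every minute of the legitimate growth from 50 upward, while the adaptive profile tracks that growth and alerts only on the burst.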

Adaptive profiles
