As the field of intrusion detection systems (IDS) has evolved, the focus of custom, open, and commercial solutions has been on structural, rather than operational, analysis and detection. Structural IDS will be defined as identifying and monitoring unusual actions and objects in the network and computers participating on the network. Some examples of these actions and objects are: failed logins, strange packets, and attempts at access violations by otherwise authenticated users. Operational IDS will be defined as the procedures used to identify intruders using otherwise valid credentials and presenting no other attributes that would normally be caught by the structural IDS in place on the network.
Although structural IDS plays an important role in the continued security of a network installation, it is crude in the sense that it does not offer methods of distinguishing between two people - both logging in at the same physical terminal, using the same valid credentials, at the same time of day, on the same day of the week, and accessing the same information - one of whom is a valid user, the other an intruder. Indeed, setting alerts on failed logins, scanning and analyzing both traffic and content, and watching for deviations in the network "fingerprint" outside of the thresholds established by the administrators can only go so far. It is clear that sophisticated attackers seeking sensitive information will be using social engineering techniques to gain access, rather than using crude Denial of Service (DOS) attacks and brute forcing login credentials.
This document will explain the differences between structural and operational IDS, will discuss the shortcomings of structural IDS that make it necessary to employ operational IDS, and will offer a few examples of operational IDS in practice.
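The distinction drawn above can be made concrete with a small detector. The following is an added example, not code from the original article: a structural check (a failed-login threshold, one of the alerts named above) run beside an operational check that compares each authenticated session with a baseline of what that user has historically accessed. The log records, baselines, sessions, threshold values and function names are all constructed for this illustration.

```python
"""
Added example: structural vs. operational intrusion detection side by side.
The structural detector counts failed logins per account. The operational
detector scores a session that used valid credentials by how far its accesses
depart from the same user's own history. All data below is constructed.
"""
from collections import Counter, defaultdict

# Constructed history of (user, resource) accesses used to build baselines.
HISTORY = [
    ("alice", "/finance/q1.xls"), ("alice", "/finance/q2.xls"),
    ("alice", "/finance/q1.xls"), ("alice", "/hr/handbook.pdf"),
    ("bob", "/eng/src/main.c"), ("bob", "/eng/src/util.c"),
]

# Constructed authentication log: (user, outcome).
AUTH_LOG = [
    ("alice", "ok"), ("alice", "ok"), ("bob", "ok"),
    ("carol", "fail"), ("carol", "fail"), ("carol", "fail"), ("carol", "fail"),
]

# Constructed sessions that all authenticated successfully with valid
# credentials: (session_id, user, resources accessed during the session).
SESSIONS = [
    ("s1", "alice", ["/finance/q1.xls", "/finance/q3.xls"]),
    ("s2", "alice", ["/eng/src/main.c", "/eng/src/keys.txt", "/hr/payroll.db"]),
    ("s3", "bob", ["/eng/src/main.c"]),
]


def structural_alerts(auth_log, max_failures=3):
    """Structural IDS: accounts whose failed-login count reaches the threshold."""
    fails = Counter(user for user, outcome in auth_log if outcome == "fail")
    return {user: n for user, n in fails.items() if n >= max_failures}


def build_baseline(history):
    """Per-user set of resources that user has been seen to access before."""
    baseline = defaultdict(set)
    for user, resource in history:
        baseline[user].add(resource)
    return baseline


def novelty(baseline, user, resources):
    """Fraction of a session's accesses that hit resources the user never touched."""
    if not resources:
        return 0.0
    seen = baseline.get(user, set())
    unseen = sum(1 for r in resources if r not in seen)
    return unseen / len(resources)


def operational_alerts(baseline, sessions, max_novelty=0.6):
    """Operational IDS: sessions with valid credentials whose behaviour deviates
    from the owner's baseline beyond the allowed novelty fraction."""
    alerts = {}
    for session_id, user, resources in sessions:
        score = novelty(baseline, user, resources)
        if score > max_novelty:
            alerts[session_id] = (user, round(score, 2))
    return alerts


if __name__ == "__main__":
    # The structural check sees only carol's failures; alice's session s2
    # authenticated cleanly and is caught only by the operational check.
    print("structural:", structural_alerts(AUTH_LOG))
    print("operational:", operational_alerts(build_baseline(HISTORY), SESSIONS))
```

Session `s1` touches one new spreadsheet in a directory alice normally works in and stays under the novelty threshold, while `s2`, which used the same valid credentials, consists entirely of resources alice has never accessed and is flagged; neither session produces anything for the failed-login check to act on. A production baseline would use richer features than a set of paths (time of day, source terminal, access rate), but the structure of the comparison is the same.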
Structural and Operational IDS