Intrusion Detection: Network Security beyond the Firewall
(Publisher: John Wiley & Sons, Inc.)
Author(s): Terry Escamilla
ISBN: 0471290009
Publication Date: 11/01/98


Feedback is an important part of the generic model. The presence of some event might trigger the rule base to learn and add a new rule. If the Rule Set detects a threshold change in the Activity Profile, one response could be to alter the types, frequency, or details of events emitted from the Event Generator. Note that there is no architectural limitation on the generic model that restricts it to a single system. Each of the three main subsystems could be running on different nodes in a network, and each individual subsystem could itself be partitioned further across multiple nodes.
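The feedback loop described above, as an added example that is not code from the book: an Event Generator, an Activity Profile, and a Rule Set in one process, where a failed-login threshold rule raises an alert and feeds back to the generator to increase the detail of the events it emits. The class names, the constructed audit records, and the "summary"/"full" detail levels are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample audit records (hypothetical): (user, action, outcome)
SAMPLE_EVENTS = [
    ("alice", "login", "fail"), ("alice", "login", "fail"),
    ("alice", "login", "fail"), ("alice", "login", "success"),
    ("bob", "login", "success"), ("alice", "su", "fail"),
]


class EventGenerator:
    """Emits audit records; 'detail' is the knob the Rule Set can turn."""
    def __init__(self, events):
        self.events = list(events)
        self.detail = "summary"       # may be raised to "full" by feedback

    def emit(self):
        for user, action, outcome in self.events:
            # detail is read at yield time, so feedback applies to later records
            yield {"user": user, "action": action,
                   "outcome": outcome, "detail": self.detail}


class ActivityProfile:
    """Running per-user failure counts that the Rule Set evaluates."""
    def __init__(self):
        self.failures = defaultdict(int)

    def update(self, rec):
        if rec["outcome"] == "fail":
            self.failures[rec["user"]] += 1
        return self.failures[rec["user"]]


class RuleSet:
    """Threshold rule; crossing it alerts and feeds back to the generator."""
    def __init__(self, threshold):
        self.threshold = threshold
        self.alerts = []

    def evaluate(self, rec, count, generator):
        if rec["outcome"] == "fail" and count >= self.threshold:
            self.alerts.append((rec["user"], count))
            generator.detail = "full"   # feedback: request richer events


def run(events, threshold=3):
    """Drive the three subsystems; return (alerts, records as emitted)."""
    gen, profile, rules = EventGenerator(events), ActivityProfile(), RuleSet(threshold)
    records = []
    for rec in gen.emit():
        records.append(rec)
        rules.evaluate(rec, profile.update(rec), gen)
    return rules.alerts, records
```

In a deployment the three objects could sit on different nodes, with the feedback carried as a message from the Rule Set back to the Event Generator.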

Getting Ready to Look for Hacker Trade

The introduction of intrusion detection systems (IDS) into your environment is targeted at filling in the gaps left by other security products. In previous chapters, system and network weaknesses were identified, and recommendations were made for improving security. Despite the possible improvements, weaknesses still exist. This chapter described how I&A, access control, firewalls, and cryptography are still not enough for complete security, and why an IDS rounds out the solution.

Differences in intrusion detection products were described, and the pros and cons of different approaches were briefly mentioned. Vulnerability scanners were the focus of this chapter, although subsequent chapters will deal with network and system-intrusion detection products in more detail. System and network scanners were shown to play a vital role in securing your site because they look for evidence of hacker behavior, examine configuration weaknesses, probe for well-known security problems, and provide useful reports.

If you want to dig a bit deeper into intrusion-detection research before heading into the next few chapters, here are some pointers. Excellent papers and links for intrusion detection can be found at the COAST and UC Davis Web sites. COAST is spearheaded by Gene Spafford and cranks out some papers on intrusion detection. Some of the documents are limited to sponsors, but many have been posted electronically on the site and have been published in journals and conference proceedings. Check it out at www.coast.purdue.edu. A particularly useful page with one of the most comprehensive collections of security links is maintained there at www.coast.purdue.edu/security-links.html.

UC Davis has several IDS researchers and graduate students. Much of the original work on intrusion detection funded by DARPA involved collaboration between UC Davis and other sites such as Livermore Labs, Los Alamos, and DoD teams. Browse the pages at www.ucd.edu/security for good background and current readings. Be sure to pay a visit to the cryptography pages maintained there as well.

Visit the SRI Web site at www.csl.sri.com to see active research from some of the founding members of the IDS field. Peter Neumann and his colleagues are working on the EMERALD project there and are seeing promising results. As a final note, get your hands on conference proceedings from NISSC. These collections contain numerous papers on intrusion detection and computer security.
