Network Security: Intrusion Detection
CS 4235, Spring 2006
Asim Ali, Zachary Allen, Gregory Heim, Thang Ly
12 April 2006

Introduction

When attempting to secure a network, there is no magic bullet. No one product or piece of software can even begin to solve all network security related problems. Administrators must take a holistic approach to network security, implementing separate controls for the separate vulnerabilities in their networks. They must educate users to prevent them from compromising the network, install anti-virus software to identify and remove malicious code from the network’s systems, and put up firewalls to block malicious outsiders from entering the network.

Intrusion detection fits into its own niche within network security. Of the three major areas of security (prevention, detection, and response), intrusion detection assists network administrators with detection (“Computer”). One of the most frightening realities that a network administrator deals with is that, in many cases, he may not even be aware that his network is being attacked (especially if the attacks are unsuccessful, resulting in no symptoms). Given an infinite number of attempted attacks, at least one will eventually succeed. Thus, intrusion detection is necessary to discover these attempts, hopefully before they become an issue.

This research paper will discuss three main areas of intrusion detection. First, it will define intrusion detection, provide relevant background information on the subject, and introduce the various categories of intrusion detection systems. Next, it will discuss the historical circumstances which led to the development and evolution of intrusion detection. Finally, it will compare and contrast the intrusion detection products available in the market today, allowing the reader to find a system that they might use to protect their own network.
Background Information

In information security, we aim to preserve the confidentiality, integrity, and availability of information systems. In the most general sense, intrusion detection can be defined as “the act of detecting actions that attempt to compromise the confidentiality, integrity, and availability of a resource” (“Intrusion Detection”). There are two ways in which intrusion detection can be performed, and both deal with the review of audit logs of information system activity. It can be performed manually, which involves a person examining the audit logs or perhaps other evidence for signs of an intrusion, or it can be performed by a system that automatically reviews audit logs. Such a system is called an intrusion detection system (IDS) (“Intrusion Detection”).

Modern networks employ IDSs in order to detect unwanted manipulations to systems, ranging from attacks made by “script kiddies” with automated tools to those made by skilled, malicious hackers (“Intrusion-detection system”). These attacks may include network-based attacks against vulnerable services, data-driven attacks on applications, malicious code attacks (viruses, Trojan horses, or worms), and various host-based attacks (privilege escalation, accessing sensitive files, or unauthorized logins) (“Intrusion-detection system”). IDSs are necessary to detect those types of malicious network traffic and computer usage attacks that cannot be detected by traditional firewalls (“Intrusion-detection system”). Whereas firewalls limit the access between networks in order to prevent intrusions without ever signaling that an attack occurred, IDSs evaluate suspected intrusions once they have occurred and then signal an alarm (“Intrusion-detection system”). Firewalls also fall short in that they do not deal with attacks that originate from within their own network (“Intrusion-detection system”).
Typically, an IDS has three main components: sensors, a console, and a central engine (“Intrusion-detection system”). Sensors generate security events, the console controls the sensors and monitors events and alerts, and the central engine records the events generated by the sensors and determines if an alarm should be triggered (“Intrusion-detection system”).

There are two main locations in which an IDS can operate; it can either be host-based or network-based (“Intrusion Detection”). A host-based IDS resides on a single system, usually in the form of a software agent, trying to detect malicious activity that may be occurring on the system on which it is installed (“Intrusion-detection systems”). This agent does so by analyzing virus scanners, system activity, and system logs (system calls, application logs, or file modifications) for evidence of possibly illegitimate activity (“Host-based”). A host-based IDS focuses its efforts on the internals of a system, rather than on the external interfaces of a system as a network-based IDS would do (“Host-based”).

A network-based IDS, by contrast, is an independent system, usually connected to a hub or switch, which examines network traffic in order to identify possible intrusions (“Intrusion-detection systems”). By reading all incoming traffic and looking for suspicious patterns, a network-based IDS tries to detect common malicious acts that propagate through networks, such as port scans, denial of service attacks, and login attempts by unauthorized users (“Network”). A network-based IDS does not, however, limit itself to incoming traffic only; outgoing or local traffic can be monitored as well in order to detect possible attacks by insiders (“Network”). In reality, most IDSs used in the real world are neither purely host-based nor purely network-based. They are actually hybrids which combine the approaches used by both types.
A hybrid IDS combines data from a host agent with network information in order to form a comprehensive view of an entire network (“Intrusion-detection systems”).

Besides their classification by location, IDSs can also be classified by how they actually detect intrusions. A signature-based IDS (also known as a misuse detection IDS) identifies traffic patterns or application data presumed to be malicious by matching the data it monitors against a set of “known” attacks (“Intrusion Detection”). It works much like anti-virus software in that it compares the information it gathers to a large database of previously documented attack “signatures,” looking for specific attacks (“Intrusion-detection systems”). In this sense, a signature-based IDS is only as good as its list of attacks which it is able to detect (“Intrusion-detection systems”).

An anomaly-based IDS, on the other hand, has no predefined set of attacks for which it checks. Instead, it compares the information it gathers to a “normal” baseline based on other, previously gathered information (“Intrusion Detection”). Through self-learning, an anomaly-based IDS defines for itself what a normal system state is by statistically analyzing characteristics such as traffic load, breakdown, protocol, typical packet size, etc. (“Intrusion-detection system”). Once this baseline has been defined, it then classifies each piece of information it examines as either normal (falling within some preset range around the baseline) or anomalous (outside of that range) (“Anomaly”). Whereas a signature-based IDS is quite limited in what it can detect, an anomaly-based IDS can detect any type of misuse that is not considered normal system operation (“Anomaly”).

Once an IDS has determined that an intrusion has occurred, there are several actions that it can take.
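Before turning to what an IDS does after a detection, here is a small worked example of the signature-based matching described above. It is an added example, not code from the paper or from any product the paper names: the three signatures, the log format and the log lines are all constructed for illustration. The last log line carries a request that none of the signatures covers, which is exactly the limitation the text points out: a signature-based detector reports only what is on its list.

```python
"""Signature-based (misuse) detection over constructed web-server log lines.

Known attack patterns are compared against the request in each log line; a
request that matches no pattern is invisible to this kind of detector.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class Signature:
    sid: int            # rule identifier (constructed numbering)
    name: str
    pattern: re.Pattern


# Constructed signature database: three well-known request patterns.
SIGNATURES = [
    Signature(1001, "directory traversal in URL path", re.compile(r"(\.\./){2,}")),
    Signature(1002, "request for /etc/passwd", re.compile(r"/etc/passwd")),
    Signature(1003, "SQL tautology in query string",
              re.compile(r"'\s*or\s*'?1'?\s*=\s*'?1", re.IGNORECASE)),
]

# The request part of an Apache-style access log line: "METHOD URL PROTOCOL".
REQUEST_RE = re.compile(r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>\S+)"')


def scan(lines, signatures=SIGNATURES):
    """Return (line_number, signature_id) for every signature matching a request.
    The URL is percent-decoded first so that encoding alone cannot hide a match."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line; nothing for these signatures to match
        url = unquote(m.group("url"))
        for sig in signatures:
            if sig.pattern.search(url):
                hits.append((lineno, sig.sid))
    return hits


# Constructed access-log lines (addresses, paths and times are made up).
LOG_LINES = [
    '10.0.0.5 - - [12/Apr/2006:10:01:02 -0400] "GET /index.html HTTP/1.1" 200 1043',
    '10.0.0.9 - - [12/Apr/2006:10:01:07 -0400] "GET /cgi-bin/view?file=../../../../etc/passwd HTTP/1.1" 404 210',
    '10.0.0.9 - - [12/Apr/2006:10:01:09 -0400] "GET /login?user=admin%27%20OR%20%271%27=%271 HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/Apr/2006:10:01:15 -0400] "GET /about.html HTTP/1.1" 200 877',
    # A different SQL injection variant: no signature above describes it, so it goes unreported.
    '10.0.0.9 - - [12/Apr/2006:10:01:20 -0400] "GET /search?q=%27%3B%20drop%20table%20users HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    names = {s.sid: s.name for s in SIGNATURES}
    for lineno, sid in scan(LOG_LINES):
        print(f"line {lineno}: [{sid}] {names[sid]}")
```

Running the block reports lines 2 and 3 only; line 5 is an attack by any reasonable reading but produces no alert, because the detector has no rule for it. Adding that rule is how such a system is kept current, which is the maintenance burden the text alludes to.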
Generally, intrusion detection does not include the prevention of intrusions, and taking action to stop an intrusion or prevent it from happening again is outside of the scope of intrusion detection (“Intrusion Detection”). When an IDS detects an intrusion, it usually logs the relevant information to some kind of database, and then perhaps generates an alert in the form of an e-mail or pager message to let the appropriate party know what has occurred (“Intrusion Detection”). Most IDSs operate in this manner, and are known as “passive” systems (“Intrusion-detection system”). However, there are “reactive” systems which take actions upon detecting an intrusion, such as logging off an unauthorized user or reconfiguring a firewall to block traffic from a malicious attacker (“Intrusion-detection system”).

A Bit of History

In 1972, James P. Anderson realized that several problems existed with network security audit logs. Back then, logs existed as large amounts of dot-matrix fan-folded paper which was not easily analyzable for intrusions (Innella). In 1980, Anderson was hired to improve the security auditing and surveillance capability of a company’s systems. During the investigation, Anderson suggested that audit trails could be useful for tracking misuse and understanding user behavior (Innella). Anderson wrote his findings in the groundbreaking article “Computer Security Threat Monitoring and Surveillance,” and the concept of automated intrusion detection was born.

In his article, Anderson made many suggestions for ways to improve monitoring computer usage in order to detect misuse and intrusions. At the time, the customer kept audit trails on a weekly or monthly basis. The data was dumped into a single file from which various reports (primarily for accounting purposes) were produced. After producing these reports, the customer transferred all data to a tape, and had several years of raw data in this format.
The audit trail data was mostly distributed to customer data processing personnel (rather than IT), and in general, the users of a company database or application did not receive any relevant security audit trail data. The company’s audit data could detect unauthorized access based on user identification. However, the system was flawed; it did not take into account users who operated at a level of control that bypassed application-level auditing. By gaining access to an account, a hacker could escape detection, and even a valid programmer could abuse their privileges and access lower-level database files without leaving a trace. Since most operating systems back then lacked built-in access control mechanisms, these logs also placed a heavy burden on the customer’s system. Audit trails were rarely complete enough to support the needs of the security officers (Anderson).

Anderson divided malicious attacks into three categories: external penetration, internal penetration, and misfeasance. The categorization of an attack was based on whether or not an attacker had authorized access to the computer they were penetrating and whether or not that attacker had access to the resources that they were accessing. External penetration occurs when the attacker has neither access to the computer nor the resource. Internal penetration occurs when the attacker has gained use of a machine, and has thus overcome a major barrier to unauthorized access. Misfeasance involves the misuse of authorized access both to the system and to its data (Anderson).

In order to detect abnormal use, Anderson proposed creating a profile of the characteristics of normal computer use for legitimate users doing legitimate tasks. A user’s profile included both the list of programs they usually ran as well as the data files that entered their programs.
Also, several time parameters were included, such as the time of day a job was run, the day of the week the job was run, and the amount of time the job took to run. Abnormal behavior could then be detected by viewing the variability in these time parameters, usually by viewing the sum of the squares of the absolute values of the difference between the average time for a user and a measured time, with the formula $\text{score} = \sum_{i=1}^{24} |A_i - B_i|^2$. This formula showed whose login patterns exhibited the greatest variability, which may have been the result of illicit use. If a parameter ever fell more than 2.58 standard deviations from the mean in either direction, this would be reported as an exception (Anderson). Obviously, these ideas very closely resemble an anomaly-based IDS.

In 1983, Dr. Dorothy Denning of SRI International began working on a new IDS for the government. Denning and Dr. Peter Neumann created the Intrusion Detection Expert System (IDES), the first functional IDS, for a Navy SPAWAR contract. The system’s goal was to analyze audit trails from government mainframe computers and to create profiles of users (Innella).

In 1987, Denning published “An Intrusion-Detection Model,” based on the hypothesis that security violations can be detected by monitoring a system’s audit records for abnormal patterns of system usage. In her paper, Denning theorized that four factors motivated the development of a real-time intrusion detection system. First, security flaws in existing systems allowed intrusions, and finding and fixing all these deficiencies was not feasible for technical and economic reasons. Second, existing systems had flaws that could not be replaced by more secure systems due to important features which only existed in the less secure systems. Third, creating a system which was completely secure was almost impossible. Lastly, secure systems were still open to misuse and abuse by insiders (Denning).
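Anderson’s scoring from the paragraph above, worked through in code as an added example (this is not code from the paper or from Anderson’s 1980 report): each user’s logins are binned by hour of day, the bins are averaged over past periods to give $A_i$, the current period gives $B_i$, and $\text{score} = \sum_{i=1}^{24} |A_i - B_i|^2$ ranks users by how far they have drifted from their own history. The 2.58-standard-deviation exception rule is applied separately to a single timing parameter, a job’s run time. All sample data (login hours, job run times) is constructed, and using a week as the observation period is an assumption of this example.

```python
"""Anderson-style login-profile scoring (constructed example).

A_i: a user's average number of logins in hour-of-day i over past periods.
B_i: the count for the period under review.
score = sum_{i=1}^{24} |A_i - B_i|^2 ranks users by how far the current
period departs from their own history.  A separate 2.58-standard-deviation
rule flags a single timing parameter (here, a job's run time) as an exception.
"""
import statistics

HOURS = 24


def hourly_profile(login_hours):
    """Bin login hours (0-23) into a 24-slot histogram, one count per hour of day."""
    profile = [0] * HOURS
    for hour in login_hours:
        profile[hour % HOURS] += 1
    return profile


def average_profile(profiles):
    """A_i: the mean count in each hour across several past observation periods."""
    return [sum(p[i] for p in profiles) / len(profiles) for i in range(HOURS)]


def anderson_score(average, observed):
    """score = sum over the 24 hours of |A_i - B_i|^2; larger means more unusual."""
    return sum(abs(a - b) ** 2 for a, b in zip(average, observed))


def rank_users(history, current):
    """history: user -> list of past periods, each a list of login hours.
    current: user -> login hours in the period under review.
    Returns (score, user) pairs with the most variable user first."""
    scored = []
    for user, past_periods in history.items():
        average = average_profile([hourly_profile(p) for p in past_periods])
        scored.append((anderson_score(average, hourly_profile(current[user])), user))
    return sorted(scored, reverse=True)


def is_exception(past_values, measured, z=2.58):
    """Anderson's exception rule: a parameter more than z standard deviations
    from its historical mean, in either direction, is reported."""
    mean = statistics.mean(past_values)
    sd = statistics.stdev(past_values)
    return abs(measured - mean) > z * sd


# Constructed sample data: hours of day at which each user logged in, per past week.
HISTORY = {
    "analyst": [[9, 9, 10, 14, 14, 15], [9, 10, 10, 14, 15, 15]],
    "operator": [[8, 8, 12, 16], [8, 12, 12, 16]],
}
# Constructed current week: the analyst adds three logins in the small hours.
CURRENT = {
    "analyst": [9, 10, 14, 15, 2, 2, 3],
    "operator": [8, 8, 12, 16],
}
# Constructed run times (seconds) of one batch job over eight past runs.
JOB_RUNTIMES = [60, 62, 58, 61, 59, 60, 63, 57]

if __name__ == "__main__":
    for score, user in rank_users(HISTORY, CURRENT):
        print(f"{user:10s} score={score:.2f}")
    for measured in (64, 66):
        print(f"run time {measured}s exception: {is_exception(JOB_RUNTIMES, measured)}")
```

The analyst scores 6.0 against the operator’s 0.5, so the analyst’s week is the one a reviewer would look at first. For the job run times, the history has mean 60 s and sample standard deviation 2 s, so the 2.58σ band is about ±5.2 s: a 64-second run is inside it and a 66-second run is reported.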
Denning’s model borrowed a lot from Anderson’s in that it was highly statistically based. Her model included six main components: subjects (who initiate activity), objects (the resources in the system: files, commands, devices, etc.), audit records (created by the system and based on the actions of the subjects), profiles (structures which characterize the subject’s behavior), anomaly records (created when abnormal behavior is detected), and activity rules (actions taken when certain conditions are met). The model worked as a rule-based pattern matching system which observed standard operations on the system, looking for abnormal usage (Denning).

Activity profiles for a subject’s behavior were recorded in terms of a statistical metric and a model. The metric represented a quantitative measure calculated over a period of time. Types of metrics included the event counter (number of audit records satisfying some property), interval timer (the length of time between two related events), and resource measures (the quantity of resources used by an action). The statistical models contained metrics and determined if a new observation was abnormal compared with previously found values (Denning).

These two groundbreaking papers set the stage for future progress in the realm of intrusion detection. In 1989, Haystack Labs became the first commercial vendor of IDS tools. Among these was Stalker, a host-based, signature-based IDS (Innella). During the early 1990s, Science Applications International Corporation (SAIC) introduced the Computer Misuse Detection System (CMDS), a host-based IDS (Innella). In 1990, Todd Heberlein introduced the ideas of network-based intrusion detection and distributed IDSs (dIDS) (Innella). That same year, the Air Force’s Cryptologic Support Center created the Automated Security Measurement System (ASIM), which monitors network traffic on the US Air Force’s network.
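The six components of Denning’s model, arranged as a small batch detector, added here as an example (it is not code from Denning’s paper or from IDES): constructed audit records for three subjects, a profile for each built from one metric of each kind listed above (event counter, interval timer, resource measure) with a mean and standard deviation model, and an activity rule that emits an anomaly record when a new observation falls outside that model. The 2.58-standard-deviation threshold, the per-day bucketing of the event counter, and every record value are assumptions of this example.

```python
"""Denning's intrusion-detection model as a small batch detector (constructed example).

Subjects act on objects and leave audit records; a profile characterizes a
subject with a metric (event counter, interval timer, resource measure) and a
statistical model (mean and standard deviation); an activity rule creates an
anomaly record when a new observation does not fit the profile.
"""
from dataclasses import dataclass
import statistics

DAY = 86400  # per-day bucketing of the event counter is an assumption of this example

@dataclass(frozen=True)
class AuditRecord:
    subject: str        # who initiated the activity
    action: str         # "login", "login_fail", "exec"
    obj: str            # the resource acted on: a terminal, file, command
    ts: int             # constructed timestamp, seconds
    resource: int = 0   # resource consumed by the action, e.g. CPU milliseconds

@dataclass(frozen=True)
class AnomalyRecord:
    subject: str
    metric: str
    value: float
    mean: float
    stdev: float

# --- metrics: each turns a subject's audit records into an ordered series ---
def event_counter(records, subject, action):
    """Number of `action` records per day on which `subject` was active at all."""
    per_day = {}
    for r in records:
        if r.subject != subject:
            continue
        day = r.ts // DAY
        per_day.setdefault(day, 0)
        if r.action == action:
            per_day[day] += 1
    return [per_day[d] for d in sorted(per_day)]

def interval_timer(records, subject, action):
    """Seconds between consecutive `action` records of `subject`."""
    times = sorted(r.ts for r in records if r.subject == subject and r.action == action)
    return [later - earlier for earlier, later in zip(times, times[1:])]

def resource_measure(records, subject, action):
    """Resource consumed by each `action` record of `subject`, in time order."""
    return [r.resource for r in sorted(records, key=lambda r: r.ts)
            if r.subject == subject and r.action == action]

METRICS = {
    "count:login_fail": (event_counter, "login_fail"),
    "interval:login": (interval_timer, "login"),
    "resource:exec": (resource_measure, "exec"),
}

# --- statistical model: mean and standard deviation -------------------------
def is_abnormal(history, value, k=2.58):
    """True if `value` lies more than k standard deviations from the mean of `history`.
    Fewer than two observations form no profile; with zero spread, any departure
    from the single observed value counts as abnormal."""
    if len(history) < 2:
        return False
    mean = statistics.mean(history)
    sd = statistics.stdev(history)
    if sd == 0:
        return value != mean
    return abs(value - mean) > k * sd

# --- activity rule: compare new records with baseline profiles --------------
def detect_anomalies(baseline, new):
    """Build each subject's profiles from `baseline`, evaluate only the observations
    that `new` contributes, and return one AnomalyRecord per abnormal observation."""
    anomalies = []
    combined = baseline + new
    for subject in sorted({r.subject for r in new}):
        for name, (metric, action) in METRICS.items():
            history = metric(baseline, subject, action)
            series = metric(combined, subject, action)
            for value in series[len(history):]:  # observations added by `new`
                if is_abnormal(history, value):
                    anomalies.append(AnomalyRecord(subject, name, value,
                                                   statistics.mean(history),
                                                   statistics.stdev(history)))
    return anomalies

def _rec(subject, action, obj, day, offset, resource=0):
    return AuditRecord(subject, action, obj, day * DAY + offset, resource)

# Constructed baseline: five days of ordinary activity for three subjects.
BASELINE = (
    [_rec("alice", "exec", "payroll", d, 9 * 3600, cpu) for d, cpu in enumerate([100, 110, 90, 105, 95])]
    + [AuditRecord("bob", "login", "tty1", ts) for ts in (0, 86000, 172800, 259000, 345600)]
    + [_rec("carol", "login", "tty2", d, 8 * 3600) for d in range(5)]
    + [_rec("carol", "login_fail", "tty2", d, 8 * 3600 - 60 * (i + 1))
       for d, n in enumerate([1, 0, 2, 1, 1]) for i in range(n)]
)
# Constructed new records: one unremarkable and one abnormal observation per subject.
NEW = (
    [_rec("alice", "exec", "payroll", 5, 9 * 3600, 500),   # five times the usual CPU
     _rec("alice", "exec", "payroll", 6, 9 * 3600, 112),   # within the usual spread
     AuditRecord("bob", "login", "tty1", 345600 + 3600),   # an hour after the last login, not a day
     _rec("carol", "login", "tty2", 5, 8 * 3600)]          # the usual daily login
    + [_rec("carol", "login_fail", "tty2", 5, 8 * 3600 - 60 * (i + 1)) for i in range(6)]
)

if __name__ == "__main__":
    for a in detect_anomalies(BASELINE, NEW):
        print(f"{a.subject}: {a.metric}={a.value} (mean {a.mean:.1f}, sd {a.stdev:.1f})")
```

Run stand-alone, the detector produces exactly three anomaly records: alice’s 500 ms payroll run (resource measure), bob’s login an hour after his previous one (interval timer), and carol’s six failed logins in one day against a history of at most two (event counter). Alice’s 112 ms run and carol’s regular login pass without comment, which is the point of profiling against each subject’s own history rather than a fixed threshold.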
ASIM was designed for scalability and portability, issues that had previously inhibited network-based IDS products. It was the first hybrid IDS, a system that combined both hardware and software (Innella). In 1994, the Wheel Group introduced NetRanger, the first commercially viable network-based IDS (Innella). In 1998, Presidential Decision Directive 63 (PDD-63) “[set] a goal of a reliable, interconnected, and secure information system infrastructure by the year 2003” (Clinton), bringing information security into the public eye and prompting more companies to produce IDS products. Within a few years, companies such as ISS, Cisco, Symantec and others created their own IDS products or merged with companies that sold them (Innella).

Product Comparison

Due to the increasing concern over information security, many companies have introduced a wide variety of IDS products. Obviously, due to the multitude of products currently on the market, this report can only cover a small portion of them. Instead, it will concentrate on products from major, well-trusted companies and extremely popular systems, rather than smaller companies or systems for specialty networks or hosts.

Cisco, one of the leading manufacturers of networking equipment, sells IDS products. The Cisco Intrusion Detection System has the ability to simultaneously protect multiple network subnets through its support for multiple sniffing interfaces, thereby delivering up to five sensors in one. The Cisco Secure IDS Sensors incorporate user-defined feedback, so that the system can automatically eliminate specific connections identified with the unauthorized activity. Only the unauthorized traffic from internal users or external intruders will be quickly and effectively removed. By instantly changing Access Control Lists (ACLs) of Cisco routers as unauthorized activity is detected, Cisco Secure IDS can dramatically improve security posture (“Cisco Intrusion”).
In addition to the Cisco Intrusion Detection System, Cisco offers a broad family of products, all of which are priced according to the amount of traffic that they can handle. Smaller businesses can pay less for a system that handles less traffic, while larger businesses can spend more for a system that handles more traffic. For smaller businesses, Cisco offers the Cisco Secure IDS-4210 Sensor and Cisco IDS-4215-K9 Sensor, which handle 45 Mbps and 80 Mbps of traffic respectively. Either can be easily purchased for less than $8,000. Larger businesses would be more interested in the Cisco IDS-4235-K9 or Cisco IDS-4250-TX-K9, which handle up to 200 Mbps and 500 Mbps of traffic and sell for less than $19,000 and $25,000 respectively (“Cisco Intrusion”).

Symantec, an information security company famous for its anti-virus software, produces Symantec Host IDS. Symantec Host IDS protects information assets with a complete library of intrusion detection signatures, and includes regular updates from Symantec (“Enterprise”). The basic system sells from around $280 to $330 per copy (“Symantec Host”). Symantec also offers a few add-ons. ManHunt Smart Agent allows IT administrators to feed events from an IDS into ManHunt in order to monitor and analyze the events from the ManHunt administration console. This add-on is available for Symantec Host IDS, as well as several other IDS systems (“Symantec Announces”).

McAfee, another company famous for anti-virus software, produces the McAfee IntruShield. The product family includes IntruShield 4000, IntruShield 2600, and IntruShield 1200, scaling from hundreds of Mbps to multi-gigabit bandwidth rates. Each level of IntruShield is available in two styles. IntruShield Global Manager provides global intrusion prevention system (IPS) deployments of up to several hundred sensors. IntruShield Manager is suited for distributed deployments supporting up to six sensors.
Both systems feature virtual IPSs and an internal firewall to protect from overlapping hybrid attacks. IntruShield also uses selective blocking of attacks that can be user-initiated or automated. The sensors can selectively block malicious packets or sessions (without affecting legitimate traffic), terminate offending sessions, reconfigure firewall ACLs, log packet sessions, and generate notifications by e-mail, PDA, and pager (“McAfee IntruShield 1200”).

Different products in the IntruShield family are oriented towards businesses of varying sizes. For small business use, McAfee makes the IntruShield 1400 and 1200. They can handle up to 200 Mbps of traffic on up to four Fast Ethernet ports (“McAfee® IntruShield® Network”) and sell for around $6,000 to $12,000 (“McAfee IntruShield - Froogle”). Larger businesses can choose from the IntruShield 2700, 3000, 4000, and 4010, which vary from 600 Mbps to 2 Gbps and have between 4 and 12 ports. Each product is available in copper and fiber (“McAfee® IntruShield® Network”).

Tripwire, Inc., a leader in auditing software, concentrates on two IDS products. Tripwire for Servers is designed for smaller organizations. It monitors servers and desktops and allows management of thousands of installations. The system uses Secure Sockets Layer (SSL), a security protocol that supplies authentication and data encryption protection for every communication link between the Tripwire-equipped servers and the Tripwire Manager. It also allows the user to create a “golden build” state of proper use for comparison and provides multi-vendor support for monitoring servers and detecting changes (“Change”). Tripwire for Servers sells for around $9,000 (“Techworld.com”). Tripwire Enterprise is designed for larger organizations. It automatically directs third-party tools to immediately restore changed systems to their trusted state and prides itself on its thorough change archive.
The system produces customizable reports and dashboards to document the effectiveness of changes in management processes and provides security for “millions of elements” including files, directories, registry settings, directory server objects, and configuration files (“Tripwire”). Tripwire Enterprise costs $3,999 for the server software, plus $595 per agent and $125 per agentless device on which it is placed (“Review”).

Enterasys Dragon is well known for its wide variety of products for both host and network IDSs. The Dragon® Host Sensor and Web Server Intrusion Prevention determines if content has been changed via an MD5 hash. It also analyzes log files or directories against signature policy and monitors for opened TCP and UDP ports for protection against backdoor services. It detects suspicious privilege escalations and other signs of kernel-level compromise and provides an open and easy interface for custom module development (“Enterasys Dragon® Host”). The system costs anywhere from $540 to $625 for one user license (“Dragon”) or $47,100 for a 100-user license (“Buy”).

Dragon Network Defense consists of three parts: Dragon Security Command Console, a security information manager (SIM); Dragon Behavioral FlowProcessor; and Dragon Behavioral Flow Sensor. Different models of the three parts can be chosen, allowing organizations to customize the system to their specific needs. The system also provides a “before, during and after” view of vulnerabilities and uses a flow-based architecture for granular monitoring and data collection. It detects zero-day attacks, worms, viruses, DDoS attacks and other threats before they can spread, with more than 10,000 signatures and events mapped to Dragon (“Enterasys Dragon® Network”).

Sourcefire is an IDS from the creators of Snort (“SOURCEFIRE”). It provides line speeds from 3 Mbps to 4 Gbps (“SOURCEFIRE”).
The hardware, software, and operating system are optimized for mission-critical applications with a latency of approximately 100 µs (“Sourcefire Network”). Sourcefire provides protection for VoIP (“Sourcefire Network”). Sensor throughput varies between models (“SOURCEFIRE”). The models range from the IS500, with a throughput of 5 Mbps and a price tag of $3,500, to the IS5800, with a throughput of up to 8 Gbps and a cost of $78,500 (immixTechnology).

Issues

As with any technology, there are several issues concerning IDSs that must be considered. In security, one of the fundamental tradeoffs is that of security versus performance. As we make a system more secure, we inevitably hinder performance, and IDSs are no exception to this rule. Even at their inception, Anderson noted that as the number of legitimate users of a system grows, an IDS will begin to log an extremely high amount of login information, consuming system resources such as CPU time and disk storage space (Anderson). If we attempt to remedy this problem by limiting the amount of login audit data we collect, the IDS becomes less effective, hindering security (Anderson).

Network-based IDSs suffer greatly from this performance problem. During a flood-type attack (or any period of high traffic), most network-based IDSs become so busy capturing packets that they cannot readily analyze them to deduce that a denial of service attack is occurring (Bace). An attack can sometimes cause the IDS to crash, rendering it ineffective. If the IDS does in fact detect the attack and drops packets in order to keep itself online, we lose security because we will never be able to analyze the dropped packets (Ranum).

IDSs also tend to suffer from a problem with false positives (McClure). It is desirable to minimize the number of false positives that are triggered, as they are extremely bothersome.
Whenever an IDS generates an alert, the person responsible for receiving alerts has to respond, perhaps taking time away from other important work. These false alarms greatly reduce productivity.

During its initial period of installation, an anomaly-based IDS has to analyze a large amount of information in order to form its baseline, often requiring extensive “training sets” of system event records in order to characterize normal behavior patterns (Bace). During this initial training phase, the IDS produces many false positives (“Understanding”). However, after training, even legitimate users (and networks) can often exhibit behavior which is “abnormal” (Bace). The very nature of a job may be irregular; an employee may work on a problem for varying amounts of time and at all times of the day, making it very hard for the IDS to determine what normality is (Anderson). Thus, although false positives can be minimized over time, they can never be reduced to zero, and there will always be some annoyance for security personnel.

Besides issues with performance and false positives, several smaller issues with IDSs also exist. First, consider what happens when an IDS logs a series of invalid login attempts. Someone reviews the logs, and tries to determine if an outside attacker is attempting to crack into the network. But what if a legitimate user just mistyped his password several times? The log reviewer then sees several close mutations of a legitimate login in the audit log, and may be able to deduce the actual password for an account to which he is not authorized (Anderson). Next, consider a case in which host-based IDSs are installed for use in a distributed system. They are difficult to manage, as individual differences between systems require administrators to customize each installation (Bace). Besides sapping the CPU time and eating up storage space on their host system, they make tempting targets for attackers as well.
Host-based IDSs are susceptible to denial-of-service attacks, as they generally focus more on application data and system calls than network packets. Once the IDS has been disabled via a denial-of-service attack, the attacker can then hack into the system undetected (Bace).

Also, IDSs cannot read encrypted traffic (McClure). Although they may be able to monitor the flow of packets throughout a network, IDSs cannot actually discern the upper-layer contents of most of those packets. If a malicious user launches an attack at the application layer, all of the packets he sends will remain encrypted until they reach the application layer of the target host. IDSs generally do not monitor application data as closely as system data, and thus they are more vulnerable at the application layer. As is the case with a denial-of-service attack, an application-level attack may disable the IDS, leaving the computer open for hacking (Bace).

There is even some debate over whether or not IDSs are effective at all. All an IDS can do is tell you that you have been attacked. It cannot actually back-track the attacker, which would be very difficult anyway for even the most technically skillful expert (Howarth). It cannot determine if the attack was successful, only that it occurred (Bace). Even Anderson noted that some malicious users (particularly insiders) can be nearly impossible to detect, as they possess correct usernames and passwords and never log in at inappropriate times (Anderson).

Conclusion

Intrusion detection fills a needed role in network security. Most companies today have to worry more about corporate espionage and internal spies than random outside attacks, which are much easier to detect and prevent. Anderson and Denning realized that outside attacks as well as internal attacks and internal misuse could all be detected by analyzing already existing audit log data.
Because of their papers, there exists today a great variety of intrusion detection systems, all of which alert network administrators whenever anything suspicious occurs which may be an attack. Recent commercial and political interest in information security, as emphasized in PDD-63, has encouraged a commercial explosion of intrusion detection products. These products cater to a wide range of customers with different needs and different budgets. However, IDSs are by no means a panacea for network security. They provide one piece of the puzzle, a means by which to detect attacks that slip through other network defenses. Not only must they be combined with other controls, but they have their own slew of issues due to their relative infancy. We are confident, though, that future research will come up with solutions to these issues, and IDSs will become as commonplace in networks as firewalls and backups.

Works Cited

Anderson, James P. “Computer Security Threat Monitoring and Surveillance.” History of Computer Security. 26 Feb. 1980. Computer Security Resource Center. 18 Mar. 2006 <http://csrc.nist.gov/publications/history/ande80.pdf>.

“Anomaly-based intrusion detection system.” Wikipedia: The Free Encyclopedia. 21 Aug. 2005. 14 Mar. 2006 <http://en.wikipedia.org/wiki/Anomaly-based_intrusion_detection_system>.

Bace, Rebecca, and Peter Mell. “Intrusion Detection Systems.” NIST Computer Security Special Publications. Nov. 2001. National Institute of Standards and Technology. 18 Mar. 2006 <http://csrc.nist.gov/publications/nistpubs/800-31/sp800-31.pdf>.

“Buy Enterasys DSHSS7-100-LIC at Provantage.” Provantage. 24 Mar. 2006 <http://www.provantage.com/enterasys-dshss7-100-lic~7CABD02H.htm>.

“Change Auditing, Server Monitoring & Security for System Availability | Tripwire for Servers.” Tripwire. 24 Mar. 2006 <http://www.tripwire.com/products/servers/index.cfm>.

“Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide.” Cisco Systems, Inc. 2004. 4 Mar. 2006 <http://www.cisco.com/application/pdf/en/us/guest/products/ps4077/c2001/ccmigration_09186a0080362cc6.pdf>.

Clinton, William J. “Protecting America’s Critical Infrastructures (PDD 63).” 22 May 1998. 8 Apr. 2006 <http://www.fas.org/irp/offdocs/pdd-63.htm>.

“Computer insecurity.” Wikipedia: The Free Encyclopedia. 8 Apr. 2006. 10 Apr. 2006 <http://en.wikipedia.org/wiki/Computer_insecurity>.

Denning, Dorothy. “An Intrusion-Detection Model.” IEEE Trans. on Software Eng. Feb. 1987. IEEE. 18 Mar. 2006 <http://www.cs.georgetown.edu/~denning/infosec/ids-model.rtf>.

“Dragon® Host Sensor and Web Server Intrusion Prevention - Froogle.” Froogle. 4 May 2006 <http://froogle.google.com/froogle_cluster?q=Dragon%C2%AE+Host+Sensor+and+Web+Server+Intrusion+Prevention&pid=4813673996736868239&oid=12490298336077519952&btnG=Search+Froogle&scoring=mrd&hl=en>.

“Enterasys Dragon® Host Sensor and Web Server Intrusion Prevention.” Enterasys. 24 Mar. 2006 <http://www.enterasys.com/products/ids/DSHSS7/>.

“Enterasys Dragon® Network Defense.” Enterasys. 24 Mar. 2006 <http://www.enterasys.com/products/ids/DSIMBA7/>.

“Enterprise: Products & Services - Symantec Corp.” Symantec. 24 Mar. 2006 <http://www.symantec.com/Products/enterprise?c=prodinfo&refId=864&cid=1005>.

“Host-based intrusion-detection system.” Wikipedia: The Free Encyclopedia. 26 Jan. 2006. 14 Mar. 2006 <http://en.wikipedia.org/wiki/Host-based_intrusion-detection_system>.

Howarth, Fran. “Enterprises under attack - the role of intrusion prevention technologies.” IT-Director. 4 Mar. 2006 <http://www.itdirector.com/article.php?articleid=12736>.

“immixTechnology - GSA Schedule Pricing.” immixTechnology. 24 Mar. 2006 <http://www.immixtechnology.com/contracts/gsa_pricing.cfm?ID=210>.

Innella, Paul. “The Evolution of Intrusion Detection Systems.” SecurityFocus. 16 Nov. 2001. 29 Mar. 2006 <http://www.securityfocus.com/infocus/1514>.

“Intrusion Detection.” Wikipedia: The Free Encyclopedia. 3 Jan. 2006. 4 Mar. 2006 <http://en.wikipedia.org/wiki/Intrusion_Detection>.

“Intrusion-detection system.” Wikipedia: The Free Encyclopedia. 6 Mar. 2006. 14 Mar. 2006 <http://en.wikipedia.org/wiki/Intrusion-detection_system>.

“McAfee IntruShield 1200, 1400, and 2700 Network IPS Appliances.” McAfee. 4 Mar. 2006 <http://www.mcafee.com/us/local_content/datasheets/ds_intrushield_ips_app.pdf>.

“McAfee IntruShield - Froogle.” Froogle. 4 Mar. 2006 <http://froogle.google.com/froogle?hl=en&lr=lang_en&safe=off&btnG=Search&q=McAfee+IntruShield&lmode=online&sa=N&start=0>.

“McAfee® IntruShield® Network IPS Appliances.” McAfee, Inc. 2006. 4 Mar. 2006 <http://www.mcafee.com/us/products/mcafee/network_ips/intrushield_appliances.htm>.

McClure, Stuart, and Joel Scambray. “Once-promising intrusion detection systems stumble over a myriad of problems.” InfoWorld (2005). 4 Mar. 2006 <http://www.infoworld.com/articles/op/xml/00/12/11/001211opswatch.html>.

“Network intrusion detection system.” Wikipedia: The Free Encyclopedia. 31 Jan. 2006. 14 Mar. 2006 <http://en.wikipedia.org/wiki/Network_intrusion_detection_system>.

Ranum, Marcus J. “Intrusion Detection: Challenges and Myths.” WindowSecurity.com (2002). 4 Mar. 2006 <http://www.windowsecurity.com/whitepaper/info/ids/ids_mythe.html>.

“Review: Tripwire Enterprise provides robust, intrusion reporting.” SearchSecurity.com. 4 Mar. 2006 <http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1104336,00.htm?track=IDSLG>.

“Sourcefire Network Security - Intrusion Sensor.” Sourcefire. 24 Mar. 2006 <http://www.sourcefire.com/products/is5800.html>.

“SOURCEFIRE PRODUCT OVERVIEW: Sourcefire 3D System.” Sourcefire. 4 Mar. 2006 <http://www.sourcefire.com/products/downloads/public/sf_prod_overview.pdf?a=1&b=2#go>.

“Symantec Announces ManHunt Smart Agent for Symantec Host IDS.” Symantec. 24 Mar. 2006 <http://www.symantec.com/press/2003/n030127a.html>.

“Symantec Host IDS - Froogle.” Froogle. 4 Mar. 2006 <http://froogle.google.com/froogle_cluster?q=%22Symantec+Host+IDS%22&pid=2051809816615309311&oid=699296812918247440&btnG=Search+Froogle&scoring=mrd&hl=en>.

“Techworld.com - Tripwire for Servers/Manager 4.” Techworld.com. 24 Mar. 2006 <http://www.techworld.com/opsys/reviews/index.cfm?ReviewID=57&ProductID=57>.

“Tripwire Enterprise | The Premiere Change Auditing Solution for IT Infrastructure.” Tripwire. 24 Mar. 2006 <http://www.tripwire.com/products/enterprise/index.cfm>.

“Understanding Intrusion Detection Systems.” NISCC Technical Note 19. Nov.-Dec. 2003. 18 Mar. 2006 <http://www.niscc.gov.uk/niscc/docs/re-20031119-00729.pdf?lang=en>.