Beyond Intrusion Detection

By Dr. Myron L. Cramer

Niksun Directions In Convergence Conference
Las Vegas, Nevada

January 11, 2007


This paper discusses the need to go beyond network intrusion detection in order to respond to the evolution of today's information infrastructures and the phenomenon of "convergence". Convergence refers to the overlapping and integration of a variety of services. We see this today in both consumer and business applications. In looking at the impact of convergence on network intrusion detection, it is useful to consider the historical context.

Historical Background

The origin of network intrusion detection was focused at the network packet level. Network intrusion detection is based on the premise that we can monitor network packets, compare them to catalogued attack signatures, and generate alarms when we have matches. This is the way these systems were programmed. Examples of the most successful network intrusion detection systems include Cisco's NetRanger, ISS's RealSecure, and Enterasys' Dragon.

The dirty little secret about network intrusion detection is that it is not as easy as the product companies would like us to believe. Most situations are not black or white, but are shades of gray: it is not clear at the time that alarms are generated whether they were triggered by normal or intrusive activity. The challenge for the analyst has always been to distinguish the actual security events from the much larger number of alarms triggered by suspicious activity and generated by any automated network intrusion detection system. The analyst who is the first to receive the notifications and see the initial alarms rarely has the time to stop what he is doing and conduct an investigation. He needs to continue monitoring the near-real-time events. As a result, the best enterprise-level information assurance practices are organized in stages or tiers. The first tier is limited to the immediate assessment and response. The many events that cannot be immediately assessed are then passed on to a second-tier activity for more detailed investigation and analysis following the real-time monitoring. The second tier conducts the more detailed follow-up investigations and forensic analyses of the vast number of suspicious events captured by automated network intrusion detection systems. It is also true that intrusions can be constructed from sequences of entirely normal activities and functions, none of which is individually harmful or trips an intrusion detection alarm.
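The three ideas in the two paragraphs above (signature matching on packets, the two-tier triage of the resulting alarms, and intrusions built from individually normal steps) can be shown together in a few functions. This is an added example written for this page, not code from the paper or from any of the products it names; the packets, signatures, activity records, the authorized scanner address 10.0.9.9 and the tier-1 capacity figure are all constructed for illustration.

```python
"""Signature matching, tiered triage and sequence correlation.

Added example; not code from the paper or any product it names. The
packets, signatures, activity records and capacity figures are constructed.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float          # seconds since start of capture
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Alarm:
    ts: float
    signature: str
    src: str
    dst: str
    tier: int = 1      # 1 = immediate assessment, 2 = follow-up investigation


# Catalogued attack signatures: (name, destination port, payload substring).
# Constructed for illustration; not rules from any real IDS.
SIGNATURES = [
    ("shell-in-http-path", 80, b"/bin/sh"),
    ("sql-comment-in-query", 80, b"' OR 1=1--"),
    ("smtp-vrfy-probe", 25, b"VRFY "),
]

# Constructed traffic sample. 10.0.9.9 is the organisation's own scanner.
PACKETS = [
    Packet(0, "10.0.0.5", "10.0.1.10", 80, b"GET /index.html"),
    Packet(1, "10.0.0.5", "10.0.1.10", 80, b"GET /cgi-bin/x?cmd=/bin/sh"),
    Packet(2, "10.0.9.9", "10.0.1.10", 80, b"GET /?id=' OR 1=1--"),
    Packet(3, "10.0.0.7", "10.0.1.20", 25, b"VRFY root"),
    Packet(4, "10.0.0.7", "10.0.1.20", 25, b"VRFY admin"),
    Packet(5, "10.0.0.8", "10.0.1.10", 80, b"GET /?q=/bin/sh"),
]


def match_signatures(packets):
    """The NIDS premise: compare every packet against the catalogue, alarm on a match."""
    alarms = []
    for p in packets:
        for name, port, needle in SIGNATURES:
            if p.dport == port and needle in p.payload:
                alarms.append(Alarm(p.ts, name, p.src, p.dst))
    return alarms


def first_tier_triage(alarms, authorized_sources, capacity):
    """Tier 1: close what can be explained at once, assess up to `capacity`
    alarms in near-real time, and hand the remainder to tier 2."""
    closed, assessed, escalated = [], [], []
    for a in sorted(alarms, key=lambda a: a.ts):
        if a.src in authorized_sources:
            closed.append(a)             # matches, but from an authorized scanner
        elif len(assessed) < capacity:
            assessed.append(a)
        else:
            a.tier = 2
            escalated.append(a)          # backlog for follow-up investigation
    return closed, assessed, escalated


# Host and application activity, each record normal on its own.
# Constructed: (ts, activity, host).
ACTIVITY = [
    (100, "login", "srv-a"),
    (200, "bulk-read", "srv-a"),
    (250, "login", "srv-b"),
    (300, "outbound-transfer", "srv-a"),
    (2000, "bulk-read", "srv-b"),
    (2100, "outbound-transfer", "srv-b"),
]
CHAIN = ("login", "bulk-read", "outbound-transfer")


def correlate_sequence(events, chain=CHAIN, window=600):
    """Flag hosts where the steps of `chain` occur in order within `window` seconds,
    even though no single step would trip a packet signature."""
    progress = {}        # host -> (index of next expected step, ts of first step)
    hits = []
    for ts, kind, host in sorted(events):
        idx, start = progress.get(host, (0, ts))
        if idx > 0 and ts - start > window:
            idx, start = 0, ts          # window expired; start over
        if kind == chain[idx]:
            if idx == 0:
                start = ts
            idx += 1
            if idx == len(chain):
                hits.append((host, start, ts))
                idx = 0
        progress[host] = (idx, start)
    return hits


if __name__ == "__main__":
    alarms = match_signatures(PACKETS)
    closed, assessed, escalated = first_tier_triage(alarms, {"10.0.9.9"}, capacity=2)
    print(len(alarms), "alarms:", len(closed), "closed,", len(assessed), "assessed,",
          len(escalated), "escalated to tier 2")
    print("sequence hits:", correlate_sequence(ACTIVITY))
```

On the constructed sample the matcher raises five alarms; tier 1 closes the one from the authorized scanner, assesses two within its capacity, and escalates the remaining two to tier 2. The sequence correlator flags srv-a, where login, bulk read and outbound transfer occurred within ten minutes, but not srv-b, where the same steps were spread over half an hour.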

Today's Context

Today's information systems are characterized by the increases in volume, velocity, and variety. These factors by themselves stress the adaptability of the best solutions across performance and security factors. Understanding these factors is critical to a successful strategy and solution, and the need to go beyond network intrusion detection.

Volume: The growth and pervasiveness of networks beyond the data centers to office desktops, factory floors, warehouses, service desks, and customer kiosks increases the extent of the information systems to be monitored. The volume of network traffic has also grown enormously, from hundreds of kilobits per second in the early AppleTalk networks to the gigabit TCP/IP networks that are common today. Monitoring this volume of traffic presents unique challenges at every step, including sniffing, correlating, and responding to the volume of packets at each monitoring point.

Velocity: The increasing bandwidth also increases the rate at which data travels and must be processed. This results in a faster rate at which intrusion detection alarms are generated. The increasing rate of alarms generates a more quickly growing backlog for the analyst to review and process. The impact of these increases is less time for analysis of individual events, and an increase in the number of events that are ignored.

Variety: The variety of network traffic reflects the direct results of convergence. The primary network services in 1994 were telnet, ftp, dns, mail, news, and hypertext. The graphical browser changed this, facilitating the incorporation of graphics, applications, and multi-media, including a wide variety of formats for dynamic content: Flash, Shockwave, RealPlayer, QuickTime, streaming audio, streaming video, etc. Applications have left the browser and are present as broadcast video, Voice over Internet Protocol (VOIP), internet chat, and other collaboration technologies. There is also convergence among the providers of information services, with suppliers overlapping into each others' business areas. COMCAST is offering packages of TV, HDTV, digital TV, internet, and telephone. Verizon is offering FIOS with integrated telephone, internet, and digital/HD/analog TV. Apple Computer is now Apple, Inc. and is selling iPods, telephones, AppleTV, and other consumer electronics products. The principle of "net neutrality" provides a fertile breeding ground for increased competition across traditional market segments. The trend is clear: companies are offering overlapping integrated services in competing for the consumer and business marketplace.

Convergence Challenges

Convergence brings new challenges for network security that go beyond network intrusion detection. With the new services and systems come an increasing set of vulnerabilities and exposures. Traditional threats can use these to have a wider variety of services to exploit. The increasing volume of traffic makes it easier for them to operate and escape detection. The increased velocity reduces the time available to the defender to detect and respond.

The new services also invite new threats. Conventional information security systems are bypassed by the new services. Network intrusion detection systems have no signatures against the new threats or vulnerabilities. Analysts have no or limited experience with the new services or threats.

Our Response

With the increasing importance and dependence of our business on our information systems, we do not have the option to ignore, or worse, to surrender to the challenges brought by convergence. We must take the position that failure is not an option. To develop a response, we fall back on our fundamental principles; however, we must implement them with modern methods and systems. Our solution approach is based on three steps.

1. Define a strategy
2. Design and implement an architecture, and
3. Operate the solution

Success Strategy

We have found that a successful strategy includes a combination of the four elements of technology, people, process, and facilities. None of these by itself is a solution, but if implemented properly, each contributes to the desired result.

Technology. We must select modern products with the capability to handle the results of convergence: volume, velocity, and variety.

People. We must maintain the currency and competency of staff, who need to be current with the new services.

Process. We must expand our processes to cover the converged infrastructures.

Facilities. We must not lose sight of the physical security elements, and must leverage the traditional strengths of the data center model in designing information infrastructures.


Security Architecture

The information security architecture must integrate the new security systems where they are needed across the information landscape. The resulting design must be fully responsive to the information security requirements, and we should be able to identify where and how each security requirement is fulfilled. The security architectural process involves a sequence of steps.

  • Requirements. We must begin by defining explicit security requirements.

  • Design. We must devise a concept for satisfying each requirement and translate it into a component in the design that satisfies the requirement.

  • Implementation. We must select security products and implement the design in accordance with the security architecture.

  • Configuration. We must configure each component to achieve the desired protections.

  • Test. We must test the design to verify that it is constructed and configured as planned, and that its functionality provides the required protections.


Operating the Solution

In operating the solution, we must recognize that it is satisfying the complete information security operation, not just intrusion detection. We have effectively broadened the problem to solve it.

  • Network Mapping. This activity provides the information system context for the information assurance operation. Through this function we understand the extent and topology of our information systems, their interconnections, and the location of servers hosting valuable information or services.

  • Vulnerability Assessment. This activity provides an understanding of the exposures and vulnerabilities that need to be monitored and protected.

  • Boundary Protection. The boundary protection systems provide controls on the traffic and activity that can enter or leave protected domains or enclaves. Understanding where these systems are and managing their operation is one of the most important functions. These are the control points where security policies are enforced and updated based on observed activity.

  • Intrusion Detection. Once the above security functions are satisfied, effective intrusion detection can be conducted, with the full ability to interpret security events and recognize intrusion attempts and attacks.

  • Response. Effective and timely action must be taken on detected intrusion events, or their benefits will be lost.

  • Enterprise Management. Enterprise systems need to manage all of the above information assurance processes to ensure that the required interactions are being provided, and that the operation is self-optimizing with the resulting control loops.
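The list above says that intrusion detection only becomes interpretable once network mapping, vulnerability assessment and boundary protection are in place, and that boundary policy should be updated from observed activity. The following added example (written for this page, not taken from the paper) shows one way those functions feed an IDS event: a signature alarm is prioritised from the target's place in the network map, the vulnerabilities registered for it, and whether the boundary should have blocked the traffic at all, and repeated external sources are turned into candidate boundary updates. Every host address, enclave name, vulnerability label, policy entry and event is a constructed placeholder.

```python
"""Interpreting IDS events with network-mapping, vulnerability and boundary context.

Added example; not code from the paper. Hosts, enclaves, vulnerability
labels, policy and events are all constructed placeholders.
"""
from collections import Counter
from dataclasses import dataclass

# Network mapping: where each host sits, what it does, how valuable it is.
NETWORK_MAP = {
    "10.0.1.10": {"enclave": "dmz", "role": "web", "value": "high"},
    "10.0.2.20": {"enclave": "internal", "role": "database", "value": "critical"},
    "10.0.2.30": {"enclave": "internal", "role": "workstation", "value": "low"},
}

# Vulnerability assessment: exposed services per host with known weaknesses.
# Labels are placeholders, not real advisory identifiers.
VULN_REGISTER = {
    "10.0.1.10": {"http": ["WEB-CGI-PLACEHOLDER"]},
    "10.0.2.20": {"sql": ["DB-AUTH-PLACEHOLDER"]},
}

# Boundary protection: services each enclave accepts from outside the enterprise.
BOUNDARY_POLICY = {"dmz": {"http"}, "internal": set()}


@dataclass
class Event:
    ts: float
    src: str
    src_enclave: str   # "external" or the name of an internal enclave
    dst: str
    service: str
    signature: str


def assess(event):
    """Turn a raw signature alarm into a prioritised event using the context
    that mapping, vulnerability assessment and boundary protection provide."""
    host = NETWORK_MAP.get(event.dst)
    if host is None:
        return "investigate", ["destination not in network map: mapping gap"]
    reasons = []
    enclave = host["enclave"]
    if event.src_enclave == "external" and event.service not in BOUNDARY_POLICY[enclave]:
        reasons.append(f"{event.service} from external should be blocked at the {enclave} boundary")
    weaknesses = VULN_REGISTER.get(event.dst, {}).get(event.service)
    if weaknesses:
        reasons.append(f"target exposes vulnerable {event.service}: {weaknesses}")
    if weaknesses and host["value"] in ("high", "critical"):
        priority = "critical"
    elif reasons:
        priority = "high"
    else:
        priority = "low"
        reasons.append("signature does not apply to any service the target exposes")
    return priority, reasons


def recommend_boundary_updates(events, threshold=3):
    """Control loop: external sources that repeatedly trigger alarms against one
    enclave become candidate entries for that enclave's boundary block list."""
    counts = Counter()
    for e in events:
        enclave = NETWORK_MAP.get(e.dst, {}).get("enclave")
        if e.src_enclave == "external" and enclave:
            counts[(e.src, enclave)] += 1
    return [{"block_src": src, "at_enclave": enc}
            for (src, enc), n in counts.items() if n >= threshold]


# Constructed events; 198.51.100.7 is a documentation-range address.
EVENTS = [
    Event(10, "198.51.100.7", "external", "10.0.1.10", "http", "shell-in-http-path"),
    Event(20, "198.51.100.7", "external", "10.0.2.20", "sql", "sql-comment-in-query"),
    Event(30, "198.51.100.7", "external", "10.0.2.30", "http", "shell-in-http-path"),
    Event(40, "10.0.2.30", "internal", "10.0.1.10", "ssh", "ssh-auth-failure-burst"),
    Event(50, "198.51.100.7", "external", "10.0.5.5", "http", "shell-in-http-path"),
    Event(60, "198.51.100.7", "external", "10.0.1.10", "http", "shell-in-http-path"),
    Event(70, "198.51.100.7", "external", "10.0.1.10", "http", "sql-comment-in-query"),
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e.ts, e.dst, *assess(e))
    print(recommend_boundary_updates(EVENTS))
```

Two of the outcomes are the ones the paper's ordering predicts: the alarm against the unmapped host 10.0.5.5 cannot be interpreted at all and is returned as a mapping gap, and the sql alarm against the internal database is rated critical for two independent reasons, a registered weakness on a critical asset and traffic the boundary should never have passed. The third repeated alarm from 198.51.100.7 against the dmz crosses the threshold and becomes a proposed boundary update, which is the control loop the Enterprise Management item describes.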


The ideas on volume, velocity, and variety in this paper are based on ideas discussed by Dr. Eric Haseltine in a talk on informatics sponsored by Anne Arundel County at the Chartwell Country Club, 2005.