Table Of Contenti
NAT'L INST. OF STAND & TECH ill
Mist'
NIST Special Publication 800-31 Intrusion Detection Systems
NO" Rebecca Bace and Peter Mell
National Institute of Standards
and Technology
Technology Administration
U.S. Department of Commerce
COMPUTER SECURITY
NIST CINTINNI«ll
rhe
National Institute of Standards and Technology was established in 1988 by Congress to "assist industry in
thedevelopmentoftechnology neededtoimproveproductquality,tomodernizemanufacturingprocesses,
. . .
to ensure product reliability . . . and to facilitate rapid commercialization ... ofproducts based on new scientific
discoveries."
NIST, originally founded as the National Bureau of Standards in 1901, works to strengthen U.S. industry's
competitiveness; advance science and engineering; and improve public health, safety, and the environment. One
of the agency's basic functions is to develop, maintain, and retain custody of the national standards of
measurement, and provide the means and methods for comparing standards used in science, engineering,
manufacturing, commerce, industry, and education with the standards adopted or recognized by the Federal
Government.
As an agency of the U.S. Commerce Department's Technology Administration, NIST conducts basic and
applied research in the physical sciences and engineering, and develops measurement techniques, test
methods, standards, and related services. The Institute does generic and precompetitive work on new and
advanced technologies. NIST's research facilities are located at Gaithersburg, MD 20899, and at Boulder, CO 80303.
Major technical operating units and their principal activities are listed below. For more information contact the
Publications and Program Inquiries Desk, 301-975-3058.
Office of the Director Chemical Science and Technology
• National Quality Program Laboratory
• International and Academic Affairs • Biotechnology
• Physical and Chemical Properties^
Technology Services • Analytical Chemistry
• Standards Services • Process Measurements
• Technology Partnerships • Surface and Microanalysis Science
• Measurement Services
Physics Laboratory
• Information Services
• Electron and Optical Physics
Advanced Technology Program • Atomic Physics
• Economic Assessment • Optical Technology
• Information Technology and Applications • Ionizing Radiation
• Chemistry and Life Sciences • Time and Frequency'
• Materials and Manufacturing Technology • Quantum Physics'
• Electronics and Photonics Technology Manufacturing Engineering
Laboratory
Manufacturing Extension Partnership
Program • Precision Engineering
• Manufacturing Metrology
• Regional Programs
• Intelligent Systems
• National Programs
• Fabrication Technology
• Program Development
• Manufacturing Systems Integration
Electronics and Electrical Engineering Building and Fire Research
Laboratory Laboratory
• Microelectronics • Applied Economics
• Law Enforcement Standards • Structures
• Electricity • Building Materials
• Semiconductor Electronics • Building Environment
• Radio-Frequency Technology' • Fire Safety Engineering
• Electromagnetic Technology' • Fire Science
• Optoelectronics'
Information Technology Laboratory
Materials Science and Engineering • Mathematical and Computational Sciences^
Laboratory • Advanced Network Technologies
• Intelligent Processing of Materials • Computer Security
• Ceramics • Information Access
• Materials Reliability' • Convergent Information Systems
• Polymers • Information Services and Computing
• Metallurgy • Software Diagnostics and Conformance Testing
• NIST Center for Neutron Research • Statistical Engineering
CO
'At Boulder, 80303.
^Some elements at Boulder, CO.
Intrusion Detection Systems
NIST Special Publication 800-31
Rebecca Bace^ and Peter Mell^
CA
'infidel, Inc., Scotts Valley,
National Institute ofStandards and Technology
COMPUTER SECURITY
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
MD
Gaithersburg, 20899-8930
November 2001
U.S. Department ofCommerce
DonaldL. Evans, Secretary
Technology Administration
Phillip J. Bond, UnderSecretary ofCommercefor Technology
National Institute ofStandards and Technology
Karen H. Brown, Acting Director
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute ofStandards and Technology (NIST)
promotes the U.S. economy and public welfare by providing technical leadership for the Nation's measurement
and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept
implementations, and technical analyses to advance the development and productive use of information
technology. ITL's responsibilities include the development of technical, physical, administrative, and
management standards and guidelines for the cost-effective security and privacy of sensitive unclassified
information in Federal computer systems. This Special Publication 800-series reports on ITL's research,
guidance, and outreach efforts in computer security, and its collaborative activities with industry, govemment,
and academic organizations.
National Institute of Standards and Technology Special Publication 800-31
Natl. Inst. Stand. Technol. Spec. Publ. 800-31, 48 pages (October 2001)
CODEN: NSPUE2
GOVERNMENT PRINTING OFFICE
U.S.
WASHINGTON:
2001
For sale by the Superintenden—t ofDocuments, U.S. Gov—emment Printing Office
Internet: bookstore.gpo.gov Phone: (202) 512-1800 Fax: (202) 512-2250
Mail: Stop SSOP, Washington, DC 20402-0001
NIST Special Publication 800-31, Intrusion Detection Systems
Intrusion Detection Systems
L Introduction 1
2. Overview of Intrusion Detection Systems 1
2.1. What Is Intrusion Detection? 1
Why
2.2. Should I use Intrusion Detection Systems? 1
2.2.1. Preventing Problems by Increasing the Perceived Risk ofDiscovery and
Punishment of Attackers 2
2.2.2. Detecting Problems that Are Not Prevented by Other Security Measures .2
2.2.3. Detecting the Preambles to Attacks (Often Experienced as Network
Probes and Other Tests for Existing Vulnerabilities) 3
2.2.4. Documenting the Existing Threat 3
2.2.5. Quality Control for Security Design and Administration 3
2.2.6. Providing Useful Information about Actual Intrusions 4
2.3. Major Types of IDSs 4
2.3.1. Process Model for Intrusion Detection 4
2.3.2. How Do I Distinguish Between Different Intrusion Detection
Approaches? 4
2.3.3. Architecture 4
2.3.4. Goals 5
2.3.5. Control Strategy 5
2.3.6. Timing 8
2.3.7. Information Sources 9
2.3.8. IDS Analysis 12
2.3.9. Response Options for IDSs 14
2.4. Tools that Complement IDSs 17
2.4.1. Vulnerability Analysis or Assessment Systems 17
2.4.2. File Integrity Checkers 20
2.4.3. Honey Pot and Padded Cell Systems 21
3. Advice on Selecting IDS Products 22
3.1. Technical and Policy Considerations 22
3.1.1. What Is Your System Environment? 22
3.1.2. What Are Your Security Goals and Objectives? 23
3.1.3. What Is Your Existing Security Policy? 24
3.2. Organizational Requirements and Constraints 24
3.2.1. What Are Requirements that are Levied from Outside the Organization?25
3.2.2. What Are Your Organization's Resource Constraints? 25
iii
NIST Special Publication 800-31, Intrusion Detection Systems
3.3. IDS Product Features and Quality 26
3.3.1. Is the Product Sufficiently Scalable for Your Environment? 26
3.3.2. How Has the Product Been Tested? 26
3.3.3. What Is the User Level ofExpertise Targeted by the Product? 26
3.3.4. Is the Product Designed to Evolve as the Organization Grows? 26
3.3.5. What Are the Support Provisions for the Product? 27
4, Deploying IDSs 28
4.1. Deployment Strategy for IDSs 28
4.2. Deploying Network-Based IDSs 29
DMZ
4.2.1. Location: Behind Each External Firewall, in the Network 29
4.2.2. Location: Outside an External Firewall 30
4.2.3. Location: On Major Network Backbones 30
4.2.4. Location: On Critical Subnets 30
4.3. Deploying Host-Based IDSs 30
4.4. Alarm Strategies 31
5, Strengths and Limitations of IDSs 31
5.1. Strengths of Intrusion Detection Systems 31
5.2. Limitations of Intrusion Detection Systems 32
6, Advice on Dealing with IDS Output 32
6.1. Typical IDS Output 32
6.2. Handling Attacks 33
7, Computer Attacks and Vulnerabilities 33
7.1. Attack Types 33
7.2. Types of Computer Attacks Commonly Detected by IDSs 34
7.2.1. Scanning Attacks 34
7.2.2. Denial of Service Attacks 35
7.2.3. Penetration Attacks 36
7.2.4. Remote vs. Local Attacks 36
7.2.5. Determining Attacker Location from IDS Output 37
7.2.6. IDSs and Excessive Attack Reporting 37
7.3. Types of Computer Vulnerabilities 38
7.3.1. Input Validation Error: 38
7.3.2. Access Validation Error: 39
7.3.3. Exceptional Condition Handling Error: 39
7.3.4. Environmental Error: 39
7.3.5. Configuration Error: 39
7.3.6. Race Condition: 39
8, The Future of IDSs 40
iv
NIST Special Publication 800-31, Intrusion Detection Systems
9. Conclusion 40
Appendix A - Frequently Asked Questions about IDSs 41
Appendix B - IDS Resources 43
V
NIST Special Publication 800-31, Intrusion Detection Systems
Intrusion Detection Systems
Rebecca Bace\ Peter Mell''
Introduction
1.
Intrusion detection systems (IDSs) are software or hardware systems that automate the
process ofmonitoring the events occurring in a computer system or network, analyzing
them for signs ofsecurity problems. As network attacks have increased in number and
severity over the past few years, intrusion detection systems have become a necessary
addition to the security infrastructure ofmost organizations. This guidance document is
intended as a primer in intrusion detection, developed for those who need to understand
what security goals intrusion detection mechanisms serve, how to select and configure
intrusion detection systems for their specific system and network environments, how to
manage the output ofintrusion detection systems, and how to integrate intrusion detection
functions with the rest ofthe organizational security infrastructure. References to other
information sources are also provided for the reader who requires specialized or more
detailed advice on specific intrusion detection issues.
2. Overview of Intrusion Detection Systems
What
2.1. Is Intrusion Detection?
Intrusion detection is the process ofmonitoring the events occurring in a computer
system or network and analyzing them for signs of intrusions, defined as attempts to
compromise the confidentiality, integrity, availability, or to bypass the security
mechanisms of a computer or network. Intrusions are caused by attackers accessing
the systems from the Internet, authorized users ofthe systems who attempt to gain
additional privileges for which they are not authorized, and authorized users who
misuse the privileges given them. Intrusion Detection Systems (IDSs) are software or
hardware products that automate this monitoring and analysis process.
Why
2.2. Should I Use Intrusion Detection Systems?
Intrusion detection allows organizations to protect their systems from the threats that
come with increasing network connectivity and reliance on information systems.
Given the level and nature ofmodem network security threats, the question for
security professionals should not be whether to use intrusion detection, but which
intrusion detection features and capabilities to use.
IDSs have gained acceptance as a necessary addition to every organization's security
infrastructure. Despite the documented contributions intrusion detection technologies
make to system security, in many organizations one must stilljustify the acquisition
ofIDSs. There are several compelling reasons to acquire and use IDSs:
1. To prevent problem behaviors by increasing the perceived risk ofdiscovery
and punishment for those who would attack or otherwise abuse the system,
2. To detect attacks and other security violations that are not prevented by other
security measures.
CA
^ Infidel, Inc., Scotts Valley,
National Institute ofStandards and Technology
I
NIST Special Publication 800-31, Intrusion Detection Systems
3. To detect and deal with the preambles to attacks (commonly experienced as
network probes and other "doorknob rattling" activities),
4. To document the existing threat to an organization
5. To act as quality control for security design and administration, especially of
large and complex enterprises
6. To provide useful information about intrusions that do take place, allowing
improved diagnosis, recovery, and correction ofcausative factors.
2.2.1. Preventing Problems by Increasing the Perceived Risk of
Discovery and Punishment ofAttackers
A
fundamental goal ofcomputer security management is to affect the
behavior ofindividual users in a way that protects information systems from
security problems. Intrusion detection systems help organizations accomplish
this goal by increasing the perceived risk ofdiscovery and punishment of
attackers. This serves as a significant deterrent to those who would violate
security policy.
2.2.2. Detecting Problems that Are Not Prevented by Other Security
Measures
Attackers, using widely publicized techniques, can gain unauthorized access
to many, ifnot most systems, especially those connected to public networks.
This often happens when known vulnerabilities in the systems are not
corrected.
Although vendors and administrators are encouraged to address
vulnerabilities (e.g. through public services such as ICAT,
http://icat.nist.gov) lest they enable attacks, there are many situations in
which this is not possible:
• Li many legacy systems, the operating systems cannot be patched or
updated.
• Even in systems in which patches can be applied, administrators
sometimes have neither sufficient time nor resource to track and
install all the necessary patches. This is a common problem,
especially in environments that include a large number ofhosts or a
wide range ofdifferent hardware or software environments.
• Users can have compelling operational requirements for network
services and protocols that are known to be vulnerable to attack.
• Both users and administrators make errors in configuring and using
systems.
• In configuring system access control mechanisms to reflect an
organization's procedural computer use policy, discrepancies almost
always occur. These disparities allow legitimate users to perform
actions that are ill advised or that overstep their authorization.
In an ideal world, commercial software vendors would minimize
vulnerabilities in their products, and user organizations would correct all
reported vulnerabilities quickly and reliably. However, in the real world, this
seldom happens thanks to our reliance on commercial software where new
flaws and vulnerabilities are discovered on a daily basis.
2
