Techniques to Detect Intrusions in Computer Systems

A framework for the detection of intrusions in computer systems and networks is contained in a new ISO technical report, ISO/TR 15947, Information Technology – Security Techniques – IT Intrusion Detection Framework. The document focuses on the security principles behind intrusions into computer systems by outsiders or trusted employees, and on how organizations can establish a framework that supports a comprehensive intrusion detection system.

“One of the problems that businesses have is being able to detect when their systems are being intruded upon in order that effective action can be taken to prevent harm or loss to their assets,” said Ted Humphreys, convenor of the ISO working group that has developed the report. “The development of ISO/TR 15947 is an important step forward in dealing with the growing problem of intrusions and provides a good basis for progressing solutions and implementations.”

Organizations are vulnerable to various kinds of security threats, such as computer viruses, denial of service attacks, and hackers. Typical misuse takes advantage of vulnerabilities in system configuration, user neglect and carelessness, as well as design flaws in software, protocols, and operating systems. Outsiders as well as trusted insiders (disgruntled employees, trading partners, and temporary employees) can exploit these vulnerabilities.

“It is estimated that intentional attacks on information systems are costing businesses worldwide around $15 billion dollars each year and the cost is rising. In addition, there is the cost of the loss or damage to the corporate reputation, brand names, customer trust and loyalty, and of course, the price of stocks and shares,” noted Ted Humphreys.

Intrusion detection is an important tool for security management, used to predict and identify intrusions in computer systems and networks and to raise appropriate alarms during an intrusion attempt. Such a system enables local collection of information on intrusions, its subsequent consolidation and analysis, and analysis of an organization’s normal patterns of IT behavior and usage, so that deviations from those patterns can be recognized.

ISO/TR 15947 describes different methods of intrusion detection analysis, and combinations of those methods, as well as the typical activities and actions that need to be taken to respond to the presence of intrusions. It considers the different types of intrusions, including those that are intentional or unintentional, legal or illegal, harmful or harmless, as well as unauthorized access by insiders and outsiders.
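The two ideas above, local collection followed by central consolidation, and a combination of analysis methods (a misuse signature beside a check against normal usage patterns), are illustrated by the following added example. It is not code from ISO/TR 15947 or from ISO; the event tuples, the per-user baseline, and the thresholds are constructed for illustration.

```python
from collections import Counter

# Constructed sample events as each host would collect them locally:
# (host, user, event, outcome). Not taken from ISO/TR 15947.
HOST_A = [
    ("hostA", "alice", "login", "ok"),
    ("hostA", "alice", "read", "ok"),
    ("hostA", "mallory", "login", "fail"),
    ("hostA", "mallory", "login", "fail"),
]
HOST_B = [
    ("hostB", "mallory", "login", "fail"),
    ("hostB", "mallory", "login", "fail"),
] + [("hostB", "bob", "read", "ok")] * 6

# Assumed baseline of normal usage per user: (mean reads per reporting
# period, tolerance), as an organization would learn from its own history.
BASELINE = {"alice": (2, 1), "bob": (2, 1)}


def consolidate(*sources):
    """Merge the per-host collections into one stream for central analysis."""
    return [event for source in sources for event in source]


def misuse_analysis(events, threshold=3):
    """Signature method: repeated login failures by one user, counted across
    all consolidated hosts. Returns {user: failure_count} above threshold."""
    fails = Counter(u for _, u, ev, out in events if ev == "login" and out == "fail")
    return {u: n for u, n in fails.items() if n >= threshold}


def anomaly_analysis(events, baseline=BASELINE):
    """Behaviour method: read volume well above a user's normal pattern.
    Flags users whose reads exceed mean + 2 * tolerance."""
    reads = Counter(u for _, u, ev, _ in events if ev == "read")
    return {u: n for u, n in reads.items()
            if u in baseline and n > baseline[u][0] + 2 * baseline[u][1]}


def raise_alarms(events):
    """Combine both methods into one alarm list, keyed by user."""
    alarms = {}
    for user, n in misuse_analysis(events).items():
        alarms[user] = f"misuse: {n} failed logins across hosts"
    for user, n in anomaly_analysis(events).items():
        alarms[user] = f"anomaly: {n} reads against baseline {BASELINE[user]}"
    return alarms
```

Run on each host alone, the login failures stay below the signature threshold; only the consolidated stream reveals them, which is the point of the collection-then-consolidation step.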

The new technical report provides a generic model of intrusion detection with examples of attempts to exploit system vulnerabilities, the common types of input data that need to be considered, and the resources required to establish an effective intrusion detection capability.

It is expected to assist IT managers in setting up interoperable intrusion detection systems within their organizations and in facilitating collaboration among organizations worldwide where cooperation is desired or essential to counter intrusion attempts.