The Computer as the Decision Maker
Many intrusion detection systems are founded on the philosophy that the computer is smart enough to recognize an attack as it is coming in. For that to be true, an experienced security expert must "predefine" classic attack patterns that the computer can recognize and flag as real attacks. This is similar to preparing opening strategies in chess; however, as with any computer, the predefined strategy can be defeated by a human being who uses a novel strategy that the stored patterns do not cover, whether to win the game or to attack the host system, as the case may be.
When the computer makes the decisions, it assigns each hacking strategy to a specific category that specifies exactly what type of attack is occurring. Each attack is then classified by severity, measured on a scale from 1 (the least problematic) to 5 (meltdown). Most systems are configured to send an alert to the administrator when an event of level 3 or greater occurs. Under this type of system, the computer must have accurate data regarding each attack. The database of "attack signatures" should be updated frequently by the vendor, in much the same way that virus signatures are updated when a new virus is discovered.
Some systems now use what is called "fuzzy logic," which can dynamically identify an incoming attack by matching it loosely against the attack signatures in the database. Hacker attacks are not straightforward; in fact, most of them involve diverse strategies that do not match "exactly" with preprogrammed attack scenarios. The computer can use fuzzy logic to approximate incoming wireless network activity and determine whether security is being breached. If the activity does appear suspicious, the IDS generates an e-mail to alert the administrator to the suspect activity. All of this happens quickly, since no human intervention is needed to identify problematic network attacks; this gives the administrator more time to catch a hack "in progress" and take the necessary steps to stop the attack or trace it back to its source for the potential prosecution of the malicious party.
A company called Intrusion.com builds systems like the one described above. In the majority of cases, hacker activity does not happen all at once. Many hackers attempt to access your systems a little each day, and these probing activities can last for days or even weeks. When a hacker probes your network only a little each day, it is done with the intent of staying below the radar of your IDS. The hacker has no desire to be caught, and he knows that an IDS tuned to spikes of activity will treat only those spikes as a possible attack.
These computer IDSs are, however, prepared for low-level hacker activity. The systems keep a log for a period of approximately 28 days and search it for discernible patterns. This is done on the assumption that a hacker will "make his move" within a month of initiating attacks on your systems. With such a large time frame, the computer has a good foundation to draw upon in order to make decisions about potential threats to your computer network.
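The two mechanisms described above, severity classification with an alert threshold of 3 and a 28-day retention window in which low-rate probing is summed up, are shown below in an added example that is not taken from the article or from any vendor's product. The signature table, the per-day cap, the probe threshold and the sample log are all assumed values constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Attack signature database: event type -> severity 1 (least) .. 5 (meltdown).
# The entries are assumed for illustration, not a vendor's real signature table.
SIGNATURES = {
    "login_failure": 1,
    "port_scan": 2,
    "exploit_attempt": 4,
    "privilege_escalation": 5,
}
ALERT_LEVEL = 3      # the administrator is alerted at level 3 or greater
WINDOW_DAYS = 28     # how long the IDS retains events to look for patterns

def severity_alerts(log):
    """Classify each event by its signature and return those worth an alert."""
    alerts = []
    for ts, source, event_type in log:
        severity = SIGNATURES.get(event_type, 0)   # unknown types score 0
        if severity >= ALERT_LEVEL:
            alerts.append((source, event_type, severity))
    return alerts

def slow_probe_sources(log, now, threshold=10, daily_cap=3):
    """Flag sources that stay at or under daily_cap events per day (below the
    radar) yet accumulate at least threshold events inside the retention window."""
    start = now - timedelta(days=WINDOW_DAYS)
    per_day = defaultdict(Counter)          # source -> {date: event count}
    for ts, source, _ in log:
        if start <= ts <= now:              # older events have aged out of the log
            per_day[source][ts.date()] += 1
    flagged = []
    for source, days in per_day.items():
        total = sum(days.values())
        if total >= threshold and max(days.values()) <= daily_cap:
            flagged.append(source)
    return sorted(flagged)

# Constructed sample log of (timestamp, source, event type); not captured traffic.
NOW = datetime(2024, 3, 1, 12, 0)
SAMPLE_LOG = [(NOW - timedelta(days=d), "10.0.0.5", "port_scan") for d in range(1, 13)]
SAMPLE_LOG += [
    (NOW - timedelta(days=40), "10.0.0.5", "port_scan"),     # outside the 28-day window
    (NOW - timedelta(days=2), "10.0.0.9", "login_failure"),
    (NOW - timedelta(days=2), "10.0.0.9", "login_failure"),
    (NOW - timedelta(days=1), "10.0.0.7", "exploit_attempt"),
]

if __name__ == "__main__":
    print(severity_alerts(SAMPLE_LOG))        # one level-4 event from 10.0.0.7
    print(slow_probe_sources(SAMPLE_LOG, NOW))  # 10.0.0.5: one scan a day, 12 days
```

The single exploit attempt is caught by the severity rule, while 10.0.0.5 never exceeds one event per day and is only caught because the 28-day window lets its twelve scans add up.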