Security application programs are designed to protect computer files, operating systems, and program software, particularly on computers that are connected to networks or are otherwise exposed to attack from outside locations. Security programs may be designed to detect the effects of intrusive activity after the fact, identify intrusive activity while it is occurring, look for vulnerabilities that an intruder might exploit, or help prevent intrusive activity.
Intrusive activity can take place directly, as in the case of an unauthorized user sitting down at an unattended computer and taking some action that affects the data, system, or program software in some way. More commonly, however, computer intruders gain unauthorized access through network or online connections. An intruder may alter programs or data contained in the computer, either as an end in itself or to allow future break-ins. An intruder may also install processes on the attacked machine to use in attacking other computers. Distributed Denial of Service (DDoS) tools that flood a victim with large amounts of network traffic are an example of the latter.
The best-known tool for detecting modified program or data files is Tripwire. Tripwire computes a cryptographic checksum (a hash) for each file that is to be protected and stores this information in a safe place, preferably on write-protected removable media, so that an intruder cannot quietly update the stored values to match the altered files. Periodically, and especially when an intrusion is suspected, Tripwire is used to recalculate the file checksums. A change in the checksum indicates a change in the file. If an intrusion has occurred, it may be necessary to examine the disks from a clean copy of the operating system and run a known-good copy of Tripwire, because clever intruders can replace programs, including Tripwire itself, with versions that have been designed to hide their tracks.
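The checking procedure just described, as an added illustration written for this entry rather than Tripwire's own code: a baseline of per-file digests and permission bits is taken, and a later pass reports files whose contents or mode changed, files that disappeared, and files that appeared. The directory tree, the "trojaned" binary, the dropped file and the wiped log are all constructed inside the example; in real use the baseline would be written to read-only media rather than kept in memory.

```python
"""Tripwire-style file integrity checking (added example, not Tripwire's code)."""
import hashlib
import os
import tempfile


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Record digest, size and permission bits for every regular file under root.
    Keys are root-relative paths with '/' separators."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # the link target is hashed when its own path is walked
            st = os.stat(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,  # permission, setuid/setgid and sticky bits
            }
    return baseline


def check_against_baseline(root: str, baseline: dict) -> dict:
    """Re-scan the tree and report what differs from the stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny tree, then simulate an intruder who
    replaces a binary, drops a new file, loosens a permission and deletes a log."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    for d in ("bin", "etc", "var"):
        os.makedirs(os.path.join(root, d))
    files = {
        "bin/ls": b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n",
        "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
        "var/auth.log": b"Accepted password for alice\n",
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    os.chmod(os.path.join(root, "etc", "passwd"), 0o644)
    baseline = build_baseline(root)  # would now go to write-protected media

    # The intruder's changes:
    with open(os.path.join(root, "bin", "ls"), "wb") as f:
        f.write(b"#!/bin/sh\nexec /usr/bin/ls \"$@\" | grep -v backdoor\n")  # hides itself
    with open(os.path.join(root, "bin", "backdoor"), "wb") as f:
        f.write(b"\x7fELF placeholder")
    os.chmod(os.path.join(root, "etc", "passwd"), 0o666)  # made world-writable
    os.remove(os.path.join(root, "var", "auth.log"))       # log wiped
    return check_against_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The mode bits are part of the baseline because an intruder who only runs chmod on a file leaves its digest unchanged; a checker that compares hashes alone would miss that.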
Intrusion detection systems are programs that examine a network or a computer for signs of intrusive activity. Signature-based systems have a built-in model of intrusive activity; they attempt to detect activity known to be intrusive. Anomaly-based systems, by comparison, use a model of normal activity; abnormal activities then become a trigger for suspecting an intrusion. Either form of intrusion detection system (IDS) may rely on a variety of sources of information.
Network-based IDSs examine the packets that flow over a segment of a local network. Host-based IDSs get their information from system logs or from information supplied by individual applications. Each approach has strengths and weaknesses. Network-based systems cannot see inside encrypted packets, such as those carried by Secure Sockets Layer (SSL) connections or Virtual Private Networks (VPNs). In addition, network-based systems have difficulty keeping up with the high-speed (100BASE-T and gigabit) networks that are becoming common.
Host-based systems cannot easily detect activities such as probes that attempt to discover which hosts are on the network and which ports they support. Signature-based systems can, in general, only detect attacks that are both known and encoded into the program's model of intrusive activity. Anomaly-based systems can only report unusual activity, but there is no assurance that unusual means intrusive. False alarms and missed attacks are problems for both kinds of programs. Signatures that are too general will trigger alarms for non-intrusive activities, while signatures that are too specific will miss minor variations on known attacks. Similarly, an inadequate characterization of "normal" may lead to excessive false alarms, missed intrusions, or both. In addition, intrusion detection programs may be attacked, causing them to miss attacks or issue false alarms.
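The trade-offs discussed in the preceding paragraphs, shown as an added example (written for this entry, not the code of any IDS product) that runs both kinds of detector over constructed web-server log lines. Three signatures for the same directory-traversal attack class illustrate the signature problem: one copied verbatim from an observed request misses an encoded variant, one built on a single keyword raises a false alarm on a harmless page and misses a request for a different file, and one that matches the traversal primitive itself catches all three. The anomaly detector models "normal" as requests per host during a training period and then flags a scanner, but also a busy and legitimate proxy, showing that unusual need not mean intrusive. All log lines, hosts and thresholds are constructed for the example.

```python
"""Signature-based and anomaly-based detection over constructed log lines
(added example, not the code of any IDS)."""
import re
import statistics
from collections import Counter

LINE_RE = re.compile(
    r'^(?P<host>\S+) - - "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]" (?P<status>\d{3})$')


def parse(line: str):
    """Split a common-log-style request line into host, method, path and status."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


# Constructed sample log: one benign page that merely mentions "passwd", then
# three forms of the same traversal attack.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /index.html HTTP/1.0" 200',
    '10.0.0.5 - - "GET /docs/passwd-policy.html HTTP/1.0" 200',
    '10.0.0.7 - - "GET /cgi-bin/view?file=../../../etc/passwd HTTP/1.0" 200',
    '10.0.0.8 - - "GET /cgi-bin/view?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.0" 200',
    '10.0.0.9 - - "GET /cgi-bin/view?file=../../../etc/shadow HTTP/1.0" 404',
]

SIGNATURES = {
    # verbatim copy of one observed request: misses any variation
    "too_specific": re.compile(r"^/cgi-bin/view\?file=\.\./\.\./\.\./etc/passwd$"),
    # single keyword: fires on harmless pages, misses attacks on other files
    "too_general": re.compile(r"passwd"),
    # the traversal primitive itself, raw or percent-encoded, any case
    "tuned": re.compile(r"(\.\./|\.\.%2f)", re.IGNORECASE),
}


def signature_alerts(lines, signature) -> list:
    """Request paths that match a signature, in log order."""
    return [rec["path"] for rec in map(parse, lines) if rec and signature.search(rec["path"])]


def requests_per_host(lines) -> Counter:
    return Counter(rec["host"] for rec in map(parse, lines) if rec)


def anomaly_alerts(training_lines, window_lines, k: float = 3.0) -> list:
    """Learn requests-per-host from the training period and flag hosts in the
    new window whose count exceeds mean + k standard deviations."""
    normal = list(requests_per_host(training_lines).values())
    threshold = statistics.mean(normal) + k * statistics.pstdev(normal)
    return sorted(h for h, n in requests_per_host(window_lines).items() if n > threshold)


def make_lines(host: str, n: int, status: str = "200") -> list:
    """Constructed traffic: n distinct page requests from one host."""
    return [f'{host} - - "GET /page{i}.html HTTP/1.0" {status}' for i in range(n)]


# Training period: six ordinary hosts making 3 to 5 requests each.
TRAINING = sum((make_lines(f"10.0.0.{i}", n)
                for i, n in enumerate([3, 4, 5, 4, 3, 5], start=1)), [])

# Detection window: two ordinary hosts, a scanner walking the site and collecting
# 404s, and a corporate proxy that is merely busy.
WINDOW = (make_lines("10.0.0.1", 3) + make_lines("10.0.0.2", 4)
          + make_lines("203.0.113.9", 40, status="404")   # scanner
          + make_lines("198.51.100.4", 20))               # proxy: unusual, not intrusive


def demo() -> dict:
    result = {name: signature_alerts(SAMPLE_LOG, sig) for name, sig in SIGNATURES.items()}
    result["anomalous_hosts"] = anomaly_alerts(TRAINING, WINDOW)
    return result


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits)
```

With the constructed data the threshold works out to roughly 6.4 requests, so both the scanner and the proxy are reported; telling them apart needs a further signal (here, the scanner's run of 404 responses), which is exactly the kind of tuning the text describes.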
Virus detection programs are another form of security application that detects intrusive activity. The original virus detection programs looked for the artifacts of infections, examining files for the signatures of known viruses. Modern virus detection programs retain this functionality but also act like host-based intrusion detection systems, checking newly imported files, including e-mail attachments, for known viruses and removing them before they can be executed and do damage.
There are a number of security applications that examine a system for vulnerabilities that might be exploited by an attacker. One of the first was the program COPS, developed at Purdue University. COPS is a suite of security applications that checks a UNIX system for common security vulnerabilities. Most of these involve inappropriate permission settings on system files that might allow an ordinary user to obtain root or "superuser" privileges. Other vulnerabilities detected include poorly formatted group and password files, individual login scripts that could be modified by others, and weak passwords.
Good systems administrators regularly run tools such as COPS and CRACK (a program that tests a password file for easily guessed passwords) against their systems to detect security problems and fix them; however, such tools are two-edged swords, since they can equally help a potential intruder find system weaknesses. While COPS and CRACK are host-specific, security applications such as SATAN and NMAP are intended to discover vulnerabilities in machines that are connected to the network. SATAN looks for a set of known problems and offers suggestions for fixing them. NMAP is capable of exploring a subnet and reporting on the computers that are present; it will attempt to identify the operating system and the services offered by each computer. Both SATAN and NMAP are useful to systems administrators but may be even more useful to potential attackers, since the information provided may identify an attack that is likely to succeed. As a result, considerable controversy has surrounded their public release, and their developers have been both praised and criticized for their actions.
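The host-specific checks described for COPS, as an added example written for this entry (not COPS's own code): world-writable files, programs carrying the setuid or setgid bit, and a passwd-format file with malformed lines, an empty password field and a second uid-0 account. The miniature filesystem with its deliberate mistakes is constructed inside the example; a real run would start at `/` and compare the setuid list against a reviewed inventory rather than simply printing it.

```python
"""COPS-style host vulnerability checks (added example, not COPS's code)."""
import os
import stat
import tempfile


def _regular_files(root: str):
    """Yield (relative path, stat result) for every regular file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                yield os.path.relpath(path, root).replace(os.sep, "/"), os.stat(path)


def world_writable(root: str) -> list:
    """Files any user may modify: a classic route to root when the file is a
    system binary, a configuration file or another user's login script."""
    return sorted(rel for rel, st in _regular_files(root) if st.st_mode & stat.S_IWOTH)


def setuid_files(root: str) -> list:
    """Files that run with their owner's or group's privileges.  Each is an
    escalation target and belongs on a known, reviewed list (ownership by root
    is not checked here, only the bits)."""
    return sorted(rel for rel, st in _regular_files(root)
                  if st.st_mode & (stat.S_ISUID | stat.S_ISGID))


def check_passwd_file(text: str) -> list:
    """Parse passwd(5) lines (name:passwd:uid:gid:gecos:home:shell) and report
    malformed entries, empty password fields and non-root accounts with uid 0."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            problems.append(f"line {lineno}: expected 7 fields, found {len(fields)}")
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            problems.append(f"line {lineno}: account '{name}' has an empty password field")
        if uid == "0" and name != "root":
            problems.append(f"line {lineno}: account '{name}' has uid 0")
    return problems


def demo() -> dict:
    """Build a constructed miniature filesystem with deliberate mistakes and run the checks."""
    root = tempfile.mkdtemp(prefix="cops-demo-")
    for d in ("bin", "etc", "home/alice"):
        os.makedirs(os.path.join(root, d))
    spec = {
        "bin/su": (b"#!/bin/sh\n", 0o4755),              # setuid, expected but must be tracked
        "bin/helper": (b"#!/bin/sh\n", 0o4777),          # setuid AND world-writable: anyone can replace it
        "etc/hosts": (b"127.0.0.1 localhost\n", 0o666),  # world-writable configuration
        "home/alice/.profile": (b"export PATH=.:$PATH\n", 0o666),  # others can edit her login script
        "etc/passwd": (
            b"root:x:0:0:root:/root:/bin/sh\n"
            b"alice::1001:1001:Alice:/home/alice:/bin/sh\n"   # empty password field
            b"backup:x:0:0:Backup:/var/backup:/bin/sh\n"     # second uid-0 account
            b"broken:x:1002:1002:Broken:/home/broken\n",     # shell field missing
            0o644,
        ),
    }
    for rel, (data, mode) in spec.items():
        path = os.path.join(root, rel)
        with open(path, "wb") as f:
            f.write(data)
        os.chmod(path, mode)
    with open(os.path.join(root, "etc", "passwd"), "r") as f:
        pw_problems = check_passwd_file(f.read())
    return {"world_writable": world_writable(root),
            "setuid": setuid_files(root),
            "passwd": pw_problems}


if __name__ == "__main__":
    for category, findings in demo().items():
        print(category, findings)
```

The same report is what an intruder would want, which is the two-edged-sword point made above: the checks are cheap to run, so the administrator should run them before anyone else does.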
Firewall programs are examples of protective security applications. Firewalls restrict the network traffic that can pass between a computer and the network by limiting the addresses with which the computer can communicate and by identifying the protocols that can be used for communication. Firewalls can be implemented on their own hardware platforms (typically the case when an enterprise is being protected), made part of a network interface component such as a cable or DSL modem, or deployed directly on the protected computer. Personal firewalls of the latter sort are sold as a component of security packages that include virus protection.
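The address-and-protocol restriction a firewall applies, as an added example written for this entry (not the code of any firewall product): rules name permitted source and destination address ranges, a protocol and a destination-port range; they are tried in order, the first match decides, and anything unmatched is dropped. Two constructed rulesets for a hypothetical server at 192.0.2.10 are compared: a weak one whose "allow all TCP" rule shadows the later rule meant to block remote logins, and a hardened one that admits HTTPS from anywhere and SSH only from an internal network. The shadowing check catches the ordering mistake directly.

```python
"""Stateless packet-filter rule evaluation (added example, not any firewall's code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str                    # CIDR of permitted sources
    dst: str                    # CIDR of permitted destinations
    proto: str                  # "tcp", "udp", "icmp" or "any"
    dport: tuple = (0, 65535)   # inclusive destination-port range

    def matches(self, pkt: dict) -> bool:
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and self.dport[0] <= pkt.get("dport", 0) <= self.dport[1])


def decide(rules, pkt: dict) -> str:
    """First matching rule wins; with no match the packet is dropped (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def shadowed_rules(rules) -> list:
    """Indexes of rules that can never fire because an earlier rule already
    matches every packet they would match."""
    def covers(a: Rule, b: Rule) -> bool:
        return (ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
                and ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst))
                and a.proto in ("any", b.proto)
                and a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1])
    return [i for i, later in enumerate(rules) if any(covers(earlier, later) for earlier in rules[:i])]


SERVER = "192.0.2.10/32"   # hypothetical protected host

WEAK = [
    Rule("allow", "0.0.0.0/0", SERVER, "tcp", (1, 65535)),  # "let TCP in", far too broad
    Rule("deny", "0.0.0.0/0", SERVER, "tcp", (22, 22)),     # meant to block SSH; never reached
]

HARDENED = [
    Rule("allow", "0.0.0.0/0", SERVER, "tcp", (443, 443)),  # public HTTPS
    Rule("allow", "10.0.0.0/8", SERVER, "tcp", (22, 22)),   # SSH from the internal network only
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any"),          # explicit default
]

# Constructed packets: external HTTPS, external and internal SSH, external DNS over UDP.
PACKETS = {
    "https_external": {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": "tcp", "dport": 443},
    "ssh_external": {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": "tcp", "dport": 22},
    "ssh_internal": {"src": "10.1.2.3", "dst": "192.0.2.10", "proto": "tcp", "dport": 22},
    "dns_external": {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": "udp", "dport": 53},
}


def demo() -> dict:
    return {
        "weak": {name: decide(WEAK, pkt) for name, pkt in PACKETS.items()},
        "hardened": {name: decide(HARDENED, pkt) for name, pkt in PACKETS.items()},
        "weak_shadowed": shadowed_rules(WEAK),
        "hardened_shadowed": shadowed_rules(HARDENED),
    }


if __name__ == "__main__":
    print(demo())
```

Real firewalls add connection state, so that reply packets for a permitted outbound connection are admitted without a separate inbound rule; the ordering and default-deny behaviour shown here are the same.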
see also Internet; Security Hardware; Security Software.
Branstad, D. "Security Aspects of Computer Networks." Proceedings of the AIAA Computer Network Systems Conference, Paper 73-427. Huntsville, AL, April 1973.
Farmer, Daniel, and Eugene H. Spafford. The COPS Security Checker System. Purdue University Technical Report CSD-TR-993, September 1991.
Kim, Gene, and Eugene H. Spafford. Monitoring File System Integrity on Unix Platforms. Purdue University Technical Report COAST TR 93-02, July 1993.
Farmer, Dan, and Wietse Venema. "Improving the Security of Your Site by Breaking Into It." <http://www.fish.com/satan/admin-guide-to-cracking.html>
Muffett, Alec. CRACK. <http://www.users.dircon.co.uk/~crypto/>
NMAP: The Network Mapper. <http://www.insecure.org/nmap/>