Skip to main content

Security Applications

Security Applications

Security applications programs are designed to protect computer files, operating systems, and program software, particularly on computers that are connected to networks or are otherwise subject to attack from outside locations. Security programs may be designed to detect the effects of intrusive activity, identify intrusive activity while it is occurring, look for vulnerabilities that might be exploited by an intruder, or help prevent intrusive activity.

Intrusive activity can take place directly, as in the case of an unauthorized user sitting down at an unattended computer and taking some action that affects the data, system, or program software in some way. More commonly, however, computer intruders gain unauthorized access through network or online connections. An intruder may alter programs or data contained in the computer, either as an end in itself or to allow future break-ins. An intruder may also install processes on the attacked machine to use in attacking other computers. Distributed Denial of Service (DDoS) tools that flood a victim with large amounts of network traffic are an example of the latter.

The best known tool for detecting modified program or data files is Tripwire. Tripwire computes a cryptographic checksum for each file that is to be protected and stores this information in a safe place, preferably on write-protected removable media. Periodically, and especially when an intrusion is detected, Tripwire is used to recalculate the file checksums. A change in the checksum indicates a change in the file. If an intrusion has occurred, it may be necessary to examine disks and run Tripwire from a clean copy of the operating system because clever intruders can replace programs, including Tripwire, with versions that have been designed to hide their tracks.

Intrusion detection systems are programs that examine a network or a computer for signs of intrusive activity. Signature-based systems have a built-in model of intrusive activity; they attempt to detect activity known to be intrusive. Anomaly-based systems, by comparison, use a model of normal activity; abnormal activities then become a trigger for suspecting an intrusion. Either form of intrusion detection system (IDS) may rely on a variety of sources of information.

Network-based IDSs examine the packets that flow over a segment of a local network. Host-based IDSs get their information from system logs or from information supplied by individual applications. Each approach has strengths and weaknesses. Network-based systems cannot see inside encrypted packets such as those used by Secure Sockets Layer (SSL) or Virtual Private Networks (VPNs) . In addition, network-based systems have difficulty in keeping up with the high speed (100 base T and gigabit) networks that are becoming common.

Host-based systems cannot easily detect activities such as probes that attempt to discover which hosts are on the network and which ports they support. Signature-based systems can, in general, only detect attacks that are both known and encoded into the program's model of intrusive activity. Anomaly-based systems can only report unusual activity, but there is no assurance that unusual means intrusive. False alarms and missed attacks are problems for both kinds of programs. Signatures that are too general will trigger alarms for non-intrusive activities, while signatures that are too specific will miss minor variations on known attacks. Similarly, an inadequate characterization of "normal" may lead to excessive false alarms, missed intrusions, or both. In addition, intrusion detection programs may be attacked, causing them to miss attacks or issue false alarms.

Virus detection programs are another form of security application that detects intrusive activity. The original virus detection programs looked for the artifacts of infections, examining files for the signatures of known viruses. Modern virus detection programs retain this functionality but also act like host-based intrusion detection systems, checking newly imported files, including e-mail attachments, for known viruses and removing them before they can be executed and do damage.

There are a number of security applications that examine a system for vulnerabilities that might be exploited by an attacker. One of the first was the program COPS, developed at Purdue University. COPS is a suite of security applications that checks a UNIX system for common security vulnerabilities. Most of these involve inappropriate permission settings on system files that might allow an ordinary user to obtain root or "superuser" privileges. Other vulnerabilities detected include poorly formatted group and password files, individual login scripts that could be modified by others, and weak passwords.

Good systems administrators regularly run tools such as COPS and CRACK against their systems to detect security problems and patch them; however, such tools are two-edged swords since they could help a potential intruder find system weaknesses. While COPS and CRACK are host-specific, security applications such as SATAN and NMAP are intended to discover vulnerabilities in machines that are connected to the network. SATAN looks for a set of known problems and offers suggestions for fixing them. NMAP is capable of exploring a subnet and reporting on the computers that are present. It will attempt to identify the operating system and services offered by each computer. Both SATAN and NMAP are useful to systems administrators but may be even more useful to potential attackers since the information provided may identify an attack that is likely to succeed. As a result, considerable controversy has surrounded their public release, and their developers have been both praised and criticized for their actions.

Firewall programs are examples of protective security applications. Firewalls restrict the network traffic that can pass between a computer and the network by limiting the addresses with which the computer can communicate and by identifying the protocols that can be used for communication. Firewalls can be implemented on their own hardware platforms (typically the case when an enterprise is being protected), made part of a network interface component such as a cable or DSL modem, or deployed directly on the protected computer. Personal firewalls of the latter sort are sold as a component of security packages that include virus protection.

see also Internet; Security Hardware; Security Software.

John McHugh

Bibliography

Branstad, D. Security Aspects of Computer Networks. Proceedings of the AIAA Computer Network Systems Conference, Paper 73-427, Huntsville, AL, April 1973.

Farmer, Daniel, and Eugene H. Spafford. The COPS Security Checker System. Purdue

University Technical Report CSD-TR-993, September 1991.

Kim, Gene, and E. H. Spafford. Monitoring File System Integrity on Unix Platforms. Purdue University Technical Report Coast TR 93-02, July 1993.

Internet Resources

Farmer, Dan, and Wietse Venema. "Improving the Security of Your Site by Breaking Into it." <http://www.fish.com/satan/admin-guide-to-cracking.html>

Muffett, Alec. CRACK. <http://www.users.dircon.co.uk/~crypto/>

NMAP: The Network Mapper. <http://www.insecure.org/nmap/>

Cite this article
Pick a style below, and copy the text for your bibliography.

  • MLA
  • Chicago
  • APA

"Security Applications." Computer Sciences. . Encyclopedia.com. 20 Oct. 2018 <http://www.encyclopedia.com>.

"Security Applications." Computer Sciences. . Encyclopedia.com. (October 20, 2018). http://www.encyclopedia.com/computing/news-wires-white-papers-and-books/security-applications

"Security Applications." Computer Sciences. . Retrieved October 20, 2018 from Encyclopedia.com: http://www.encyclopedia.com/computing/news-wires-white-papers-and-books/security-applications

Learn more about citation styles

Citation styles

Encyclopedia.com gives you the ability to cite reference entries and articles according to common styles from the Modern Language Association (MLA), The Chicago Manual of Style, and the American Psychological Association (APA).

Within the “Cite this article” tool, pick a style to see how all available information looks when formatted according to that style. Then, copy and paste the text into your bibliography or works cited list.

Because each style has its own formatting nuances that evolve over time and not all information is available for every reference entry or article, Encyclopedia.com cannot guarantee each citation it generates. Therefore, it’s best to use Encyclopedia.com citations as a starting point before checking the style against your school or publication’s requirements and the most-recent information available at these sites:

Modern Language Association

http://www.mla.org/style

The Chicago Manual of Style

http://www.chicagomanualofstyle.org/tools_citationguide.html

American Psychological Association

http://apastyle.apa.org/

Notes:
  • Most online reference entries and articles do not have page numbers. Therefore, that information is unavailable for most Encyclopedia.com content. However, the date of retrieval is often important. Refer to each style’s convention regarding the best way to format page numbers and retrieval dates.
  • In addition to the MLA, Chicago, and APA styles, your school, university, publication, or institution may have its own requirements for citations. Therefore, be sure to refer to those guidelines when editing your bibliography or works cited list.