The Application of Intrusion Detection Systems in a Forensic Environment

Author

  • Peter Stephenson
Abstract

Over the past three or four years there has been some controversy regarding the applicability of intrusion detection systems (IDS) to the forensic evidence collection process. Two points of view, essentially, have emerged. One perspective views forensic evidence collection and preservation in the case of a computer or network security incident to be inappropriate for an intrusion detection system. Another perspective submits that the IDS is the most likely candidate for collecting forensically pristine evidentiary data in real or near real time. This extended abstract describes, briefly, the framework for a research project intended to explore the applicability of intrusion detection systems to the evidence collection and management process. The project will review the performance and forensic acceptability of several types of intrusion detection systems in a laboratory environment.

1.0 Background and Problem Statement

Intrusion detection, as a discipline, is fairly immature. Most of the serious work in intrusion detection is being carried on in the academic, commercial and government research communities. Commercially available examples of successful intrusion detection systems are limited, although the state of the art is progressing rapidly. However, as new approaches to intrusion detection are introduced, there is one question that seems to emerge continuously: should we be using intrusion detection systems to gather forensic evidence in the case of a detected penetration or abuse attempt?

The whole concept of mixing investigation with detection of intrusion or abuse attempts raises a number of questions. First, can an IDS perform adequately if it also has to manage evidentiary data appropriately to meet legal standards? Second, what is required to automate the management of data from an evidentiary perspective? Third, what measures need to be added to an IDS to ensure that it not only can perform as an IDS (including performance requirements for the type of system in which it is implemented), but that it can manage evidence appropriately? It is not appropriate to ask any system to do double duty, performing additional tasks which may or may not be related to its primary function, at the expense of the results of its primary mission.

This idea – that of combining evidence gathering with system protection – has generated considerable discussion over recent years. There is reasonable conjecture as to whether the presence of an IDS during an attack provides an appropriate evidence gathering mechanism. There appears to be general agreement, informed or otherwise, in the courts that such is the case. Today, in the absence of an alternative, the IDS probably is the best source of information about an attack. Whether that information is forensically pristine or not is an entirely different question. Sommer [SO98], however, reports that the NSTAC Network Group Intrusion Detection Subgroup found in December 1997 that:

  • “Current intrusion detection systems are not designed to collect and protect the integrity of the type of information required to conduct law enforcement investigations.”
  • “There is a lack of guidance to employees as to how to respond to intrusions and capture the information required to conduct a law enforcement investigation. The subgroup discussed the need to develop guidelines and training materials for end users that will make them aware of what information law enforcement requires and what procedures they use to collect evidence on an intrusion.”

This finding implies strongly that there is a disconnect between the use of intrusion detection systems and the collection of forensically appropriate evidence during an intrusion attempt. On the other hand, Yuill et al. [YU99] propose that an intrusion detection system can collect enough information during an on-going attack to profile, if not identify, the attacker. The ability of an IDS to gather significant information about an attack in progress without materially affecting the primary mission of the intrusion detection system suggests that an IDS could be deployed that would provide both detection/response and forensically pristine evidence in the case of a security incident.

1.1 Problem Statement

Fundamentally, this project seeks to answer the question: “Is it practical and appropriate to combine intrusion detection and response with forensic management of collected data within a single IDS in today’s networks?” The issue we will address in this research is three-fold. First, can an IDS gather useful forensic evidence during an attack without impacting its primary mission of detect and respond? Second, what is required to provide an acceptable case file of forensic information? And, finally, in a practical implementation, can an IDS be implemented that will accomplish both its primary mission and, at the same time, collect and manage forensically pure evidence that can be used in a legal setting?

There are several difficulties in addressing these issues. First, the theoretical requirements of an IDS in terms of performing its primary mission may be at odds with the requirements of collecting and preserving forensic evidence. The primary mission of an IDS is to detect and respond to security incidents. The definition of a security incident should be, at least in part, determined by the organization’s security policy. Therefore, the detailed definition of the IDS’ primary mission is partially determined by the security policy, not by some overarching standard or generic procedure. The result is that there can be a wide disparity among requirements for an IDS from organization to organization. That contrasts significantly with the relatively static set of requirements for developing and managing evidence for use in a legal proceeding.

A second difficulty is that the IDS, by design, does not manage its information in the sense that a forensics system does. There is a requirement within a forensic system (automated or not) for, among other things, the maintenance of a chain of custody whereby all evidence can be accounted for and its integrity attested to from the time of its collection to the time of its use in a legal proceeding.

The third difficulty deals with the architecture of the IDS. The ability of a program to perform widely disparate tasks (in this case detection and response as well as forensic management of data) implies an architecture that may or may not be present currently in an IDS. Thus there is a need for a standard architecture for intrusion detection systems that are also capable of forensic data management.
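The chain-of-custody requirement in the second difficulty above can be made concrete with a small hash-chained custody ledger. This is an added illustration, not code from the paper or from any IDS it surveys: every capture and every hand-off becomes an entry whose digest covers the previous entry, so a verifier can later attest that neither the ledger nor the stored evidence bytes changed between collection and use. The alert ids, sensor names, timestamps and packet bytes are constructed sample values.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed sentinel for the first chain link


def _entry_hash(entry):
    """Digest of an entry's content; sorted keys keep the digest stable."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody ledger for evidence an IDS sensor captures."""

    def __init__(self):
        self.entries = []

    def _append(self, **fields):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = dict(seq=len(self.entries), prev_hash=prev, **fields)
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def collect(self, alert_id, raw_event, sensor, ts):
        """Record evidence at capture time: the hash of the raw bytes, not the bytes."""
        return self._append(action="collect", alert_id=alert_id, ts=ts, custodian=sensor,
                            evidence_sha256=hashlib.sha256(raw_event).hexdigest())

    def transfer(self, alert_id, from_who, to_who, ts):
        """Record a custody hand-off (sensor to analyst, analyst to counsel, ...)."""
        return self._append(action="transfer", alert_id=alert_id, ts=ts,
                            custodian=to_who, released_by=from_who)


def verify(log, evidence_store):
    """Return (ok, problems); checks chain links, entry digests and stored evidence bytes."""
    problems, prev = [], GENESIS
    for i, e in enumerate(log.entries):
        if e["seq"] != i or e["prev_hash"] != prev:
            problems.append(f"seq {i}: broken chain link")
        if _entry_hash(e) != e["entry_hash"]:
            problems.append(f"seq {i}: entry modified after hashing")
        if e["action"] == "collect":
            raw = evidence_store.get(e["alert_id"])
            if raw is None or hashlib.sha256(raw).hexdigest() != e["evidence_sha256"]:
                problems.append(f"seq {i}: evidence for {e['alert_id']} missing or altered")
        prev = e["entry_hash"]
    return (not problems), problems


# Constructed sample evidence: one alert and the raw bytes the sensor captured for it.
EVIDENCE = {"alert-0001": b"<constructed packet capture for alert-0001>"}
```

An IDS that wrote such a ledger alongside its alerts would satisfy the accounting half of the chain-of-custody requirement; the verifier is what an examiner would run before presenting the case file.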


Publication date: 2000