Hi, everybody. Ed Amoroso here. And I want to spend some time with you giving the basics of a discipline known as Intrusion Detection. Now, I got very excited about this in the mid-90s. I'd sort of first seen these devices that were popping up from some commercial companies. There was one called the WheelGroup. They had a product called NetRanger. There was a company called ISS, later bought by IBM. They had these devices called RealSecure. There were a bunch of others in the 90s. What they would do, basically, is they would take data that was fed to them. They called it, essentially, packet collection or sniffing. Take the data, and try to make some determination based on a set of signatures. So, pre-determined descriptions of attack patterns that we would code right into the Intrusion Detection System, or, as we call them, IDS. We coded them right into the IDS, and then it would ding an alarm.

And there are basically four steps that we saw. There's a diagram here that kind of lays them out. In the example, you can see that the first step is that there's some attack activity that goes on, and we could say, for example, it might be a user guessing a bunch of passwords. In the second step, concurrent with that, the IDS is pulling the traffic from this; it's detecting what's happening as the server sends back a bunch of incorrect notices. Alice says, "Hey, my password." Bob says, "No." Alice says, "Password." Bob says, "No." So, the IDS is watching this. And then, based on a signature that we might have written that says, "You know how many you would guess. Three, five." We'd say, "Hey, if you ever see three, let's say three, passwords guessed wrong within a very short period of time, ding a bell." Does that make sense? It seems very straightforward. And I certainly got excited. I thought this is a really good idea. Because why not? What can it hurt? You can passively sit on a network. You can do it in kind of a stealth mode. Now, let's remember what stealth means.
Stealth means you're not being obvious or up front about the fact that you're there. You're just very quietly latching on to packets, and you're observing activity, and dinging a bell if something looks like it's not really following whatever policy you've set up. Kind of an interesting concept. So, we'll get to, in some subsequent discussions, the real weaknesses associated with signatures. But for now, let's concentrate on some of the value.

One is that there are two ways that this can be implemented in a typical system. The first is, as we've shown, what we call a Network Intrusion Detection System, NIDS, N-I-D-S. The second possibility is that you can embed this capability right into a host, and we call that HIDS, Host Intrusion Detection System. So, NIDS sits on a network. HIDS sits on a host. Both of them collect data. Both of them have signatures. Both observe traffic or compute activity. And both, if a signature is matched, will notify some security server, or the security team, or sound the bell. So, you follow? Pretty simple sort of case for how that would work, right? Again, I wrote a big textbook about this in the late 90s. I was, again, so excited. I thought that this was going to change cybersecurity. In some sense it did. And the vestige of this is still there.

Let's look at our next chart. This one gives you an idea with passwords. Let's look at how the progression, the time progression, against the signature would work. On a network IDS or a HIDS, I mean, we'll just call it IDS. So, first thing, if you represent time as sort of this vertical arrow going down, you can see that at some initial time, a password is guessed. At some later time, t plus whatever delta t, a second password is guessed. Then a third password is guessed. The third time, we see that within a minute. And we know that if we're detecting what's going on here within the minute, then, you know, we're in pretty good shape.
However, what if the passwords are guessed over a period of time that maybe extends out a little bit? Think about that. I make one bad guess. Then I make another bad guess. And then I wait six hours and make the third guess. The question is, will the IDS, after an hour, just go, "Give up," and say, "All right. Whatever it is, it's gone. Forget it. Clear the cache. Clear the buffers. We're good." And then you guess a third time, but it's sort of outside the pattern or the signature you've decided on. That gives you a hint as to one of the challenges we have. And again, in subsequent discussions, we'll dig more deeply into this. But the idea is that you want to develop signatures that are going to match the attacks. So, you could make the case that, heck, if I'm telling an attacker they have to wait six hours, or some long period of time, in order to be outside the signature, then maybe that's fine. In fact, maybe that's what cybersecurity is all about: just making an attacker change their behavior in order to not be caught in some signature that I've designed. When that behavior is changed, what we call that, the word we use, is variant. Do you follow? So, an attack either matches or doesn't match a signature. One of the ways it might not match a signature is that the attack was specifically changed or extended in time to not match a signature that might be time bound. The bad guys would say, "Ha, ha, ha. I developed a variant to get around your signature." The good guys would say, "Ha, ha, ha. I made you change your attack tactic." Does that make sense? They both can make a case that they're sort of doing the right thing. It's that whole cat and mouse that we see in cybersecurity. Very interesting way of thinking about this IDS. It's effective, or potentially easy to get around.
So, just sort of as an additional consideration here, as you think through and reflect on your learning, I want you to think about the relative effectiveness of that kind of thing, dealing with variants or not, on a host or on a network. Which do you think would be a more effective place? Or does it really not matter? Let's say we're thinking of ourselves as the defender, and I want my IDS to be super effective. Do you think it's easier to detect variants on a network? Or is it easier to detect variants on a host? What do you think about that? I think you may come to the conclusion that it sort of doesn't matter. In fact, a lot of times in cybersecurity, the underlying technology is less important than the foundational items. That's why in these videos, as we go through them, we try to pull out something that I think is fundamental. And the fundamental issue here is that concept of variant: the attacker changes behavior, and the defender is pleased that they made the attacker change behavior. But the attacker might be pleased that they can get around your signature pretty easily. We'll come back to that in subsequent discussions, but I hope this has been a useful concept for you as you continue to learn about cyber.
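The three-bad-guesses-within-a-minute signature from the lecture, and the six-hour variant that slips outside its window, as an added example that is not part of the lecture or of any of the products it names. The log format, the user names, the IP addresses and the timestamps are all constructed for this example; a NIDS would derive the same FAIL/OK events from packets on the wire, a HIDS from the host's own authentication log, and the signature logic below is the same either way. It also shows the trade-off a defender faces when stretching the window to catch the variant: a wide enough window catches the slow guesser, but it also keeps more state per user and raises more alarms on ordinary typos.

```python
"""
Signature-style failed-login detector with a sliding time window.

Illustration only: event format, names, addresses and timestamps are
constructed for this example, not taken from any real IDS product.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events: three bad guesses for alice within 31 seconds,
# with an unrelated single failure from carol mixed in.
FAST_ATTACK = [
    "2024-01-01T09:00:00 user=alice src=10.0.0.5 result=FAIL",
    "2024-01-01T09:00:05 user=carol src=10.0.0.9 result=FAIL",
    "2024-01-01T09:00:12 user=alice src=10.0.0.5 result=FAIL",
    "2024-01-01T09:00:31 user=alice src=10.0.0.5 result=FAIL",
]

# Constructed "variant": the same three bad guesses, but the third one
# is delayed six hours so the one-minute window has already expired.
SLOW_VARIANT = [
    "2024-01-01T09:00:00 user=alice src=10.0.0.5 result=FAIL",
    "2024-01-01T09:00:20 user=alice src=10.0.0.5 result=FAIL",
    "2024-01-01T15:00:20 user=alice src=10.0.0.5 result=FAIL",
]


def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    ts_text, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.fromisoformat(ts_text)
    return event


class FailedLoginSignature:
    """Alert when `threshold` failures for one (user, src) land inside `window`.

    Failures older than the window are forgotten, which is the
    "clear the buffers" behaviour the lecture describes.
    """

    def __init__(self, threshold=3, window=timedelta(minutes=1)):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # (user, src) -> recent FAIL times

    def observe(self, event):
        key = (event["user"], event["src"])
        if event["result"] == "OK":
            self.failures.pop(key, None)  # a successful login resets the count
            return None
        recent = self.failures[key]
        recent.append(event["ts"])
        cutoff = event["ts"] - self.window
        while recent and recent[0] < cutoff:
            recent.popleft()  # expired failures drop out of the window
        if len(recent) >= self.threshold:
            recent.clear()  # one alarm per run of guesses, not one per guess
            return (f"ALERT {event['ts'].isoformat()} {key[0]}@{key[1]}: "
                    f"{self.threshold} failures within {self.window}")
        return None


def run_signature(lines, threshold=3, window_seconds=60):
    """Feed log lines through the signature and return the alerts it raised."""
    sig = FailedLoginSignature(threshold, timedelta(seconds=window_seconds))
    alerts = []
    for line in lines:
        alert = sig.observe(parse_event(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    print("fast attack, 1-minute window: ", run_signature(FAST_ATTACK))
    print("slow variant, 1-minute window:", run_signature(SLOW_VARIANT))
    print("slow variant, 12-hour window: ",
          run_signature(SLOW_VARIANT, window_seconds=12 * 3600))
```

With the one-minute window the fast attack raises exactly one alarm and the slow variant raises none; only widening the window to twelve hours brings the variant back inside the signature, which is the cat-and-mouse point of the lecture expressed as a single parameter.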