GSA launches intrusion-detection net

The General Services Administration last week asked industry for information about emerging security technology for detecting unauthorized users on agency networks, with the goal of building a government intrusion-detection system by the end of next year.

In building the Federal Intrusion Detection Network (Fidnet), GSA hopes to find security tools vendors are developing that overcome the weaknesses of existing technology. By keeping ahead of the latest technology, GSA hopes to leave agency defenses less vulnerable to hackers, agency officials said.

"We want to encourage people to develop new technologies that will help us keep neck and neck with the perpetrator," said David Jarrell, program manager for the GSA portion of Fidnet in the Federal Technology Service's Office of Information Security and technical director of the Federal Computer Incident Response Capability.

OIS will look not only to established intrusion-detection vendors but to new companies and people that "we haven't even heard of," Jarrell said.

"I think there are people out there that are significantly brilliant enough to solve this and we hope that this [request for information] will cause them to come forward," he said.

GSA plans to use the vendor-provided information to develop prototypes by the first quarter of fiscal 2000, said Tom Burke, GSA's assistant commissioner of information security. Down the line, OIS may even pay some of the vendors to put together a long-term, real-world demonstration of their capabilities at an agency, he said.

GSA particularly is interested in finding intrusion-detection systems that are more capable of detecting attacks as they happen instead of after the fact.

The problem is that most intrusion-detection solutions work the same way anti-virus protection does: They check network-use patterns against a known list of intrusion "signatures" and send out alerts when they come across a match.

But as vendors and users have known for years, this method will not catch intrusions that are not on that list. Also, most products just now are advancing to the point where they alert administrators at the time an intrusion takes place.

"We find that many of the off-the-shelf products that are available today are really a response to the intrusions, and they are always a step behind the intruder," Jarrell said. "We want to look to the future and some artificial intelligence that will learn as it goes about the attacks that are being launched."

This type of capability would be more than welcome to agencies, especially if they are enabled to respond more quickly at the local level, said one senior civilian agency official.

Others recognized the potential benefits of sharing attack "experience" across government.

"What I would hope this next-generation intrusion detection could bring to us is the capability not only to monitor [intrusions] but to put together the information in a history for reference," said Sarah Jane League, Defense Department liaison at the Critical Infrastructure Assurance Office. "It should bring that pattern recognition and learn as it goes...so that over time it will have the ability to recognize" not only attacks but what could be attacks, she said.

Vendors have been working on this type of product, sometimes called anomaly detection, for some time.

"ISS has a lot of research efforts in place to advance the intrusion-detection market," said Mark Wood, intrusion-detection product manager at Internet Security Systems Inc., maker of the Real-Secure intrusion-detection product line. "Having a pre-defined list of signatures is nice, but you'd like to detect novel attacks, things you don't know about."

One major problem vendors are struggling with in producing this type of solution is the large number of "false positives" - incorrectly perceived attacks - that are generated when a network is scanned, Wood said. Despite this, a commercially viable solution could be available within the next year, he said.

"It's certainly worthwhile that someone like the GSA is driving this; it's absolutely necessary," Wood said. "Perhaps this will help coordinate the industry so that they will provide something sooner than they would have."

The need for this type of solution across government has been underscored by the more than 40 federal World Wide Web sites that have been hacked in the last two months, including at least six last week. And these attacks are only the most noticeable types of intrusions into government networks, according to federal experts testifying before Congress last week [see related story on the Web at www.fcw.com].

However, in the end, while many would wish otherwise, keeping up with attackers instead of one step behind really is the best that anyone can do, Jarrell said. "There is no silver bullet; there is no perfect solution when it comes to intrusion detection," he said. "As I've said before, if you build a better mousetrap, a better mouse will evolve."