±Forensic Focus Partners
|New Today: 2||Overall: 36006|
|New Yesterday: 0||Visitors: 158|
Intrusion Detection System Logs as Evidence and legal aspectsBack to top Back to main Skip to menu
Intrusion Detection System Logs as Evidence and legal aspects
School of Computer and Information Science
Edith Cowan University
E-mail: [email protected]
Modern techniques and methodologies for detecting attacks and malicious activities on computers and networks has evolved a lot over the last couple of years. The need for detecting intrusion attempts before the actual attack simplifies the job of securely administering computer networks. Often an attacker will probe different ports and services on a network to get intelligence about the structure of the network. Afterwards how and what services can be compromised is decided. This is a common strategy applied by most of the attackers and this is where Intrusion Detection Systems (IDS) comes in. They simplify the job of detecting attacks well before the actual attack by tracing the trails that the attacker leaves while gathering intelligence about a network. Government legislations however often act as a barrier in accessing/ monitoring private communications. This paper will particularly focus on the potential of using IDS logs as evidence in legal proceedings. It will also address the Commonwealth Telecommunication Interception Act to identify some conflicting issues that at some extent acts as a barrier for deployment of IDS tools.
Intrusion Detection System (IDS), IDS logs, telecommunication interception.
There is a growing need for use of Intrusion Detection Systems (IDS) in private and public corporations. These systems are very important to safeguard the huge distributed computing environment that a certain organization controls and manages. The log files that IDS generate can be massive depending on the volume of traffic and information they handle. It is important to understand that the use of IDS is a measure for securing the information system of companies and organization and they provide valuable support for diagnosing and reviewing security problems. Government legislators however, don't consider this and they will often pass legislations that will stand on the way of public and private corporations in terms of using IDS as a security tool. The legislators need to understand that it is not only the police and intelligence agencies that need to intercept communications, private and public sector companies also need to intercept not for interception's sake but for the sake of maintaining a secured information system. This paper will try to address these issues in general it will also discuss the recent amendment in the telecommunications interception laws in Australia. AIM
The aim of this paper is to determine the potential of using IDS log files as evidence. This paper will not make any conclusions regarding the matter. However, in certain cases personal arguments will be coming up. It is the intent of this paper to examine the telecommunication legislations particularly in Australia and examine some of the implications for the use of IDS's in protecting computers and networks. Reference will be made to legislation from Australia, the United Kingdom and the United States in order to demonstrate points of potential arguments. It is not the intent of this paper to substitute the considered legal advice. The opinions made in this paper are strictly of the authors and do not reflect any government or political body.
INTRUSION DETECTION SYSTEM (IDS)
What it is
Intrusion Detection is the act of discovering or determining the existence, presence, or fact of the wrongfully entering upon, seizing, or taking possession of the property of another (F.C & Associates 1996). "Intrusion Detection System (IDS) is any system or set of systems that has the ability to detect a change in the status of a system or network" (Lane 2001). There are two major types of IDS's. They are Signature-based IDS and Anomaly-based IDS. The deployment of IDS can be in two forms one is Network-based IDS and the other is Host-based IDS.