IDSs are hardware or software systems used to detect intruders on your network. IDSs differ according to where they’re installed, on the host or on the network, and according to how they detect intruders, by misuse detection or by anomaly detection. Each type of IDS has its own benefits and drawbacks.
A host-based IDS consists of software installed on each host. The IDS software monitors the host and its log files looking for intrusive activity. If an attack is performed on the host, alarms are generated and sent to the management platform. The advantage to host-based IDS is its capability to record whether an attack was successful. The disadvantage to a host-based IDS is its inability to detect common reconnaissance attacks against the host or a range of hosts.
Network-based IDS relies on network sensors strategically placed throughout the network. These probes monitor and analyze all network traffic traversing the local network. Network traffic is compared to a signature database or a defined profile to detect intrusive activity; if the monitored traffic matches a profile or signature, an alarm is generated. Additionally, sensors can be configured to take corrective action to stop an attack once it’s been detected. The advantage of a network-based IDS is its macro view: it sees the entire network and, therefore, isn’t limited to viewing only the traffic to a single host. The drawback of a network-based IDS is its cost, because it relies on additional hardware in the form of network probes. Additional drawbacks to network-based IDS are the following:
IDS manipulation with fragmentation and TTL exploits
Encryption
Bandwidth
Although different types of IDSs exist, each type must support at least one triggering mechanism. A triggering mechanism is simply the way an alarm is generated. There are two types of triggering mechanisms:
Anomaly based
Misuse based
Anomaly-based systems use profiles created by the IDS or by the security administrator; these profiles are then used to detect an attack and generate an alarm. Traffic patterns or computer activity that don’t match a defined profile generate an alert. The advantage of anomaly detection is its capability to detect previously unknown attacks or new types of attacks. The drawback of anomaly detection is that an alarm is generated any time traffic or activity deviates from the defined “normal” traffic patterns or activity, so it’s up to the security administrator to discover why an alarm was generated. Anomaly-based systems therefore have a higher rate of false positives, because an alarm is raised on every deviation from normal. Defining normal traffic and activity can also be a difficult and time-consuming task.
Profile- or misuse-based IDSs rely on a signature database to discover attacks and generate alarms. Signature files contained within the database are used exactly as virus-detection software uses signatures to discover computer viruses. These signature files are created by highly skilled engineers and are based on rules that match exploits and patterns of known intrusive activity. Once a signature is matched, an alarm is generated listing the type and severity of the attack, as well as the specific signature that was matched. Signature-based IDSs have a lower rate of the false positives that are common with anomaly detection. Unlike anomaly detection systems, signature-based systems contain a preconfigured signature database and, therefore, can begin protecting the network immediately. The drawback to signature-based systems is their inability to detect new or previously unknown attacks: if no signature exists to match an attack type, the new attack will go undetected. Therefore, keeping your signature database current is important.
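As an added example (not from the book), here is a toy misuse trigger and a toy anomaly trigger run over one constructed connection log with ground-truth labels, so the false negative of misuse detection and the false positive of anomaly detection described above can be counted. The single signature pattern, the byte-count profile and every log record are assumptions made for the illustration.

```python
import statistics

# Constructed sample log: (source IP, destination port, bytes sent, payload snippet, is_attack).
# The is_attack flag is ground truth used only to score the two triggers.
LOG = [
    ("10.0.0.5",  80,   540, "GET /index.html",       False),
    ("10.0.0.5",  80,   610, "GET /about.html",       False),
    ("10.0.0.7",  443,  720, "",                      False),
    ("10.0.0.5",  80,   590, "GET /contact.html",     False),
    ("192.0.2.9", 80,   650, "GET /../../etc/passwd", True),   # known pattern, normal size
    ("192.0.2.9", 80,   9800, "POST /upload",         True),   # constructed novel attack: no signature
    ("10.0.0.8",  443, 12000, "",                     False),  # nightly backup: benign but unusual size
]

# Misuse trigger: a hypothetical one-entry signature database (assumption for the example).
SIGNATURES = {"dir-traversal": "/../"}

def misuse_alarms(log):
    """Return (record index, signature name) for each record matching a known signature."""
    hits = []
    for i, (_, _, _, payload, _) in enumerate(log):
        for name, pattern in SIGNATURES.items():
            if pattern in payload:
                hits.append((i, name))
    return hits

# Anomaly trigger: the "normal" profile is the mean and standard deviation of bytes
# sent over the first train_n records, which are assumed to be clean.
def build_profile(log, train_n):
    sizes = [b for (_, _, b, _, _) in log[:train_n]]
    return statistics.mean(sizes), statistics.pstdev(sizes)

def anomaly_alarms(log, profile, z=3.0):
    """Return indexes of records whose byte count deviates more than z stdevs from the profile."""
    mean, sd = profile
    return [i for i, (_, _, b, _, _) in enumerate(log) if sd and abs(b - mean) / sd > z]

def evaluate(log, alarmed):
    """Count false positives (alarm on benign) and false negatives (attack with no alarm)."""
    fp = sum(1 for i, rec in enumerate(log) if i in alarmed and not rec[4])
    fn = sum(1 for i, rec in enumerate(log) if i not in alarmed and rec[4])
    return fp, fn

if __name__ == "__main__":
    misuse = {i for i, _ in misuse_alarms(LOG)}
    anomaly = set(anomaly_alarms(LOG, build_profile(LOG, 4)))
    print("misuse  (fp, fn):", evaluate(LOG, misuse))    # misses the novel attack
    print("anomaly (fp, fn):", evaluate(LOG, anomaly))   # flags the backup, misses the traversal
```

The misuse trigger never sees the unsigned upload attack (a false negative), while the anomaly trigger raises on the legitimate backup (a false positive) and is silent on the traversal because its size is normal.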
Some vendors attempt to combine host-based and network-based intrusion detection systems, while also combining anomaly and misuse triggering mechanisms into one overall IDS. While these hybrid IDSs provide the most benefits with the fewest drawbacks, they can be difficult to administer: combining alarms and data from many different sources and types of sources into one manageable interface is a difficult task.
1. What is the purpose of an intrusion detection system (IDS)?
2. What are the three phases of an attack?
3. What are the three types of attacks?
4. What is the difference between host-based and network-based intrusion detection?
5. What are the four types of security threats?
6. What is a false negative?
7. What type of triggering mechanism is most likely to create a false negative?
8. What is a false positive?
9. What type of triggering mechanism is most likely to create a false positive?
10. Which of the following is a limitation to host-based intrusion detection?
11. Which of the following is a benefit of host-based intrusion detection?
12. Which of the following is a limitation of network-based intrusion detection?
13. Which of the following is a benefit of network-based intrusion detection?
14. What are the two types of triggering mechanisms used by an IDS?
15. What is the difference between anomaly detection and misuse detection?
16. In the context of an IDS, what is an anomaly?
17. What is a signature and what is it used for?
18. What are the three ways to build user profiles?
19. Which of the following is a benefit of misuse detection?
20. Which of the following is a benefit of anomaly detection?
21. What is a major drawback to misuse detection?
22. What is a major drawback to anomaly detection?
Answers
1. C. To detect intrusions on the network
2. D. Objective, Reconnaissance, Attack
3. B. DoS, Reconnaissance, Access
4. D. Network-based IDSs rely on the use of network probes, while host-based systems rely on software installed on each host
5. C. Internal, Structured, Unstructured, External
6. A. A false negative results when an attack or intrusion goes undetected
7. B. Misuse detection
8. C. A false positive results when the IDS system reports an alarm, although no actual intrusion occurs on the network
9. A. Anomaly detection
10. D. Unable to detect reconnaissance attacks
11. B. Host-based systems can detect if an attack is successful
12. A. Network-based intrusion detection can only detect attacks performed over the network
13. D. A network-based IDS has a complete view of network traffic
14. B. Misuse and anomaly detection
15. A. Anomaly detection uses profiles, while misuse detection uses signatures
16. C. An anomaly is any traffic or activity that isn’t normal
17. B. A signature is a definition of intrusive activity and is used to detect intrusions
18. B. Rule-based, neural networks, statistical sampling
19. B. Easier to install and understand
20. D. Anomaly detection can be used to detect new attack methods
21. A. Misuse detection is unable to detect new attack methods
22. C. Anomaly detection relies on a defined profile defining normal activity