What is an IDS? What is the difference between statistical anomaly detection and rule-based intrusion detection?

Another type of intrusion detection system is a rule-based intrusion detection system (IDS). Read the section on intrusion detection systems, focusing on rule-based IDSes and how they function. What are two techniques used by rule-based IDSes? What are two downsides to a rule-based IDS?

Last modified: Sunday, November 22, 2020, 12:36 AM

The purpose of an intrusion detection system (IDS) is to protect the confidentiality, integrity, and availability of a system. Intrusion detection systems (IDS) are designed to detect specific issues, and are categorized as signature-based (SIDS) or anomaly-based (AIDS). IDS can be software or hardware. How do SIDS and AIDS detect malicious activity? What is the difference between the two? What are the four IDS evasion techniques discussed, and how do they evade an IDS?

A statistics-based IDS builds a distribution model for the normal behaviour profile, then detects low-probability events and flags them as potential intrusions. Statistical AIDS essentially take into account statistical metrics such as the median, mean, mode, and standard deviation of packets. In other words, rather than inspecting the data traffic as a whole, each packet is monitored and its metrics form the fingerprint of the flow. Statistical AIDS are employed to identify any differences between present behaviour and normal behaviour. Statistical IDS normally use one of the following models.

Univariate: "Uni" means "one", so the data has only one variable. This technique is used when a statistical normal profile is created for only one measure of behaviour in computer systems. Univariate IDS look for abnormalities in each individual metric (Ye et al., 2002).

Multivariate: It is based on relationships among two or more measures in order to understand the relationships between variables. This model would be valuable if experimental data show that better classification can be achieved from combinations of correlated measures rather than by analysing them separately. Ye et al. examine a multivariate quality control method to identify intrusions by building a long-term profile of normal activities (Ye et al., 2002). The main challenge for multivariate statistical IDS is that it is difficult to estimate distributions for high-dimensional data.

Time series model: A time series is a series of observations made over a certain time interval. A new observation is abnormal if its probability of occurring at that time is too low. Viinikka et al. used time series for processing intrusion detection alert aggregates (Viinikka et al., 2009). Qingtao et al. presented a method for detecting network abnormalities by examining the abrupt variation found in time series data (Qingtao & Zhiqing, 2005). The feasibility of this technique was validated through simulated experiments.
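The univariate and time-series models above, as an added example that is not part of the survey text: a baseline of packets per second is built from a constructed, attack-free training window, live readings are scored by z-score against it, and a second check flags abrupt variation between consecutive readings. Metric, thresholds and sample values are assumptions.

```python
import statistics
from typing import List, Tuple

# Constructed, attack-free training window: packets per second seen on one
# host. This is the "normal behaviour profile" the detector learns from.
TRAINING_PPS = [120, 131, 118, 125, 140, 122, 128, 135, 119, 127,
                133, 124, 121, 138, 126, 130, 123, 129, 136, 125]

# Constructed live observations; the 2400 reading is an injected burst.
LIVE_PPS = [127, 132, 2400, 124, 129]


def build_profile(samples: List[int]) -> Tuple[float, float]:
    """Univariate profile: mean and population standard deviation of one metric."""
    return statistics.mean(samples), statistics.pstdev(samples)


def univariate_alerts(profile: Tuple[float, float], observations: List[int],
                      threshold: float = 3.0) -> List[Tuple[int, int, float]]:
    """Flag readings whose z-score against the profile exceeds the threshold,
    i.e. values the learned distribution makes very unlikely."""
    mean, std = profile
    alerts = []
    for i, value in enumerate(observations):
        z = (value - mean) / std
        if abs(z) > threshold:
            alerts.append((i, value, round(z, 1)))
    return alerts


def abrupt_change_alerts(observations: List[int],
                         ratio: float = 5.0) -> List[Tuple[int, int, int]]:
    """Time-series check: flag a reading that differs from its predecessor by
    more than `ratio` times in either direction. It needs no long-term
    profile, so it also fires when the burst ends and traffic drops back."""
    alerts = []
    for i in range(1, len(observations)):
        prev, cur = observations[i - 1], observations[i]
        if prev > 0 and cur > 0 and max(cur / prev, prev / cur) > ratio:
            alerts.append((i, prev, cur))
    return alerts


if __name__ == "__main__":
    profile = build_profile(TRAINING_PPS)
    print("profile mean/std:", profile)
    print("univariate alerts:", univariate_alerts(profile, LIVE_PPS))
    print("abrupt-change alerts:", abrupt_change_alerts(LIVE_PPS))
```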

changing to adapt to attackers' ever-evolving strategies.

Developed around the same time as antivirus systems, a typical early signature-based IDS was used for monitoring network traffic to detect attack signatures -- patterns of activity or malicious code that correspond to known attacks. A signature-based IDS works well against attackers using the same attack signatures, and such defenses are helpful for screening out low-skill attackers.

As attackers have continued to develop new threats with new attack signatures, signature-based IDSes have been hard-pressed to keep up with identifying and codifying attacks before they can be used widely. IDS developers have supplemented their systems by enabling them to monitor for anomalies, or patterns of network behavior that are strongly linked with malicious activity.

There was a time when security professionals had to do detailed comparisons to understand the difference between an anomaly-based IDS and a signature-based IDS, but defenders increasingly need only be aware of the existence of the different techniques, since vendors are often using both approaches in modern IDS offerings.

While it may no longer be necessary to decide between anomaly-based IDS or signature-based IDS, security professionals need to understand the difference between the two approaches, as well as the ways in which the two techniques can complement each other.

A signature-based IDS conducts ongoing monitoring of network traffic and seeks out sequences or patterns of inbound network traffic that match an attack signature. An attack signature can be identified from network packet headers, destination or source network addresses, sequences of data that correspond to known malware or other patterns, or sequences of data or series of packets known to be associated with a particular attack.

The concept of attack signature was originally developed by antivirus developers whose systems scanned files for evidence that they originated from a malicious actor. A signature-based IDS can be very effective at monitoring inbound network traffic, and it can usually process a high volume of network traffic very efficiently.

Unfortunately, a signature-based IDS will only be able to detect known attacks. As a result, attackers quickly learned to use a variety of techniques to modify their attacks to avoid detection. One tactic is to modify malware so that it has a unique and novel attack signature; another is to encrypt network traffic to bypass signature-based malware detection tools entirely.

As attackers have become more sophisticated -- and as machine learning and artificial intelligence have been applied to malware detection -- new approaches to intrusion prevention have resulted in anomaly-based IDSes that are able to go beyond the attack signature model and detect malicious patterns of behavior rather than specific patterns of data.

An anomaly-based IDS focuses on monitoring behaviors that may be linked to attacks, so it will be far more likely than a signature-based IDS to identify and provide alerts about an attack that has never been seen before.

Anomaly testing techniques that flag malicious behaviors have been bolstered by improvements in machine learning and artificial intelligence. While anomaly-based IDSes require greater processing resources than signature-based IDSes, they are far more effective at detecting novel or previously undetected attacks.

While there may still be instances where an organization needs to choose between an anomaly-based IDS and a signature-based IDS, there is a broad range of intrusion detection and prevention products that combine both approaches.

Even so, anomaly-based IDSes from different vendors may use different technologies and strategies to detect and identify behavioral anomalies linked to attacks. Likewise, signature-based IDSes can vary widely in terms of their effectiveness based on how often their signature databases are updated, the types of signatures they screen and the sources they use for threat intelligence.

Similarities

The primary similarity shared by signature-based and anomaly-based IDSes is that both are intrusion detection systems designed to identify and alert security staff when potentially malicious network traffic is detected.

Any IDS -- anomaly-based or signature-based -- will have mechanisms for tuning the system to make it more or less sensitive in flagging network traffic as malicious or questionable, as well as for enabling administrators to review alerts and configure actions on specific alerts, and an administrative interface to manage the system.

Differences

The primary difference between an anomaly-based IDS and a signature-based IDS is that the signature-based IDS will be most effective protecting against attacks and malware that have already been detected, identified and categorized. Any IDS that depends entirely on signatures will have this limitation.

Likewise, a purely anomaly-based IDS will be far more likely to identify new types of attack than a signature-based IDS -- but it may miss some types of attack that appear to behave "normally" but that have signatures associated with them.
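As an added illustration of that complementarity (constructed example, not from the article): a signature matcher and a simple behavioural profile are run over the same constructed connection records. The known attack arrives on a port the host uses every day, so only the signature rule catches it; the never-seen-before connection has no signature, so only the behavioural rule catches it. Signature strings, addresses and ports are placeholders.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Event = Tuple[str, int, bytes]  # (source address, destination port, payload)

# Constructed signature database: placeholder byte patterns a signature-based
# IDS would search for in payloads, mapped to alert names. Not real signatures.
SIGNATURES: Dict[bytes, str] = {
    b"EXAMPLE-KNOWN-PATTERN-A": "known-attack-A",
    b"EXAMPLE-KNOWN-PATTERN-B": "known-attack-B",
}

# Constructed, assumed-clean training traffic: ports each host normally uses.
TRAINING: List[Tuple[str, int]] = [
    ("10.0.0.5", 443), ("10.0.0.5", 53), ("10.0.0.7", 443), ("10.0.0.7", 25),
]

# Constructed live traffic examined by both detectors.
LIVE: List[Event] = [
    ("10.0.0.5", 443, b"ordinary request"),
    ("10.0.0.5", 443, b"...EXAMPLE-KNOWN-PATTERN-A..."),  # known attack, usual port
    ("10.0.0.7", 4444, b"no signature for this yet"),      # novel behaviour
    ("10.0.0.7", 25, b"ordinary mail"),
]


def signature_alerts(events: List[Event]) -> List[Tuple[str, int, str]]:
    """Signature-based: alert when a payload contains a known pattern."""
    return [(src, port, name)
            for src, port, payload in events
            for pattern, name in SIGNATURES.items()
            if pattern in payload]


def build_behaviour_profile(training: List[Tuple[str, int]]) -> Dict[str, Set[int]]:
    """Anomaly-based: learn the set of destination ports each host normally uses."""
    profile: Dict[str, Set[int]] = defaultdict(set)
    for src, port in training:
        profile[src].add(port)
    return profile


def anomaly_alerts(profile: Dict[str, Set[int]],
                   events: List[Event]) -> List[Tuple[str, int, str]]:
    """Alert on behaviour outside the profile, regardless of payload content."""
    return [(src, port, "unusual-destination-port")
            for src, port, _ in events
            if port not in profile.get(src, set())]


def combined_alerts(profile: Dict[str, Set[int]], events: List[Event]):
    """What a product using both approaches raises for the same traffic."""
    return signature_alerts(events) + anomaly_alerts(profile, events)
```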

As IDS vendors increasingly deploy both strategies for intrusion detection in their products, the difference between using behavior cues and signatures for detecting intrusions will undoubtedly evaporate and customers will be able to evaluate IDSes based on how well they are able to detect actual intrusions.

Use cases

Any type of IDS should be considered an integral component of a defense-in-depth strategy for protecting organizational computing, networking and data resources. That often means using different types of security systems together in order to optimally secure all valuable or proprietary resources.

A signature-based IDS may be appropriate as part of the defenses against attacks on systems that handle huge volumes of traffic on a limited set of internet protocols, and where one of the goals is to screen out high volumes of potentially malicious traffic that use attacks for which there are signatures. For example, it may be appropriate to use a signature-based IDS to protect systems accepting protocol requests for services such as DNS, the Internet Control Message Protocol or the Simple Mail Transfer Protocol.

By the same token, an anomaly-based IDS may be appropriate for protecting networks where there is a greater variety of network traffic and where performance of the IDS is sufficient for the volume of network traffic to be monitored.

For most large organizations, an assortment of IDSes with capabilities for both behavior-based and signature-based detections will be appropriate. Likewise, an IDS that supports both approaches will be optimal for many organizations.

In any case, the type of IDS should not matter as much as whether the IDS is being deployed as part of an overall security strategy that enables defenders to detect intrusions in a timely manner and independent of whether one or more components is disabled or bypassed.

As vendors increasingly incorporate both technologies in their products, comparing signature-based IDSes with anomaly-based IDSes will become less important than comparing IDSes from different vendors that combine both technologies.

Even more important will be comparing the effectiveness of the two strategies for a particular deployment. Evaluators should focus on determining which is better for the use case: to use an IDS that supports both approaches or to use multiple IDSes that support one approach or the other.