Thursday, August 15, 2019
Host based Intrusion Prevention
Intrusion Detection Systems (IDSs) recognize the presence of malicious code within traffic that flows through the holes punched into the firewall, our first layer of defense. Though, the word ââ¬Å"intrusion detectionâ⬠is a bit of a misnomer.Richard Kemmerer and Giovanni Vigna of the University Of California, Santa Barbara, elucidate in an article in the IEEE Security and Privacy magazine: ââ¬Å"Intrusion detection systems do not detect intrusions at allââ¬âthey only identify evidence of intrusion, either while in progress or after the fact.â⬠(Edwin E. Mier, David C. Mier, 2004)An IDS recognizes security threats by detecting scans, probes and attacks, however does not block these patterns; it only reports that they took place. Yet, IDS logged data is invaluable as proof for forensics and incident handling. IDSs as well detect internal attacks, which are not seen by the firewall, and they help in firewall audits.IDSs can be divided into 2 main categories, footed on t he IDS alarm triggering mechanism: anomaly detection-based IDS and misuse detection-based IDS.Anomaly detection based IDSs report deviations from ââ¬Å"normalâ⬠or expected behavior. Behavior other than ââ¬Å"normalâ⬠is measured an attack and is flagged and recorded. Anomaly detection is as well referred to as profile-based detection. The profile describes a baseline for normal user tasks, and the quality of these user profiles directly has an effect on the detection capability of the IDS. Techniques for constructing user profiles comprise: (Nong Ye, 2003).Rule-based approachââ¬âNormal user behavior is characterized by creating rules, however analyzing normal traffic is a complicated task. A related approach is protocol anomaly detection.Neural networksââ¬âThese systems are trained by presenting them with a large amount of data, together with rules regarding data relationships. They then find out if traffic is normal or not; abnormal traffic raises an alarm.Stat istical approachââ¬âActivity profiles describe the behavior of system or user traffic. Any deviation from normal triggers an alarm.The advantage of anomaly detection is that it can identify previously unknown attacks and insider attacks, without the need for ââ¬Å"signaturesâ⬠ââ¬â that is., predefined attack profiles.One more benefit of anomaly detection is that it's impossible for the attacker to know what activity causes an alarm, thus they cannot assume that any particular action will go undetected.The disadvantage of anomaly detection is that it produces a large number of ââ¬Å"false positivesâ⬠ââ¬â that is., alerts that are produced by legitimate activity. In addition, besides being complicated as well as hard to understand, building and updating profiles as well need a lot of work.The other most important approach, misuse-detection based IDS (also called signature-based IDS), triggers an alarm when a match is found to a ââ¬Å"fingerprintâ⬠-a signa ture contained in a signature database. These ââ¬Å"fingerprintsâ⬠are footed on a set of rules that match typical patterns of exploits used by attackers. As there is a known database of exploits, there are few false positives.The disadvantage is that misuse-detection IDSs can merely detect already-known attacks. Besides, the ââ¬Å"fingerprintsâ⬠database needs to be incessantly updated to keep up with new attacks. The majority IDS products in the market at present use misuse detection.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment