Describe the different types of IDS and their limitations.
1 Answer

IDS and their Limitations

  • The primary focus of computer security is intrusion prevention, where the goal is to keep the attackers out of the user's system or network.
  • Authentication can be viewed as a means to prevent intrusions while firewalls are certainly a form of intrusion prevention, as are most types of virus protection.
  • Intrusion prevention is the information security analog of locking the doors on a car. But even if the doors on the car are locked, it might still get stolen.
  • In information security, no matter how much effort is put into intrusion prevention the bad guys will be successful and an intrusion will occur.
  • When intrusion prevention fails, intrusion detection is needed. Intrusion detection systems (IDS) are a relatively recent development in information security. The purpose of such a system is to detect attacks before, during, and after they occur. The basic approach employed by IDSs is to look for "unusual" activity.
  • There are also two basic architectures for IDSs. The first is a Host-based IDS, which applies its detection method or methods to activity that occurs on hosts. These systems have the potential to detect attacks that are visible at hosts. The second is a Network-based IDS, which applies its detection methods to network traffic. These systems are designed to detect attacks such as denial of service, port scans, probes involving malformed packets, etc.
  • There are two approaches to intrusion detection, which are:

1. Signature-Based IDS

  • Failed login attempts may be indicative of a password cracking attack, so IDS might consider N failed login attempts in M seconds as an indication or signature of an attack. Then anytime that N or more failed login attempts occur within M seconds, the IDS would issue a warning that a password cracking attack is suspected to be in progress.
  • If Trudy happens to know that Alice's IDS issues a warning whenever N or more failed logins occur within M seconds, then Trudy can safely guess N - 1 passwords every M seconds.
  • In this case, the signature detection would slow Trudy's password guessing attack, but it would not completely prevent the attack. A concern with such a scheme is that N and M must be set so that the number of false alarms is not excessive.
  • Many techniques are used to make signature-based detection more robust, where the usual approach is to detect "almost" signatures. If N login attempts occur in about M seconds, then the system could warn of a possible password cracking attack, perhaps with a degree of confidence based on the number of attempts and the time interval.

Strengths of signature-based detection:

  • This detection includes simplicity, efficiency and an excellent ability to detect known attacks. The warning that is issued is specific, since the signature matches a specific attack pattern. With a specific warning, an administrator can quickly determine whether the suspected attack is real or a false alarm and, if it is real, the admin can usually respond appropriately.
  • A signature-based IDS will provide the administrator with precise information about the nature of the suspected attack.

Limitations of signature detection:

  • These include the fact that the signature file must be current, the number of signatures may become large thereby reducing efficiency, and most importantly, the system can only detect known attacks.
  • Even slight variations on a known attack will likely be missed by signature-based systems.

2. Anomaly-Based IDS

  • Anomaly-based IDS looks for unusual or abnormal behavior. First, the decision needs to be made of what constitutes normal behavior for a system, and this must occur when the system is behaving normally.
  • Next the definition of normal must adapt as system usage changes and evolves, otherwise the number of false alarms will grow.
  • Third is that there are difficult statistical threshold issues involved. A fair idea of how far abnormal is away from normal is needed.
  • No baseline measurements should be set during an attack or else an attack will be considered normal. Measuring abnormal or determining how to separate normal variations in behavior from an attack, is an equally challenging problem. Abnormal must be measured relative to some specific value of normal.

Strengths of anomaly detection:

  • There is a chance of detecting previously unknown attacks.
  • Anomaly detection can be more efficient than signature detection, particularly if the signature file is large.

Limitations of Anomaly detection:

  • Robust anomaly detection is a difficult problem as system usage and user behavior constantly evolves and, therefore, so must the anomaly detector. Without allowing for such changes in behavior, false alarms would soon overwhelm the administrator, who would quickly lose confidence in the system.
  • Another issue with anomaly detection is that a warning of abnormal behavior may not provide any useful specific information to the administrator. A vague warning that the system may be under attack could make it difficult to take concrete action.
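As an added illustration (this is not part of the answer above, and the log lines, user names and thresholds are constructed for the example), the following Python shows both approaches from the answer side by side: a signature rule that fires on N failed logins within M seconds, and an anomaly rule that learns a baseline of logins per minute during normal operation, flags minutes that deviate by more than k standard deviations, and refuses to fold a flagged minute into the baseline so that an attack is never learned as "normal". The function names and the k = 3 threshold are assumptions for the example.

```python
"""Toy IDS illustrating signature-based and anomaly-based detection.
All sample data below is constructed for the example."""
from collections import defaultdict, deque
from statistics import mean, pstdev

# Constructed sample authentication log: (timestamp in seconds, user, outcome)
SAMPLE_LOG = [
    (0, "alice", "fail"),
    (3, "alice", "fail"),
    (5, "alice", "fail"),
    (8, "alice", "fail"),
    (9, "alice", "fail"),       # fifth failure inside 10 s: signature should fire
    (40, "bob", "success"),
    (100, "bob", "fail"),
    (170, "bob", "fail"),       # spread out, so no signature match for bob
]


def signature_detect(events, n=5, m=10):
    """Signature rule: alert when a user has n or more failed logins within
    any m-second window. Returns a list of (user, timestamp) alerts."""
    windows = defaultdict(deque)  # per-user timestamps of recent failures
    alerts = []
    for ts, user, outcome in events:
        if outcome != "fail":
            continue
        recent = windows[user]
        recent.append(ts)
        while recent and ts - recent[0] > m:   # forget failures older than the window
            recent.popleft()
        if len(recent) >= n:
            alerts.append((user, ts))
    return alerts


# Constructed baseline: successful logins per minute measured during normal operation
BASELINE_LOGINS_PER_MIN = [4, 5, 6, 5, 4, 6, 5, 5, 4, 6]


def build_baseline(samples):
    """Summarise 'normal' as a mean and population standard deviation."""
    return mean(samples), pstdev(samples)


def anomaly_detect(observed_per_min, baseline, k=3.0):
    """Anomaly rule: flag minutes whose login count is more than k standard
    deviations from the baseline mean. Returns (minute_index, z_score) alerts."""
    mu, sigma = baseline
    alerts = []
    for i, count in enumerate(observed_per_min):
        if sigma:
            z = (count - mu) / sigma
        else:
            z = 0.0 if count == mu else float("inf")   # degenerate flat baseline
        if abs(z) > k:
            alerts.append((i, round(z, 2)))
    return alerts


def adapt_baseline(samples, new_counts, k=3.0):
    """Let 'normal' evolve with usage, but skip any minute the anomaly rule
    flags so that an attack is never absorbed into the baseline."""
    samples = list(samples)
    for count in new_counts:
        if not anomaly_detect([count], build_baseline(samples), k):
            samples.append(count)
    return samples


if __name__ == "__main__":
    print("signature alerts:", signature_detect(SAMPLE_LOG))
    base = build_baseline(BASELINE_LOGINS_PER_MIN)
    observed = [5, 6, 4, 30, 5]   # constructed: a burst of 30 logins in minute 3
    print("anomaly alerts:", anomaly_detect(observed, base))
    print("adapted baseline:", adapt_baseline(BASELINE_LOGINS_PER_MIN, observed))
```

The signature alert names the user and the exact rule that matched, which is the "specific warning" the answer credits signature detection with; the anomaly alert only says that minute 3 was far from normal, which is the vaguer warning the answer lists as a limitation. Lowering n (or raising m) catches slower guessing but raises the false-alarm rate, the trade-off the answer describes for N and M.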