Wednesday, May 11, 2011

What You Need to Know About Intrusion Detection Systems

Source from: http://www.windowsecurity.com/articles/What_You_Need_to_Know_About_Intrusion_Detection_Systems.html
IDS systems vary according to a number of criteria. By explaining those criteria, we can explain what kinds of IDSs you’re likely to encounter and how they do their jobs. First and foremost, it’s possible to distinguish IDSs on the basis of the kinds of activities, traffic, transactions, or systems they monitor. In this case, IDSs may be divided into network-based, host-based, and application-based IDS types. IDSs that monitor network backbones and look for attack signatures are called network-based IDSs, whereas those that operate on hosts defend and monitor the operating and file systems for signs of intrusion and are called host-based IDSs. Some IDSs monitor only specific applications and are called application-based IDSs. (This type of treatment is usually reserved for important applications such as database management systems, content management systems, accounting systems, and so forth.) Read on to learn more about these various types of IDS monitoring approaches:
Network-based IDS characteristics
Pros: Network-based IDSs can monitor an entire, large network with only a few well-situated nodes or devices and impose little overhead on a network. Network-based IDSs are mostly passive devices that monitor ongoing network activity without adding significant overhead or interfering with network operation. They are easy to secure against attack and may even be undetectable to attackers; they also require little effort to install and use on existing networks.
Cons: Network-based IDSs may not be able to monitor and analyze all traffic on large, busy networks and may therefore overlook attacks launched during peak traffic periods. Network-based IDSs may not be able to monitor switch-based (high-speed) networks effectively, either. Typically, network-based IDSs cannot analyze encrypted data, nor do they report whether or not attempted attacks succeed or fail. Thus, network-based IDSs require a certain amount of active, manual involvement from network administrators to gauge the effects of reported attacks.
Host-based IDS characteristics
Pros: A host-based IDS can analyze activities on the host it monitors at a high level of detail; it can often determine which processes and/or users are involved in malicious activities. Though each may focus on a single host, many host-based IDSs use an agent-console model: agents run on (and monitor) individual hosts but report to a single centralized console, so that one console can configure, manage, and consolidate data from numerous hosts. Host-based IDSs can detect attacks that a network-based IDS cannot see and can gauge attack effects quite accurately. Host-based IDSs can use host-based encryption services to examine encrypted traffic, data, storage, and activity. Host-based IDSs have no difficulty operating on switch-based networks, either.
Cons: Data collection occurs on a per-host basis; writing to logs or reporting activity requires network traffic and can decrease network performance. Clever attackers who compromise a host can also attack and disable its host-based IDS. Host-based IDSs can be foiled by DoS attacks, since such attacks may prevent any traffic from reaching the host where the IDS runs, or prevent it from reporting the attack to a console elsewhere on the network. Most significantly, a host-based IDS consumes processing time, storage, memory, and other resources on the host where it operates.
Application-based IDS characteristics
Pros: An application-based IDS concentrates on events occurring within some specific application. It often detects attacks through analysis of application log files and can usually identify many types of attack or suspicious activity. Sometimes an application-based IDS can even track unauthorized activity from individual users. It can also work with encrypted data, using application-based encryption/decryption services.
Cons: Application-based IDSs are sometimes more vulnerable to attack than host-based IDSs. They can also consume significant application (and host) resources.
In practice, most commercial environments use some combination of network- and host- and/or application-based IDS systems to observe what’s happening on the network while also monitoring key hosts and applications more closely.
IDSs may also be distinguished by their differing approaches to event analysis. Some IDSs primarily use a technique called signature detection. This resembles the way many antivirus programs use virus signatures to recognize and block infected files, programs, or active Web content from entering a computer system, except that it uses a database of traffic or activity patterns related to known attacks, called attack signatures. Indeed, signature detection is the most widely used approach in commercial IDS technology today. Another approach is called anomaly detection. It uses rules or predefined concepts about “normal” and “abnormal” system activity (called heuristics) to distinguish anomalies from normal system behavior and to monitor, report on, or block anomalies as they occur. Some IDSs support limited types of anomaly detection; most experts believe this kind of capability will become part of how more IDSs operate in the future. Read on for more information about these two kinds of event analysis techniques:
Signature-based IDS characteristics
Pros: A signature-based IDS examines ongoing traffic, activity, transactions, or behavior for matches with known patterns of events specific to known attacks. As with antivirus software, a signature-based IDS requires access to a current database of attack signatures and some way to actively compare and match current behavior against a large collection of signatures. Except when entirely new, uncataloged attacks occur, this technique works extremely well.
Cons: Signature databases must be constantly updated, and IDSs must be able to compare and match activities against large collections of attack signatures. If signature definitions are too specific, signature-based IDS may miss variations on known attacks. (A common technique for creating new attacks is to change existing, known attacks rather than to create entirely new ones from scratch.) Signature-based IDSs can also impose noticeable performance drags on systems when current behavior matches multiple (or numerous) attack signatures, either in whole or in part.
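As an added illustration (not part of the original article or the quoted source), the following Python sketch shows the signature approach described above run over a few constructed web-server log lines: a small rule table, a matcher, and the "too specific" problem from the Cons paragraph. The rule ids, rule names and log lines are all made up for the example; the percent-decoding step shows one way a defender keeps a literal pattern from missing an encoded variant of the same request.

```python
import re
from urllib.parse import unquote

# Constructed signature table: rule id -> (name, compiled pattern).
# The ids and patterns are hypothetical, not taken from any real IDS rule set.
SIGNATURES = {
    1001: ("directory traversal in request path", re.compile(r"\.\./")),
    1002: ("access to exposed .git metadata", re.compile(r"/\.git/")),
}

# Constructed sample access-log lines in Common Log Format (hosts and paths are made up).
SAMPLE_LOG = """\
10.0.0.5 - - [11/May/2011:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [11/May/2011:10:01:07 +0000] "GET /../../etc/passwd HTTP/1.1" 404 0
10.0.0.9 - - [11/May/2011:10:01:08 +0000] "GET /..%2F..%2Fetc/passwd HTTP/1.1" 404 0
10.0.0.7 - - [11/May/2011:10:01:11 +0000] "GET /.git/config HTTP/1.1" 403 0
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/')


def extract_request_target(line):
    """Return the request target (path and query) from a log line, or "" if absent."""
    m = REQUEST_RE.search(line)
    return m.group(1) if m else ""


def match_signatures(line, normalize=True):
    """Return the ids of every signature whose pattern occurs in the request target.

    With normalize=True the target is percent-decoded before matching, so an
    encoded variant such as "..%2F" is compared as "../". Without it, the
    literal pattern misses that variant: the "too specific" signature problem.
    """
    target = extract_request_target(line)
    if normalize:
        target = unquote(unquote(target))  # second pass also undoes double-encoding
    return [sid for sid, (_, pattern) in SIGNATURES.items() if pattern.search(target)]


def scan_log(lines, normalize=True):
    """Scan log lines; return (line_number, signature_id) pairs for every match."""
    alerts = []
    for number, line in enumerate(lines, start=1):
        for sid in match_signatures(line, normalize):
            alerts.append((number, sid))
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("literal matching:   ", scan_log(lines, normalize=False))
    print("with normalization: ", scan_log(lines, normalize=True))
```

Run as written, literal matching reports lines 2 and 4 only; the encoded traversal on line 3 is reported only once the request target is decoded before comparison. Real engines apply many such normalizations (case folding, path canonicalization, protocol decoding) precisely because the variant problem is so common.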
Anomaly-based IDS characteristics
Pros: An anomaly-based IDS examines ongoing traffic, activity, transactions, or behavior for anomalies on networks or systems that may indicate attack. The underlying principle is the notion that “attack behavior” differs enough from “normal user behavior” that it can be detected by cataloging and identifying the differences involved. By creating baselines of normal behavior, anomaly-based IDS systems can observe when current behavior deviates statistically from the norm. This capability theoretically gives an anomaly-based IDS the ability to detect new attacks that are not yet known and for which no signatures have been created.
Cons: Because normal behavior can change easily and readily, anomaly-based IDS systems are prone to false positives where attacks may be reported based on changes to the norm that are “normal,” rather than representing real attacks. Their intensely analytical behavior can also impose sometimes-heavy processing overheads on systems where they’re running. Furthermore, anomaly-based systems take a while to create statistically significant baselines (to separate normal behavior from anomalies); they’re relatively open to attack during this period.
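As an added example (again not from the original article or its source), here is a minimal baseline-then-compare detector in Python for one numeric metric, such as failed logins per minute. The counts are constructed for the example. It shows the two points the Pros and Cons paragraphs make: a burst far from the learned baseline is flagged with no signature involved, but a legitimate change in the norm is flagged too (a false positive), and nothing at all is flagged while the baseline is still being learned.

```python
import statistics
from collections import deque


class AnomalyDetector:
    """Baseline-then-compare detector for one numeric metric.

    The first `baseline_size` observations are accepted as "normal" without any
    check. After that, each observation is scored by how many baseline standard
    deviations it lies from the baseline mean (a z-score) and flagged when that
    score exceeds `threshold`.
    """

    def __init__(self, baseline_size=10, threshold=3.0):
        self.baseline_size = baseline_size
        self.threshold = threshold
        # Sliding window of recent normal observations; old values drop off automatically.
        self.history = deque(maxlen=baseline_size)

    def observe(self, value):
        """Return (flagged, z_score) for one observation."""
        if len(self.history) < self.baseline_size:
            # Still learning: nothing is flagged, whatever the value is.
            self.history.append(value)
            return False, 0.0
        mean = statistics.fmean(self.history)
        stdev = statistics.pstdev(self.history)
        if stdev == 0:
            stdev = 1.0  # flat baseline: treat a change of one unit as one deviation
        z = (value - mean) / stdev
        flagged = abs(z) > self.threshold
        if not flagged:
            # Only unflagged values move the baseline, so a flagged burst is not learned as normal.
            self.history.append(value)
        return flagged, z


def run_detector(values, baseline_size=10, threshold=3.0):
    """Feed a series through a fresh detector; return a list of (value, flagged, z) tuples."""
    det = AnomalyDetector(baseline_size, threshold)
    return [(v, *det.observe(v)) for v in values]


# Constructed series of failed-login counts per minute (made up for the example):
# ten quiet minutes used as the baseline, one more quiet minute, a burst, then a
# moderate rise that a real site might see for an innocent reason.
SAMPLE_COUNTS = [4, 6, 5, 5, 7, 4, 6, 5, 5, 6, 5, 40, 12]

if __name__ == "__main__":
    for value, flagged, z in run_detector(SAMPLE_COUNTS):
        print(f"{value:>3}  z={z:7.2f}  {'ANOMALY' if flagged else 'ok'}")
```

With these numbers the baseline settles at a mean of 5.4 with a standard deviation of 0.8, so the burst of 40 scores z = 43.25 and the rise to 12 scores z = 8.25; both cross the threshold, although only the first is an attack. Tuning the threshold, widening the window, or letting operators re-baseline after a known change are the usual ways of trading false positives against missed attacks. Feeding a burst in among the first ten observations shows the other weakness: it is accepted silently and becomes part of "normal".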
