When new attacks are identified, IDS vendors write signatures that fit the
patterns of those attacks. Customers install these signatures into the IDS software
so that the product can detect and identify the attacks that are currently
known. This is similar to how anti-virus products are continually
updated so that they can identify the latest viruses and malware.
A signature-based IDS, also referred to as a rule-based IDS, keeps these signatures
in a database and compares network traffic or host-based activity to the contents
of the database. If an ongoing activity matches a signature, the IDS takes
whatever action it is configured to carry out (e-mail or page an individual, reset the
connection, or reconfigure a perimeter device). So if a network-based IDS sensor
picks up a packet that is fragmented and malformed in a way that matches a signature
in its database, it concludes that this is a known attack and
takes the steps it is configured to follow. The flip side is that a signature-based
IDS can only detect what it has a signature for: an attack that is not yet in the
database, or a variant altered enough that no existing signature fits it, passes through.
Rule-based IDS products use one of two kinds of rule engine: one implements a
state-based model, the other a model-based approach. The model-based approach
works on the assumption that attackers use specific known procedures to breach
an environment's security, such as performing scans and exploiting certain
vulnerabilities. The IDS looks for these specific activities to identify an intrusion.
A state-based IDS looks at the full exchange of data between the source and destination
systems to understand the dialog that is going on between them.
This gives a more in-depth look at the attack possibly underway than
comparing individual packets to a database of individual signatures.
This type of IDS reassembles the packets and reviews the full conversation for
malicious activity, so an attack string that an attacker deliberately splits across
several packets can still be matched.
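The following is an added example, not code from the original text or from any IDS product, that puts the two approaches just described side by side: a tiny signature database, a stateless matcher that inspects each packet on its own, and a state-based matcher that reassembles each flow's payload in sequence order before matching. The packet capture, the signatures, the flow key (source, destination) and the configured actions are all constructed for the illustration; the regexes are not rules from any real IDS.

```python
import re
from collections import defaultdict

# Constructed signature database (name -> pattern over the TCP payload).
# These are illustrative regexes, not rules taken from any real IDS.
SIGNATURES = {
    "directory-traversal": re.compile(rb"\.\./\.\./etc/passwd"),
    "sqli-tautology": re.compile(rb"'\s*OR\s+1\s*=\s*1", re.IGNORECASE),
}

# Constructed configuration: the action the IDS takes when a signature fires.
ACTIONS = {
    "directory-traversal": "reset connection",
    "sqli-tautology": "e-mail on-call analyst",
}

# Constructed packet capture. Flow (10.0.0.5 -> 10.0.0.10) carries the same
# traversal request as flow (10.0.0.7 -> 10.0.0.10), but split across two TCP
# segments (delivered out of order) so the signature never appears in one packet.
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "dst": "10.0.0.10", "seq": 2, "payload": b"./etc/passwd HTTP/1.0\r\n\r\n"},
    {"src": "10.0.0.5", "dst": "10.0.0.10", "seq": 1, "payload": b"GET /cgi-bin/../."},
    {"src": "10.0.0.7", "dst": "10.0.0.10", "seq": 1, "payload": b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n"},
    {"src": "10.0.0.8", "dst": "10.0.0.10", "seq": 1, "payload": b"GET /index.html HTTP/1.0\r\n\r\n"},
]


def _matches(data):
    """Names of all signatures whose pattern occurs in data, in database order."""
    return [name for name, pat in SIGNATURES.items() if pat.search(data)]


def per_packet_alerts(packets):
    """Stateless signature matching: each packet is compared to the database on its own.
    Returns {(src, dst): [signature names]} for flows with at least one hit."""
    hits = defaultdict(list)
    for pkt in packets:
        for name in _matches(pkt["payload"]):
            flow = (pkt["src"], pkt["dst"])
            if name not in hits[flow]:
                hits[flow].append(name)
    return dict(hits)


def stream_alerts(packets):
    """State-based matching: reassemble each flow's payload in sequence order and
    compare the whole conversation to the database."""
    segments = defaultdict(dict)
    for pkt in packets:
        segments[(pkt["src"], pkt["dst"])][pkt["seq"]] = pkt["payload"]
    hits = {}
    for flow, segs in segments.items():
        stream = b"".join(segs[s] for s in sorted(segs))
        found = _matches(stream)
        if found:
            hits[flow] = found
    return hits


def respond(alerts):
    """Map each alert to the configured action, as the IDS would dispatch it."""
    return {flow: [ACTIONS[n] for n in names] for flow, names in alerts.items()}


if __name__ == "__main__":
    print("per-packet:", per_packet_alerts(SAMPLE_PACKETS))
    print("stream:    ", stream_alerts(SAMPLE_PACKETS))
    print("actions:   ", respond(stream_alerts(SAMPLE_PACKETS)))
```

Run as is, the per-packet matcher reports only the 10.0.0.7 flow, where the whole request sits in one segment; the stream matcher reports both attacking flows, because after reassembly the two halves from 10.0.0.5 form the same string. Neither approach says anything about the benign 10.0.0.8 flow or about any request the database has no pattern for, which is the signature-based limitation described above.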
A behavior-based IDS, on the other hand, compares current traffic to a reference
model of normal behavior. When it sees something out of the ordinary
that does not match its definition of "normal," it raises an alarm. When a behavior-
based IDS is first installed in an environment, it goes through a learning period
in which it gathers data about the environment: its traffic patterns, user activities,
traffic types, bandwidth use, and much more. From this data a profile of the
current environment is built. After the learning period, all future traffic and
activities are compared to this reference profile, and anything that does not match
is treated as an attack. This approach usually produces a lot of false positives,
because any legitimate activity that was absent during the learning period looks
just as abnormal as an attack; conversely, any attack traffic that was present
during the learning period is baked into the profile as "normal."
A behavior-based IDS can, however, detect new attacks that a signature-based
system would miss, because it does not depend on matching specific attack
signatures to traffic patterns.
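As an added example (not code from the original text or from any IDS product), here is a minimal behavior-based detector built around one metric, new outbound connections per minute per host. It learns a per-host mean and standard deviation from a training window, then flags anything more than k standard deviations above the mean. The metric, the threshold rule, the host names and every number in the training and event data are constructed for the illustration.

```python
import statistics

# Constructed learning-period data: new outbound connections per minute,
# sampled for each host while the sensor builds its baseline profile.
TRAINING = {
    "ws-12": [4, 5, 6, 5, 4, 5, 6, 5],
    "db-01": [20, 22, 19, 21, 20, 22, 19, 21],
}

# Constructed events seen after the learning period: (host, connections this minute).
EVENTS = [
    ("ws-12", 5),      # ordinary desktop traffic
    ("ws-12", 400),    # burst typical of a scan from a compromised workstation; no signature involved
    ("db-01", 60),     # nightly backup that did not run during the learning window
    ("nas-03", 3),     # host that was never observed while the profile was built
]


def build_profile(training):
    """Learning period: record mean and standard deviation of the metric per host."""
    return {host: (statistics.mean(v), statistics.pstdev(v)) for host, v in training.items()}


def classify(profile, host, observed, k=3.0):
    """Compare one observation to the reference profile.
    k is the number of standard deviations above the mean tolerated as normal;
    the stddev is floored at 1.0 so a perfectly flat baseline does not fire on +1."""
    if host not in profile:
        return "alert"            # nothing to compare against: never seen while learning
    mean, sd = profile[host]
    return "alert" if observed > mean + k * max(sd, 1.0) else "normal"


def evaluate(profile, events):
    """Run every post-learning event through the profile. Returns [(host, value, verdict)]."""
    return [(host, value, classify(profile, host, value)) for host, value in events]


if __name__ == "__main__":
    prof = build_profile(TRAINING)
    for host, value, verdict in evaluate(prof, EVENTS):
        print(f"{host:6} {value:4d} -> {verdict}")
```

The second event is the payoff of this approach: the scan burst is caught although nothing in the detector describes a scan. The third and fourth events are the false positives the text warns about, a backup job and a host that simply were not part of the learning window. Tuning k or lengthening the learning period trades one kind of error for the other; a learning window that already contained the scan would have raised ws-12's baseline and hidden it.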