Goals for Intrusion Detection Systems
The two styles of intrusion detection, pattern matching and heuristic, represent different approaches, each of
which has advantages and disadvantages. Actual IDS products often blend the two
approaches.
Ideally, an IDS should be fast, simple, and accurate, while at the same time being complete. It should
detect all attacks with little performance penalty. An IDS could use some or
all of the following design approaches:
Filter on packet headers
Filter on packet content
Maintain connection state
Use complex, multipacket signatures
Use minimal number of signatures with maximum effect
Filter in real time, online
Hide its presence
Use optimal sliding time window size to match signatures
Responding to Alarms
Whatever the type, an
intrusion detection system raises an alarm when it finds a match. The alarm can
range from something modest, such as writing a note in an audit log, to
something significant, such as paging the system security administrator.
Particular implementations allow the user to determine what action the system
should take on what events.
What are possible responses? The range is unlimited and can be anything the administrator can imagine (and
program). In general, responses fall into three major categories (any or all of
which can be used in a single response):
Monitor, collect data, perhaps increase amount of data collected
Protect, act to reduce exposure
Call a human
Monitoring is appropriate for
an attack of modest (initial) impact. Perhaps the real goal is to watch the
intruder, to see what resources are being accessed or what attempted attacks
are tried. Another monitoring possibility is to record all traffic from a given
source for future analysis. This approach should be invisible to the attacker.
Protecting can mean increasing access controls and even making a resource
unavailable (for example, shutting off a network connection or making a file
unavailable). The system can even sever the network connection the attacker is
using. In contrast to monitoring, protecting may be very visible to the
attacker. Finally, calling a human allows individual discrimination. The IDS
can take an initial defensive action immediately while also generating an alert
to a human who may take seconds, minutes, or longer to respond.
False Results
Intrusion detection systems
are not perfect, and mistakes are their biggest problem. Although an IDS might
detect an intruder correctly most of the time, it may stumble in two different
ways: by raising an alarm for something that is not really an attack (called a
false positive, or type I error in the statistical community) or not raising an
alarm for a real attack (a false negative, or type II error). Too many false
positives mean the administrator will be less confident of the IDS's warnings,
perhaps leading to a real alarm being ignored. But false negatives mean that
real attacks are passing the IDS without action. We say that the degree of
false positives and false negatives represents the sensitivity of the system.
Most IDS implementations allow the administrator to tune the system's
sensitivity, to strike an acceptable balance between false positives and
negatives.
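The sensitivity trade-off above can be made concrete with a small heuristic detector whose alarm threshold is swept against labelled sample windows. This is an added example, not code from the original text; the events, the scoring rule and the ground-truth labels are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Event:
    """One per-source observation window (constructed sample data)."""
    src: str
    failed_logins: int   # failed logins from src within the window
    distinct_ports: int  # distinct destination ports touched within the window
    is_attack: bool      # ground-truth label, constructed for the example

# Constructed sample: benign activity mixed with three attack windows.
EVENTS = [
    Event("10.0.0.5", 1, 2, False),    # normal user who mistyped a password
    Event("10.0.0.7", 0, 1, False),    # quiet host
    Event("10.0.0.9", 8, 3, False),    # forgetful admin: noisy but benign
    Event("192.0.2.10", 12, 1, True),  # password guessing
    Event("192.0.2.11", 0, 40, True),  # port sweep
    Event("192.0.2.12", 3, 4, True),   # low-and-slow probe
]

def suspicion_score(e: Event) -> int:
    """Heuristic score: more failed logins or more ports touched -> higher."""
    return e.failed_logins + 2 * e.distinct_ports

def evaluate(events, threshold):
    """Count (false positives, false negatives) when alarming at score >= threshold."""
    fp = fn = 0
    for e in events:
        alarm = suspicion_score(e) >= threshold
        if alarm and not e.is_attack:
            fp += 1            # type I error: alarm on benign activity
        elif not alarm and e.is_attack:
            fn += 1            # type II error: real attack passes silently
    return fp, fn

def tune(events, thresholds):
    """Sweep the sensitivity setting; each row is (threshold, fp, fn)."""
    return [(t, *evaluate(events, t)) for t in thresholds]

if __name__ == "__main__":
    for t, fp, fn in tune(EVENTS, (5, 11, 12, 15)):
        print(f"threshold={t:>3}  false positives={fp}  false negatives={fn}")
```

On this sample no threshold removes both error types: the benign admin scores as high as the password-guessing source, so lowering the threshold to catch the slow probe necessarily raises an alarm on the admin as well.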