Explain the significance of intrusion detection system for securing a network. Compare signature based and anomaly based IDS
1 Answer
  • Security is an important issue for all the networks of companies and institutions at the present time.
  • The main reason behind the advent of IDS is that firewalls and access control on their own do not provide an adequate defense against attack.
  • Intrusion prevention is the information security analog of locking the doors on a car. But even if the doors on the car are locked, it might still get stolen.
  • In information security, no matter how much effort is put into intrusion prevention, the bad guys will be successful and an intrusion will occur.
  • When intrusion prevention fails, intrusion detection systems (IDS) come into play; they are a relatively recent development in information security. The purpose of such a system is to detect attacks before, during, and after they occur.
  • Intrusion detection systems look for attack signatures, which are specific patterns that usually indicate
  • Intrusion detection functions include:
    • Monitoring and analyzing both user and system activities
    • Analyzing system configuration and vulnerabilities.
    • Assessing system and file integrity.
    • Ability to recognize patterns typical of attacks.
    • Tracking user policy violations.
  • Intrusion detection systems actually deal with information passing on the wire between hosts. They are also known as “packet sniffers”.
  • Once captured, the packets are analysed in a number of different ways, as shown in the table below:
| Signature based detection | Anomaly based detection | Specification based detection |
|---|---|---|
| This type of detection is very effective against known attacks, but it depends on receiving regular updates of patterns and will be unable to detect previously unknown threats or new releases. | 1. It depends on classifying network activity as normal or anomalous; this classification is based on rules or heuristics rather than patterns or signatures. 2. To implement this system we first need to know the normal behaviour of the network. | This type of detection system is responsible for monitoring processes and matching the actual data with the program; in case of any abnormal behaviour an alert is issued. It must be maintained and updated. |

IDS’ are also classified based on their point of installation:

| Host based IDS | Network based IDS | Hybrid based IDS |
|---|---|---|
| Placed on a server or workstation, where data is collected and analysed locally. | Kept at a strategic point on the network infrastructure; also referred to as a “sniffer” because it sniffs the medium. | Based on a combination of the above two methods; a centralized control unit is achieved. |
| Signature based IDS | Anomaly based IDS |
|---|---|
| Uses patterns of well-known attacks | Uses statistical measures, heuristics and system features |
| Cannot detect previously unknown attacks | Can detect previously unknown attacks |
| Efficiency depends on the newness and size of the signature file. | Efficiency depends on how the IDS evolves as time progresses. |
| The number of inaccurate results is very few or none. | Often generates false alarms (high false positive rate). |
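As an added illustration (not part of the original answer), here is a small Python script that contrasts the two approaches on constructed traffic: a signature detector that can only fire on patterns it already knows, and a rate-based anomaly detector that learns a baseline and fires on anything unusual, including a legitimate batch job (the false-alarm case from the table). All addresses, paths, request rates and signatures are made up for the example.

```python
import re
import statistics
from dataclasses import dataclass

# Constructed sample data (made up for this example, not captured traffic).
# Each event: (source address, requested path, requests from that source in the last minute)
BASELINE_RATES = [10, 12, 11, 9, 13, 10, 12, 11]   # observed "normal" per-source request rates
EVENTS = [
    ("10.0.0.5", "/index.html", 12),                 # ordinary browsing
    ("10.0.0.9", "/static/../../etc/passwd", 10),    # matches a known pattern, normal rate
    ("10.0.0.7", "/api/items?id=1", 450),            # no known pattern, abnormal rate
    ("10.0.0.8", "/reports/monthly", 300),           # legitimate batch export, abnormal rate
]


@dataclass(frozen=True)
class Alert:
    detector: str
    source: str
    reason: str


# Signature-based detection: a tiny, constructed ruleset of known attack patterns.
# Only traffic matching an existing signature can ever be flagged, so the ruleset
# must be kept up to date and novel attacks are missed.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
}


def signature_detect(events):
    """Flag events whose path matches any known signature."""
    alerts = []
    for source, path, _rate in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append(Alert("signature", source, name))
    return alerts


# Anomaly-based detection: learn what "normal" looks like from a baseline window,
# then flag statistical deviations. It needs no knowledge of specific attacks,
# but anything unusual, malicious or not, gets flagged (hence false alarms).
class RateAnomalyDetector:
    def __init__(self, baseline_rates, z_threshold=3.0):
        self.mean = statistics.mean(baseline_rates)
        self.stdev = statistics.pstdev(baseline_rates) or 1.0  # avoid division by zero
        self.z_threshold = z_threshold

    def detect(self, events):
        alerts = []
        for source, _path, rate in events:
            z = (rate - self.mean) / self.stdev
            if z > self.z_threshold:
                alerts.append(Alert("anomaly", source, f"request rate z-score {z:.1f}"))
        return alerts


def run_comparison(events=EVENTS, baseline=BASELINE_RATES):
    """Return {detector name: sorted list of flagged sources} for both approaches."""
    sig = signature_detect(events)
    ano = RateAnomalyDetector(baseline).detect(events)
    return {
        "signature": sorted({a.source for a in sig}),
        "anomaly": sorted({a.source for a in ano}),
    }


if __name__ == "__main__":
    for alert in signature_detect(EVENTS) + RateAnomalyDetector(BASELINE_RATES).detect(EVENTS):
        print(f"[{alert.detector}] {alert.source}: {alert.reason}")
```

Running it shows the trade-off from the table: the signature detector flags only 10.0.0.9 (the known traversal pattern) and is silent on 10.0.0.7, whose path matches nothing it knows; the anomaly detector flags 10.0.0.7 without any signature, but also raises a false alarm on 10.0.0.8, whose high rate is a legitimate batch job. In practice the two are deployed together so each covers the other's blind spot.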