Host based Intrusion Prevention
Intrusion Detection Systems (IDSs) recognize the presence of malicious code within traffic that flows through the holes punched into the firewall, our first layer of defense.Though, the word “intrusion detection” is a bit of a misnomer.
Richard Kemmerer and Giovanni Vigna of the University Of California, Santa Barbara, elucidate in an article in the IEEE Security and Privacy magazine: “Intrusion detection systems do not detect intrusions at all–they only identify evidence of intrusion, either while in progress or after the fact.” (Edwin E.Mier, David C.
An IDS recognizes security threats by detecting scans, probes and attacks, however does not block these patterns; it only reports that they took place. Yet, IDS logged data is invaluable as proof for forensics and incident handling. IDSs as well detect internal attacks, which are not seen by the firewall, and they help in firewall audits.
IDSs can be divided into 2 main categories, footed on the IDS alarm triggering mechanism: anomaly detection-based IDS and misuse detection-based IDS.
Anomaly detection based IDSs report deviations from “normal” or expected behavior. Behavior other than “normal” is measured an attack and is flagged and recorded. Anomaly detection is as well referred to as profile-based detection. The profile describes a baseline for normal user tasks, and the quality of these user profiles directly has an effect on the detection capability of the IDS. Techniques for constructing user profiles comprise: (Nong Ye, 2003).
Rule-based approach–Normal user behavior is characterized by creating rules, however analyzing normal traffic is a complicated task. A related approach is protocol anomaly detection.
Neural networks–These systems are trained by presenting them with a large amount of data, together with rules regarding data relationships. They then find out if traffic is normal or not; abnormal traffic raises an alarm.
Statistical approach–Activity profiles describe the behavior of system or user traffic. Any deviation from normal triggers an alarm.
The advantage of anomaly detection is that it can identify previously unknown attacks and insider attacks, without the need for “signatures”– that is., predefined attack profiles.
One more benefit of anomaly detection is that it’s impossible for the attacker to know what activity causes an alarm, thus they cannot assume that any particular action will go undetected.
The disadvantage of anomaly detection is that it produces a large number of “false positives”– that is., alerts that are produced by legitimate activity. In addition, besides being complicated as well as hard to understand, building and updating profiles as well need a lot of work.
The other most important approach, misuse-detection based IDS (also called signature-based IDS), triggers an alarm when a match is found to a “fingerprint”-a signature contained in a signature database. These “fingerprints” are footed on a set of rules that match typical patterns of exploits used by attackers. As there is a known database of exploits, there are few false positives.
The disadvantage is that misuse-detection IDSs can merely detect already-known attacks. Besides, the “fingerprints” database needs to be incessantly updated to keep up with new attacks. The majority IDS products in the market at present use misuse detection.