Detection Method of IDS
When it comes to detecting intrusions, both NIDS (Network-based Intrusion Detection System) and HIDS (Host-based Intrusion Detection System) take either a signature-based or an anomaly-based approach. Some IDSs combine both detection methods (signature- and anomaly-based) for broader coverage. A HIDS does this by monitoring the traffic reaching the host's NIC (Network Interface Card), while a NIDS does this by monitoring traffic on the network.
Signature Based Detection
Signature-based IDS, also known as definition-based IDS, detects attacks by matching traffic against specific patterns or already known malicious sequences (signatures) used by malware. These IDSs rely on a database of signatures for known attacks and vulnerabilities. Let's understand this with a SYN flood attack example.
[ In a SYN flood attack, the client sends an overwhelming number of SYN requests and intentionally never responds to the server's SYN-ACK messages. This leaves the server with half-open connections awaiting further communication from the client. ]
So let's say an attacker launches a SYN flood attack on a server by simply entering the IP address of the target system into an attack tool. The tool then floods the target with SYN (synchronize) packets but never completes the TCP (Transmission Control Protocol) three-way handshake, because it never sends the final acknowledgement (ACK) packet. Each half-open connection ties up resources on the target, and as they accumulate the system is drained of resources and ultimately crashes.

Source: ScienceDirect
However, if the attack is detected early, it can be blocked. The good part is that these attacks are common and have specific patterns associated with them. In the above example, an IDS can easily detect the pattern (signature) of a rapid succession of SYN packets from one IP address to another without completed handshakes. You need to update both IDS signatures and antivirus definitions regularly to stay protected against current threats.
The drawback of signature-based detection is that it cannot detect unknown attacks for which no signature exists yet. For those, we need anomaly-based detection.
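To make the SYN flood signature concrete, here is an added example (not code from the original article) that runs a simple rule over a constructed packet capture: it fires when SYN_THRESHOLD or more SYN packets from one source to one destination arrive within WINDOW seconds without that source ever sending the ACK that completes a handshake. The threshold, window and IP addresses are all assumed values.

```python
"""Signature-style SYN flood rule over constructed packet records.
Added example, not from the original article. Each record is
(timestamp_seconds, src_ip, dst_ip, tcp_flags); all values are constructed.
"""
from collections import defaultdict

SYN_THRESHOLD = 5   # assumption: rule fires at 5 un-ACKed SYNs
WINDOW = 2.0        # assumption: counted within a 2-second sliding window

# Constructed capture: 10.0.0.5 completes handshakes normally,
# 10.0.0.9 sends a burst of SYNs and never sends the final ACK.
PACKETS = [
    (0.0, "10.0.0.5", "192.0.2.10", "SYN"),
    (0.1, "10.0.0.5", "192.0.2.10", "ACK"),
    (0.5, "10.0.0.9", "192.0.2.10", "SYN"),
    (0.6, "10.0.0.9", "192.0.2.10", "SYN"),
    (0.7, "10.0.0.9", "192.0.2.10", "SYN"),
    (0.8, "10.0.0.9", "192.0.2.10", "SYN"),
    (0.9, "10.0.0.9", "192.0.2.10", "SYN"),
    (1.0, "10.0.0.9", "192.0.2.10", "SYN"),
    (5.0, "10.0.0.5", "192.0.2.10", "SYN"),
    (5.1, "10.0.0.5", "192.0.2.10", "ACK"),
]

def match_syn_flood_signature(packets, threshold=SYN_THRESHOLD, window=WINDOW):
    """Return (src, dst, syn_count) for each source/destination pair that
    matches the rule; each pair is reported once, at the moment it fires."""
    pending = defaultdict(list)  # (src, dst) -> timestamps of un-ACKed SYNs
    alerted, alerts = set(), []
    for ts, src, dst, flags in sorted(packets):
        key = (src, dst)
        if flags == "ACK":
            pending[key].clear()  # handshake completed: a legitimate client
            continue
        if flags != "SYN":
            continue
        # keep only SYNs still inside the sliding window, then add this one
        pending[key] = [t for t in pending[key] if ts - t <= window] + [ts]
        if len(pending[key]) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((src, dst, len(pending[key])))
    return alerts

if __name__ == "__main__":
    print(match_syn_flood_signature(PACKETS))  # [('10.0.0.9', '192.0.2.10', 5)]
```

Real signatures also look at RST responses and per-destination totals across many sources, which this single-pair rule does not; that is exactly the gap a stale or too-narrow signature leaves.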
Anomaly-Based Detection
Anomaly-based IDSs work quite differently from signature-based ones: they are designed to detect unknown or new malware attacks that are not in the database of known threat signatures. This kind of detection is also known as heuristic or behavior-based detection, because the IDS first learns what normal behavior or operation looks like and then builds a performance baseline under normal conditions.
Once the baseline has been created, the IDS monitors the system or network and compares current behavior against it. When it detects abnormal behavior or activity outside the normal boundaries defined by the baseline, it raises an alert indicating a potential threat.
This detection approach resembles the way heuristic-based antivirus works: both examine activity and make decisions outside the scope of signatures, but their internal methods differ.
Example: Anomaly-based detection can effectively discover zero-day exploits (a zero-day vulnerability is one that is unknown to the vendor). The term is sometimes defined more broadly: the vendor may know about the vulnerability but has not yet written or released a patch for it. In either case the system is unprotected, and attackers can exploit the vulnerability. However, such attacks create abnormal traffic, which allows an anomaly-based system to detect them.
Note: Whenever an administrator makes significant changes to a system or network that alter its normal behavior, the baseline should be re-created. Otherwise the IDS will constantly alert on normal behavior, because the old baseline no longer reflects it.
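The baseline-and-compare loop described above, and the re-baselining caveat in the note, as an added example (not code from the original article): the sensor learns a mean and standard deviation of new connections per minute from a constructed training period, flags later minutes that fall outside an assumed 3-sigma band, and shows how a legitimate traffic change makes every minute look anomalous until the baseline is rebuilt.

```python
"""Anomaly-style detector with a learned baseline.
Added example, not from the original article. Each sample is the number of
new connections a sensor counted in one minute; all samples are constructed.
"""
from statistics import mean, stdev

SIGMA_K = 3.0  # assumption: alert when a sample is more than 3 std devs from the mean

# Constructed "normal" training period: roughly 100 connections/minute.
TRAINING = [98, 103, 101, 97, 105, 99, 102, 100, 96, 104, 101, 99]
# Constructed observation period: normal minutes, then a sudden burst.
OBSERVED = [102, 99, 100, 180, 250, 101]
# Constructed traffic after a legitimate change (e.g. a new service goes live).
NEW_NORMAL = [198, 205, 201, 197, 203, 199]

def build_baseline(samples):
    """Learn the normal profile as (mean, sample standard deviation)."""
    return mean(samples), stdev(samples)

def detect_anomalies(samples, baseline, k=SIGMA_K):
    """Return the indices of samples lying outside mean +/- k * std dev."""
    mu, sigma = baseline
    return [i for i, x in enumerate(samples) if abs(x - mu) > k * sigma]

def rebaseline_demo():
    """Show the note's point: a stale baseline alerts on every normal minute,
    a rebuilt one is quiet again. Returns (stale_alerts, fresh_alerts)."""
    stale = detect_anomalies(NEW_NORMAL, build_baseline(TRAINING))
    fresh = detect_anomalies(NEW_NORMAL, build_baseline(NEW_NORMAL))
    return stale, fresh

if __name__ == "__main__":
    print(detect_anomalies(OBSERVED, build_baseline(TRAINING)))  # [3, 4]
    print(rebaseline_demo())  # ([0, 1, 2, 3, 4, 5], [])
```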
FAQs
- What is a signature, and how is it helpful in detecting intrusions?
  A signature is a set of rules that an IDS or IPS uses to detect typical intrusive activity. It is helpful in identifying specific patterns or sequences related to a particular threat.
- What is an intrusion?
  An intrusion can be defined as a breach of a network. It is unauthorized access by an attacker who does not have legitimate permission to access the network or system.
- What is IPS detection?
  An IPS (Intrusion Prevention System) is an automated network security device used to monitor and respond to potential threats.
- How is an IDS different from an IPS?
  The primary difference between the two is that an IPS can control and protect the system from intrusions, whereas an IDS only monitors and alerts.
- What are the two major types of intrusion detection systems?
  There are two main types of IDS, based on where the security team deploys them: the network-based intrusion detection system (NIDS) and the host-based intrusion detection system (HIDS).
Key Takeaways
In this article, we have discussed the detection methods of Intrusion Detection Systems. There are two main intrusion detection methods, signature-based and anomaly-based, and we looked at a working example of each.
We hope this blog has helped you enhance your knowledge of IDS detection methods. If you would like to learn more, check out our articles Cyber Security Principle, What is Cryptography, and Cyber attacks and their Types. Do upvote our blog to help other ninjas grow.
Happy Learning!