Sunday, April 6, 2008

IDS Techniques

This posting summarizes the interesting techniques used in IDS systems, covering both software IDS and hardware IDS (appliances).


Signature Detection
In this technique, known representations of intrusions (signatures) are stored in the IDS and compared against system activity. When activity matches a signature, an alert is raised. Signatures must be written to match exactly the characteristics (protocol or traffic contents) of a specific intrusion and no other activity, in order to avoid false positives. This technique is most accurate for detecting known attacks, e.g. a DoS attack.

Signature engines also have their disadvantages. Because they only detect known attacks, a signature must be created for every attack, and novel attacks cannot be detected. Signature engines are also prone to false positives, since they are commonly based on regular expressions and string matching. Both of these mechanisms merely look for strings within packets transmitted over the wire.
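The following is an added example (not code from the original post, and not a real IDS ruleset) of the signature-matching loop described above. The signatures, packets and addresses are all constructed for illustration. It shows the three behaviours the text mentions: a true positive, a false positive caused by the same byte string appearing in harmless content, and a miss when the attack string arrives on a port the signature was not written for.

```python
import re
from dataclasses import dataclass

# Constructed signatures for illustration; they are not taken from any real
# IDS ruleset. Each pairs a protocol/port constraint with a content pattern,
# which is how signature engines narrow a regex to a specific intrusion.
@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    proto: str
    dst_port: int
    pattern: re.Pattern

SIGNATURES = [
    Signature(1, "HTTP directory traversal attempt", "tcp", 80,
              re.compile(rb"\.\./\.\./")),
    Signature(2, "SMTP VRFY user probe", "tcp", 25,
              re.compile(rb"(?i)^VRFY\s")),
]

@dataclass(frozen=True)
class Packet:
    src: str
    proto: str
    dst_port: int
    payload: bytes

def match_signatures(pkt, signatures=SIGNATURES):
    """Return the ids of every signature whose protocol, destination port and
    content pattern all match this packet."""
    return [sig.sid for sig in signatures
            if sig.proto == pkt.proto
            and sig.dst_port == pkt.dst_port
            and sig.pattern.search(pkt.payload)]

def scan_traffic(packets, signatures=SIGNATURES):
    """Return (source, matched signature ids) for each packet that alerts."""
    alerts = []
    for pkt in packets:
        hits = match_signatures(pkt, signatures)
        if hits:
            alerts.append((pkt.src, hits))
    return alerts

# Constructed sample traffic (not a real capture).
SAMPLE_TRAFFIC = [
    # true positive: a traversal sequence in an HTTP request path
    Packet("10.0.0.5", "tcp", 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"),
    # false positive: the same byte string inside a harmless forum post body;
    # the engine only looks for the string, not what it means
    Packet("10.0.0.7", "tcp", 80,
           b"POST /forum HTTP/1.1\r\n\r\nbody=use+../../+to+go+up+two+dirs"),
    # true positive on the mail signature
    Packet("10.0.0.9", "tcp", 25, b"VRFY root\r\n"),
    # missed: the same traversal string sent to a port the signature does not
    # cover, the "variant not yet covered by a signature" problem
    Packet("10.0.0.9", "tcp", 8080, b"GET /../../x HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for src, sids in scan_traffic(SAMPLE_TRAFFIC):
        names = [s.name for s in SIGNATURES if s.sid in sids]
        print(f"ALERT from {src}: {names}")
```

Running the block alerts on the first three packets and stays silent on the fourth. The second alert is the false positive the post warns about: the only way to avoid it is to make the signature more specific (for example, matching only in the request line rather than anywhere in the payload), which is exactly the per-signature tuning effort the post describes.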


Anomaly Detection
An anomaly-based IDS is a system for detecting computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous. The classification is based on heuristics or rules rather than patterns or signatures, and it will detect any type of misuse that falls outside normal system operation. This is in contrast to signature-based systems, which can only detect attacks for which a signature has previously been created.

Anomaly detection detects misuse by measuring the norm over time and then generating an alert when a pattern deviates from that norm. In this technique a set of data is gathered from the system activity of the users and this data set is baselined. If the flow of traffic deviates from the baselined pattern, an alarm is raised.

A disadvantage of anomaly-detection engines is the difficulty of defining rules. Each protocol being analyzed must be defined, implemented and tested for accuracy. The rule development process is also compounded by differences in vendor implementations of the various protocols. Custom protocols traversing the network cannot be analyzed without great effort. Moreover, detailed knowledge of normal network behavior must be constructed and transferred into the engine memory for detection to occur correctly. On the other hand, once a protocol has been built and a behavior defined, the engine can scale more quickly and easily than the signature-based model, because a new signature does not have to be created for every attack and potential variant.
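As an added example (not code from the original post), here is the baselining step described above carried through in code: a training window of per-minute measurements is summarised as a mean and standard deviation per metric, and live samples that exceed the mean by more than three standard deviations raise an alarm. The numbers are constructed, not measured on any real network. The live window deliberately contains the case the post's conclusion uses, a host that suddenly starts opening connections to many destinations at an abnormal rate, which is caught without any signature for the specific worm.

```python
import statistics

# Constructed training data (not measured on any real network): per-minute
# counts of new outbound TCP connections and of distinct destination hosts
# for one workstation, recorded while it was known to be behaving normally.
TRAINING = {
    "conn_per_min":         [12, 15, 9, 14, 11, 13, 10, 16, 12, 14, 11, 13],
    "distinct_dst_per_min": [3, 4, 2, 4, 3, 3, 2, 5, 3, 4, 3, 4],
}

def build_baseline(training):
    """Summarise each metric's normal range as mean and population std dev."""
    return {name: {"mean": statistics.fmean(samples),
                   "stdev": statistics.pstdev(samples)}
            for name, samples in training.items()}

def is_anomalous(metric_baseline, value, k=3.0):
    """True if value lies more than k standard deviations above the mean.
    Only the upper tail is checked, since the condition of interest is a burst."""
    return value > metric_baseline["mean"] + k * metric_baseline["stdev"]

def monitor(baseline, live, k=3.0):
    """For each metric, return the (minute, value) pairs that breach the baseline."""
    return {name: [(i, v) for i, v in enumerate(samples)
                   if is_anomalous(baseline[name], v, k)]
            for name, samples in live.items()}

# Constructed live window: the host is quiet for four minutes, then (minute 4)
# starts the kind of fast scanning a newly infected worm host produces.
LIVE = {
    "conn_per_min":         [13, 11, 14, 12, 240, 310, 15],
    "distinct_dst_per_min": [3, 4, 3, 3, 180, 200, 4],
}

if __name__ == "__main__":
    baseline = build_baseline(TRAINING)
    for name, hits in monitor(baseline, LIVE).items():
        thr = baseline[name]["mean"] + 3 * baseline[name]["stdev"]
        print(f"{name}: threshold {thr:.1f}, anomalies {hits}")
```

Two practical caveats follow directly from the post's discussion of rule definition. First, the training window must be known-clean: if a scan was already running while the baseline was collected, that scan becomes part of "normal" and will not alert. Second, a fixed k of 3 is a choice, not a law; on a network with bursty but legitimate traffic (backup jobs, software updates) the threshold needs to be tuned per host or per time of day, which is the "detailed knowledge of normal behavior" the post says must be built into the engine.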


Target Monitoring
Target monitoring works by generating a cryptographic hash for every file on the system and periodically recomputing the hash and comparing it to the stored value to ensure that no change has occurred. This type of system is the easiest to implement, because it does not require constant monitoring by the administrator. Integrity checksum hashes can be computed at whatever intervals we wish, on either all files or just the critical files.


Stealth Probes
The stealth probe technique attempts to detect attackers who choose to carry out their mission over prolonged periods of time. Attackers, for example, will check for system vulnerabilities and open ports over a two-month period, and wait another two months to actually launch the attacks. This technique collects a wide variety of data throughout the system, checking for any methodical attacks over a long period of time. It takes a wide-area sampling and attempts to discover any correlated attacks.
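To show why the long observation window matters, here is an added example (not from the original post) with a constructed two-month connection log. One source is an ordinary client; another touches only two new ports a day, which no per-hour or per-day rate threshold would notice. Counting distinct ports per source over the full 60-day window surfaces it while a one-day window does not. The addresses, dates and thresholds are all made up for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Reference time for the demo (constructed): the day after the 60-day window.
NOW = datetime(2008, 4, 1)

def generate_events():
    """Constructed connection-attempt log as (timestamp, source, dst_port).
    One ordinary client hits the same two service ports many times a day;
    one slow prober touches two previously unseen ports per day for 60 days,
    low enough to hide under any short-window rate threshold."""
    start = datetime(2008, 2, 1)
    events = []
    for day in range(60):
        t = start + timedelta(days=day)
        for _ in range(20):
            events.append((t, "10.0.0.20", 80))
            events.append((t, "10.0.0.20", 25))
        events.append((t + timedelta(hours=3),  "192.0.2.77", 1 + 2 * day))
        events.append((t + timedelta(hours=17), "192.0.2.77", 2 + 2 * day))
    return events

def distinct_ports_by_source(events, now=NOW, window_days=60):
    """Count distinct destination ports per source within the look-back window."""
    cutoff = now - timedelta(days=window_days)
    ports = defaultdict(set)
    for ts, src, port in events:
        if ts >= cutoff:
            ports[src].add(port)
    return {src: len(p) for src, p in ports.items()}

def flag_slow_scanners(events, now=NOW, window_days=60, threshold=20):
    """Sources that probed at least `threshold` distinct ports in the window."""
    counts = distinct_ports_by_source(events, now, window_days)
    return sorted(src for src, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    ev = generate_events()
    print("1-day window :", flag_slow_scanners(ev, window_days=1))   # []
    print("60-day window:", flag_slow_scanners(ev, window_days=60))  # ['192.0.2.77']
```

The cost of this approach is the one the post hints at with "wide-variety of data": the sensor has to retain months of per-source state rather than a few seconds of packets, and correlation across sensors needs a shared clock and a common source identity, which is why this is usually done in a central collector rather than on each probe.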


Conclusion
Anomaly detection has an advantage over signature-based engines in that a new attack for which no signature exists can still be detected if it falls outside the normal traffic patterns. The best example of this is how such systems detect new automated worms. When a system is newly infected with a worm, it usually starts scanning for other vulnerable systems at an accelerated or abnormal rate, flooding the network with malicious traffic and thus triggering a TCP connection or bandwidth abnormality rule.
