Primarily an intrusion detection system is designed as it’s name implies, detect network intrusions. They are utilized to watch for confidentiality, integrity, and availability violations. Automation of real time system events, inspection and audit logs are of primary concern to the administrator.
Some intrusions systems also have the ability to rate the overall network performance.
The two primary types of IDSs are;
- Host-Based IDS
- Network-Based IDS
The
host-based IDS concerns itself with suspicious activity on a single host, where as the network-based IDS watches over the entire network medium.
The host-based IDS has the ability to identify anomalies that the network-based cannot see on that individual system.
The
network-based IDS evaluates network packets as they traverse the network, and is typically installed on a single system within the network. Doing this, enables hardening the system, allows the system to operate transparently on the network, and reduces the number of overall vulnerabilities to the system.
Another significant advantage of the network-based IDS is that it has no impact on network performance where as the host-based IDS may consume considerable system resources.
The two methods in which an IDS can detect a malicious event are;
- The knowledge-based IDS may also be referred to as a signature-based or pattern-matching detection system. A database of signatures is used to identify anomalies by matching them to known events in the database, which is similar to how antivirus software works.
The drawback here, is that the type of attack must be known to be recognized, thus keeping the signature database up to date is imperative.
- The behavior-based IDS is often times referred to as;
- Statistical intrusion detection
- Anomaly detection system
- Heuristics-based detection system
The behavior-based IDS learns about your system as time passes, and identifies normal activities and events, and compares them to abnormal activities.
The behavior-based IDS has the drawback of creating false alarms because the learning process takes a considerable amount of time.
Copyright ©2002-2006 Testbusters.net. All Rights Reserved.
Testbusters.net is not sponsored, endorsed or affiliated by any associated vendor.
Associated venders include, but are not limited to, Microsoft®, Cisco®, CompTIA®, Novell® etc.
