ID: 3571552 • Letter: T
Question
There are three types of IDS: Signature Based, Rule Based, and Anomaly Based. Consider three types of Internal or External Threats:
a) A Hacker attempts to install a remote administration tool on a corporate network
b) A Criminal attempts to exploit vulnerable ports on a corporate network.
c) An employee is accessing the network during off hours and downloading large files from a shared access area.
Explain which of the three types of IDS would be best suited to address each of these threats and why.
Explanation / Answer
What is an IDS?
Intrusion Detection System is any hardware, software, or a combination of both that monitors a system or network of systems against any malicious activity. This is mainly used for detecting break-ins or misuse of the network. In short, we can say that IDS is the ‘burglar alarm’ for the network because much like a burglar alarm, IDS detects the presence of an attack in the network and raises an alert. An IDS provides three functions: monitoring, detecting and generating an alert.
An Intrusion Detection System uses a security policy (or rules) to detect unusual activity. These rules are defined by the administrator based on the needs of the organization. Any activity that violates this security policy will be considered a security threat and will be reported to the administrator via email, as a page, or as SNMP traps. These policies must be updated regularly to keep up with the threats and needs.
Of the security incidents that occur on a network, the vast majority (up to 85 percent by many estimates) come from inside the network. These attacks may consist of otherwise authorized users who are disgruntled employees. The remainder come from the outside, in the form of denial of service attacks or attempts to penetrate a network infrastructure. Intrusion detection systems remain the only proactive means of detecting and responding to threats that stem from both inside and outside a corporate network. These are the internal attack types
Types of IDS
Signature-Based IDS
A Signature-Based IDS uses a rule set to identify intrusions by watching for patterns of events specific to known and documented attacks. It is typically connected to a large database which houses attack signatures. It compares the information it gathers against those attack signatures to detect a match.
These types of systems are normally presumed to be able to detect only attacks “known” to their database. Thus, if the database is not updated with regularity, new attacks could slip through. It can, however, detect new attacks that share characteristics with old attacks, e.g., accessing 'cmd.exe' via an HTTP GET request. But, in cases of new, uncataloged attacks, this technique is pretty porous.
Also, signature-based IDSs may affect performance in cases when intrusion patterns match several attack signatures. In cases such as these, there is a noticeable performance lag. Signature definitions stored in the database need to be specific so that variations on known attacks are not missed. This sometimes leads to the build-up of huge databases which eat up a chunk of space.
Rule-Based IDS
It uses IF/THEN programming, but is ineffective at detecting new zero-day attacks.
Rule-based IDSs are best complemented by being combined with other types of IDS.
Anomaly Based IDS
Anomaly-Based IDS examines ongoing traffic, activity, transactions and behavior in order to identify intrusions by detecting anomalies.
It works on the notion that “attack behavior” differs enough from “normal user behavior” such that it can be detected by cataloging and identifying the differences involved.
In most anomaly-based IDSs the system administrator defines the baseline of normal behavior. This includes the state of the network's traffic load, breakdown, protocol, and typical packet size.
Anomaly detectors monitor network segments to compare their state to the normal baseline and look for current behavior which deviates statistically from the normal. This capability theoretically gives anomaly-based IDSs the ability to detect new attacks that are not yet known and for which no signatures have been created.
On the other hand, anomaly-based IDS systems have been known to be prone to a lot of false positives. In these cases, the attacks are reported based on changes to the current system on which the IDS is installed. This is because there is a change in the normal state of the system which is not perceived by the IDS.
Sometimes, anomaly-based IDS systems can cause heavy processing overhead on the computer system they are installed on. It takes a short period of time for anomaly-based systems to create statistically significant baselines. During this period, they are relatively open to attack.
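As an added illustration (not part of the original answer), the Python sketch below applies each of the three detection styles to constructed sample events that mirror threats a), b) and c): a known tool-install pattern for the signature engine, a "too many distinct ports from one source" IF/THEN rule, and a statistical baseline of transfer sizes and working hours for the anomaly engine. The events, the signature string, the hosts and the thresholds are all made up for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events (not real logs): hour of day, source host,
# destination port, bytes transferred and a short payload excerpt.
EVENTS = [
    {"hour": 10, "src": "10.0.0.5", "dport": 445, "bytes": 2_000, "payload": b"GET /docs/q1.pdf"},
    {"hour": 11, "src": "10.0.0.5", "dport": 445, "bytes": 3_000, "payload": b"GET /docs/q2.pdf"},
    {"hour": 14, "src": "10.0.0.9", "dport": 80, "bytes": 1_500, "payload": b"POST /setup rat_install_v2"},
    {"hour": 3, "src": "10.0.0.7", "dport": 445, "bytes": 900_000_000, "payload": b"GET /share/hr_db.zip"},
]
# One external source touching 20 ports in a row (constructed port sweep, threat b).
EVENTS += [{"hour": 15, "src": "203.0.113.4", "dport": p, "bytes": 60, "payload": b"SYN"}
           for p in range(20, 40)]
# Constructed "normal" history used to learn the anomaly baseline: business hours
# (9-17) and transfers of a few kilobytes.
BASELINE = [{"hour": 9 + i % 9, "bytes": 1_000 + 250 * (i % 8)} for i in range(40)]

# (a) Signature-based: compare each payload with catalogued attack patterns.
SIGNATURES = {"remote-admin-tool": b"rat_install"}  # hypothetical signature

def signature_alerts(events):
    return [(e["src"], name) for e in events
            for name, sig in SIGNATURES.items() if sig in e["payload"]]

# (b) Rule-based: IF a source contacts more than max_ports distinct ports THEN alert.
def rule_alerts(events, max_ports=10):
    ports = defaultdict(set)
    for e in events:
        ports[e["src"]].add(e["dport"])
    return sorted(src for src, seen in ports.items() if len(seen) > max_ports)

# (c) Anomaly-based: learn mean/stdev of transfer size and the usual hours, then
# flag transfers beyond mean + z*stdev or outside the hours ever seen as normal.
def build_baseline(history):
    sizes = [h["bytes"] for h in history]
    return {"mean": mean(sizes), "stdev": pstdev(sizes), "hours": {h["hour"] for h in history}}

def anomaly_alerts(events, baseline, z=3.0):
    cutoff = baseline["mean"] + z * baseline["stdev"]
    return [e["src"] for e in events
            if e["bytes"] > cutoff or e["hour"] not in baseline["hours"]]

if __name__ == "__main__":
    print("signature:", signature_alerts(EVENTS))   # threat a
    print("rule:     ", rule_alerts(EVENTS))        # threat b
    print("anomaly:  ", anomaly_alerts(EVENTS, build_baseline(BASELINE)))  # threat c
```

Each engine raises exactly one alert, for the threat it suits, and stays silent on the other two, which is why the answer recommends combining the approaches rather than relying on one.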