Please enable JavaScript.

Coggle requires JavaScript to display documents.

Detection Methodologies (IDS (Anamoly Based Detection (limitation…

- - - - Examples
        
        Telnet attempt with root user
        
        Email with subject free pictures but having exe as attachment
      - simplest detection method
    - - Very effective to detect known threats
    - - Largely ineffective to unknown threats
      - simple modification in previously known malware like change in filename might make it undectable
      - have little understanding of many network or application protocols and cannot track and understand the state of complex communications
  - - - profiles can be developed for many behavioral attributes like number of web pages visited by a user, number of failed login attempts for a host, level of processor usage for a host in a given period of time
    - - helpful to detect unknown threats
        
        e.g.suppose a computer gets infected with new type of malware. the malware could consume the computer processing resources, send large number of emails, initiate large number of network connections or perform behavior that would be different from established profile of the computer.
    - - profile can be static or dynamic
        
        once generated, static profile is not changed unless IDPS is specifically directed to generate a new profile
        
        Dynamic profile is adjusted constantly as additional events are observed.
        
        dynamic profile changes as normal behavior changes but are susceptible to evasion attempts from attackes. e.g. attacker can perform small amount of malicious activity occasionally and slowly increase the quantity and frequency of activity. if this process is quite slow then the IDPS might think malicious activity is normal behavior and include it in the profile
    - - Including malicious activity as a part of a profile. e.g. slow malicious evasion
      - can be very challenging to make them accurate
      - can produce many false positives or false negatives
      - often difficult for analysts to determine why the particular alert was generated and validate the alert that it is accurate and not the false positive
  - - - process of compare predefined profiles of generally accepted definitions of benign protocol activity for each protocol state against observed events to identify deviations.
      - unlike Anamoly based detection, which relies on host or network specific profiles , stateful protofol analysis vendor developed universal profiles that specifies how particular protocol should and should not be used.
      - stateful IDPS is able to track and understand the state of the network, transport and applicaiton protocols that have notion of state.
        
        e.g. when FTP is started, the initial state is unauthenticated and after providing correct credentials, it will be in authenticated state and can send much more commands than the unauthenticated state. if the user perfoms the commands for authenticated state without authenticating, that might be reported as malicious.
      - can identify unexpected sequences of commands. e.g. issuing same command repeatedly, issuing a command whithout first issuing a command which is to be run before that particular command.
      - if a protocol needs authentication, IDPS can keep track of authenticator used for each session and record the authenticator used for suspicious activity. This is helpful whien investigating an incident.
      - it can also keep track of reasonableness of each command e.g. length of parameters. if the username has 1000 characters, then it is already a suspicious activity
      - Uses protocol models which are typically based primarily on protocol standards from software vendors to standard bodies.
      - Problems
        
        many standards have no complete description of protocol, which causes vairation of implementation
        
        many vendors violate standards or add proprietary features, some of which may replace features from standard
        
        for proprietary protocols, complete details about protocol is often not available which makes it difficult for IDPS to perform comprehensive and accurate analysis.
        
        as protocols are revised, vendors alter their protocol implementations which then should be updated in IDPS to reflect those changes.
      - Drawbacks
        
        Resource Intensive because of complexitity of analysis and overhead involved in performing state tracking for many simultaneous sessions.
        
        Cannot detect attacks that do not violate the characteristics of generally accepted protocol behavior such as performing benign actions in short period of time to cause denial of service
        
        protocol models used by IDPS might conflict with the way protocol is implemented in particular versions of specific applications and Operating systems, or how different client or server implementations of the protocol interact.