Please enable JavaScript.

Coggle requires JavaScript to display documents.

IDS (IDS limitations (What to do next? (When the attack has been detected…

- - - - Anomaly detection
      - Complex: Requires defining what good behaviour is
    - - Reputation-based detection
      - Signature-based detection
      - Simpler:Only check the current Blacklist/signature database
- - - - Alarm motion sensor -> IDS network traffic and/or activity analysis
      - Alarm horn -> IDS alerts the security administrator and may even perform automatic response (IPS)
- - - - Eavesdrop all traffic of the local host
        
        NIC in non-promiscuous mode: I only care about my own traffic
        
        May also consider logs, system calls and other host activities
        
        IDS fine-tuned for local service only
    - - eavesdrops communications of a network
        
        NIC in promiscuous mode:Not only traffic to my MAC Address
        
        Connected to mirror/span ports of local switch or tapping the link
        
        Be aware of full-duplex rate
        
        Two sensor ports are usually employed
        
        Tap is preferred for high loaded links
        
        Placed at strategic locations
        
        Choke points (FW)
        
        DMZ
        
        Internal subnets
        
        In-line placement also possible
        
        Enables intrusion prevention
        
        But beware of DoS or Compromise
    - - Multiple probes send events to a centralised manager
        
        Probes: NIDs and HIDs
        
        Manager: Correlates disperse events
        
        Use a dedicated network or VLAN for Probes-Manager traffic
      - A subnet of Security Information and Event Management (SIEM)
  - - - Detection of hosts communicating with external hosts with "bad reputation"
        
        Simple IOC == IP address
        
        Based on (public or private) blacklists
        
        Malware serving domains
        
        Spam relays
        
        Phishing sites
        
        Botnet trackers
        
        Tor exit nodes list
    - - Check each packet/flow against the attack signature database
        
        Public and/or commercial signature databases
        
        Sensor performance matters: Number and complexity of rules is critical
      - IDS rules are not standardized
    - - Based on heuristics and behavior changes instead of on known attack signatures
        
        Looks for anomalous traffic
        
        Protocol anomaly: Overlapping IP or TCP fragments.
        
        Misuse of service ports: Non-HTTP traffic on port 80
        
        DoS attacks: More UDP/ICMP than TCP traffic
        
        Buffer overflow: Binary user passwords or shell code
        
        Application anomaly: PC sending more data than receiving
        
        Learning what is a "normal" behavior involves AI and statistical techniques and requires continuous adaptation: New Apps, traffic patterns change
        
        Able to detect previously unknown attacks: Prone to generate false positives
- - - - Legally unclear
      - False positives make you the attacker
      - Defense mechanisms can be used against you