Intrusion detection systems (IDS)
IDS
Attributes
may prevent problem behaviours by increasing the perceived risk
can detect and deal with preambles to attack
provides useful info about intrusions that take place
acts as a quality control for sec design
can detect attacks and other sec violations
IDSs are bad at
investigating attacks without human intervention
dealing effectively with switched networks
detecting new attacks or variants of existing attacks
IDSs are good at
providing a default info sec policy
testing sec states of system configurations
monitoring and analysis of system events and user behaviours
types of IDS
Host based
Network based
All IDSs use one of three detection methods
signature based
examines data traffic in search of patterns that match known signatures
Problem is that as new attack strategies are identified, the database of signatures needs to be updated regularly
statistical anomaly-based
compares observed traffic against a baseline of traffic that is known to be normal
stateful packet inspection
process of comparing predetermined profiles of benign activity for each protocol state against observed events to identify deviations
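Added example (not part of the original map): a toy signature-based detector beside a statistical anomaly-based one, run over constructed HTTP request records. The signature names, the baseline byte counts and the events are all constructed; it shows a known signature firing, a variant slipping past the signature database, and the known-normal baseline catching that variant once its behaviour deviates.

```python
import re
import statistics

# Constructed signature database: in a real IDS this is what must be updated
# as new attack strategies are identified.
SIGNATURES = {
    "beacon-v1": re.compile(r"User-Agent: ExampleBeacon/1\.0"),
    "sqli-union": re.compile(r"\bunion\s+select\b", re.IGNORECASE),
}

# Constructed baseline: outbound bytes from sessions known to be normal.
NORMAL_BYTES_OUT = [1000, 1200, 1100, 1300, 1000, 1200, 1100, 1300]


def signature_matches(request):
    """Names of every known signature found in the raw request text."""
    return [name for name, pat in SIGNATURES.items() if pat.search(request)]


def anomaly_score(bytes_out, baseline=NORMAL_BYTES_OUT):
    """Z-score of one observation against the known-normal baseline."""
    mean = statistics.mean(baseline)
    spread = statistics.pstdev(baseline) or 1.0  # flat baseline guard
    return (bytes_out - mean) / spread


def classify(request, bytes_out, threshold=3.0):
    """Signature check first; if nothing matches, fall back to the statistical check."""
    hits = signature_matches(request)
    if hits:
        return "alert:signature:" + ",".join(hits)
    if anomaly_score(bytes_out) > threshold:
        return "alert:anomaly"
    return "normal"


# Constructed events: (raw request line, outbound bytes in that session)
EVENTS = [
    ("GET /index.html HTTP/1.1 User-Agent: Mozilla/5.0", 1100),
    ("GET /c2 HTTP/1.1 User-Agent: ExampleBeacon/1.0", 1200),        # in the db
    ("GET /c2 HTTP/1.1 User-Agent: ExampleBeacon/2.0", 1200),        # variant, missed
    ("POST /upload HTTP/1.1 User-Agent: ExampleBeacon/2.0", 60000),  # variant, anomalous
]


def run(events=EVENTS):
    """Verdict per event, in order."""
    return [classify(req, out) for req, out in events]
```

The third event is the page's "variants of existing attacks" weakness in miniature: the signature database has no entry for version 2.0, so only the fourth event, whose outbound volume departs from the baseline, produces an alert.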
Network-based IDS (NIDS)
advantages
Not usually susceptible to direct attack and may not be detectable by attackers
good design and placement of NIDS can enable a firm to use a few devices to monitor large networks
disadvantages
can be overwhelmed by network volume and fail to recognize attacks
cannot analyse encrypted packets
can't reliably ascertain whether an attack was successful or not
NIDS
examines packets and looks for attack patterns
resides on a computer or appliance connected to a segment of an organisation's network and looks for signs of attack
Host-based IDS (HIDSs)
Disadvantages
vulnerable both to direct attacks and attacks against host operating systems.
can use a large amount of disk space
can inflict a performance overhead on its host systems
is only on a particular computer or server and monitors activity only on that system
Advantages
can detect local events on host systems and detect attacks that may elude a network-based IDS
functions on host system, where encrypted traffic will have been decrypted and is available for processing