Friday, February 28, 2020

Common detection methodologies

Signature-Based Detection: A signature is a pattern that corresponds to a known threat, for example, a telnet login attempt as the root user. This method is very effective at detecting known threats but is of little use against unknown threats, and it is not effective against threats that use evasion techniques. It is the simplest method because it only compares current activity against a list of signatures using string comparison operations.
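As an added illustration (not code from the original post), the following Python matches a small list of constructed signatures against constructed log lines. The signatures, the log lines and the `match_signatures` name are all assumptions made for this example. Note the third line: a trivially altered username already slips past the string-based pattern, which is the evasion weakness described above.

```python
import re

# Constructed signatures: a name plus the pattern that represents the known threat.
# Each is essentially a string comparison, as the post describes; a regex is used only
# so that the fixed string can be anchored on word boundaries.
SIGNATURES = [
    ("telnet-root-login", re.compile(r"telnet.*\buser=root\b")),
    ("wget-to-tmp", re.compile(r"\bwget\b.*\s/tmp/")),
]

# Constructed sample log lines (not real captures).
SAMPLE_LOG = [
    "2020-02-28T10:01:02 telnetd: login attempt user=root from 10.0.0.5",
    "2020-02-28T10:01:10 sshd: accepted publickey for alice from 10.0.0.7",
    "2020-02-28T10:02:31 telnetd: login attempt user=r00t from 10.0.0.5",  # evades the signature
    "2020-02-28T10:03:00 bash: wget http://example.invalid/a -O /tmp/a",
]


def match_signatures(lines, signatures=SIGNATURES):
    """Return (line_index, signature_name) for every line that matches a signature.

    Lines that match nothing are silently passed, which is exactly why an unknown
    threat, or a known one with a cosmetic change, produces no alert here.
    """
    hits = []
    for i, line in enumerate(lines):
        for name, pattern in signatures:
            if pattern.search(line):
                hits.append((i, name))
    return hits


if __name__ == "__main__":
    for idx, name in match_signatures(SAMPLE_LOG):
        print(f"ALERT {name}: {SAMPLE_LOG[idx]}")
```

Only lines 0 and 3 are reported; the `user=r00t` attempt on line 2 is not, because no signature describes it.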

Anomaly-Based Detection: consists of comparing definitions of what activity is considered normal against the observed events, with the purpose of identifying significant deviations. A system that uses this method has defined profiles that represent normal behavior for different entities such as users, network connections or applications. Profiles are created by monitoring the characteristics of normal activity over a certain period of time. For example, the profile of a network may show that the bandwidth used by email traffic during business hours is 13%. The IDPS uses statistical methods to compare the characteristics of the current activity with threshold values associated with the profile and alerts the administrator when significant deviations are detected.

The greatest benefit of this method is that it can be very effective at detecting unknown threats. One of the most common problems with this method is that the system's training period, that is, the observation period used to generate the profile, may include malicious activity, which is then incorporated into the profile as normal activity. This method also produces a high number of false positives, the product of legitimate activity that departs significantly from the profiles.
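As an added example (not from the original post), the Python below builds a statistical profile from constructed training measurements of the email share of bandwidth, centred on the 13% figure used above, and flags observations that fall more than a chosen number of standard deviations from the profile mean. The sample values, the 3-sigma threshold and the function names are assumptions. A second training set that was polluted with three hours of attacker traffic shows how a contaminated observation period raises the baseline until the same attack is no longer a deviation.

```python
from statistics import mean, pstdev

# Constructed hourly measurements (percent of bandwidth used by email during business
# hours). The clean set clusters around 13%, the profile value quoted in the post.
CLEAN_TRAINING = [12.1, 13.4, 12.8, 13.9, 12.5, 13.2, 13.7, 12.9, 13.0, 13.5]

# Same hours plus three hours during which a compromised host was mass-mailing.
# Nobody noticed during training, so the profile absorbs them as "normal".
POLLUTED_TRAINING = CLEAN_TRAINING + [38.0, 41.0, 39.5]


def build_profile(samples):
    """Profile = mean and (population) standard deviation of the training window."""
    return {"mean": mean(samples), "stdev": pstdev(samples)}


def deviation(profile, value):
    """Distance of one observation from the profile mean, in standard deviations."""
    if profile["stdev"] == 0:
        return 0.0 if value == profile["mean"] else float("inf")
    return abs(value - profile["mean"]) / profile["stdev"]


def is_anomalous(profile, value, threshold=3.0):
    """Alert when the observation exceeds the configured threshold (assumed 3 sigma)."""
    return deviation(profile, value) > threshold


def count_alerts(profile, observations, threshold=3.0):
    """Number of observations in a window that would raise an alert."""
    return sum(1 for v in observations if is_anomalous(profile, v, threshold))


if __name__ == "__main__":
    clean = build_profile(CLEAN_TRAINING)
    polluted = build_profile(POLLUTED_TRAINING)
    for label, prof in (("clean", clean), ("polluted", polluted)):
        print(f"{label}: mean={prof['mean']:.2f} stdev={prof['stdev']:.2f}")
        # 40% is a mass-mailing outbreak; 16% is a legitimate company-wide newsletter.
        for obs in (14.0, 16.0, 40.0):
            print(f"  {obs:>5}% -> {'ALERT' if is_anomalous(prof, obs) else 'ok'}")
```

With the clean profile (mean about 13.1, standard deviation about 0.53), 40% is flagged, but so is the legitimate 16% newsletter hour, which is the false-positive cost of the method. With the polluted profile the mean rises to roughly 19% and the standard deviation to about 11, so the 40% outbreak is no longer reported at all.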


Stateful Protocol Analysis: the process by which profiles of generally accepted definitions of legitimate activity for each protocol are compared against the observed events to identify deviations. Unlike anomaly-based detection, this method uses universal profiles, defined by third parties, that specify how each protocol should and should not be used. One of the main disadvantages of this method is that, given the complexity of the analysis, it makes intensive use of resources. Another major disadvantage is its inability to detect attacks that do not violate the characteristics of generally acceptable behavior for a protocol.
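As an added example (not code from the original post), the Python below tracks the state of a deliberately simplified SMTP session and reports commands that the protocol definition does not allow in the current state, as well as arguments longer than a constructed limit. The transition table, the 256-byte limit, the function name and the sample sessions are all assumptions for this illustration. A session that follows the protocol correctly produces no alerts whatever its content, which is the blind spot noted above.

```python
# Constructed, simplified SMTP grammar: for each session state, the commands that the
# protocol allows next and the state each one leads to. Real SMTP is richer; this is
# only the part needed to show the technique.
TRANSITIONS = {
    "INIT":    {"HELO": "GREETED", "EHLO": "GREETED"},
    "GREETED": {"MAIL": "MAIL", "RSET": "GREETED"},
    "MAIL":    {"RCPT": "RCPT", "RSET": "GREETED"},
    "RCPT":    {"RCPT": "RCPT", "DATA": "DATA", "RSET": "GREETED"},
    "DATA":    {},  # message body; ends with a line containing only "."
}
MAX_ARG_LEN = 256  # constructed limit on the length of a command argument


def analyze_session(lines):
    """Return (line_number, reason) for every protocol deviation in a client's lines.

    The analyzer keeps the session state so that a command is judged not only on its
    syntax but on whether the protocol permits it at this point in the exchange.
    """
    state = "INIT"
    alerts = []
    for n, raw in enumerate(lines, start=1):
        if state == "DATA":
            # Inside the body every line is data, so nothing is checked until the
            # terminating "." returns the session to the greeted state.
            if raw == ".":
                state = "GREETED"
            continue
        parts = raw.split(" ", 1)
        cmd = parts[0].upper()
        arg = parts[1] if len(parts) > 1 else ""
        if cmd == "QUIT":
            break  # constructed: QUIT is accepted in any command state and ends the session
        if cmd not in TRANSITIONS[state]:
            alerts.append((n, f"command {cmd} not allowed in state {state}"))
            continue  # state is unchanged; the server would have rejected the command
        if len(arg) > MAX_ARG_LEN:
            alerts.append((n, f"argument of {cmd} exceeds {MAX_ARG_LEN} bytes"))
        state = TRANSITIONS[state][cmd]
    return alerts


# Constructed sessions (client side only).
NORMAL_SESSION = [
    "EHLO mail.example.invalid",
    "MAIL FROM:<alice@example.invalid>",
    "RCPT TO:<bob@example.invalid>",
    "DATA",
    "Subject: hello",
    "",
    "body text",
    ".",
    "QUIT",
]
OUT_OF_ORDER_SESSION = ["MAIL FROM:<x@example.invalid>", "DATA", "QUIT"]
OVERSIZED_SESSION = ["HELO " + "A" * 300, "QUIT"]

if __name__ == "__main__":
    for name, session in (("normal", NORMAL_SESSION),
                          ("out-of-order", OUT_OF_ORDER_SESSION),
                          ("oversized", OVERSIZED_SESSION)):
        print(name, analyze_session(session) or "no deviations")
```

The normal session is clean; the second raises two alerts because MAIL and DATA arrive before any greeting; the third is flagged for an argument far beyond the assumed limit. Per-session state and per-command checks like these are what make the method resource-intensive compared with a flat signature match.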


Classification of IDPS:

Network-Based: Monitor network traffic on particular segments or devices and analyze the activity to identify suspicious events.

Wireless: Monitor wireless network traffic to identify suspicious activity involving wireless networking protocols.

Network Behavior Analysis (NBA): Examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, some forms of malware, and security policy violations.

Host-Based: Monitor the characteristics of a single host and the events that occur on it in search of suspicious activity.
