There are several ways to distinguish anomalous or malicious behavior, and IDS developers have addressed the problem differently. Although the products found on the market usually combine several of these approaches, they have traditionally been categorized as follows:
Signature-based detection: The system looks for a previously known string or byte pattern in a communication. For example, it inspects HTTP traffic for request strings characteristic of an SQL injection attempt. The main advantage of this approach is its high accuracy against known attacks; the drawback is that it is practically useless against attacks for which the system has no signature. Because attackers routinely URL-encode or otherwise obfuscate payloads, the engine must also normalize traffic (decode it) before matching, or the signature is trivially evaded.
Policy-based detection: This approach requires a thorough definition of the communication permitted between servers or between networks (not just ports and protocols, but which applications and operations are expected between which hosts). Anything outside the defined policy is flagged. These systems are very effective, but they require detailed configuration and ongoing maintenance as the environment changes.
Anomaly-based detection: These systems try to detect abnormal behavior on our systems. The main difficulty is defining what is normal and what is not. There are currently two ways to build that model of normal behavior:
Statistical anomaly detection: The system observes the behavior of the network or servers over a training period and derives a statistical profile from it. When observed behavior deviates too far from that profile, an alarm is raised and the configured warnings or actions are triggered. One caveat: if the training window already contains malicious activity, that activity becomes part of the baseline and will not be flagged later.
Non-statistical anomaly detection: Here an administrator defines the normal behavior patterns by hand, so they can be very granular and specific. However, as the environment changes over time the hand-written profile drifts away from reality, and false positives become very likely unless it is revised regularly.
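The following is an added example, not code from the original page or from any IDS product, that shows the three detection styles above side by side on constructed HTTP request lines: a signature scan with two hypothetical SQL-injection signatures, a statistical baseline of requests per minute that flags outliers, and an administrator-written profile of what is allowed. The IP addresses, paths, signatures, thresholds and the ADMIN_PROFILE contents are all assumptions made for the illustration.

```python
import re
import statistics
from urllib.parse import unquote

# Constructed sample request lines (source IP, method, path); not real traffic.
SAMPLE_REQUESTS = [
    "10.0.0.5 GET /products?id=42",
    "10.0.0.9 GET /login?user=alice",
    "10.0.0.7 GET /products?id=1%27%20OR%20%271%27%3D%271",
    "10.0.0.7 GET /search?q=x%27%20UNION%20SELECT%20user%2Cpass%20FROM%20users--",
    "10.0.0.9 POST /admin/export",
    "10.0.0.7 POST /admin/export",
    "10.0.0.5 DELETE /products?id=42",
]

# --- 1. Signature-based detection -------------------------------------------
# Hypothetical signatures for two classic SQL-injection shapes: a quote-closing
# tautology ("' OR '1'='1") and a UNION SELECT. Each is a name plus a regex.
SIGNATURES = [
    ("sqli-tautology", re.compile(r"'\s*(or|and)\s+'?\w+'?\s*=\s*'?\w+", re.I)),
    ("sqli-union-select", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
]


def signature_scan(request_line):
    """Return the names of all signatures matching the URL-decoded request."""
    decoded = unquote(request_line)  # decode first, or %27 hides the quote
    return [name for name, rx in SIGNATURES if rx.search(decoded)]


# --- 2. Statistical anomaly detection ---------------------------------------
class RateBaseline:
    """Learns a requests-per-minute profile from a training window, then
    flags any later count above mean + k * standard deviation."""

    def __init__(self, training_counts, k=3.0):
        # training_counts: per-minute request counts from a period assumed
        # clean; anything malicious in here would be learned as "normal".
        self.mean = statistics.mean(training_counts)
        self.stdev = statistics.stdev(training_counts)
        self.threshold = self.mean + k * self.stdev

    def is_anomalous(self, count):
        return count > self.threshold


# --- 3. Administrator-defined (non-statistical) profile ----------------------
# "Normal" is written by hand: which methods are expected, which paths are
# public, and which sources may touch anything else. Assumed values.
ADMIN_PROFILE = {
    "allowed_methods": {"GET", "POST"},
    "public_prefixes": ("/products", "/search", "/login"),
    "admin_sources": {"10.0.0.9"},
}


def profile_violations(request_line, profile=ADMIN_PROFILE):
    """Return which parts of the hand-written profile the request breaks."""
    src, method, path = request_line.split(" ", 2)
    violations = []
    if method not in profile["allowed_methods"]:
        violations.append("method")
    if (not path.startswith(profile["public_prefixes"])
            and src not in profile["admin_sources"]):
        violations.append("restricted-path")
    return violations


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(line, "->", signature_scan(line), profile_violations(line))
    baseline = RateBaseline([12, 15, 11, 14, 13, 16, 12, 14])
    for count in (17, 60):
        print(count, "req/min anomalous:", baseline.is_anomalous(count))
```

Note that only the signature scan understands the SQL payloads: the baseline would miss a single injected request entirely, and the admin profile only notices that 10.0.0.7 is probing /admin. The three approaches catch different things, which is why real products combine them.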
More info: ids security