Intrusion Detection Systems
Not recorded
Abstract
attack representation. If an appropriate abstraction can be found, signature-based systems can identify previously unseen attacks that are abstractly equivalent to known patterns. They are inherently unable to detect truly novel attacks and suffer from false alarms when signatures match both intrusive and non-intrusive sensor outputs. Signatures can be developed in a variety of ways, from hand translation of attack manifestations to automatic training or learning using labeled sensor data. Because a given signature is associated with a known attack abstraction, it is relatively easy for a signature-based detector to assign names (such as Smurf or Ping-of-Death) to attacks.

Anomaly-based detectors equate “unusual” or “abnormal” with intrusions. Given a complete characterization of the noise distribution, an anomaly-based detector recognizes as an intrusion any observation that does not appear to be noise alone. The primary strength of anomaly detection is its ability to recognize novel attacks. Its drawbacks include the necessity of training the system on noise, with the attendant difficulty of tracking natural changes in the noise distribution: such changes can cause false alarms, while intrusive activities that appear to be normal can cause missed detections. Anomaly-based systems also have difficulty classifying or naming attacks.

IDSs can also be classified by the phenomenology they sense. Network-based systems look at packets on a network segment, typically one serving an enterprise or a major portion of one. While network-based systems can monitor numerous hosts simultaneously, they can suffer from performance problems, especially as network speeds increase. Many network-based systems make simplifying assumptions about network pathologies such as packet fragmentation, and they can suffer from resource exhaustion when they must maintain attack-state information for many attacked hosts over a long period of time. In spite of these deficiencies, they are popular because they are easy to deploy and manage as standalone components and have little or no impact on the protected system’s performance.

Host-based systems operate on the protected host, inspecting audit or log data to detect intrusive activity. A variety of log and audit functions can serve to drive intrusion detection algorithms; these can be supplemented by sensors that monitor the interaction of applications with the host operating system. Host-based systems can monitor specific applications in ways that would be difficult or impossible for a network-based system, and they can detect intrusive activities that create no externally observable behavior. Because they consume resources on the protected host, they can affect its performance substantially, and a successful intrusion that gains a high level of privilege may be able to disable a host-based IDS and remove traces of its operation. Installing and effectively using IDSs on networks and hosts requires a broad understanding of computer security.
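The signature-based and network-sensor points in the abstract above, as an added example (this is not code from the original page or its author). It shows why a signature is an abstraction of an attack (one Smurf rule matches two variants that differ in the concrete destination address), how an over-broad signature raises false alarms on benign traffic, and why a network sensor that does not reassemble fragments misses a Ping-of-Death. The `Datagram` fields, the sample traffic and the ground-truth labels are constructed for the demo, not a real capture.

```python
"""Signature-based detection over constructed datagram summaries (added example)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address
from typing import Callable, Dict, List, Optional, Tuple

IP_MAX_LEN = 65535  # largest legal IPv4 datagram; a reassembled size above this is malformed


@dataclass
class Datagram:
    """One IP datagram as a sensor might summarise it (assumed layout, constructed data)."""
    src: str
    dst: str
    proto: str                                               # "icmp", "tcp" or "udp"
    icmp_type: Optional[int] = None                          # 8 = ICMP echo request
    frag_lengths: List[int] = field(default_factory=list)    # bytes carried by each fragment

    @property
    def total_length(self) -> int:
        return sum(self.frag_lengths)


Signature = Callable[[Datagram], bool]


def is_broadcast(dst: str, net: IPv4Network) -> bool:
    """Directed broadcast of the protected network, or the limited broadcast address."""
    addr = ip_address(dst)
    return addr == net.broadcast_address or str(addr) == "255.255.255.255"


def make_signatures(local_net: IPv4Network, reassemble: bool = True) -> Dict[str, Signature]:
    """Signatures as predicates over the abstract datagram rather than byte patterns."""

    def size_seen(d: Datagram) -> int:
        # A sensor that does not reassemble only ever sees one fragment at a time.
        return d.total_length if reassemble else max(d.frag_lengths, default=0)

    return {
        # Smurf: echo request to a broadcast address, so every host replies to the spoofed source.
        "Smurf": lambda d: d.proto == "icmp" and d.icmp_type == 8 and is_broadcast(d.dst, local_net),
        # Ping-of-Death: the reassembled datagram exceeds the maximum IP size.
        "Ping-of-Death": lambda d: d.proto == "icmp" and size_seen(d) > IP_MAX_LEN,
        # Deliberately too broad: fires on every echo request, intrusive or not.
        "ICMP-echo (too broad)": lambda d: d.proto == "icmp" and d.icmp_type == 8,
    }


def detect(datagrams: List[Datagram], signatures: Dict[str, Signature]) -> List[Tuple[int, str]]:
    """Return (datagram index, signature name) for every match."""
    return [(i, name) for i, d in enumerate(datagrams) for name, match in signatures.items() if match(d)]


def fired(alerts: List[Tuple[int, str]], name: str) -> List[int]:
    return sorted(i for i, n in alerts if n == name)


def false_alarms(alerts: List[Tuple[int, str]], labels: List[bool], name: str) -> List[int]:
    """Indices where the named signature fired on a datagram labelled benign."""
    return [i for i in fired(alerts, name) if not labels[i]]


LOCAL_NET = IPv4Network("192.168.1.0/24")

# Constructed sample traffic; LABELS is the ground truth (True = intrusive).
SAMPLE = [
    Datagram("192.168.1.10", "192.168.1.20", "icmp", 8, [84]),             # benign ping
    Datagram("10.0.0.5", "192.168.1.255", "icmp", 8, [84]),                # Smurf via directed broadcast
    Datagram("10.0.0.5", "255.255.255.255", "icmp", 8, [84]),              # Smurf variant, same abstraction
    Datagram("10.0.0.7", "192.168.1.20", "icmp", 8, [1480] * 44 + [480]),  # Ping-of-Death: 65600 bytes in 45 fragments
    Datagram("10.0.0.9", "192.168.1.20", "tcp", None, [60]),               # unrelated TCP segment
]
LABELS = [False, True, True, True, False]


def run(reassemble: bool = True) -> List[Tuple[int, str]]:
    return detect(SAMPLE, make_signatures(LOCAL_NET, reassemble))


if __name__ == "__main__":
    with_reasm, without_reasm = run(True), run(False)
    for name in ("Smurf", "Ping-of-Death", "ICMP-echo (too broad)"):
        print(f"{name:24s} fired on {fired(with_reasm, name)}  "
              f"false alarms {false_alarms(with_reasm, LABELS, name)}")
    print("Ping-of-Death without reassembly:", fired(without_reasm, "Ping-of-Death"))
```

With reassembly the Smurf rule fires on datagrams 1 and 2 and the Ping-of-Death rule on datagram 3, with no false alarms; the too-broad echo-request rule also fires on the benign ping (datagram 0). Without reassembly every fragment is at most 1480 bytes, so the Ping-of-Death rule never fires, which is the fragmentation blind spot the abstract describes.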
Similar sources
Moving dispersion method for statistical anomaly detection in intrusion detection systems
A unified method for statistical anomaly detection in intrusion detection systems is theoretically introduced. It is based on estimating a dispersion measure of numerical or symbolic data on successive moving windows in time and finding the times when a relative change of the dispersion measure is significant. Appropriate dispersion measures, relative differences, moving windows, as well as tec...
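The method sketched above, and the anomaly-detection discussion in the main abstract, as an added example (this is not the paper's code). It computes a dispersion measure over successive windows of a time series and flags the times when the relative change of that measure between consecutive windows exceeds a threshold. The measures (sample standard deviation for numeric data, Shannon entropy for symbolic data), the window sizes, the step and the threshold are assumptions chosen for the demo, not values from the paper; the two input series are constructed.

```python
"""Moving-dispersion change detection over constructed traffic series (added example)."""
import math
from collections import Counter
from typing import Callable, List, Sequence, Tuple

Measure = Callable[[Sequence], float]


def std_dev(xs: Sequence[float]) -> float:
    """Sample standard deviation; the dispersion measure assumed here for numeric data."""
    n = len(xs)
    if n < 2:
        return 0.0
    mean = sum(xs) / n
    return math.sqrt(sum((x - mean) ** 2 for x in xs) / (n - 1))


def entropy(symbols: Sequence[str]) -> float:
    """Shannon entropy in bits; the dispersion measure assumed here for symbolic data."""
    n = len(symbols)
    return -sum(c / n * math.log2(c / n) for c in Counter(symbols).values())


def window_dispersion(series: Sequence, window: int, step: int,
                      measure: Measure) -> List[Tuple[int, float, float]]:
    """(end index, dispersion, relative change from the previous window) for each window.

    step == 1 gives sliding windows; step == window gives successive non-overlapping ones.
    """
    out, prev = [], None
    for start in range(0, len(series) - window + 1, step):
        end = start + window - 1
        disp = measure(series[start:end + 1])
        # The floor avoids division by zero after a constant window; with a perfectly
        # constant baseline any variation at all then counts as a large relative change.
        rel = 0.0 if prev is None else abs(disp - prev) / max(prev, 1e-9)
        out.append((end, disp, rel))
        prev = disp
    return out


def significant_changes(series: Sequence, window: int, step: int,
                        measure: Measure, threshold: float) -> List[int]:
    """End indices of windows whose dispersion changed by more than `threshold` (relative)."""
    return [end for end, _, rel in window_dispersion(series, window, step, measure) if rel > threshold]


# Constructed data. Connections per second: ten quiet seconds, then an erratic flood.
RATE_SERIES = [20, 22, 19, 21, 20, 23, 18, 22, 21, 20, 90, 150, 60, 140, 80]
# Destination ports of successive connections: mostly 443/80, then a port scan.
PORT_SERIES = (["443", "80", "443", "443", "80", "443", "22", "443",
                "443", "80", "443", "443", "443", "80", "443", "443"]
               + ["21", "23", "25", "53", "110", "135", "139", "445"])


def demo() -> dict:
    return {
        "rate/sliding": significant_changes(RATE_SERIES, 5, 1, std_dev, 1.0),
        "rate/successive": significant_changes(RATE_SERIES, 5, 5, std_dev, 1.0),
        "ports/successive": significant_changes(PORT_SERIES, 8, 8, entropy, 1.0),
    }


if __name__ == "__main__":
    for name, alerts in demo().items():
        print(f"{name:18s} alerts at t = {alerts}")
```

On the rate series, sliding windows flag t = 10, the first window that straddles the onset of the flood, while successive non-overlapping windows flag t = 14, the first window lying wholly inside it; on the port series the scan window ending at t = 23 triggers, while the natural fluctuation between the two baseline windows (a relative entropy change of about 0.38) stays under the threshold. Because each window is compared only with its predecessor, a sustained change is reported once and then becomes the new baseline, which is the drift problem the main abstract raises; the threshold, window and step have to be tuned against the noise of the monitored link.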
A hybridization of evolutionary fuzzy systems and ant colony optimization for intrusion detection
A hybrid approach for intrusion detection in computer networks is presented in this paper. The proposed approach combines an evolutionary-based fuzzy system with an Ant Colony Optimization procedure to generate high-quality fuzzy-classification rules. We applied our hybrid learning approach to network security and validated it using the DARPA KDD-Cup99 benchmark data set. The results indicate t...
A Parallel Genetic Algorithm Based Method for Feature Subset Selection in Intrusion Detection Systems
Intrusion detection systems are designed to provide security in computer networks, so that if an attacker gets past other security devices they can detect and stop the attack. One of the most essential challenges in designing these systems is the so-called curse of dimensionality. Therefore, in order to obtain satisfactory performance in these systems we have to take advantage of app...
Automatic generation of new intrusion patterns using one-class classifiers and inductive learning methods
In this paper, we propose an approach for automatic generation of novel intrusion signatures. This approach can be used in the signature-based Network Intrusion Detection Systems (NIDSs) and for the automation of the process of intrusion detection in these systems. In the proposed approach, first, by using several one-class classifiers, the profile of the normal network traffic is established. ...
A New Intrusion Detection System to deal with Black Hole Attacks in Mobile Ad Hoc Networks
As wireless networks spread, and because of their different nature, attacks appear in these networks that do not exist in wired networks. Security is a serious challenge for real deployments of wireless networks. Due to the lack of a fixed infrastructure, and because of security holes in the routing protocols of mobile ad hoc networks, these networks are not protected against attack...