(IJCSIS) International Journal of Computer Science and Information Security,Vol. 10, No. 1, January 2011
and solutions of security. This paper focuses on thesystems of prevention of the intrusions capable to takeimmediate measures to tackle the attacks and intrusionswithout manual intervention. The tools of the intrusionsdetection and prevention systems display the followingfeatures:a.
Online machine capable to reliably and accuratelydetect the attacks and to block them with precisionb.
High online velocity without any effect on theperformance or the availability of the network c.
Efficient integration within the environment of thesecurity managementd.
Easy and quick adaptation with and anticipation of the unknown intrusionse.
Accurate and precise interventionf.
Good citizenship on the network g.
Efficient security-based managementAn IDS/IPS system must include flexible andtransparent methods to update its data-base with regard tothe new signatures of attack. Besides, the IDS/IPS systemsmust have methods capable to react to new attacks withoutupdates of signature.The inverse exclusion, where all requests, except of those legitimate for a definite destination, are deleted, thevalidation of protocol, in which the methods of illegitimate requests are deleted, or the independentblockage of the attack, where the attackers are identifiedand the whole traffic that comes is deleted, whether theattacks are known or not.V.
HE FEATURES OF CLASSIFICATION OF THE
IPS.There are a lot of products whose complexity of implementation and degree of integration are varied. Thetools strictly based on behavioural models affect thevelocity. But they are more and more integrated in IDS / IPS initially based on a library of signatures, thanks totheir complementarily. The tools systems are worst facingto the tools networks. The invention of the hybrid toolsthat brings a less partial security in the protection of thesystem of information can solve this dilemma.The first criterion of classification of the IDS/IPS is themethod of analysis. It consists in two approaches.
The approach by script: this approach consists insearching for in the activity of the elementsupervised the prints (or signatures) of knownattacks. This type of IDS/IPS is merely reactive; itcan only detect the attacks of which it possesses thesignature. Therefore, it requires frequent updates.Besides, the efficiency of this detection systemdepends strongly on the precision of its signaturebasis. This is why these systems are vulnerable forthe pirates who use some techniques “escape" thatconsists in making up the used attacks. Thesetechniques have the trend to vary the signatures of the attacks that are not recognized anymore by theIDS/IPS
The behavioural approach: it consists in detectingsome anomalies. The implementation alwaysconsists of a phase of training during which theIDS/IPS is going
functioning of the supervised elements. They areable, thus, to signal the divergences in relation tothe working of the reference. The behaviouralmodels can be elaborated from statistical analyses.They present the advantage to detect new types of attacks. However, frequent adjustments arenecessary in order to evolve the reference model sothat it reflects the normal activity of the users andreduce the number of false alerts generated.Each of these two approaches can drive to
.The intrusion detection and prevention systems becomeindispensable at the time of the setting up of anoperational security infrastructure. Therefore, they alwaysintegrate in a context and in an architecture imposingvarious constraints.The following criteria will be adopted in the classificationof the IPS/IDS:
: The generated alerts must be justified andno intrusion to escape
: An IDS/IPS must be capable to detect andto prevent the new types of attacks as quickly aspossible. Thus, it must constantly self-update.Capacities of automatic update are so indispensable
: AnIDS/IPS must be easy to function and especially toadapt to the context in which it must operate. It isuseless to have an
IDS/IPS giving out
some alertsin less than 10 seconds if the resources necessary to areaction are not available to act in the sameconstraints of time
: the setting up of an IDS/IPS must notaffect the performance of the supervised systems.Besides, it is necessary to have the certainty that theIDS/IPS has the capacity to treat all the information inits disposition because in the reverse case it becomestrivial to conceal the attacks while increasing thequantity of information.These criteria must be taken into consideration whileclassifying an IDS/IPS, as well:
The sources of the data to analyze,
The behaviour of the product after intrusion,
The frequency of use,
The operating system in which operate the tools,
The source of the tools,