There is also a subset of IDS types. The most common variants are based on signature
detection and anomaly detection.
• Signature-based: Signature-based IDS detects possible threats by looking for
specific patterns, such as byte sequences in network traffic, or known
malicious instruction sequences used by malware. This terminology
originates from antivirus software, which refers to these detected patterns as
signatures. Although signature-based IDS can easily detect known attacks, it
cannot detect new attacks for which no pattern is yet available.
• Anomaly-based: a newer technology designed to detect and adapt to
unknown attacks, developed primarily in response to the explosion of malware.
This detection method uses machine learning to build a model of trustworthy
activity, and then compares new behavior against this trust model. While this
approach enables the detection of previously unknown attacks, it can suffer
from false positives: previously unseen but legitimate activity can accidentally
be classified as malicious.
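The two detection styles side by side, as an added example that is not part of the original document: a signature check on known byte patterns, and a rate-anomaly check that learns a per-source baseline from constructed training traffic. The "BADSEQ" signature, the IP addresses and all requests are constructed placeholders; the example shows the signature missing a slightly altered pattern and the anomaly model flagging a legitimate but unusually busy client as a false positive.

```python
import re
import statistics
from collections import Counter

# Constructed training traffic (source_ip, payload): five sources sending
# 3, 4, 5, 4 and 4 requests each. Not real captures.
TRAINING = [("10.0.0.%d" % ip, b"GET /index.html HTTP/1.1")
            for ip, n in ((1, 3), (2, 4), (3, 5), (4, 4), (5, 4)) for _ in range(n)]

# Constructed observed traffic to analyze.
OBSERVED = (
    [("10.0.0.2", b"GET /about HTTP/1.1")] * 4                  # normal rate
    + [("10.0.0.9", b"GET /x BADSEQ-0xDEAD HTTP/1.1")]          # matches known signature
    + [("10.0.0.8", b"GET /x BADSEQ-0xDEAF HTTP/1.1")]          # one byte changed: missed
    + [("10.0.0.7", b"GET /page%d HTTP/1.1" % n) for n in range(40)]  # legitimate crawler
)

# Signature-based: known byte patterns (placeholder signature, constructed).
SIGNATURES = {"constructed-badseq": re.compile(rb"BADSEQ-0xDEAD")}


def signature_matches(payload):
    """Names of every signature whose byte pattern occurs in the payload."""
    return [name for name, pat in SIGNATURES.items() if pat.search(payload)]


def build_rate_baseline(packets):
    """Anomaly model of 'trustworthy activity': mean and spread of requests per source."""
    counts = Counter(ip for ip, _ in packets)
    return statistics.fmean(counts.values()), statistics.pstdev(counts.values())


def anomalous_sources(packets, baseline, k=3.0):
    """Sources whose request count lies more than k standard deviations above baseline."""
    mean, stdev = baseline
    counts = Counter(ip for ip, _ in packets)
    return {ip for ip, n in counts.items() if n > mean + k * stdev}


def analyze(packets, baseline):
    """Return ({ip: [signature names]}, set of anomalous source IPs)."""
    hits = {}
    for ip, payload in packets:
        names = signature_matches(payload)
        if names:
            hits.setdefault(ip, []).extend(names)
    return hits, anomalous_sources(packets, baseline)
```

With the constructed data, 10.0.0.9 is caught by signature, 10.0.0.8 slips past it, and the crawler at 10.0.0.7 is reported as anomalous although it is legitimate.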
An IPS will typically record information related to observed events, notify security
administrators, and produce reports. To help secure a network, an IPS can
automatically receive prevention and security updates in order to continuously
monitor and block emerging Internet threats.
Intrusion Countermeasures
Many IPS can also respond to a detected threat by actively preventing it from
succeeding. They use several response techniques, which include:
• Changing the security environment – for example, by configuring a firewall to
increase protections against previously unknown vulnerabilities.
• Changing the attack's content – for example, by replacing otherwise
malicious parts of an email, like false links, with warnings about the deleted
content.
• Sending automated alarms to system administrators, notifying them of
possible security breaches.
• Dropping detected malicious packets.
• Resetting a connection.
• Blocking traffic from the offending IP address.
IPS Classifications
Intrusion prevention systems can be organized into four major types:
• Network-based intrusion prevention system (NIPS): Analyzes protocol
activity across the entire network, looking for any untrustworthy traffic.
• Wireless intrusion prevention system (WIPS): Analyzes network protocol
activity across the entire wireless network, looking for any untrustworthy
traffic.
• Host-based intrusion prevention system (HIPS): A secondary software
package that monitors a single host for malicious activity and analyzes events
occurring within that host.
• Network behavior analysis (NBA): Examines network traffic to identify
threats that generate unusual traffic flows. The most common such threats are
distributed denial of service attacks, various forms of malware, and policy
abuses.
pattern matching to detect attacks. By making slight adjustments to the
attack architecture, detection can be avoided.