
Upload: david-rom

Post on 08-Feb-2017


Signature-Based or Anomaly-Based Intrusion Detection: The Merits and Demerits

Whether you need to monitor your own network or the hosts connected to it for the latest threats, there are some great open source intrusion detection systems (IDSs) worth knowing about.

So before coming to the actual topic, let's gain some knowledge about what IDS software is.

I won't bore you with the complete brief on what an IDS is. Simply put, it is security software that helps a user or system administrator by automatically raising an alert or notification whenever a user tries to compromise an information system through malicious activity, or whenever a security policy is violated.

Network IDS - These detectors operate by inspecting the traffic that passes between hosts.

These mechanisms are basically divided into two major forms.

1. IDS signature detection
2. Anomaly detection

1. IDS Signature Detection - This type of detection works well with threats that are already known. It involves searching for a series of bytes or a sequence that is known to be malicious. One of its most profitable points is that signatures are easy to develop and apply once you have figured out the sort of network behaviour you want to find.

For example, you might use a signature that looks for particular strings to detect attacks attempting to exploit a particular system database. Therefore, the events generated by a signature-based IDS can communicate exactly what caused the alert. Also, pattern matching can be performed very quickly on modern systems, so the amount of processing power needed to perform these checks is minimal.

Disadvantages

1. Firstly, it's easy to fool signature-based solutions by changing the way in which an attack is made.

2. Secondly, the more advanced the IDS signature database, the higher the CPU load for the system charged with analysing each signature.

3. Novel attacks cannot be detected, as signatures only work for known attacks.

2. Anomaly detection - The anomaly detection technique is a centralized process that works on the concept of a baseline for network behaviour. This baseline is a description of accepted network behaviour, which is learned, specified by the network administrators, or both. It's like a guard dog personally interviewing everyone at the gate before they are let down the drive.

An integral part of baselining a network is the engine's capability to dissect protocols at all layers. For every protocol being monitored, the engine must be able to decode and process that protocol in order to understand its purpose, and to carry out IDS updates in a much better way.

Disadvantages

1. One of the major drawbacks of anomaly-detection engines is the difficulty of defining rules. Each protocol being analysed must be defined, implemented and tested for accuracy, which is not always an easy task.

2. Another peril is that malicious activity which falls within normal usage patterns is not detected. An activity such as directory traversal on a targeted server doesn't trigger an out-of-protocol, payload or bandwidth-limitation flag if it complies with the network protocol.

3. Anomaly testing requires more hardware than the IDS signature method, and that hardware must be spread across the network. Thus it goes well only with larger networks and high-bandwidth connections.
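To make the two approaches concrete, here is an added example (not code from the original article or from any IDS product) that runs a toy signature-based engine and a toy anomaly-based engine over the same constructed access-log lines. It illustrates both sections above: the signature engine reports which rule fired for a known-bad request but says nothing about an unknown flood, while the anomaly engine flags the flood as a deviation from the learned baseline but stays silent on the single traversal request that fits normal usage. Every host address, path, rule id and message is made up for this example.

```python
"""Added illustration, not code from the original article.

A toy signature-based engine and a toy anomaly-based engine are run over the
same constructed HTTP access-log lines, so the complementary blind spots the
article describes can be seen directly. Every host address, path, rule id and
message below is made up for the example."""
import re
import statistics
from collections import Counter

# --- Constructed traffic ---------------------------------------------------
# Line format (constructed): "client_ip method path status bytes"
# Baseline window: traffic the administrator has vetted as normal.
BASELINE_LOG = [
    f"10.0.0.{client} GET /page{i}.html 200 500"
    for client, requests in ((1, 3), (2, 4), (3, 3), (4, 5))
    for i in range(requests)
]

# Observation window: mostly normal, plus two events of interest.
OBSERVED_LOG = [
    "10.0.0.5 GET /index.html 200 512",
    "10.0.0.5 GET /about.html 200 640",
    "10.0.0.6 GET /index.html 200 512",
    "10.0.0.6 GET /contact.html 200 300",
    "10.0.0.7 GET /products?id=7 200 900",
    "10.0.0.7 GET /products?id=8 200 880",
    # Known-bad pattern (the article's directory-traversal case) sent at a
    # perfectly ordinary request rate.
    "10.0.0.9 GET /download?file=../../etc/passwd 200 1200",
    # No known pattern at all, but 40 requests from one client in the window.
] + [f"10.0.0.8 GET /search?q=term{i} 200 700" for i in range(40)]

# --- Signature-based detection ---------------------------------------------
# (rule id, message, compiled pattern). Ids and messages are constructed;
# the patterns are the kind of byte sequences the article describes.
SIGNATURES = [
    ("SIG-1001", "directory traversal sequence in request path",
     re.compile(r"\.\./")),
    ("SIG-1002", "SQL UNION keyword in request parameters",
     re.compile(r"union\s+select", re.IGNORECASE)),
]


def signature_alerts(lines):
    """Return (line, rule_id, message) for every line matching a known rule.

    Each alert names the rule that fired, which is the explainability the
    article credits to signature-based IDS. Cost grows with the number of
    rules, since every rule is tried against every line."""
    alerts = []
    for line in lines:
        for rule_id, message, pattern in SIGNATURES:
            if pattern.search(line):
                alerts.append((line, rule_id, message))
    return alerts


# --- Anomaly-based detection -----------------------------------------------
def requests_per_client(lines):
    """Count requests per client address in a window of log lines."""
    return Counter(line.split()[0] for line in lines)


def learn_baseline(lines):
    """Learn the mean and population stdev of per-client request counts from
    traffic assumed benign: the learned baseline the article describes."""
    counts = list(requests_per_client(lines).values())
    return {"mean": statistics.mean(counts), "stdev": statistics.pstdev(counts)}


def anomaly_alerts(lines, baseline, threshold=3.0):
    """Flag clients whose request count sits more than `threshold` standard
    deviations above the baseline mean. Returns (client, count, z_score)."""
    alerts = []
    for client, count in requests_per_client(lines).items():
        if baseline["stdev"] == 0:
            z = 0.0  # degenerate baseline: every client identical, nothing stands out
        else:
            z = (count - baseline["mean"]) / baseline["stdev"]
        if z > threshold:
            alerts.append((client, count, z))
    return alerts


def flagged_clients(observed=OBSERVED_LOG, baseline_log=BASELINE_LOG):
    """Run both engines on the observation window and return the set of
    client addresses each one flags, side by side."""
    sig = {alert[0].split()[0] for alert in signature_alerts(observed)}
    baseline = learn_baseline(baseline_log)
    ano = {client for client, _, _ in anomaly_alerts(observed, baseline)}
    return {"signature": sig, "anomaly": ano}


if __name__ == "__main__":
    for engine, clients in flagged_clients().items():
        print(f"{engine:>9}: {sorted(clients)}")
```

Running it prints one client per engine: the signature engine flags only 10.0.0.9 (rule SIG-1001, so the alert already says why), and the anomaly engine flags only 10.0.0.8, whose 40 requests are far above the learned per-client mean. Neither engine sees the other's event, which is the practical reason real deployments combine the two rather than choosing one.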