CEH

(Jeff_L) #1

376 Chapter 16 ■ Evading IDSs, Firewalls, and Honeypots


An IDS functions in the following way:


  1. The IDS monitors network activity for anomalies—that is, signatures or behaviors that
    may indicate an attack or other malicious behavior. If the activity detected matches
    signatures that the IDS has on record or a known attack, the IDS reports the activity
    to an administrator for them to decide what to do. Based on the configuration in place
    on the IDS, the system can also take additional actions, such as sending text messages,
    paging someone, or sending an e-mail.

  2. If the packet passes the anomaly stage, then stateful protocol analysis is done.


IDS Detection Methods

So what mechanisms allow an IDS to determine what is an attack and what is not? What works with the rule engine? Well, one of three methods will be used: signature, protocol, or anomaly detection.

Signature Detection

The first form of detection or recognition is based on signature; this method is also sometimes called misuse detection. The system compares traffic to known models and when matches are found it reports the attack.

■ Pattern matching is the most basic form of detection and is used in many systems. The process relies on the comparison of known patterns against captured traffic. However, consider the following when implementing a pattern matching system: The most basic form of this mechanism is pattern matching, in which traffic is compared against known binary models. These models may in fact be looking for changes or patterns in the TCP flags on traffic.

■ Signature recognition is effective at detecting known attacks and poor at detecting ones not in its database. There is also a slight possibility that other traffic not related to an attack will trigger a false positive.

■ Additionally, improper signatures can cause other problems such as false positives and false negatives.

■ As the signature database increases in size, the time it takes to analyze traffic increases, resulting in a reduction in performance. In fact, if enough traffic attempts to pass through the IDS and performance is already impacted, traffic may be dropped and not analyzed.

■ Evolution of attacks and minor variations of attacks can result in the need for multiple signatures for a single attack. Just a single bit change can trigger the need for a new signature to be created.

Although these problems may seem to bar the implementation of such systems, or at least cause some concern, this type of IDS is widely deployed.
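The signature-matching behaviour described above (byte patterns plus TCP flag checks, false positives, and a one-bit change defeating a signature), as an added illustration that is not from the CEH text or this post; the signatures and packets are constructed for the example and are not real IDS rules.

```python
from dataclasses import dataclass

# Standard TCP header flag bits.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

@dataclass
class Signature:
    name: str
    payload: bytes = b""   # byte pattern that must appear in the payload ("" = ignore)
    flags_mask: int = 0    # TCP flag bits to inspect (0 = ignore flags)
    flags_value: int = 0   # required value of the masked bits

@dataclass
class Packet:
    src: str
    flags: int
    payload: bytes

# Constructed signature database (hypothetical; stands in for a real rule set).
SIGNATURES = [
    # Flag-pattern signature: SYN and FIN set together, an illegal combination.
    Signature("tcp-syn-fin", flags_mask=SYN | FIN, flags_value=SYN | FIN),
    # Payload-pattern signature: a made-up marker standing in for a known attack string.
    Signature("http-evil-marker", payload=b"EVIL-MARKER"),
]

def matches(sig: Signature, pkt: Packet) -> bool:
    """True if the packet satisfies the signature's flag and payload conditions."""
    if sig.flags_mask and (pkt.flags & sig.flags_mask) != sig.flags_value:
        return False
    if sig.payload and sig.payload not in pkt.payload:
        return False
    return True

def scan(packets, signatures=SIGNATURES):
    """Compare every packet against every signature; return (packet index, signature) hits."""
    return [(i, s.name) for i, p in enumerate(packets) for s in signatures if matches(s, p)]

# Constructed sample traffic.
SAMPLE = [
    Packet("198.51.100.7", SYN | FIN, b""),                          # 0: flag-based hit
    Packet("198.51.100.8", SYN, b""),                                # 1: normal handshake, no hit
    Packet("198.51.100.9", PSH | ACK, b"GET /?q=EVIL-MARKER HTTP/1.1"),  # 2: payload hit
    Packet("192.0.2.5", PSH | ACK, b"POST /forum body=discussing EVIL-MARKER"),  # 3: false positive
    Packet("198.51.100.9", PSH | ACK, b"GET /?q=EVIL-MARKEr HTTP/1.1"),  # 4: 'r' vs 'R' is one bit; missed
]

if __name__ == "__main__":
    for idx, name in scan(SAMPLE):
        print(f"packet {idx} from {SAMPLE[idx].src}: {name}")
```

Packet 3 shows the false positive the text warns about (benign traffic containing the pattern), and packet 4 shows the false negative from a single bit change (0x52 'R' vs 0x72 'r'), which would require a second signature.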