CEH

Honeypots, IDSs, and Firewalls


Signature-based IDSs have another potential drawback: the signature files
must be updated regularly. If the signature database is not kept current,
false negatives occur with increasing regularity, meaning that attacks the
IDS should have caught pass through undetected because no signature for
them has been loaded yet.

Anomaly Detection


Anomaly detection differs from signature detection in how it identifies potential attacks.
Rather than matching traffic against a database of known attack patterns, the system
compares activity against a baseline of what is normal for the network; any significant
deviation from that baseline is regarded as a potential attack and triggers further action.
Unlike a signature-based system, this type of system must first be taught what normal
activity on the network looks like so that it can detect deviations from that baseline. If
the baseline does not accurately reflect normal behavior on the network, both false
positives and false negatives can easily become a problem.


It is not uncommon for anomaly-based systems to be installed initially in a
learning mode that lets them observe how your specific network behaves over
a period of time. Once a sufficient period of observation has passed and a
profile of typical traffic has been established, you switch the device into
active mode and it acts like a normal IDS. One caveat: any malicious or
unusual traffic present during the learning period is absorbed into the
baseline and will not be flagged later, so the learning window should cover
a period believed to be clean and representative.
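The learning-mode-then-active-mode behavior described above, as an added example that is not part of the original study guide: a small anomaly-based detector that learns a per-host baseline of connections per minute, then in active mode scores new observations by how many standard deviations they sit from that baseline. The host addresses, flow records and the threshold of three standard deviations are all constructed for this example.

```python
"""Added example (not from the CEH guide): a minimal anomaly-based IDS
that learns a per-host baseline, then flags deviations from it.
All flow records below are constructed sample data."""
import math
from collections import defaultdict

# Constructed sample records from the learning period:
# (source_ip, connections observed in one minute)
LEARNING_FLOWS = (
    [("10.0.0.5", c) for c in (12, 10, 11, 13, 12, 9, 11, 12, 10, 11)]
    + [("10.0.0.7", c) for c in (3, 4, 2, 3, 5, 3, 4, 3, 2, 4)]
)


class AnomalyIDS:
    """Two-phase detector: observe() while learning, check() once active."""

    def __init__(self, threshold=3.0):
        # A deviation beyond this many standard deviations is an anomaly
        # (assumed value for the example; real products tune this).
        self.threshold = threshold
        self.learning = True
        self._samples = defaultdict(list)
        self.baseline = {}  # host -> (mean, std) of connections per minute

    def observe(self, src, count):
        """Learning mode: record what 'normal' looks like for each host."""
        if not self.learning:
            raise RuntimeError("detector is active; baseline is frozen")
        self._samples[src].append(count)

    def activate(self):
        """Freeze the baseline and switch to active (detecting) mode."""
        for src, samples in self._samples.items():
            n = len(samples)
            mean = sum(samples) / n
            std = math.sqrt(sum((x - mean) ** 2 for x in samples) / n)
            # Floor the spread so a perfectly steady host does not produce
            # a division by zero (and an alert on every tiny change).
            self.baseline[src] = (mean, max(std, 1.0))
        self.learning = False

    def check(self, src, count):
        """Active mode: score one observation against the learned baseline."""
        if self.learning:
            raise RuntimeError("still learning; call activate() first")
        if src not in self.baseline:
            # A host never seen during learning is itself a deviation.
            # Note this is exactly how a new legitimate host becomes a
            # false positive if the learning window was too short.
            return {"alert": True, "z": None, "reason": "no baseline for host"}
        mean, std = self.baseline[src]
        z = (count - mean) / std
        alert = abs(z) > self.threshold
        return {"alert": alert, "z": round(z, 2),
                "reason": "deviation from baseline" if alert else "within baseline"}


def build_ids(flows, threshold=3.0):
    """Run the learning phase over `flows` and return an active detector."""
    ids = AnomalyIDS(threshold)
    for src, count in flows:
        ids.observe(src, count)
    ids.activate()
    return ids


if __name__ == "__main__":
    ids = build_ids(LEARNING_FLOWS)
    for src, count in [("10.0.0.5", 12), ("10.0.0.5", 80),
                       ("10.0.0.7", 5), ("10.0.0.9", 1)]:
        print(src, count, ids.check(src, count))
```

The "no baseline for host" branch is worth noting: the detector is behaving correctly, yet a newly deployed legitimate server trips it, which is the false-positive problem the guide warns about when the baseline is incomplete.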

Protocol Anomaly Detection


The third type of detection used by IDSs is protocol anomaly detection, which looks for
anomalies specific to a given protocol. The system takes the published specification of the
protocol (an RFC, for example) as its model and compares traffic against it. Because it
checks how the protocol is used or misused rather than the rapidly changing attack method
itself, it can flag a new attack before signature detection (which needs a signature for it)
or behavioral anomaly detection (which needs the attack to stand out against a learned traffic
baseline) can. Unlike signature detection, protocol anomaly detection does not depend on
downloaded signature updates, and unlike behavioral anomaly detection it needs no
site-specific learning period; the specification is the baseline. The trade-off is that
legitimate but sloppy implementations that bend the specification trip the same checks, so
false positives must be tuned out. Alarms in this type of system are typically presented
differently from those of other IDSs, so consult the manufacturer's guide, as each product
differs.
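A protocol anomaly check in the sense just described, as an added example that is not part of the original study guide: the function below validates the head of an HTTP/1.1 request against a handful of rules taken from RFC 7230 (token characters in the method and header names, the three-part request line, exactly one Host header in HTTP/1.1, numeric and non-conflicting Content-Length). Nothing in it is an attack signature, yet a request-smuggling attempt built on conflicting Content-Length headers is flagged purely because it violates the specification. The sample requests and the 8000-octet request-line limit (the minimum length RFC 7230 asks servers to support) are constructed for this example.

```python
"""Added example (not from the CEH guide): protocol anomaly detection for
HTTP/1.1 request heads, using RFC 7230 rules as the model. The sample
requests at the bottom are constructed for the example."""
import re

# RFC 7230 'token' characters: tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*"
#   / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
REQUEST_LINE = re.compile(rf"({TCHAR}) (\S+) (HTTP/\d\.\d)")   # method SP target SP version
HEADER_LINE = re.compile(rf"({TCHAR}):[ \t]*(.*?)[ \t]*")       # field-name ":" OWS value OWS
CTL = re.compile(r"[\x00-\x1f\x7f]")                           # control characters
MAX_REQUEST_LINE = 8000  # assumed limit for the example (RFC 7230 s.3.1.1 minimum)


def check_http_request(raw: bytes) -> list:
    """Return the protocol anomalies found in one raw request head.
    An empty list means the request conforms to every rule checked here."""
    anomalies = []
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return ["non-ASCII bytes in request head"]

    # Only the head (everything before the first blank line) is examined.
    head = text.split("\r\n\r\n", 1)[0].rstrip("\r\n")
    lines = head.split("\r\n")

    # Rule: request-line = method SP request-target SP HTTP-version
    # (fullmatch also rejects bare-LF line endings and double spaces).
    m = REQUEST_LINE.fullmatch(lines[0])
    if not m:
        return [f"malformed request line: {lines[0]!r}"]
    _method, target, version = m.groups()
    if CTL.search(target):
        anomalies.append("control character in request-target")
    if len(lines[0]) > MAX_REQUEST_LINE:
        anomalies.append(f"request line exceeds {MAX_REQUEST_LINE} octets")

    # Rule: header-field = field-name ":" OWS field-value OWS
    headers = {}
    for line in lines[1:]:
        h = HEADER_LINE.fullmatch(line)
        if not h:
            anomalies.append(f"malformed header line: {line!r}")
            continue
        headers.setdefault(h.group(1).lower(), []).append(h.group(2))

    # Rule: an HTTP/1.1 request carries exactly one Host header (s.5.4).
    if version == "HTTP/1.1" and len(headers.get("host", [])) != 1:
        anomalies.append("HTTP/1.1 request must carry exactly one Host header")

    # Rule: Content-Length = 1*DIGIT, and duplicates must agree (s.3.3.2).
    lengths = headers.get("content-length", [])
    for cl in lengths:
        if not cl.isdigit():
            anomalies.append(f"non-numeric Content-Length: {cl!r}")
    if len(set(lengths)) > 1:
        anomalies.append("conflicting Content-Length values")
    return anomalies


# Constructed sample requests (not captured traffic).
GOOD_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: x\r\n\r\n"
NO_HOST = b"GET / HTTP/1.1\r\nUser-Agent: x\r\n\r\n"
SMUGGLE = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
           b"Content-Length: 4\r\nContent-Length: 10\r\n\r\nabcd")
BAD_LINE = b"GET /  HTTP/1.1\r\nHost: example.test\r\n\r\n"   # two spaces

if __name__ == "__main__":
    for name, req in [("good", GOOD_REQUEST), ("no host", NO_HOST),
                      ("smuggle", SMUGGLE), ("bad line", BAD_LINE)]:
        print(f"{name}: {check_http_request(req)}")
```

The function is deliberately ignorant of any particular attack: it never looks for a payload string, only for departures from the specification, which is why it needs no signature feed. It is equally why a permissive-but-legitimate client that sends two Host headers would be reported, the false-positive trade-off mentioned above.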


Signs of an Intrusion


So what types of activity indicate a potential attack, and what types of action can an
IDS respond to? Let's look at activities that may indicate an intrusion has occurred.


There is another variety of IDS known as an intrusion prevention system
(IPS). An IPS works very much like an IDS, but with the added capability
of stopping an attack, either by reconfiguring firewalls and routers or by
locking down a system at the host level, thus thwarting the attack. Because
it acts on traffic rather than merely reporting it, an IPS turns every false
positive into blocked legitimate traffic, so its detection rules need more
careful tuning than those of a passive IDS.