3.1 IDS techniques
Intrusion detection typically uses one of two techniques: anomaly detection or misuse detection.
Anomaly detection depends on the system having a model of the expected ‘normal’ network behaviour of users and applications. The basic assumption of anomaly detection is that attacks differ from normal behaviour. This approach has the advantage of being able to detect previously unknown attacks by simply looking for patterns that deviate from the expected normal behaviour.
For example, consider a user who normally logs on to his computer at 9am each weekday and spends most of the morning accessing an order processing application, before taking a break for lunch. Subsequently the user accesses a number of supplier websites each afternoon before logging off at 5pm. If the intrusion detection system logs the user accessing the system at 3am and installs new software on his machine, the anomaly detection algorithm would flag this activity as suspicious.
Of course a potential disadvantage of this approach would be that some legitimate activities might be incorrectly identified as being suspicious.
Misuse detection depends on the system having a set of attack patterns, or ‘signatures’, against which all network activity can be compared. The patterns of normal behaviour and attacks are configured by an administrator. Whenever there is a match between users’ activities and one of the attack signatures, or a mis-match between users’ activities and a configured normal use pattern, the system will flag that an attack is underway.
This approach has the advantage of minimising the occurrences of legitimate activity being identified as being suspicious. However, it also has the disadvantage of only being able to identify attacks where there is a known pattern, so attacks of a new unknown pattern can be easily missed.
To find out more about attacks, honeypots are used.