Question

As a penetration tester and security consultant, you have been engaged by a company to assist them in selecting an Intrusion Detection System (IDS) for their infrastructure. They're considering installing a signature or anomaly based IDS product. They've asked you to provide a concise analysis of the strengths and potential weaknesses of each of the IDS types.

Discuss and explain the strengths and weaknesses of each type of IDS and any considerations they should make in selecting one over the other.

Answer 1

An Intrusion Detection System is a software product that not only keeps a check on the system for malicious events and activities but also monitors policy violations if any. It is under the direct control of the system administrator and only he can configure the events and activities associated with the intrusion detection system.

Intrusion Detection Systems lie in a wide variety of ranges depending upon the complexity of networks that a system might be involved in. Network Intrusion Detection Systems are the most common ones along with the host-based intrusion detection system. Some of them are also signature-based detection systems and anomaly-based intrusion detection systems.

Different types of Intrusion Detection Systems include:-

1. Signature-based Intrusion Detection System:- It's functioning is very similar to the way a virus scanner works. A virus scanner basically keeps a track of a sequence of steps that a virus may follow while penetrating into the system. These serve as the basis of testing further attempts and are stored as signatures or so called rules.

Advantages

• It has high accuracy and speed against the attacks already attempted in the past.
• It has low false positive means that it would not warn in case the file is virus free.

Disadvantages

• Since it works on the a certain set of rules it wont be able to detect the attacks that are new or for which the rules are not made.

2. Anomaly-based Intrusion Detection System:- It works by recognizing unusual patterns in the sequence of activities. It can give an indication of whether someone is checking or sweeping the network. It can thus keep one informed of an immediate attack. Example:- Multiple password changed requests or multiple failed login attempts.

Signature-Based vs. Anomaly-Based IDS

The anomaly-based intrusion detection system is quite slow as compared to signature-based intrusion detection system whereas a signature-based intrusion detection system can only operate on the basis of signature or rules that have been predefined. So all in all to have a good intrusion system to be in place in an organization an intrusion detection system that offers the abilities of both should be considered because both of these have their demerits. Having an intrusion detection system following the dual approach will compensate for each other's demerits.

Other kind of classifications of intrusion detection system include:-

Network-based Intrusion Detection System:- These systems monitor a network for all the incoming and   outgoing traffic. If it detects any pattern in the incoming/outgoing traffic or if any other abnormal behaviour is observed it sends a warning message to the administrator. A warning is also sent if any packet differentiates itself from the standard traffic over the network.

Advantages

• It is easy to implement over an existing network with very few changes.
• These are usually not visible to attackers and cannot be attacked directly.

Disadvantages

• It cannot handle large traffic volumes.
• It does not work well over encrypted data.

Host-based Intrusion Detection System:- This system monitors the data on the system where the important data is kept. It will keep a check on the host machine for any suspicious activity and take snapshots at regular time intervals. If any change is discovered upon analyzing the images, an alert is issued to the admin.

Advantages

• It works well with encrypted packets.
• It can monitor audit logs in order to track any suspicious activity

Disadvantages

• It cannot bear a direct attack on the host system.
• It occupies a large amount of space on the host machine.

Network-based Vs Host-based Intrusion Detection System

These are very different in the way they operate. One works on the real-time traffic and reports issues as and when occurred while the other works on checking a set of historical data. It works well to detect the hackers that use conventional ways to get into the systems and hide from the modern-day devices. Here also a combination of both of these types of intrusion detection systems will work well for the organization and complement each other in the way they operate. A network-based system may secure online traffic while a host-based system will secure a breach from within the organization.

Hope this helps :)