Q. Provide an explanation of the network detection methods in the chapter, give an example of their importance and discuss the issue(s) associated with each method.
-------------------------------------------------------------------------------------------------------------------------------------------
ANSWER:
Network Detection:
Network detection is defined as a progressive security solution for obtaining full visibility into both known and unknown threats that cross your network. There are two primary methods of network detection:
1) Signature-based detection
2) Anomaly-based detection
1) Signature-based detection method:
- A signature-based detection method examines ongoing traffic, activity, transactions, or behaviour for matches with known patterns of events specific to known attacks. As with antivirus software, signature-based detection requires access to a current database of attack signatures and some way to actively compare and match current behaviour against a large collection of signatures.
- Importance of the signature-based detection method:
- A signature-based detection method focuses on searching for a “signature”: a pattern, or known identity, of an intrusion or of a specific intrusion event.
- Most IDS are of this type. They need regular updates of which signatures or identities are current at the moment to ensure the database of intrusion patterns is up to date. This means a signature-based IDS is only as good as its database at a given moment.
- A signature-based IDS monitors packets on the network and compares them with pre-configured and pre-determined attack patterns known as signatures.
- Signature definitions are modelled on known intrusive activity, so the user can examine the signature database and quickly determine which intrusive activity the misuse detection system is programmed to alert on.
- A misuse detection system begins protecting your network immediately upon installation.
- False positives are low as long as the attacks are clearly defined in advance.
- When an alarm fires, the user can relate it directly to a specific type of activity occurring on the network.
- Issues related to the signature-based detection method:
- Attackers can get around a signature-based IDS by frequently changing small things about how the attack takes place, so the databases cannot keep pace. In addition, a completely new attack type may not be picked up at all by a signature-based IDS because the signature does not exist in the database. Furthermore, the larger the database becomes, the higher the processing load is for the system to analyze each connection and check it against the database.
- One issue with the signature-based method for malware detection is that it cannot detect zero-day attacks, that is, attacks for which no corresponding signature is stored in the repository.
- One of the biggest problems for a signature-based NIDS is keeping up with a large volume of incoming traffic when each packet needs to be compared with every signature in the database. Processing all of the traffic is time-consuming and slows down the throughput of the system.
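The following toy detector is an added illustration of the points above; it is not code from the chapter. Every signature, host address and payload in it is constructed for the example. It shows a literal signature catching the exact pattern and naming the activity in the alarm, a trivially altered variant of the same activity slipping past that literal signature (and being caught by a more tolerant rewrite of the rule, which is how defenders absorb such variations), activity with no signature at all going unreported, and a comparison count that grows with the size of the signature database.

```python
"""Toy signature-based network detector (constructed example, not from the chapter)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sid: int              # rule id, as an IDS rule would carry
    name: str             # text the analyst sees when the alarm fires
    dst_port: int         # only inspect traffic to this port
    pattern: re.Pattern   # byte pattern searched for in the payload


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    payload: bytes


def literal(sid, name, port, text: bytes) -> Signature:
    """Exact-match signature: the simplest and most brittle kind."""
    return Signature(sid, name, port, re.compile(re.escape(text)))


# Constructed signature database (real rule sets hold tens of thousands of rules).
LITERAL_DB = [
    literal(1001, "EXAMPLE telnet admin login probe", 23, b"login: admin"),
    literal(1002, "EXAMPLE HTTP directory traversal", 80, b"../../"),
]

# Rule 1001 rewritten tolerantly: case-insensitive, any run of whitespace.
TOLERANT_DB = [
    Signature(1001, "EXAMPLE telnet admin login probe", 23,
              re.compile(rb"login:\s*admin", re.IGNORECASE)),
    LITERAL_DB[1],
]

# Constructed traffic sample (addresses and payloads are invented).
TRAFFIC = [
    Packet("10.0.0.5", 23, b"login: admin\r\n"),           # exact known pattern
    Packet("10.0.0.5", 23, b"LOGIN:    admin\r\n"),        # same activity, small change
    Packet("10.0.0.9", 80, b"GET /../../etc HTTP/1.0"),    # known pattern
    Packet("10.0.0.7", 80, b"GET /index.html HTTP/1.0"),   # benign
    Packet("10.0.0.8", 80, b"PUT /novel-technique"),       # nothing in the database
]


def scan(packets, signatures):
    """Compare every packet with every signature.

    Returns (alerts, comparisons): alerts maps packet index -> list of
    (sid, name) hits; comparisons counts the pattern searches performed,
    which grows with len(packets) * len(signatures) and is the throughput
    cost discussed in the text.
    """
    alerts = {}
    comparisons = 0
    for i, pkt in enumerate(packets):
        for sig in signatures:
            if sig.dst_port != pkt.dst_port:
                continue                        # cheap port pre-filter
            comparisons += 1
            if sig.pattern.search(pkt.payload):
                alerts.setdefault(i, []).append((sig.sid, sig.name))
    return alerts, comparisons


if __name__ == "__main__":
    for label, db in (("literal", LITERAL_DB), ("tolerant", TOLERANT_DB)):
        alerts, n = scan(TRAFFIC, db)
        print(f"{label} rules: {n} pattern searches, alerts on packets {sorted(alerts)}")
        for i, hits in alerts.items():
            print(f"  packet {i} from {TRAFFIC[i].src}: {hits}")
```

With the literal rules only packets 0 and 2 alert; the tolerant rule also catches packet 1, but packet 4 is never reported by either database because no rule describes it.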
2) Anomaly-based detection method:
- An anomaly-based intrusion detection system is an intrusion detection system for detecting network misuse by monitoring system activity and classifying it as either normal or anomalous. The classification is based on heuristics or rules rather than patterns or signatures, and attempts to detect any type of misuse that falls outside normal system operation. This is in contrast to signature-based systems, which can only detect attacks for which a signature has previously been created.
- Importance of the anomaly-based detection method:
- Anomaly-based detection generally needs to work on a statistically significant number of packets, because any packet is only an anomaly compared with some baseline. This need for a baseline presents several difficulties. For one, anomaly-based detection will not be able to detect attacks that can be executed with a few or even a single packet.
- An anomaly-based intrusion detection system detects both network and computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous.
- Anomaly-based network intrusion detection plays a vital role in protecting networks against malicious activities.
- Anomaly-based network intrusion detection techniques are a valuable technology for protecting target systems and networks against malicious activities.
- Issues related to the anomaly-based detection method:
- Due to the underlying assumptions of anomaly detection mechanisms, their false alarm rates are in general very high compared with misuse detection systems.
- There are other equally obvious advantages to using an anomaly-based IDS: it detects any traffic that is new or unusual, and the anomaly method is particularly good at identifying sweeps and probes directed at network hardware.
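The following toy detector is an added illustration of the anomaly-based points above (baseline requirement, sweep detection, false alarms); it is not code from the chapter, and every flow record and address in it is constructed. A baseline of normal behaviour is learned from a training window (packets and distinct destination ports per source per interval); intervals that lie more than k standard deviations above the baseline are reported. The sample window shows a port sweep standing out with no signature at all, a single-packet event that the statistics cannot see, and a legitimate but unusual burst (a new backup job) that is reported too, which is the false-alarm problem the text names.

```python
"""Toy anomaly-based network detector (constructed example, not from the chapter)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    interval: int    # time bucket, e.g. minute number
    src: str
    dst_port: int


def features(flows):
    """Per (interval, src): packet count and number of distinct destination ports."""
    counts = defaultdict(int)
    ports = defaultdict(set)
    for f in flows:
        counts[(f.interval, f.src)] += 1
        ports[(f.interval, f.src)].add(f.dst_port)
    return {k: (counts[k], len(ports[k])) for k in counts}


def build_baseline(training_flows):
    """Mean and population std-dev of each feature over all hosts and intervals.

    One network-wide baseline is used; per-host baselines would be more precise
    but need even more observations, which is the 'statistically significant
    number of packets' requirement from the text.
    """
    feats = list(features(training_flows).values())
    pkts = [p for p, _ in feats]
    prts = [d for _, d in feats]
    return {"pkts": (mean(pkts), pstdev(pkts)), "ports": (mean(prts), pstdev(prts))}


def detect(flows, baseline, k=3.0):
    """Return {(interval, src): reason} for intervals more than k std-devs above baseline."""
    alerts = {}
    for key, (p, d) in features(flows).items():
        reasons = []
        mu, sd = baseline["pkts"]
        if p > mu + k * sd:
            reasons.append(f"packet rate {p} vs baseline {mu:.1f}")
        mu, sd = baseline["ports"]
        if d > mu + k * sd:
            reasons.append(f"{d} distinct ports vs baseline {mu:.1f}")
        if reasons:
            alerts[key] = "; ".join(reasons)
    return alerts


def constructed_training():
    """Ten quiet intervals: a web client (5-7 packets to 80/443) and a host talking to 443."""
    flows = []
    for i in range(10):
        for n in range(5 + i % 3):
            flows.append(Flow(i, "10.0.0.11", 80 if n % 2 == 0 else 443))
        for _ in range(4):
            flows.append(Flow(i, "10.0.0.12", 443))
    return flows


def constructed_test_window():
    """One later interval mixing normal, sweep, single-packet and burst behaviour."""
    t = 20
    flows = [Flow(t, "10.0.0.11", 80 if n % 2 == 0 else 443) for n in range(5)]  # normal
    flows += [Flow(t, "10.0.0.13", port) for port in range(1, 21)]   # port sweep
    flows += [Flow(t, "10.0.0.14", 80)]                              # single-packet event
    flows += [Flow(t, "10.0.0.15", 22) for _ in range(40)]           # new backup job
    return flows


if __name__ == "__main__":
    baseline = build_baseline(constructed_training())
    for key, reason in detect(constructed_test_window(), baseline).items():
        print(key, "->", reason)
```

The sweep from 10.0.0.13 is reported on both features, the backup host 10.0.0.15 is reported on packet rate alone (a false positive an analyst would have to triage), and the single packet from 10.0.0.14 produces no alert because one packet cannot deviate from a rate baseline.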