Question about IDS's

itrorevitrorev Member Posts: 9 ■□□□□□□□□□
Hi again guys

I have a few questions regarding IDS's.

I'm aware of Pattern-Matching and Behavior type IDS's, but I've ran into 3 other types I've never heard of, nor have been able to find an adequate description of:

Heuristic Analysis IDS
Protocol-Decode Analysis IDS
Stateful Inspection IDS

Can anyone provide a bit of a description of these?


  • supertechCETmasupertechCETma Member Posts: 377
    You can think of protocol decode-based signatures as an intelligent extension of pattern matching. With this type of signature, the IDS searches for protocol violations, as defined by Requests for Comment (RFCs), and might also incorporate pattern matches for a particular field.

    For example, consider an attack that runs over a hypothetical Multicast over Satellite Protocol (MSP) and uses an illegal argument xyz in the MSP Type field. Suppose also that the MSP has an Options field for which the valid options are qrs, tuv, and xyz. In the case of simple or stateful pattern matching, a high number of false positives would result because xyz is a valid value for the Options field. With protocol decode-based analysis, the IDS decodes MSP and only reports xyz values in the Type field.

    Stateful pattern matching adds to pattern-matching by searching for unique sequences that might be distributed across several packets within a stream.

    A heuristic-based signature uses an algorithm to determine whether an alarm should be fired. An example of this type of analysis and warning would be a signature that fires an alarm if a threshold number of unique ports are scanned on a particular host. The signature can also be limited to, say, SYN packets that are from a particular source, such as a perimeter router. Although heuristic-based signatures can be the only way to detect certain types of attacks, they require tuning and modification to better conform to their unique network environment. Moreover, heuristic scanning is CPU- and resource-intensive, so be sure to carefully weigh the benefits and drawbacks against your network security needs before implementing a large-scale heuristic-based solution.

    (Intrusion Detection Overview
    By Daniel Newman, Kristina M. Manalo, Ed Tittel.)
    Electronic Technicians Association-International
    The Fiber Optic Association
    Home Acoustics Alliance®
    Imaging Science Foundation
  • itrorevitrorev Member Posts: 9 ■□□□□□□□□□
    Thanks alot!

    That helps a bunch!
Sign In or Register to comment.