Question about IDSs
Hi again guys
I have a few questions regarding IDSs.
I'm aware of pattern-matching and behavior-type IDSs, but I've run into 3 other types I've never heard of, nor have I been able to find an adequate description of:
Heuristic Analysis IDS
Protocol-Decode Analysis IDS
Stateful Inspection IDS
Can anyone provide a bit of a description of these?
Comments
supertechCETma Member Posts: 377
You can think of protocol decode-based signatures as an intelligent extension of pattern matching. With this type of signature, the IDS searches for protocol violations, as defined by Requests for Comment (RFCs), and might also incorporate pattern matches for a particular field.
For example, consider an attack that runs over a hypothetical Multicast over Satellite Protocol (MSP) and uses an illegal argument xyz in the MSP Type field. Suppose also that the MSP has an Options field for which the valid options are qrs, tuv, and xyz. In the case of simple or stateful pattern matching, a high number of false positives would result because xyz is a valid value for the Options field. With protocol decode-based analysis, the IDS decodes MSP and only reports xyz values in the Type field.
Stateful pattern matching adds to pattern-matching by searching for unique sequences that might be distributed across several packets within a stream.
A heuristic-based signature uses an algorithm to determine whether an alarm should be fired. An example of this type of analysis and warning would be a signature that fires an alarm if a threshold number of unique ports are scanned on a particular host. The signature can also be limited to, say, SYN packets that are from a particular source, such as a perimeter router. Although heuristic-based signatures can be the only way to detect certain types of attacks, they require tuning and modification to better conform to their unique network environment. Moreover, heuristic scanning is CPU- and resource-intensive, so be sure to carefully weigh the benefits and drawbacks against your network security needs before implementing a large-scale heuristic-based solution.
(Intrusion Detection Overview, by Daniel Newman, Kristina M. Manalo, Ed Tittel.)
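To make the three signature styles in the reply concrete, here is an added example (not from the original post or the quoted book) that runs a naive pattern match and a protocol-decode check over constructed packets of the hypothetical MSP protocol described above, and then applies a heuristic unique-port threshold to constructed SYN records. The field names, the `MSP_VALID_TYPES` set and the threshold of 5 are assumptions for illustration.

```python
# Added example: pattern matching vs protocol-decode analysis on hypothetical
# MSP packets, plus a heuristic port-scan threshold. All data is constructed.
from collections import defaultdict

# Constructed, already-decoded MSP packets. "xyz" is a legal Options value
# but an illegal Type value, exactly the case discussed in the reply.
MSP_PACKETS = [
    {"src": "10.0.0.5", "type": "data", "options": "xyz"},   # benign
    {"src": "10.0.0.6", "type": "ack",  "options": "xyz"},   # benign
    {"src": "10.0.0.9", "type": "xyz",  "options": "tuv"},   # protocol violation
]
MSP_VALID_TYPES = {"data", "ack", "ctrl"}   # assumed RFC-defined Type values

def pattern_match_alerts(packets):
    """Naive signature: fire on the string 'xyz' anywhere in the packet.
    Returns the source of every packet that matched (includes false positives)."""
    return [p["src"] for p in packets if "xyz" in (p["type"] + p["options"])]

def protocol_decode_alerts(packets):
    """Protocol-decode signature: alert only when the Type field violates the spec."""
    return [p["src"] for p in packets if p["type"] not in MSP_VALID_TYPES]

# Constructed SYN records as (src, dst, dst_port) tuples for the heuristic example.
SYN_RECORDS = [
    ("192.0.2.10", "10.0.0.1", 22),   ("192.0.2.10", "10.0.0.1", 80),
    ("192.0.2.10", "10.0.0.1", 443),  ("192.0.2.10", "10.0.0.1", 8080),
    ("192.0.2.10", "10.0.0.1", 3389), ("192.0.2.10", "10.0.0.1", 22),   # repeat port
    ("192.0.2.77", "10.0.0.1", 443),  ("192.0.2.77", "10.0.0.1", 443),
]

def heuristic_scan_alerts(records, threshold=5, only_src=None):
    """Heuristic signature: fire when one source has sent SYNs to at least
    `threshold` unique ports on one host. `only_src` narrows the signature to a
    single source (the reply's perimeter-router example). Returns (src, dst, n)."""
    ports = defaultdict(set)
    for src, dst, port in records:
        if only_src is None or src == only_src:
            ports[(src, dst)].add(port)
    return [(src, dst, len(p)) for (src, dst), p in ports.items() if len(p) >= threshold]

if __name__ == "__main__":
    print(pattern_match_alerts(MSP_PACKETS))     # 3 alerts, 2 of them false positives
    print(protocol_decode_alerts(MSP_PACKETS))   # 1 alert, the real violation
    print(heuristic_scan_alerts(SYN_RECORDS))    # [('192.0.2.10', '10.0.0.1', 5)]
```

Lowering `threshold` or widening `only_src` is the tuning the reply refers to: the heuristic fires on a count, not a byte pattern, so its false-positive rate depends on the environment.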