IDS and IDPS detection methods include: anomaly detection, signature detection, and a newer method named stateful protocol analysis.
Anomaly detection works using profiles of system service and resource usage and activity. The IDS/IDPS starts by creating a baseline also known as a training period. This baseline is used to compare to current usage and activity as a way to identify suspicious activity. Anomaly detection requires fine tuning profiles to reduce false alarms ((Weaver et al., 2012, pg.267-268).
Signature detection compares activity and behavior to signatures of known attacks. Signature based IDPS is good for organizations concerned with known attacks. Signatures must be updated regularly to be effective ((Weaver et al., 2012, pg.268).
Stateful protocol analysis uses information about the connections between hosts and compares it to entries in a state table. The state table maintains a record of connection between computers to include; source IP address and port, destination IP address and port, and protocols being used. This method looks for sudden or dramatic changes in network activity. Other functions sometimes include protocol state tracking, dynamic application protocol analyses, and IP packet reassembly which prevents IP packet fragments to get through to the internal network ((Weaver et al., 2012, pg.269).
Weaver et al. (2012, pg.268-269) lists the following advantages and disadvantages of anomaly detection.
- Profiles are created in advance so attackers cannot test them to determine what might set off an alarm.
- Profiles can be updated immediately whenever there are updates.
- System can also detect attacks from inside a network.
- Configuring profiles is time consuming.
- Definitions of what is considered normal and abnormal traffic requires constant updating.
- Training the IDS/IDPS can take weeks and require constant adjustment to reduce false positives.
Weaver et al. (2012, pg.268-269) lists the following advantages and disadvantages of signature detection.
- Simpler since it uses signatures of known attacks.
- The device can be and running upon installation.
- Each signature is assigned a number so it can be specified what activity is considered an attack.
- Signatures need to be updated often to be effective.
- Newer attack signatures may not be in the signature database.
- Attackers can make minor changes to attacks to avoid matching an attack signature.
- Might require extensive disk space for storage of database.
IDPS_Info498 (n.d.) provides the following advantages and disadvantages of stateful protocol analysis.
- Identifies unexpected sequences of commands.
- Adds stateful characteristics to regular protocol analysis.
- Reasonableness check thresholds for individual commands.
- Resource intensive, high resource overhead.
- Cannot detect attacks that do not violate the characteristics of generally accepted protocol behavior.
- Conflicts between the protocol model used by IDPS and how protocol is actually implemented.
A hybrid detection engine controls the sensitivity levels of the anomaly and signature based detectors according to a calculated suspicion value. The functions of HDE are as follows:
- Collecting the outputs of anomaly-based detector and signature-based detector.
- Calculating the attack probability.
- Controlling the security levels of the detectors.
- Updating anomaly detector’s normal network model.
- Updating the signature-based detectors rule set.
The HDE calculates the final decision on the probability of an attack by using the collected outputs of the anomaly- and signature-based detectors. The calculation is performed according to a weighted correlation of the two detector inputs (Cepheli, Buyukcorak, & Kurt, 2016).
Cepheli, O., Buyukcorak, S., & Kurt, G. K. (2016). Hybrid Intrusion Detection System for DDoS Attacks. Retrieved April 2, 2017, from https://www.hindawi.com/journals/jece/2016/1075648/.
IDPS_Info498. (n.d.). Stateful protocol analysis detection. Retrieved March 28, 2017, from https://sites.google.com/site/idpsinfo498/home/common-detection-methodologies/stateful-protocol.
Weaver, R., Weaver, D., Farwood, D., & Weaver, R. (2012). Guide to Network Defense and Countermeasures (3rd ed.). Boston, MA: Course Technology, Cengage Learning.