The first form of detection or recognition is based on signature; this method is also sometimes called misuse detection. The system compares traffic to known models and when matches are found it reports the attack.
- Pattern matching is the most basic form of detecting and is used in many systems. The process relies on the comparison of known patterns against captured traffic. However, consider the following when implementing a pattern matching system: The most basic form of this mechanism is pattern matching, in which traffic is compared against known binary models. These models may in fact be looking for changes or patterns in the TCP flags on traffic.
- Signature recognition is effective at detecting known attacks and poor at detecting ones not in its database. There is also a slight possibility that other traffic not related to an attack will trigger a false positive.
- Additionally, improper signatures can cause other problems such as false positives and false negatives. As the signature database increases in size, the time it takes to analyze traffic increases, resulting in a reduction in performance. In fact, if enough traffic attempts to pass through the IDS and performance is already impacted, traffic may be dropped and not analyzed.
- Evolution of attacks and minor variations of attacks can result in the need for multiple signatures for a single attack. Just a single bit change can trigger the need for a new signature to be created.
Anomaly detection is different from signature detection in how it detects potential attacks. In this system, any activity that matches something in the database is considered an anomaly. Additionally, any deviation from normal activity is regarded as an attack and triggers further action. Unlike the signature-based system, this type of system must be set up to understand what normal activity on a network is so that it can detect deviations from this baseline. If the system is not configured as to what normal behavior on a network is supposed to be, false positives and negatives can easily become a problem.
Protocol Anomaly Detection
The third type of detection used by IDS systems is protocol anomaly detection. It is based on the anomalies that are specific to a given protocol. To determine what anomalies are present, the system uses known specifications for a protocol and then uses that as a model to compare traffic against. Through use of this design, new attacks may be discovered. This method can detect new attacks before normal anomaly detection or signature detection can. The detection method relies on the use or misuse of the protocol and not the rapidly changing attack method. Unlike the prior two methods, protocol anomaly detection does not require signature updates to be downloaded. Alarms in this type of system are typically presented differently from others, and thus the manufacturers’ guides should be consulted as each may be different.