Four weeks ago, a network administrator applied a new IDS and allowed it to gather baseline data.
As rumors of a layoff began to spread, the IDS alerted the network administrator that access to
sensitive client files had risen far above normal. Which of the following kind of IDS is in use?
A.
Protocol based
B.
Heuristic based
C.
Signature based
D.
Anomaly based
Explanation:
Most intrusion detection systems (IDS) are what is known as signature-based. This means that
they operate in much the same way as a virus scanner, by searching for a known identity – or
signature – for each specific intrusion event. And, while signature-based IDS is very efficient at
sniffing out known methods of attack, it does, like anti-virus software, depend on receiving regular
signature updates, to keep in touch with variations in hacker technique. In other words, signaturebased IDS is only as good as its database of stored signatures.
Any organization wanting to implement a more thorough – and hence safer – solution, should
consider what we call anomaly-based IDS. By its nature, anomaly-based IDS is a rather more
complex creature. In network traffic terms, it captures all the headers of the IP packets running
towards the network. From this, it filters out all known and legal traffic, including web traffic to the
organization’s web server, mail traffic to and from its mail server, outgoing web traffic from
company employees and DNS traffic to and from its DNS server.
There are other equally obvious advantages to using anomaly-based IDS. For example, because it
detects any traffic that is new or unusual, the anomaly method is particularly good at identifying
sweeps and probes towards network hardware. It can, therefore, give early warnings of potential
intrusions, because probes and scans are the predecessors of all attacks. And this applies equally
to any new service installed on any item of hardware – for example, Telnet deployed on a network
router for maintenance purposes and forgotten about when the maintenance was finished. Thismakes anomaly-based IDS perfect for detecting anything from port anomalies and web anomalies
to mis-formed attacks, where the URL is deliberately mis-typed.