Four weeks ago, a network administrator applied a new IDS and allowed it to gather baseline data. As rumors
of a layoff began to spread, the IDS alerted the network administrator that access to sensitive client files had
risen far above normal. Which of the following kind of IDS is in use?
Most intrusion detection systems (IDS) are what is known as signature-based. This means that they operate in
much the same way as a virus scanner, by searching for a known identity – or signature – for each specific
intrusion event. And, while signature-based IDS is very efficient at sniffing out known methods of attack, it does,
like anti-virus software, depend on receiving regular signature updates, to keep in touch with variations in
hacker technique. In other words, signature-based IDS is only as good as its database of stored signatures.
Any organization wanting to implement a more thorough – and hence safer – solution, should consider what we
call anomaly-based IDS. By its nature, anomaly-based IDS is a rather more complex creature. In network traffic
terms, it captures all the headers of the IP packets running towards the network. From this, it filters out all
known and legal traffic, including web traffic to the organization’s web server, mail traffic to and from its mail
server, outgoing web traffic from company employees and DNS traffic to and from its DNS server.
There are other equally obvious advantages to using anomaly-based IDS. For example, because it detects any
traffic that is new or unusual, the anomaly method is particularly good at identifying sweeps and probes towards
network hardware. It can, therefore, give early warnings of potential intrusions, because probes and scans are
the predecessors of all attacks. And this applies equally to any new service installed on any item of hardware –
for example, Telnet deployed on a network router for maintenance purposes and forgotten about when the
maintenance was finished. This makes anomaly-based IDS perfect for detecting anything from port anomalies
and web anomalies to mis-formed attacks, where the URL is deliberately mis-typed.