A standard protection method that most businesses (both large and small) utilize to protect their establishment from theft is a common burglar alarm. Given this fact, it is amazing how many of these same businesses install little if any protection to guard their networks from attack and theft of valuable company information. An intrusion detection system (IDS) is essentially a burglar alarm system for your network. It enables you to monitor your network for intrusive activity. When intrusive activity occurs, your IDS generates an alarm to let you know that your network is possibly under attack. Like regular burglar alarms, however, your IDS can generate "false positives" or "false alarms".
A false positive occurs when your IDS generates an alarm from normal user activity. If your IDS generates too many false positives, then you will lose confidence in the capability of your IDS to protect your network. If you have a burglar alarm that continually goes off incorrectly, the police will become conditioned to the fact that your establishment is prone to false alarms. During an actual break-in, the police may not respond as quickly, thinking that the alarm is just another false alarm. Therefore, it is crucial that you configure your IDS to minimize the number of false positives that it generates.
Your IDS may also experience false negatives. In this situation, an attack occurs against your network, and your IDS fails to alarm even though it is designed to detect such an attack. Your IDS should almost never generate false negatives. In fact, it is preferable for your IDS to actually generate more false positives rather than generating any false negatives.
To protect your network, your IDS must generate alarms when it detects intrusive activity on your network. Different IDSs trigger alarms based on different types of network activity. The two most common triggering mechanisms are the following:
- Anomaly detection
- Misuse detection
Besides implementing a triggering mechanism, your IDS must somehow watch for intrusive activity at specific points within your network. Monitoring intrusive activity normally occurs at the following two locations:
Finally, many intrusion detection systems incorporate multiple features into a single system. These systems are known as hybrid systems.
With anomaly detection, you need to create a profile for each user group on your system. These profiles can be built automatically or created manually. How the profiles are created is not important as long as the profiles accurately define the characteristics for each user group or user on your network. These profiles are then used as a baseline to define normal user activity. If any network activity deviates too far from this baseline, then the activity generates an alarm. Because this type of IDS is designed around user profiles, it is also sometimes known as profile-based detection.
Anomaly detection systems offer several benefits. First, they can detect insider attacks or account theft very easily. If a real user or someone using a stolen account starts performing actions that are outside the normal user profile, it generates an alarm. Second, because the system is based on customized profiles, it is very difficult for an attacker to know with certainty what activity he can do without setting off an alarm. Probably the largest benefit, however, is that intrusive activity is not based on specific traffic that represents known intrusive activity (as in a signature-based IDS). An anomaly detection system can potentially detect an attack the first time it is used. The intrusive activity generates an alarm because it deviates from normal activity, not because someone configured the system to look for a specific stream of traffic.
Like every IDS, anomaly detection systems also suffer from several drawbacks. The first obvious drawback is that the system must be trained to create the appropriate user profiles. During the training period to define what normal traffic looks like on your network, the network is not protected from attack. Just defining "normal" is a challenge in itself. Maintenance of the profiles can also become time-consuming. Nevertheless, the biggest drawback to anomaly detection is probably the complexity of the system and the difficulty of associating an alarm with the specific event that triggered the alarm. Furthermore, you have no guarantee that a specific attack will even generate an alarm. If the intrusive activity is too close to normal user activity, then the attack will go unnoticed. It is also difficult for you to know which attacks will set off alarms unless you actually test the attacks against your network using various user profiles.
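The profile-based mechanism described above, reduced to its essentials, as an added example (not code from the original text or from any IDS product): a baseline is built per user from a training window, later observations are scored by how many standard deviations they sit from that baseline, and a threshold decides when to alarm. The users, event counts and thresholds are constructed sample data; the metric (logins per hour) and the z-score test are assumptions chosen for illustration. Running it at several thresholds shows the trade-off the text describes: a low threshold alarms on a mildly busy legitimate user (a false positive), a high threshold lets that same activity through, and an unknown user with no profile is always reported because there is no baseline to compare against.

```python
"""Toy profile-based (anomaly) detector, added as an illustration.

Builds a per-user baseline from a training window of constructed event
counts, then flags later windows that deviate too far from that baseline.
All users, counts and thresholds are constructed sample data.
"""
from statistics import mean, pstdev

# Constructed training data: logins per hour observed for each user
# during a "normal" period. In practice this is mined from logs.
TRAINING = {
    "alice": [3, 4, 3, 5, 4, 3, 4, 5, 4, 3],
    "bob":   [1, 1, 2, 1, 1, 2, 1, 1, 2, 1],
}


def build_profiles(training):
    """Baseline per user: (mean, population standard deviation) of the metric."""
    return {user: (mean(samples), pstdev(samples)) for user, samples in training.items()}


def z_score(profile, value):
    """Distance of an observation from the baseline, in standard deviations."""
    mu, sigma = profile
    # A perfectly constant baseline has sigma 0; treat any change as maximal.
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return abs(value - mu) / sigma


def detect(profiles, observations, threshold):
    """Return (user, value, z) for every observation that deviates beyond threshold."""
    alarms = []
    for user, value in observations:
        profile = profiles.get(user)
        if profile is None:
            # No baseline exists for this user, so there is nothing "normal" to
            # compare against; report it so an analyst can build a profile.
            alarms.append((user, value, float("inf")))
            continue
        z = z_score(profile, value)
        if z > threshold:
            alarms.append((user, value, z))
    return alarms


# Constructed observation window: alice is slightly busier than usual,
# bob is far outside his baseline, carol has never been seen before.
OBSERVED = [("alice", 6), ("bob", 40), ("carol", 2)]


def evaluate_thresholds(thresholds):
    """Map each threshold to the list of users it would alarm on for OBSERVED."""
    profiles = build_profiles(TRAINING)
    return {t: [a[0] for a in detect(profiles, OBSERVED, t)] for t in thresholds}


if __name__ == "__main__":
    for t, users in evaluate_thresholds([1.0, 2.0, 3.0]).items():
        print(f"threshold {t}: alarms for {users}")
```

With these constructed numbers alice's observation scores roughly 2.9 standard deviations from her baseline, so she is alarmed on at thresholds 1.0 and 2.0 but not at 3.0; bob is alarmed on at every threshold. Which of those outcomes is "right" is exactly the judgement the text says is hard to make, and it cannot be made without testing real activity against the profiles.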
The second major category of IDS triggering is known as misuse detection. Misuse detection is also sometimes referred to as signature-based detection because alarms are generated based on specific attack signatures. These attack signatures encompass specific traffic or activity that is based on known intrusive activity.
Misuse detection provides various benefits. One of the first benefits is that the signature definitions are modeled on known intrusive activity. Furthermore, the user can examine the signature database and quickly determine which intrusive activity the misuse detection system is programmed to alert on. Another benefit is that the misuse detection system begins protecting your network immediately upon installation. One final benefit is that the system is easy to understand. When an alarm fires, the user can relate this directly to a specific type of activity occurring on the network.
Along with the numerous benefits, misuse detection systems also have their share of drawbacks. One of the biggest problems is maintaining state information for signatures in which the intrusive activity encompasses multiple discrete events (that is, the complete attack signature occurs in multiple packets on the network). Another drawback is that your misuse detection system must have a signature defined for all of the possible attacks that an attacker may launch against your network. This leads to the necessity for frequent signature updates to keep the signature database of your misuse detection system up-to-date. One final problem with misuse detection systems is that someone may set up the misuse detection system in their lab and intentionally try to find ways to launch attacks that bypass detection by the misuse detection system.
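The signature-based mechanism of the last three paragraphs, as an added example (not code from the original text or from any IDS product): one stateless signature that matches a single log line with a regular expression, and one stateful signature that must remember earlier events per source before it can fire, which is the state-keeping burden the drawbacks paragraph refers to. The log lines, source addresses, the traversal-style request pattern and the "three failures within sixty seconds" rule are all constructed for illustration. Note what the example does not do: the first log line is never reported, because no signature describes it, which is the "a signature must exist for every attack" limitation in practice.

```python
"""Toy misuse (signature-based) detector, added as an illustration.

Two signature kinds: a stateless single-event signature matched with a
regular expression, and a stateful multi-event signature that keeps
per-source history before it can fire. Log lines are constructed sample
data, not the output of any real product.
"""
import re
from collections import defaultdict, deque

# Constructed sample log: (timestamp in seconds, message)
LOG = [
    (100, "src=10.0.0.5 GET /index.html"),
    (101, "src=10.0.0.9 auth failed user=admin"),
    (102, "src=10.0.0.9 auth failed user=admin"),
    (103, "src=10.0.0.5 GET /../../etc/passwd"),
    (104, "src=10.0.0.9 auth failed user=root"),
    (105, "src=10.0.0.9 auth failed user=root"),
    (160, "src=10.0.0.9 auth failed user=root"),
]

# Stateless signatures: one line is enough to decide. Each entry is
# (alarm name, compiled pattern). Anything not listed here is invisible.
SINGLE_EVENT_SIGNATURES = [
    ("path traversal in request", re.compile(r"GET \S*\.\./")),
]


class RepeatedFailureSignature:
    """Stateful signature: fires when one source produces `count` auth
    failures within `window` seconds. The per-source deque is the state a
    multi-event signature has to carry between discrete events."""

    name = "repeated auth failures"
    pattern = re.compile(r"src=(\S+) auth failed")

    def __init__(self, count=3, window=60):
        self.count = count
        self.window = window
        self.history = defaultdict(deque)

    def feed(self, ts, msg):
        """Record a matching event; return the source if the signature fires."""
        m = self.pattern.search(msg)
        if not m:
            return None
        src = m.group(1)
        q = self.history[src]
        q.append(ts)
        # Drop events that have aged out of the window.
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.count:
            q.clear()  # fire once per burst, then start counting again
            return src
        return None


def source_of(msg):
    m = re.search(r"src=(\S+)", msg)
    return m.group(1) if m else "unknown"


def run_detector(log, stateful=None):
    """Feed every line through all signatures; return (ts, alarm name, source)."""
    stateful = stateful or RepeatedFailureSignature()
    alarms = []
    for ts, msg in log:
        for name, rx in SINGLE_EVENT_SIGNATURES:
            if rx.search(msg):
                alarms.append((ts, name, source_of(msg)))
        src = stateful.feed(ts, msg)
        if src:
            alarms.append((ts, stateful.name, src))
    return alarms


if __name__ == "__main__":
    for alarm in run_detector(LOG):
        print(alarm)
```

On the constructed log the stateless signature fires on the request at time 103, and the stateful one fires at time 104 when the third failure from 10.0.0.9 lands inside the window; the failures at 105 and 160 start a new count that never reaches three. Every alarm maps directly to a named signature and a specific line, which is the "easy to understand" benefit the text describes, and every alarm disappears the moment the corresponding pattern is removed from the list, which is the maintenance cost.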