So what happens when there’s an attack on a computer network? Chances are that you’ve seen a movie or TV programme where the administrators rush to their keyboards and frantically begin typing, lights flash, sirens sound – it’s all very exciting – but does anything like this happen in real life?
As you might suspect, the answer is, no, not really. Computer networks are regularly attacked, but the response is rarely as exciting as film makers would like you to believe.
An intrusion detection system (IDS) may be a dedicated device or a piece of software. IDSs are typically divided into two types according to what they monitor:
- Network Intrusion Detection System (NIDS) is responsible for monitoring data passing over a network.
- Host Intrusion Detection System (HIDS) is responsible for monitoring data to and from a computer.
Intrusion detection may be passive – the IDS identifies that an intrusion is taking place and informs an administrator, who must take appropriate action. It may also be reactive – as well as informing the administrator, the IDS actively attempts to stop the intrusion, in most cases by blocking any further data packets sent from the source IP address. Reactive systems are also referred to as Intrusion Prevention (or Protection) Systems (IPS).
Weaknesses
Automated intrusion detection systems have a number of weaknesses. They can be too sensitive, falsely reporting that an intrusion is under way, for example if a network is incorrectly configured or a buggy program begins issuing large numbers of packets.
Conversely, they are sometimes not sensitive enough to certain types of attack that proceed very slowly and do not generate enough traffic to raise the alarm. Finally, a signature-based IDS relies on the software supplier issuing regular updates to its list of known signatures; until the IDS receives the update covering a new attack, it is effectively blind to that attack.
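The two sensitivity problems above can be seen side by side in a small threshold detector. This is an added illustration written for this page, not code from the Open University course: it watches how many distinct destination ports each source contacts within a sliding time window, on a constructed set of connection records (timestamps, addresses and port numbers are all invented). A misconfigured internal service that retries eight ports within a few seconds trips the alarm, while a probe that touches one port every ten minutes stays under the same threshold and is only caught when the window is widened.

```python
from collections import defaultdict, deque

# Constructed connection records: (timestamp in seconds, source IP, destination port).
EVENTS = [
    # A buggy internal service hammering eight ports within eight seconds:
    # plenty of traffic, but no attacker behind it (a false positive).
    *[(100 + i, "10.0.0.7", 8000 + i) for i in range(8)],
    # A slow probe from another address: one new port every 600 seconds.
    *[(1000 + 600 * i, "198.51.100.9", 20 + i) for i in range(8)],
    # Ordinary traffic that should never be flagged.
    (50, "10.0.0.3", 443),
    (120, "10.0.0.3", 443),
    (5000, "10.0.0.3", 80),
]


def detect_port_sweeps(events, window_seconds, threshold):
    """Alert when one source contacts more than `threshold` distinct ports
    inside any `window_seconds`-long interval.

    Returns {source_ip: timestamp_of_first_alert}; each source is reported once.
    """
    recent = defaultdict(deque)  # source -> (timestamp, port) pairs still inside the window
    alerts = {}
    for ts, src, port in sorted(events):
        window = recent[src]
        window.append((ts, port))
        # Drop records that have fallen out of the sliding window.
        while window and window[0][0] < ts - window_seconds:
            window.popleft()
        distinct_ports = {p for _, p in window}
        if len(distinct_ports) > threshold and src not in alerts:
            alerts[src] = ts
    return alerts


if __name__ == "__main__":
    # A 60-second window catches the noisy (but harmless) service and misses the slow probe.
    print("60s window :", detect_port_sweeps(EVENTS, window_seconds=60, threshold=5))
    # A one-hour window also catches the slow probe, at the cost of more state per source.
    print("3600s window:", detect_port_sweeps(EVENTS, window_seconds=3600, threshold=5))
```

Widening the window is not free: the detector must hold more history per source, and legitimate hosts that talk to many services over an hour become more likely to be reported, which is exactly the trade-off between the two weaknesses the text describes.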
How an IDS works in practice
Intrusion detection typically uses one of two techniques: anomaly detection or misuse detection.
Anomaly detection
Anomaly detection depends on the system having a model of the expected ‘normal’ network behaviour of users and applications. The basic assumption of anomaly detection is that attacks differ from normal behaviour. This approach has the advantage of being able to detect previously unknown attacks by simply looking for patterns that deviate from the expected normal behaviour.
For example, consider a user who normally logs on to his computer at 9am each weekday and spends most of the morning accessing an order processing application, before taking a break for lunch. Subsequently the user accesses a number of supplier websites each afternoon before logging off at 5pm. If the intrusion detection system logs the user accessing the system at 3am and installing new software on his machine, the anomaly detection algorithm would flag this activity as suspicious.
Of course a potential disadvantage of this approach would be that some legitimate activities might be incorrectly identified as being suspicious.
Misuse detection
Misuse detection depends on the system having a set of attack patterns, or ‘signatures’, against which all network activity can be compared. Some intrusion detection systems also allow patterns of normal network activity to be specified. Whenever there is a match between users’ activities and one of the attack signatures, or a mismatch between users’ activities and a normal use pattern, the system will flag that an attack is under way.
This approach has the advantage of minimising the number of occasions on which legitimate activity is identified as suspicious. However, it has the disadvantage of only being able to identify attacks for which a known pattern exists.
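The worked scenario from the anomaly detection section and the signature matching just described can be run against the same day of activity to make the trade-off concrete. The following is an added example written for this page, not code from the Open University course. It assumes a constructed log format (`timestamp user=... action=...`), invented action names, and two hypothetical attack signatures; the profile built from two "normal" days stands in for the model of expected behaviour. The anomaly detector catches the 3am software installation without knowing anything about it but also flags a harmless new task; the misuse detector reports only the line that matches a known signature.

```python
import re
from collections import defaultdict

# Constructed log format: ISO timestamp, user name and a single action per line.
LINE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}T(?P<hour>\d{2}):\d{2}:\d{2} user=(?P<user>\w+) action=(?P<action>\S+)$"
)


def parse(line):
    """Return (hour_of_day, user, action) from one constructed log line."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    return int(m["hour"]), m["user"], m["action"]


# Two constructed "normal" days: the 9-to-5 pattern described in the text.
TRAINING = [
    "2024-03-04T09:01:12 user=alice action=login",
    "2024-03-04T09:30:00 user=alice action=open_order_app",
    "2024-03-04T14:05:44 user=alice action=browse_supplier_site",
    "2024-03-04T17:02:03 user=alice action=logoff",
    "2024-03-05T08:58:40 user=alice action=login",
    "2024-03-05T10:12:19 user=alice action=open_order_app",
    "2024-03-05T15:40:07 user=alice action=browse_supplier_site",
    "2024-03-05T16:59:31 user=alice action=logoff",
]

# Constructed day under test: one unknown attack, one harmless new task, one known attack.
DAY = [
    "2024-03-06T03:12:40 user=alice action=login",                 # outside the user's hours
    "2024-03-06T03:15:02 user=alice action=install_software",      # no signature exists for this
    "2024-03-06T09:03:15 user=alice action=login",                 # normal
    "2024-03-06T10:47:51 user=alice action=export_report",         # new, but legitimate
    "2024-03-06T14:20:00 user=alice action=browse_supplier_site",  # normal
    "2024-03-06T14:22:09 user=alice action=disable_audit_logging", # matches a known signature
]

# Hypothetical attack signatures: patterns the misuse detector already knows about.
SIGNATURES = [
    re.compile(r"action=disable_audit_logging$"),
    re.compile(r"action=add_user_to_admins$"),
]


def build_profile(lines):
    """Model of 'normal': for each user, the (hour, action) pairs seen in training."""
    profile = defaultdict(set)
    for line in lines:
        hour, user, action = parse(line)
        profile[user].add((hour, action))
    return profile


def anomaly_detect(profile, lines, tolerance_hours=1):
    """Flag any line whose action was never seen for that user within
    `tolerance_hours` of this hour of day. Unknown attacks are caught,
    but so is any new legitimate activity."""
    flagged = []
    for line in lines:
        hour, user, action = parse(line)
        known = profile.get(user, set())
        if not any(a == action and abs(h - hour) <= tolerance_hours for h, a in known):
            flagged.append(line)
    return flagged


def misuse_detect(lines):
    """Flag only lines matching a known attack signature: few false alarms,
    but anything without a signature passes silently."""
    return [line for line in lines if any(sig.search(line) for sig in SIGNATURES)]


if __name__ == "__main__":
    profile = build_profile(TRAINING)
    print("anomaly detection flagged:")
    for line in anomaly_detect(profile, DAY):
        print("  ", line)
    print("misuse detection flagged:")
    for line in misuse_detect(DAY):
        print("  ", line)
```

In practice the two are run together: the signature matcher gives high-confidence alerts an administrator can act on immediately, while the anomaly output is reviewed with the expectation that some of it, like the `export_report` line here, will turn out to be legitimate and should be fed back into the profile.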
© The Open University
https://www.futurelearn.com/courses/introduction-to-cyber-security/8/steps/83131