Intrusion Detection Systems: Behavioral Characteristics and Network Risks

Behavioral Characteristics of Intrusion Detection Systems


Question

Which of the following types of Intrusion Detection Systems uses behavioral characteristics of a system's operation or network traffic to draw conclusions on whether the traffic represents a risk to the network or host?

Answers

A. Network-based IDS
B. Anomaly Detection
C. Host-based IDS
D. Signature analysis

B.

Explanations

There are two basic IDS analysis methods: pattern matching (also called signature analysis) and anomaly detection.

Anomaly detection uses behavioral characteristics of a system's operation or network traffic to draw conclusions on whether the traffic represents a risk to the network or host.

Anomalies may include but are not limited to:

- Multiple failed log-on attempts
- Users logging in at strange hours
- Unexplained changes to system clocks
- Unusual error messages

The following are incorrect answers:

Network-based ID Systems (NIDS) are usually incorporated into the network in a passive architecture, taking advantage of promiscuous mode access to the network.

This means that it has visibility into every packet traversing the network segment.

This allows the system to inspect packets and monitor sessions without impacting the network or the systems and applications utilizing the network.

A host-based ID System (HIDS) is the implementation of IDS capabilities at the host level.

Its most significant difference from NIDS is that related processes are limited to the boundaries of a single-host system.

However, this presents advantages in effectively detecting objectionable activities because the IDS process is running directly on the host system, not just observing it from the network.

This offers unfettered access to system logs, processes, system information, and device information, and virtually eliminates limits associated with encryption.

The level of integration represented by HIDS increases the level of visibility and control at the disposal of the HIDS application.

Signature Analysis

Some of the first IDS products used signature analysis as their detection method and simply looked for known characteristics of an attack (such as specific packet sequences or text in the data stream) to produce an alert if that pattern was detected.

For example, an attacker manipulating an FTP server may use a tool that sends a specially constructed packet.

If that particular packet pattern is known, it can be represented in the form of a signature that IDS can then compare to incoming packets.

Pattern-based IDS will have a database of hundreds, if not thousands, of signatures that are compared to traffic streams.

As new attack signatures are produced, the system is updated, much like antivirus solutions.

There are drawbacks to pattern-based IDS.

Most importantly, signatures can only exist for known attacks.

If a new or different attack vector is used, it will not match a known signature and, thus, slip past the IDS.

Additionally, if an attacker knows that the IDS is present, he or she can alter his or her methods to avoid detection.

Changing packets and data streams, even slightly, from known signatures can cause an IDS to miss the attack.

As with some antivirus systems, the IDS is only as good as the latest signature database on the system.

For additional information on Intrusion Detection Systems: http://en.wikipedia.org/wiki/Intrusion_detection_system

Reference(s) used for this question:

Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 3623-3625, 3649-3654, 3666-3686). Auerbach Publications. Kindle Edition.

The correct answer is B. Anomaly Detection.

Intrusion Detection Systems (IDS) are security tools that monitor network and system activity to identify potential security breaches or attacks. IDS can be classified into three types: network-based IDS (NIDS), host-based IDS (HIDS), and hybrid IDS (HIDS/NIDS).

Behavior-based IDS, also known as Anomaly Detection, uses the behavioral characteristics of system operations or network traffic to identify abnormal activity. These IDS use statistical models, machine learning algorithms, or expert systems to build a baseline of normal activity and then compare new activity against the baseline.

If the activity deviates from the baseline, the system generates an alert, indicating that there may be a security risk. Behavior-based IDS can detect previously unknown attacks that signature-based IDS may miss.

Network-based IDS (A) analyze network traffic to detect suspicious activity. They monitor network traffic on the wire, looking for specific signatures or patterns of known attacks.

Host-based IDS (C) are installed on individual hosts and monitor system activity to identify signs of compromise. They look for suspicious activity, such as unexpected modifications to system files or the creation of new users.

Signature analysis (D) involves identifying known patterns of attacks, which are stored in a database of signatures. When network traffic matches a signature, the IDS generates an alert.

In summary, behavior-based IDS, or Anomaly Detection, uses statistical models, machine learning algorithms, or expert systems to build a baseline of normal activity and then compares new activity against the baseline to identify abnormal activity that may represent a security risk.
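As an added example (not from the CISSP guide or this page), the two analysis methods contrasted above run over a few constructed sshd log lines: a fixed signature fires only on the one known string, while the anomaly detector baselines an account's usual hours and daily failed log-ons on the first day and flags the deviations on the next. All log lines, account names and the threshold factor are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample auth-log lines (not real data). 2024-03-01 is normal use; 2024-03-02 has
# an off-hours failed-log-on burst against a valid account and one line a signature can match.
LOG_LINES = [
    "2024-03-01T09:02:11 sshd: Accepted password for alice from 10.0.0.5",
    "2024-03-01T10:03:02 sshd: Failed password for alice from 10.0.0.5",
    "2024-03-02T03:11:05 sshd: Failed password for alice from 203.0.113.9",
    "2024-03-02T03:11:07 sshd: Failed password for alice from 203.0.113.9",
    "2024-03-02T03:11:09 sshd: Failed password for alice from 203.0.113.9",
    "2024-03-02T03:11:13 sshd: Accepted password for alice from 203.0.113.9",
    "2024-03-02T03:12:00 sshd: Failed password for invalid user admin from 203.0.113.9",
]
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d)T(\d\d):\S+ sshd: (Accepted|Failed) password for "
                     r"(?:invalid user )?(\S+) from \S+$")
# Signature analysis: one fixed pattern for a known characteristic in the data stream.
SIGNATURES = {"nonexistent-account probe": re.compile(r"password for invalid user ")}

def parse(line):
    m = LINE_RE.match(line)  # None for lines that do not fit the log format
    return m and {"date": m[1], "hour": int(m[2]), "ok": m[3] == "Accepted", "user": m[4]}

def signature_hits(lines):
    """Pattern matching: alert only on lines that contain a known signature."""
    return [(name, line) for line in lines for name, rx in SIGNATURES.items() if rx.search(line)]

def build_baseline(events):
    """Per user: the hours at which activity was seen, and failed log-ons per day."""
    base = defaultdict(lambda: {"hours": set(), "failed": defaultdict(int)})
    for e in events:
        base[e["user"]]["hours"].add(e["hour"])
        if not e["ok"]:
            base[e["user"]]["failed"][e["date"]] += 1
    return base

def anomalies(events, base, factor=2):
    """Anomaly detection: flag deviations from the baseline; no signature is needed."""
    alerts, failed = set(), defaultdict(int)
    for e in events:
        b = base.get(e["user"], {"hours": set(), "failed": {}})  # unknown account: empty baseline
        if e["hour"] not in b["hours"]:
            alerts.add((e["user"], f"activity at unusual hour {e['hour']:02d}"))
        if not e["ok"]:
            failed[(e["user"], e["date"])] += 1
            if failed[(e["user"], e["date"])] > factor * max(b["failed"].values(), default=0):
                alerts.add((e["user"], "failed log-on count above baseline"))
    return sorted(alerts)

def run(lines=LOG_LINES, train_date="2024-03-01"):
    events = [e for e in map(parse, lines) if e]
    base = build_baseline([e for e in events if e["date"] == train_date])
    return signature_hits(lines), anomalies([e for e in events if e["date"] != train_date], base)
```

The signature pass never sees the burst against alice, because nothing in those lines matches a stored pattern; the anomaly pass catches it, but only because a baseline existed for that account.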