- Unauthorized outsider access: When an unauthorized user logs in successfully, or attempts to log in, they are best tracked with host-based IDS. However, detecting the unauthorized user before their log on attempt is best accomplished with network-based IDS.
- Bandwidth theft/denial of service: these attacks from outside the network single out network resources for abuse or overload. The packets that initiate/carry these attacks can best be noticed with use of network-based IDS.
"An IDS before the firewall is an Attack detection and after the firewall is Intrusion detection.... In a switched network, since we don't have broadcasting, we have two better options on deploying the NIDS, using a hub to force a broadcast or using a mirroring-port in the switch."
Application Based IDS
Application Based IDS monitor only specific applications such as database management systems, content management systems, accounting systems etc. They often detect attacks through analysis of application log files and can usually identify many types of attack or suspicious activity. Sometimes application-based IDS can even track unauthorized activity from individual users. They can also work with encrypted data, using application-based encryption/decryption services.
Knowledge based systems use signatures about attacks to detect instances of these attacks. Knowledge based systems is the most-used IDS model. Signatures are patterns that identify attacks by checking various options in the packet, like source address, destination address, source and destination ports, flags, payload and other options. The collection of these signatures composes a knowledge base that is used by the IDS to compare all packet options that pass by and check if they match a known pattern. Signatures have the same limitations as a patch - it is not possible to write the signature until the hack has materialized.
Behavior based systems use a reference rule of normal behavior and flag deviations from this model as anomalous and potentially intrusive. A behavioral rule aims to define a profile of legitimate activity. Any activity that does not match the profile, including new types of attack, is considered anomalous. As rules are not specific to a particular type of attack, forensic information is not normally very detailed. However, rules can identify malicious behavior without having to recognize the specific attack used. This approach offers unparalleled protection against new attacks ahead of any knowledge being available in the security community. The disadvantage of this model is that it may cause a high number of false-positive alerts.
-False positive: A report of an attack or attempted attack when no vulnerability existed or no compromise occurred.
-False negative: The failure of an IDS to report an instance in which an attacker successfully compromises a host or network.
-Sensor: The computer that monitors the network for intrusion attempts. Sensors usually run in promiscuous mode, often without an IP address.
Useful Links & References