Behavior based systems use a reference rule of normal behavior and flag deviations from this model as anomalous and potentially intrusive. A behavioral rule aims to define a profile of legitimate activity. Any activity that does not match the profile, including new types of attack, is considered anomalous. As rules are not specific to a particular type of attack, forensic information is not normally very detailed. However, rules can identify malicious behavior without having to recognize the specific attack used. This approach offers unparalleled protection against new attacks ahead of any knowledge being available in the security community. The disadvantage of this model is that it may cause a high number of false-positive alerts.
-False positive: A report of an attack or attempted attack when no vulnerability existed or no compromise occurred.
-False negative: The failure of an IDS to report an instance in which an attacker successfully compromises a host or network.
-Sensor: The computer that monitors the network for intrusion attempts. Sensors usually run in promiscuous mode, often without an IP address.
Useful Links & References
http://www-rnks.informatik.tu-cottbus.de - Intrusion Detection Systems List
http://www.securityfocus.com - Introduction to Intrusion Detection Systems
http://www.lids.org - Linux Intrusion Detection System
http://www.snort.org - The Open Source Network Intrusion Detection System
http://www.sans.org/resources/idfaq/ - Intrusion Detection FAQ
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.