Hunger Games Guide to Technology Geekers

Signature-Based or Anomaly-Based Intrusion Detection: The Merits and Demerits

Whether you need to monitor your own network or Host by connecting them to identify any latest threats, there are some great open source intrusion detection systems (IDSs) one need to know.

So before coming over to the actual topic, let’s gain some knowledge about what an IDS software is?I won’t bore you with the complete brief Blahh... Blahh.. IDS is. It’s simply a security software which is termed to help user or system administrator by automatically alert or notify at any case when a user tries to compromise information system through any malicious activities or at point where violation of security policies is taken.Network IDS - These Detection are operated by inspecting traffic that occurs between hosts.These mechanisms are basically prorated into two major forms.


1. IDS signature detection 2. Anomaly detection1. IDS Signature Detection- This type of detection work well with the threads that are already determined or known. It implicates searching a series of bytes or sequence that are termed to be malicious. One of the most profitable point is that signatures are easy to apply and develop once you will figure out the sort of network behaviour to be find out.

For example, you might use a signature that looks for particular strings that detects attacks that are attempting to exploit a particular system database. Therefore, at this instance the events generated by a signature-based IDS can communicate what caused the alert. Also, pattern matching can be performed very quickly on modern systems so the amount of power needed to perform these checks is minimal.Disadvantages1. Firstly, it’s easy to fool signature-based solutions by changing the ways in which an attack is made.2. Secondly, the more advanced the signature database, the higher the CPU load for the system charged with analysing each signature3. Novel attacks cannot be detected as the only execute for known attacks2. Anomaly detection- The anomaly detection technique is a centralized process that works on the concept of a baseline for network behaviour. This baseline is a description of accepted network behaviour, which is learned or specified by the network administrators, or both. It’s like a guard dog personally interviewing everyone at the gate before they are let down the drive.Its integral part of baselining network is the capability of engine’s to dissect protocols at all layers. For every protocol that is being monitored, the engine must possess the ability to decode and process the protocol in order to understand its goal.


Disadvantages1. One of the major drawbacks of anomaly-detection engines is the difficultly of defining rules. Each protocol being analysed must be defined, implemented and tested for accuracy which is not always an easy task.2. Other of the perils including that if any malicious activity that falls within normal usage patterns is not detected. An activity such as directory traversal on a targeted server doesn’t triggered out of protocol, payload or bandwidth limitation flag if complies with network protocol.3. Anomaly testing requires more hardware that must be spread across the network. Thus go well with only larger networks and, with high bandwidth connections.

Share This Story