Are there advantages of signature based vs. behavior based systems?
Intrusion Detection Systems
Page 1 of 16 Replies - 3028 Views - Last Post: 27 August 2009 - 07:35 PM
Replies To: Intrusion Detection Systems
#2
Re: Intrusion Detection Systems
Posted 20 July 2009 - 12:56 PM
What?
Please remove this. Wrong forum
#4
Re: Intrusion Detection Systems
Posted 20 July 2009 - 04:02 PM
I'm actually going to stick it in Networking as it's more of a networking topic. Or I could just close it since the OP couldn't take the time to even explain what he was interested in or provide any context for his post.
#5
Re: Intrusion Detection Systems
Posted 20 July 2009 - 07:53 PM
Well, stop torturing the guy! XD
#6
Re: Intrusion Detection Systems
Posted 20 July 2009 - 08:10 PM
I would think you would want behavior-based, because signatures can be avoided or faked.
#7
Re: Intrusion Detection Systems
Posted 27 August 2009 - 07:35 PM
Wow... I did my senior seminar paper on IDSs...
Okay, well,
first things first... Neither system is perfect.
As no2Pencil said, signatures can indeed be faked, but behavior-based systems share a similar con. An attacker can slowly infiltrate himself into a system, performing small, insignificant acts that get through the IDS, like pings and traceroutes and such. Over time the system begins to learn that these are normal activities, and when these activities are thought of as normal, the attacker can then flood the system with ping packets, and thus you have a DoS attack on the server. The best kind of intrusion detection system (in my opinion) is one that uses behavior-based tactics coupled with a well-designed data mining engine or neural network structure, so that it can rank the level of "normal-ness" through the use of fuzzy logic. That way, over time, if the number of ping requests increases, the log will show that, for example, one day a ping with 10 packets showed as 10% normal, however three days later a ping with 100 packets could be shown as 2% normal, flagging the event and hopefully preventing any further attempts to flood the server.
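The slow-ramp weakness described in the post above, as an added example that is not from the thread: a toy anomaly detector over constructed daily ping counts, with a naive adaptive baseline beside a hardened one that also keeps a pinned training baseline and alerts when the adaptive baseline itself drifts. All names, thresholds and sample counts are assumptions for illustration.

```python
"""
Toy anomaly-based IDS over daily ICMP echo-request counts from one source.
A purely adaptive baseline can be walked upward by a slow ramp until a flood
looks normal; a pinned baseline plus a drift check catches the ramp early.
"""

K = 2.0            # alert if today's count exceeds K x baseline (assumed)
ALPHA = 0.5        # EWMA weight for the adaptive baseline (assumed)
DRIFT_LIMIT = 2.0  # alert if adaptive baseline exceeds this multiple of the pinned one

# Constructed sample data: 7 quiet training days, then a ramp of ~1.4x per day
# (each step stays under K x the learned baseline), then the flood.
TRAINING = [10, 9, 11, 10, 10, 11, 9]
RAMP = [14, 20, 27, 38, 54, 75, 105, 147, 206, 289, 404, 566]
FLOOD = [800]


def detect(samples, training, k=K, alpha=ALPHA, drift_limit=DRIFT_LIMIT):
    """Return (naive_alerts, hardened_alerts): lists of flagged sample indexes.

    naive    : compares against the EWMA baseline only and keeps learning
               from every unflagged sample (the design that learns the attacker).
    hardened : additionally compares against a baseline pinned after training
               and flags when the adaptive baseline has drifted too far from it.
    """
    pinned = sum(training) / len(training)
    adaptive = pinned
    naive, hardened = [], []
    for i, count in enumerate(samples):
        flagged_naive = count > k * adaptive
        if flagged_naive:
            naive.append(i)
        drifted = adaptive > drift_limit * pinned
        if flagged_naive or count > k * pinned or drifted:
            hardened.append(i)
        if not flagged_naive:
            # The naive learner absorbs the sample into its notion of normal.
            adaptive = alpha * adaptive + (1 - alpha) * count
    return naive, hardened


if __name__ == "__main__":
    naive, hardened = detect(RAMP + FLOOD, TRAINING)
    print("naive alerts   :", naive)      # [] : the flood day is accepted as normal
    print("hardened alerts:", hardened)   # ramp flagged from its third day onward
```

The naive detector never fires, including on the 800-packet day, because each step of the ramp stayed below twice the baseline it had just learned; the hardened detector flags the ramp on its third day, long before the flood.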