Signature-Based IDS
The most prevalent form of intrusion detection is through
signature matching. Referred to as signature-based IDS, these systems monitor
the network or server and match packet traffic attributes against a set of
predetermined attack lists or signatures. Should a particular network
conversation match a signature configured on the IDS, the system alerts
administrators or takes other pre-configured action.
Signature-based IDS can be quite effective in security monitoring,
yet they have several drawbacks. To detect most potential attacks, the signature
database on the IDS must be large. As the speed of networks increases, it is
difficult for signature-based IDS to keep pace with network traffic. Typically,
signature-based IDS must be de-tuned by removing some of the signatures from the
active database before use. While this permits the IDS to function properly, it
does so at the risk of missing potential attacks. Similarly, because these systems
only alert administrators to attacks for which they have a signature, new
vulnerabilities and exploits will not be detected until the vendors or
administrators develop new signatures.
Note: Intrusion detection systems must be properly tuned once
they're in the network environment. Because each signature within an IDS
consumes system resources, it may not be advisable to load all signatures based
on your network requirements and services. For instance, if you don't run a
specific service or block access to the service at perimeter security devices,
it might not be necessary to monitor for potential attacks against that service.
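The matching and tuning behaviour described above, as an added example that is not code from the original text or from any IDS product: a minimal signature engine with hypothetical signatures and constructed sample packets, which shows a signature hit, a miss on a payload with no signature, and the effect of disabling signatures for services the site does not offer.

```python
import re
from dataclasses import dataclass, replace

@dataclass
class Signature:
    sid: int
    name: str
    proto: str
    dst_port: int
    pattern: str          # regex matched against the packet payload
    enabled: bool = True

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dst_port: int
    payload: bytes

# Hypothetical signatures (constructed for this example, not a vendor ruleset).
SIGNATURES = [
    Signature(1001, "HTTP scanner user-agent", "tcp", 80, r"User-Agent: ScannerBot"),
    Signature(1002, "SMTP VRFY user probe", "tcp", 25, r"^VRFY\s"),
    Signature(1003, "Telnet login prompt seen", "tcp", 23, r"login:"),
]

def match_signatures(pkt, sigs):
    """Return the enabled signatures whose protocol, port and pattern all match."""
    text = pkt.payload.decode("latin-1")
    return [s for s in sigs
            if s.enabled and s.proto == pkt.proto and s.dst_port == pkt.dst_port
            and re.search(s.pattern, text)]

def tune_for_services(sigs, offered_ports):
    """Tuning step: keep only signatures for services actually offered or reachable."""
    return [replace(s, enabled=s.dst_port in offered_ports) for s in sigs]

def run_ids(packets, sigs):
    """Return one (signature id, src, dst) alert per matching packet/signature pair."""
    return [(s.sid, p.src, p.dst) for p in packets for s in match_signatures(p, sigs)]

# Constructed sample traffic; the last packet carries something no signature covers.
PACKETS = [
    Packet("10.0.0.5", "192.0.2.10", "tcp", 80, b"GET / HTTP/1.0\r\nUser-Agent: ScannerBot/1.0"),
    Packet("10.0.0.6", "192.0.2.10", "tcp", 23, b"login: "),
    Packet("10.0.0.7", "192.0.2.10", "tcp", 80, b"GET /index.html HTTP/1.0"),
    Packet("10.0.0.8", "192.0.2.10", "tcp", 80, b"GET /unseen-attack-variant HTTP/1.0"),
]

if __name__ == "__main__":
    print(run_ids(PACKETS, SIGNATURES))                                   # full database
    print(run_ids(PACKETS, tune_for_services(SIGNATURES, {80, 25})))      # Telnet not offered
```

The fourth packet never alerts in either run, which is the blind spot the text describes for attacks that have no signature yet.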