Intrusion detection systems are used for security purposes. IDS/IPS products use different techniques to detect intruders and their actions. The following are the most commonly used intrusion detection techniques:
- Behaviour Based
- Signature Based
- Anomaly Based
- Heuristic Approach
Behaviour Based IDS
These are based on establishing rules, or in other words on defining what is right and what is wrong. Behaviour based detection can be seen as a form of anomaly based detection, but instead of using a database of rules or anomaly definitions it relies on real time recording of activity. Once a baseline has been established, the IDS detects deviations from that standard of normal. One of the biggest advantages of this technique is that it can detect any type of change or difference, including previously unseen attacks such as zero-day exploits. Its weakness is that it is difficult to define what is normal; determining what is benign or malicious under non standard conditions is not an easy task.
Signature Based IDS
Signature based techniques match patterns of known attacks that are held in a database.
One of the biggest advantages of this technique is that it can quickly and accurately detect any known attack in the IDS database. Its weakness is that it can only detect known attacks, not new attacks (so called zero-day exploits). To overcome this weakness the database must be updated constantly so that detection keeps improving.
Anomaly Based IDS
This technique watches ongoing activity to detect abnormal occurrences.
It relies on definitions of all valid forms of activity; this known set of definitions is then used to detect anomalies. This kind of technique is mostly used for protocols, because all valid and legal forms of a protocol are known and can be easily defined, so any variation from these valid standards is reported as an anomaly. However, traffic or events that fall within normal values are not necessarily free of malicious content.
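The following added example (not part of the original article) contrasts the signature based and anomaly based techniques on a handful of constructed web server log lines: the signature database and the log format are hypothetical, the baseline is learnt from the first few "normal" lines as a behaviour based IDS would, and each technique catches an event the other misses.

```python
import re
from statistics import mean, pstdev

# Constructed sample log lines: "<client> <method> <path> <status> <bytes>".
SAMPLE_LOGS = [
    "10.0.0.5 GET /index.html 200 512",
    "10.0.0.5 GET /about.html 200 480",
    "10.0.0.7 GET /login 200 530",
    "10.0.0.7 GET /index.html 200 505",
    # Known attack pattern, but a perfectly normal response size.
    "10.0.0.9 GET /search?q=../../etc/passwd 404 500",
    # No known pattern, but a response far outside the learnt baseline.
    "10.0.0.9 GET /index.html 200 49000",
]

# Hypothetical signature database of known attack patterns.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-union": re.compile(r"(?i)union\s+select"),
}

def response_size(line):
    """Last field of the constructed log format is the response size."""
    return int(line.split()[-1])

def signature_alerts(lines):
    """Signature based: flag lines matching any pattern in the database."""
    return [(line, name) for line in lines
            for name, pattern in SIGNATURES.items() if pattern.search(line)]

def anomaly_alerts(lines, baseline_sizes, threshold=3.0):
    """Anomaly based: flag response sizes more than `threshold` standard
    deviations away from the baseline learnt from normal traffic."""
    mu, sigma = mean(baseline_sizes), pstdev(baseline_sizes)
    alerts = []
    for line in lines:
        z = (response_size(line) - mu) / sigma if sigma else 0.0
        if abs(z) > threshold:
            alerts.append((line, "response-size-anomaly"))
    return alerts

def detect(training_lines, live_lines):
    """Learn the baseline from known-normal lines, then run both techniques."""
    baseline = [response_size(l) for l in training_lines]
    return {"signature": signature_alerts(live_lines),
            "anomaly": anomaly_alerts(live_lines, baseline)}

if __name__ == "__main__":
    for kind, hits in detect(SAMPLE_LOGS[:4], SAMPLE_LOGS[4:]).items():
        print(kind, hits)
```

The traversal request is only caught by the signature, and the oversized response only by the anomaly check, which is exactly the trade off the two sections above describe.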
Heuristic Approach IDS
This technique functions by comparing suspicious or new programs against known examples of malware. There are various ways in which this comparison can be done. One method is to run the new program in a virtual machine or sandbox and compare its activities with those of known malicious programs; if they match, the program is classified as malicious, otherwise not.