Common IDS implementations combine the approaches discussed so far,
because each single-method IDS has limitations that another method can
offset. For example, a misuse-based (signature) HIDS and an
anomaly-based NIDS are usually deployed together to form a hybrid
host/network IDS architecture. The hybrid allows events observed on the
network segment to be correlated with events on the target host(s).
Some advantages of this dual IDS implementation are:
- Fewer anomaly-based false alerts. An anomaly alert that is
corroborated by a host-side alert on the same host within a short time
window is far more likely to be a real intrusion than either alert
alone. Correlation therefore limits the inherent disadvantage of
anomaly-based IDS, its high false-alert rate.
- Detection of new attacks. A misuse-based HIDS cannot detect an attack
for which no signature exists yet, so pairing it with an anomaly-based
NIDS adds the ability to flag novel attacks and evasion techniques that
deviate from the learned traffic baseline.
Because the monitoring scope of host-based and network-based IDS is
largely distinct, deployments that use both provide the broadest
intrusion detection coverage. A HIDS monitors local system objects
(files, processes, accounts, and so on), while a NIDS monitors the
traffic on its network segment. In most real-world deployments this
dual approach has provided the greatest detection capability.