"No single IDS model can offer 100% intrusion detection."

Implementations of IDS vary with the security needs of the network or host being monitored. As we have seen, there is no universal IDS model that provides the best intrusion detection monitoring in every environment. Complex architectures require complex IDS deployments, which in turn require a high degree of IDS expertise to deploy and maintain. Even with the highest level of expertise, however, intrusions cannot be fully shut out: the IDS techniques themselves do not offer a foolproof way to detect every intrusion an attack can consist of. The information below details some of these shortcomings.
Anomaly Detection Disadvantages
#1) Since anomaly detection works by defining a "normal" model of system or network behavior, it usually produces a large number of false alarms caused by the unpredictable, but not necessarily malicious, behavior of users and networks. In fact, an anomaly-based IDS that raises 20 false alarms for every real intrusion it detects is considered good. This is because normal system and network activity is, for the most part, highly dynamic and very difficult to capture and predict.
#2) Anomaly detection approaches often require extensive training sets of network or system event records in order to characterize normal behavior patterns. These training sets typically consist of logs that capture the normal usage of the subject or object being monitored. Once the training sets are assembled, they are fed into the anomaly detection engine to build a model of normal usage; activity that departs far enough from that model is flagged, whether or not it is actually hostile.
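The two anomaly-detection shortcomings above can be seen in a few lines of code. The following is an added example, not code from the original article: a toy statistical profiler that is trained on a constructed set of "normal" per-user login counts and then scores new events. The training records, the users, the z-score threshold and the labelled test events are all assumptions made for the illustration. Two benign events (an employee working late, a new hire with no profile yet) raise alarms, while an attacker who stays inside the learned baseline is missed.

```python
import statistics
from collections import defaultdict

# Constructed training set of "normal" usage: (user, hour_of_day, login_count).
# Not real data; values are chosen so the arithmetic below is easy to follow.
TRAINING = [
    ("alice", 9, 3), ("alice", 10, 4), ("alice", 11, 3), ("alice", 14, 5),
    ("alice", 9, 2), ("alice", 10, 3), ("alice", 11, 4), ("alice", 14, 4),
    ("bob", 8, 1), ("bob", 9, 2), ("bob", 10, 1), ("bob", 9, 1),
    ("bob", 8, 2), ("bob", 10, 2),
]


def build_profile(records):
    """Characterise normal behaviour from the training set: per-user mean and
    standard deviation of logins per hour, plus the hours the user was ever seen."""
    counts = defaultdict(list)
    hours = defaultdict(set)
    for user, hour, count in records:
        counts[user].append(count)
        hours[user].add(hour)
    profile = {}
    for user, values in counts.items():
        stdev = statistics.pstdev(values) or 1.0  # avoid division by zero
        profile[user] = {"mean": statistics.mean(values), "stdev": stdev, "hours": hours[user]}
    return profile


def score(profile, user, hour, count, z_threshold=3.0):
    """Return (is_anomalous, reason). Unknown users and never-seen hours are
    anomalies by construction, which is exactly where false alarms come from."""
    p = profile.get(user)
    if p is None:
        return True, "unknown user"
    if hour not in p["hours"]:
        return True, "activity outside known hours"
    z = (count - p["mean"]) / p["stdev"]
    if abs(z) > z_threshold:
        return True, f"login rate z-score {z:.1f}"
    return False, "within baseline"


# Constructed events to score: (user, hour, login_count, ground truth).
EVENTS = [
    ("alice", 10, 4, "benign"),    # ordinary activity
    ("alice", 22, 1, "benign"),    # working late: legitimate, but never seen in training
    ("carol", 9, 2, "benign"),     # new hire: no profile exists yet
    ("bob", 9, 40, "malicious"),   # password-guessing burst, far outside baseline
    ("bob", 9, 2, "malicious"),    # stolen credentials used quietly, inside baseline
]


def evaluate(profile, events):
    """Tally outcomes: the two benign alarms are the false positives the text
    describes; the last event is the quiet intrusion the model cannot see."""
    tally = {"true_positive": 0, "false_alarm": 0, "missed": 0, "true_negative": 0}
    for user, hour, count, truth in events:
        flagged, _reason = score(profile, user, hour, count)
        if flagged and truth == "malicious":
            tally["true_positive"] += 1
        elif flagged:
            tally["false_alarm"] += 1
        elif truth == "malicious":
            tally["missed"] += 1
        else:
            tally["true_negative"] += 1
    return tally


if __name__ == "__main__":
    prof = build_profile(TRAINING)
    for user, hour, count, truth in EVENTS:
        print(user, hour, count, truth, score(prof, user, hour, count))
    print(evaluate(prof, EVENTS))
```

Raising the z-score threshold or widening the allowed hours would remove the two false alarms, but only by making the model blind to more of the quiet intrusions; the trade-off the section describes is built into the approach, not into this particular implementation.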
Misuse Detection Disadvantages
#1) Since misuse detection works by comparing known intrusive signatures against the observed log, misuse detectors are limited to detecting attacks that are already known. They must therefore be constantly updated with signatures for newly discovered attacks and for modified versions of existing ones.
#2) Vulnerable to evasion. Once a security hole has been discovered and a signature has been written to capture it, several "copycat" exploitations usually surface to take advantage of the same hole. Because each is a variant of the original attack method, it usually slips past the original signature, forcing the signature to be rewritten again and again.
#3) Many misuse detectors use tightly defined signatures, which prevents them from detecting even simple variants of common attacks.
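All three misuse-detection shortcomings can be shown together with a signature matcher run over a handful of web-server request lines. This is an added example, not code from the original article; the log lines, the directory-traversal signature and the normalisation steps are assumptions for the illustration. An exact-string signature catches only the original request, a normalising signature catches the encoded and backslash "copycat" variants of the same technique, and neither catches a traversal aimed at a file the signature author never anticipated.

```python
import re
from urllib.parse import unquote

# Constructed request lines (not real traffic). Index 1 is the "original" attack
# the signature was written for; 2-4 are copycat variants of the same technique;
# 6 is the same technique against a target the signature does not name.
LOG_LINES = [
    "GET /index.html HTTP/1.1",
    "GET /download?file=../../etc/passwd HTTP/1.1",
    "GET /download?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1",   # URL-encoded
    "GET /download?file=..%252f..%252fetc%252fpasswd HTTP/1.1",     # double-encoded
    "GET /download?file=..\\..\\etc\\passwd HTTP/1.1",              # backslashes
    "GET /download?file=reports/2023.pdf HTTP/1.1",
    "GET /download?file=../../etc/shadow HTTP/1.1",                 # unanticipated target
]

# Tightly defined signature: the exact byte sequence seen in the first exploit.
EXACT_SIGNATURE = "../../etc/passwd"


def exact_match(line):
    """Disadvantage #3: a literal signature matches only the literal attack."""
    return EXACT_SIGNATURE in line


def normalise(line):
    """Undo the cheap transformations an attacker uses to dodge a literal match:
    peel layered percent-encoding, fold backslashes to slashes, collapse runs."""
    s = line
    for _ in range(3):  # bounded so a crafted request cannot loop forever
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = s.replace("\\", "/")
    return re.sub(r"/+", "/", s)


# Broader signature for the same known hole: any number of ../ then the same file.
TRAVERSAL_RE = re.compile(r"(?:\.\./)+etc/passwd")


def normalised_match(line):
    """Disadvantage #2 addressed for known variants, but it is still a signature
    for one known attack (#1): /etc/shadow at index 6 goes undetected."""
    return TRAVERSAL_RE.search(normalise(line)) is not None


def run(detector, lines):
    """Return the indices of lines the given detector flags."""
    return [i for i, line in enumerate(lines) if detector(line)]


if __name__ == "__main__":
    print("exact signature hits:     ", run(exact_match, LOG_LINES))
    print("normalised signature hits:", run(normalised_match, LOG_LINES))
```

Each broadening of the signature (decoding, backslash folding, the `(?:\.\./)+` quantifier) only extends coverage to variants someone already thought of; the request at index 6 is caught only after it has been seen and a new signature written, which is the update treadmill described in #1.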
Host-Based IDS Disadvantages
#1) Implementing HIDS can become very complex in large networking environments. With several thousand endpoints in a large network, collecting and auditing the log files generated by each node is a daunting task.
#2) If the host running the HIDS is compromised, the IDS itself may be stopped along with it, halting all logging. If logging does continue after the compromise, the trustworthiness of that log data is severely diminished, since the attacker controls the system producing it.
Network-Based IDS Disadvantages
Network-based intrusion detection appears to offer the widest detection coverage while minimizing deployment and maintenance overhead. However, the main problem with implementing a NIDS using the techniques described in the previous sections is the high rate of false alarms. Modern enterprise networks amplify this disadvantage because of the massive volume of dynamic and diverse traffic that must be analyzed.
All the IDS techniques described above have their share of disadvantages. There is no single IDS model that offers 100% intrusion detection with a 0% false alarm rate in today's complex networking environments. However, combining multiple IDS techniques can, to a certain extent, minimize many of the disadvantages outlined above.