Misuse detection IDS models function in much the same way as high-end computer anti-virus applications. That is, a misuse detection IDS analyzes host or network activity and compares it against signatures (patterns) of known intrusive computer and network behavior, raising an alert only when the activity matches a signature. Like anti-virus definitions, these signatures must be updated over time to include the latest attack patterns; activity that matches no signature passes without comment.
Misuse detection has its share of advantages as well:
- If the target deployment is only a few computer systems, a misuse-based IDS is easy to implement, update and deploy. If the scope of deployment is large (many computer systems), keeping every sensor's signature set current becomes a considerable task, which counts as a disadvantage.
- A misuse-based IDS can be used immediately. It does not need to “learn” normal network behavior before it is of use, as an anomaly-based IDS does.
- Signature matching produces fewer false alarms (false positives) than other IDS methods, because an alert is raised only on a known pattern. The trade-off is that an attack with no signature produces no alert at all (a false negative).
- If the signatures are reliable, attacks that match them are identified very quickly, and the alert names the attack, which makes the choice of corrective measures easier.
- Computer administrators can write their own signatures in accordance with the organization's security policy.
Like anti-virus software, the signatures containing the attack patterns are constantly changing. Good computer and network hackers are well aware of the patterns of known exploits, and an exploit can be modified (for example by encoding or re-ordering its payload) so that it no longer matches the published signature and raises no red flags. Intrusion detection systems that follow the misuse detection model therefore need to be constantly updated to stay a step ahead of the hackers.
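As an added illustration (not code from the original article), the following Python script implements the signature-matching loop described above over a handful of constructed request-log lines. Two textbook attacks are caught by the base signatures; their percent-encoded variants slip past matching on the raw bytes until the request is decoded first; an administrator-written policy signature catches a request the base set does not; and a command-injection line for which no signature exists produces no alert at all. The signature identifiers, names and log lines are made up for the example and follow no real product's rule format.

```python
import re
from urllib.parse import unquote

# Constructed sample web-server request lines (not captured from a real system).
SAMPLE_LOG = [
    "GET /index.html HTTP/1.1",                                # benign
    "GET /cgi-bin/../../etc/passwd HTTP/1.1",                  # traversal, textbook form
    "GET /login.php?user=admin' OR 1=1-- HTTP/1.1",            # SQL injection, textbook form
    "GET /cgi-bin/..%2f..%2fetc%2fpasswd HTTP/1.1",            # same traversal, URL-encoded
    "GET /login.php?user=admin'%20oR%201%3D1-- HTTP/1.1",      # same injection, encoded + case-changed
    "GET /backup/site.tar.gz HTTP/1.1",                        # allowed by default, forbidden by local policy
    "GET /api/ping?host=127.0.0.1;cat+/etc/shadow HTTP/1.1",   # command injection with no signature
]

# Signature database: (sid, name, compiled pattern). The sid/name layout is a
# hypothetical format for this example, not Snort's or any other product's.
BASE_SIGNATURES = [
    (1001, "directory traversal to /etc/passwd", re.compile(r"\.\./\.\./etc/passwd")),
    (1002, "SQL injection tautology", re.compile(r"' or 1=1", re.IGNORECASE)),
]

# An administrator-written signature enforcing a local policy (hypothetical).
LOCAL_POLICY_SIGNATURES = [
    (9001, "policy: direct access to /backup/ area", re.compile(r"^GET /backup/")),
]


def normalize(line):
    """Canonicalize a request before matching: percent-decode twice so that
    single- and double-encoded payloads compare equal to their plain form."""
    return unquote(unquote(line))


def scan(records, signatures, canonicalize=False):
    """Misuse detection: emit (sid, record) for every record matching a known pattern.
    Records that match nothing pass silently, which is where false negatives come from."""
    alerts = []
    for rec in records:
        subject = normalize(rec) if canonicalize else rec
        for sid, _name, pattern in signatures:
            if pattern.search(subject):
                alerts.append((sid, rec))
    return alerts


def scan_raw():
    """Match the base signatures against the request bytes exactly as logged."""
    return scan(SAMPLE_LOG, BASE_SIGNATURES)


def scan_canonical():
    """Same signatures, but decode each request first so the encoded variants also fire."""
    return scan(SAMPLE_LOG, BASE_SIGNATURES, canonicalize=True)


def scan_with_local_policy():
    """Signature update: the base set plus the locally written policy rule."""
    return scan(SAMPLE_LOG, BASE_SIGNATURES + LOCAL_POLICY_SIGNATURES, canonicalize=True)


if __name__ == "__main__":
    for label, fn in (("raw", scan_raw),
                      ("canonical", scan_canonical),
                      ("canonical + local policy", scan_with_local_policy)):
        print(f"--- {label} ---")
        for sid, rec in fn():
            print(f"sid={sid}  {rec}")
```

Running the script shows the point of the preceding paragraph: the raw scan reports only the two textbook requests, decoding before matching recovers the two encoded variants without touching the signatures, the policy rule fires on the /backup/ request, and the command-injection request is never reported because nothing in the signature set describes it.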