10

Detection Methods

What are commonly-used detection methods by an IDS?

  1. Signature-Based Detection searches a packet for known patterns of threats called signatures. Such patterns are stored in the signature database of the IDS. Signature-based detection is the simplest form of detection because it just compares the traffic with the database. If a match is found, an alert is generated; if no match is found, traffic flows without any problem. Example: a virus code in a packet's body.
  2. Anomaly-Based Detection protects against unknown threats. An anomaly is anything that is abnormal. Anomalies include protocol issues, such as erroneous source and destination port numbers, illegal protocol commands, and corrupt checksums, and Denial of Service and Buffer overflow attacks. Example: HTTP traffic on a non-standard port.
    • We'll focus on checksums in the next slides.
  3. Stateful Protocol Analysis Detection is similar to anomaly-based detection, except that the statistics on what constitutes 'normal data flow' are created by the vendors who supply the detection sensor equipment. "Stateful" means that it has the capability to keep track of the state of the protocol in both the network and application layers.
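To make the difference between the first two methods concrete, here is an added illustration (not from the slides) that runs both a signature lookup and a few anomaly checks over constructed packets. The `Packet` record, the `SIGNATURES` database, the toy `simple_checksum` and the alert names are all assumptions made for this example.

```python
from dataclasses import dataclass

# Constructed, simplified packet record (hypothetical; real headers carry far more).
@dataclass
class Packet:
    proto: str        # "TCP" or "UDP"
    src_port: int
    dst_port: int
    payload: bytes
    checksum: int     # checksum value carried in the header

# Hypothetical signature database: alert name -> byte pattern looked for in the payload.
SIGNATURES = {
    "constructed-sample-a": b"MALWARE-SAMPLE-ABC",
    "constructed-sample-b": b"TEST-PATTERN-XYZ",
}

def simple_checksum(data: bytes) -> int:
    """Toy 16-bit additive checksum standing in for the real transport checksum."""
    return sum(data) & 0xFFFF

def signature_detect(pkt: Packet) -> list:
    """Signature-based detection: compare the payload with every stored pattern."""
    return [name for name, pattern in SIGNATURES.items() if pattern in pkt.payload]

def anomaly_detect(pkt: Packet) -> list:
    """Anomaly-based detection: flag protocol deviations from expected normal traffic."""
    findings = []
    # Erroneous source/destination port numbers (valid range is 1..65535).
    if not (0 < pkt.src_port < 65536 and 0 < pkt.dst_port < 65536):
        findings.append("illegal-port-number")
    # Corrupt checksum: header value does not match the payload.
    if simple_checksum(pkt.payload) != pkt.checksum:
        findings.append("corrupt-checksum")
    # HTTP request seen on a port other than the standard 80/8080.
    if pkt.payload.startswith((b"GET ", b"POST ")) and pkt.dst_port not in (80, 8080):
        findings.append("http-on-non-standard-port")
    return findings

def inspect(pkt: Packet) -> list:
    """Combine both methods; an empty list means the packet passes without an alert."""
    return signature_detect(pkt) + anomaly_detect(pkt)

if __name__ == "__main__":
    body = b"GET /index.html HTTP/1.1"
    print(inspect(Packet("TCP", 40000, 80, body, simple_checksum(body))))      # []
    print(inspect(Packet("TCP", 40000, 31337, body, simple_checksum(body))))   # ['http-on-non-standard-port']
```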