Checksums
A packet's content (data) might not only be modified intentionally by hackers, but might also suffer from naturally occurring transmission errors, such as the change of a bit (from 0 to 1, or from 1 to 0).
Whether the change is due to intrusion or due to an error, the goal of an Anomaly-Based IDS is to detect that it happened and to notify the system, or sometimes the user.
To detect changes to data, an IDS expects to receive and use at least one of the following along with the packet:
- A Parity Bit. This bit, which is sent along with the packet, tells whether the number of 1 bits in the data is even (in which case the parity bit is 0) or odd (in which case the parity bit is 1).
  - Advantage: only one extra bit is sent with the packet, so not much space is consumed.
  - Disadvantage: if an even number of changes/errors happen, the parity bit won't detect them. Example: the parity bit of each of 10101 and 10011 is 1, despite these strings being different.
  - Parity bits are, therefore, not highly reliable for detecting intrusion/errors.
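
The blind spot described above can be measured for every possible corruption of the page's example string 10101. The following is an added example, not part of the original page; the function names are hypothetical, and it generalizes the single 10101/10011 case to all combinations of flipped bits.

```python
from itertools import combinations


def parity_bit(bits: str) -> int:
    """Parity bit as defined above: 0 if the number of 1 bits is even, 1 if odd."""
    if not bits or set(bits) - {"0", "1"}:
        raise ValueError("expected a non-empty string of 0s and 1s")
    return bits.count("1") % 2


def receiver_accepts(received: str, sent_parity: int) -> bool:
    """Receiver-side check: recompute the parity and compare it with the bit sent."""
    return parity_bit(received) == sent_parity


def flip(bits: str, positions) -> str:
    """Return bits with the given positions inverted (a transmission error or a change)."""
    out = list(bits)
    for p in positions:
        out[p] = "1" if out[p] == "0" else "0"
    return "".join(out)


def missed_by_flip_count(data: str) -> dict:
    """For each number k of flipped bits, return (undetected, total) corruptions."""
    sent_parity = parity_bit(data)
    result = {}
    for k in range(1, len(data) + 1):
        corrupted = [flip(data, pos) for pos in combinations(range(len(data)), k)]
        missed = sum(receiver_accepts(c, sent_parity) for c in corrupted)
        result[k] = (missed, len(corrupted))
    return result


if __name__ == "__main__":
    data = "10101"  # the example string from the text
    print("parity bit sent:", parity_bit(data))
    print("10011 accepted in place of 10101?", receiver_accepts("10011", parity_bit(data)))
    for k, (missed, total) in missed_by_flip_count(data).items():
        print(f"{k} bit(s) flipped: {missed}/{total} corruptions go undetected")
```

Every corruption that flips an odd number of bits is caught, and every one that flips an even number passes the check, so 15 of the 31 possible corruptions of this 5-bit string go unnoticed.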