IDS technology
IDS can be classified into host-based IDS (HIDS) and network-based IDS (NIDS) according to the data source they analyze.
Each of HIDS and NIDS can detect intrusion behaviors that the other cannot, so the two complement each other. An ideal IDS product combines both. Currently, mainstream IDS products use a hybrid architecture that combines HIDS and NIDS.
Traditional intrusion detection technologies include:
1. Pattern Matching
Pattern matching compares the collected information against a database of known network intrusion and system misuse patterns in order to detect activity that violates the security policy. An attack pattern can be expressed either as a process (a sequence of steps) or as an output (a characteristic string or packet).
This detection method only needs to collect the data relevant to each pattern, which keeps system overhead low. The technology is mature, and its detection accuracy and efficiency are high. However, the pattern database must be constantly upgraded to keep up with emerging attack methods, and the method cannot detect unknown attacks at all.
2. Anomaly Detection
Anomaly detection first builds a statistical profile of system objects (users, files, directories, and devices) consisting of measurement attributes for normal use, such as access count, number of failed operations, and latency. The average value of each measurement attribute is then compared with the observed behavior of the network and system; when an observed value falls outside the normal range, the IDS decides whether an intrusion has occurred. The advantage of anomaly detection is that it can detect unknown and complex intrusions. The disadvantage is that it has both a high false positive rate and a high false negative rate.
3. Integrity Analysis
Integrity analysis focuses on whether a file or object has been tampered with, based mainly on the content and attributes of files and directories. This detection method is particularly effective at finding applications that have been modified or implanted with Trojan horses. Integrity analysis uses cryptographic message digest functions, so even minor changes are identified. Its advantage is that, regardless of whether pattern matching or statistical analysis can detect the intrusion, integrity analysis will find it as long as the attack changes a file or object. Integrity analysis is generally run in batches and is not used for real-time response.
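The statistical profile described under anomaly detection above, as an added example (not code from the original article): it builds a per-attribute normal range of mean ± k·standard deviation from constructed baseline measurements, then flags observations that fall outside it, and shows how the threshold k trades false negatives against false positives. All attribute names and values are constructed for illustration.

```python
import statistics

# Constructed baseline: seven days of one user's normal activity, measured on
# the attributes the text names (access count, failed operations, latency).
BASELINE = [
    {"accesses": 120, "failures": 2, "latency_ms": 40},
    {"accesses": 110, "failures": 1, "latency_ms": 42},
    {"accesses": 130, "failures": 3, "latency_ms": 38},
    {"accesses": 125, "failures": 2, "latency_ms": 41},
    {"accesses": 115, "failures": 2, "latency_ms": 39},
    {"accesses": 120, "failures": 1, "latency_ms": 40},
    {"accesses": 120, "failures": 3, "latency_ms": 40},
]

# Constructed observations to score against the profile.
BRUTE_FORCE = {"accesses": 600, "failures": 57, "latency_ms": 41}  # obvious
LOW_AND_SLOW = {"accesses": 130, "failures": 4, "latency_ms": 42}  # subtle
BUSY_DAY = {"accesses": 135, "failures": 3, "latency_ms": 43}      # legitimate


def build_profile(samples, k=3.0):
    """Return {attribute: (low, high)}: the normal range mean ± k*stddev."""
    profile = {}
    for attr in samples[0]:
        values = [s[attr] for s in samples]
        mean = statistics.fmean(values)
        sd = statistics.pstdev(values)
        profile[attr] = (mean - k * sd, mean + k * sd)
    return profile


def score(profile, observation):
    """Return the attributes whose observed value lies outside the normal range."""
    return [attr for attr, (low, high) in profile.items()
            if not low <= observation[attr] <= high]


if __name__ == "__main__":
    for k in (3.0, 2.0):
        profile = build_profile(BASELINE, k)
        print(f"k={k}")
        for name, obs in (("brute force", BRUTE_FORCE),
                          ("low and slow", LOW_AND_SLOW),
                          ("busy day", BUSY_DAY)):
            print(f"  {name:12s} -> flagged: {score(profile, obs)}")
```

With k=3 the low-and-slow observation is missed (a false negative); lowering k to 2 catches it but also flags the legitimate busy day (a false positive), which is the trade-off the text describes.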
Problems faced by Intrusion Detection
1. False positives and false negatives
IDS systems often raise many false alarms. The main causes of false positives and false negatives are as follows:
● The main detection technology currently used by IDS is pattern matching. The pattern library is simplistic, not updated in time, and incomplete, and it lacks the ability to detect unknown attacks;
● With the expansion of network scale and the adoption of heterogeneous platforms and different technologies, and especially the rapid growth of network bandwidth, the analysis and processing speed of IDS finds it increasingly difficult to keep up with network traffic, resulting in packet loss;
● The growing number of network attack methods and the increasing complexity of attack techniques also raise the false positive and false negative rates of IDS.
2. DoS Attacks
IDS uses a fail-open mechanism: when the IDS itself is subjected to a denial-of-service attack, this property lets attackers launch attacks without being discovered.
3. Insertion and evasion
Insertion attacks and evasion attacks are two types of attacks that defeat IDS detection. In an insertion attack, crafted bogus packets are added to the data stream so that the IDS mistakes them for an attack. In an evasion attack, conversely, the attacker bypasses IDS detection and reaches the target host.
The intention of an insertion attack is to make the IDS generate frequent alerts and false alerts when in fact there is no attack, which confuses administrators. The intention of an evasion attack is to genuinely escape IDS detection and launch an attack on the target host. Hackers often alter attack features to deceive pattern-based IDS.