Page 1215 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

Real-time traffic is matched against the database, and if the IDS finds a match, it raises an alert. The primary drawback for a knowledge-based IDS is that it is effective only against known attack methods. New attacks, or slightly modified versions of known attacks, often go unrecognized by the IDS.

Knowledge-based detection on an IDS is similar to signature-based detection used by anti-malware applications. The anti-malware application has a database of known malware and checks files against the database looking for a match. Just as anti-malware software must be regularly updated with new signatures from the anti-malware vendor, IDS databases must be regularly updated with new attack signatures. Most IDS vendors provide automated methods to update the signatures.

Behavior-Based Detection The second detection type is behavior-based detection (also called statistical intrusion detection, anomaly detection, and heuristics-based detection). Behavior-based detection starts by creating a baseline of normal activities and events on the system. Once it has accumulated enough baseline data to determine normal activity, it can detect abnormal activity that may indicate a malicious intrusion or event.

This baseline is often created over a finite period such as a week. If the network is modified, the baseline needs to be updated. Otherwise, the IDS may alert you to normal behavior that it identifies as abnormal. Some products continue to monitor the network to learn more about normal activity and will update the baseline based on the observations.

Behavior-based IDSs use the baseline, activity statistics, and heuristic evaluation techniques to compare current activity against previous activity to detect potentially malicious events. Many can perform stateful packet analysis similar to how stateful inspection firewalls (covered in Chapter 11) examine traffic based on the state or context of network traffic.

Anomaly analysis adds to an IDS’s capabilities by allowing it to recognize and react to sudden increases in traffic volume or activity, multiple failed login attempts, logons or program activity outside normal working hours, or sudden increases in error or failure