Techniques Used by IDSs

• Misuse detection

  • Compares monitored activities with signatures of known attacks
  • If an attack is recognized the IDS issues an alert and discards the packet
  • Challenge: keep database current

• Anomaly detection

  • Operates in stable computing environments
  • Looks for major deviations from the “normal” parameters of network operation
    • e.g., a large number of failed logins
  • When detected, an alert is issued, packets discarded
  • Problem: false alarms (valid traffic different from normal)

Previous slide

Next slide

Back to first slide

View graphic version