Host based Intrusion Prevention

Intrusion Detection Systems (IDSs) recognize the presence of malicious code at bottom traffic that flows through the holes punched into the firewall, our first layer of defense. Though, the word intrusion spying is a bit of a misnomer.Ric saturated Kemmerer and Giovanni Vigna of the University Of California, Santa Barbara, elucidate in an article in the IEEE Security and Privacy magazine Intrusion detection systems do not detect intrusions at allthey only identify evidence of intrusion, either charm in progress or after the fact. (Edwin E. Mier, David C. Mier, 2004)An IDS recognizes security threats by detecting s shadows, probes and attacks, however does not shut down these patterns it only reports that they took place. Yet, IDS logged data is invaluable as proof for forensics and incident handling. IDSs as well detect internecine attacks, which argon not seen by the firewall, and they help in firewall audits.IDSs can be divided into 2 master(prenominal) categories, footed on the IDS alarm triggering mechanism unusual person detection-based IDS and misuse detection-based IDS.Anomaly detection based IDSs report deviations from dominion or expected mien. Behavior other than normal is measured an attack and is flagged and recorded. Anomaly detection is as well referred to as profile-based detection. The profile describes a baseline for normal user tasks, and the quality of these user profiles this instant has an effect on the detection capability of the IDS. Techniques for constructing user profiles comprise (Nong Ye, 2003).Rule-based approachNormal user behavior is characterized by creating rules, however analyzing normal traffic is a complicated task. A related approach is protocol unusual person detection.Neural networksThese systems are trained by presenting them with a large amount of data, together with rules regarding data relationships. They past find out if traffic is normal or not abnormal traffic raises an alarm.Statistical approach applic ation profiles describe the behavior of system or user traffic. Any deviation from normal triggers an alarm.The advantage of anomaly detection is that it can identify previously unknown attacks and insider attacks, without the need for signatures that is., predefined attack profiles.One more benefit of anomaly detection is that its impossible for the attacker to know what activity causes an alarm, thus they cannot assume that any particular live up to will go undetected.The disadvantage of anomaly detection is that it produces a large number of false positives that is., alerts that are produced by legitimate activity. In addition, besides being complicated as well as hard to understand, building and updating profiles as well need a lot of work.The other most weighty approach, misuse-detection based IDS (also called signature-based IDS), triggers an alarm when a match is found to a fingerprint-a signature contained in a signature database. These fingerprints are footed on a set of rules that match typical patterns of exploits used by attackers. As there is a known database of exploits, there are few false positives.The disadvantage is that misuse-detection IDSs can merely detect already-known attacks. Besides, the fingerprints database needs to be incessantly updated to keep up with new attacks. The majority IDS products in the market at present use misuse detection.