Lecture 17: 12th November 2019 Flashcards
Intelligent Intrusion Detection Systems
What are Intelligent Intrusion Detection Systems?
Conceptual IDSes that are accurate enough in their detection and classification of intrusions to be called intelligent.
What are some types of IDS?
- Host Based (HIDS)
- Network Based (NIDS)
- Hypervisor Based
- Application Based
- Protocol Based
- Server Based
What are HIDS?
Host-Based IDS (HIDS): These look at log files and verify message digests/checksums of key system files. They are effectively an internal system monitor: an intrusion detection system that monitors the computer infrastructure on which it is installed, analysing traffic and logging malicious behaviour.
A Network-based IDS (NIDS) looks for attack signatures in network traffic, whereas a Host-based IDS (HIDS) looks for attack signatures in the log files of hosts.
What are NIDS?
Network-Based IDS (NIDS): These can be trained to recognise attack signatures via pattern matching (e.g. expressions, bytecode), or via frequency or threshold crossing (e.g. uncommon port usage). They are IDSes intelligently distributed within networks that passively inspect the traffic traversing the devices on which they sit and report back to an administrator.
A Network-based IDS (NIDS) looks for attack signatures in network traffic, whereas a Host-based IDS (HIDS) looks for attack signatures in the log files of hosts.
What are hypervisor-based IDSes?
A proposed cloud-based IDS to overcome the limitations of network load in a cloud.
What are application-based IDSes?
IDSes which control data exchange per application, such as a web browser or email client.
What are protocol-based IDSes?
IDSes which control one protocol, e.g. all HTTP traffic.
What are server-based IDSes?
IDSes shared by a subnetwork or server group.
What are some methods of intrusion detection used in IDSes? Which of them require a training phase?
- Misuse Based
- Anomaly Based
- Classification Based
- Combination Based or Hybrid Approaches
The last three require a training phase.
What is Misuse Based intrusion detection?
The misuse-based approach uses a set of signatures representing the patterns of already known attacks to filter malicious activities. Activity is matched against previously defined patterns, so the approach cannot be applied to new intrusion types dynamically. Uses general-purpose GPUs.
What is Anomaly Based intrusion detection?
An anomaly-based intrusion detection system is an intrusion detection system for detecting both network and computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous. The classification is based on statistics, ML algorithms, or heuristics, rather than discrete patterns or signatures, and attempts to detect any type of misuse that falls out of normal system operation. This is as opposed to signature-based systems, which can only detect attacks for which a signature has previously been created.
What is Classification Based intrusion detection?
IDSes using classification algorithms or methods such as Binary or Multi-Classification, Decision Trees, SVM, NN, Bayes, KNN (K Nearest Neighbour). These require a pre-phase of labelling but can be applied to new intrusion types.
What is Combination Based/Hybrid Approaches intrusion detection?
These use the best of each of the other types of technique but suffer from high computational costs.
Which new technologies might give rise to new types of intrusion detection?
Cloud computing and IoT.
What is batch processing? What is stream processing? Which types of IDS use each?
Batch processing = load in large chunks of data and then process it.
Stream processing = process data as it comes in.
Traditional IDSes (all those discussed above) almost always use batch processing, but with cloud and IoT (and other large-scale applications) stream processing makes more sense, since it gives real-time results.