Strengths And Weaknesses Of Ids Information Technology Essay

Strengths And Weaknesses Of Ids Information Technology EssayAlthough IDS is a useful addition to ensure security, it does well on some points, generated there atomic number 18 hush up some limitations with it. control board 5.1 summaries some the strengths and weaknesses of IDS.StrengthsWeaknessesMonitoring user behaviors and system event logs.Detection but not prevention.Testing the system configrutions of soldierys.False positive spyings. riding horse up baseline for the security state of a system, and tracking any wobbles to that baseline.False cast out undercover works.Protecting against known threats.Spoofing attacks.Recognizing patterns of activity that are unnatural.Cannot automatically look into attacks without human intervention.Centralized management.Delays of feeling update.Alerting to appropriate administrators with appropriate means.Easier to behave security supervise functions for non-security experts.Table 5.1 Strengths and Weaknesses of IDS.Monitoring user behaviors and system event logs One of the strengths of IDS is that it provides ability to monitor the system event logs of any drove, which make administrators to be aware when any changes on the hosts. They chamberpot also hold this information dispassionate by IDS to go user behaviors, thereby planning the security strategy and policies for their organizations accordingly.Testing the system configrutions of hosts IDS are also able to test the security states for every host, when the system is configured below par or a baseline, it alerts to administrators which host is hard-boiled below a security level. Thus, administrators can make further configurations for that host.Setting up baseline for the security state of a system, and tracking any changes to that baseline With IDS, administrators can gear up up their own expectation as a security baseline. Based on that baseline, IDS keeps tracking the differences and changes on the hosts, allowing administrators to st ick all hosts in the same security level they expect.Protecting against known threats The Signature detecting techniques make IDS to protect systems and networks well against known threats. It ensures recognizing patterns of system events that compare to the known threats.Recognizing patterns of activity that are abnormal When a new attack does not exist in known threat soupcons, IDS has Anomaly detection techniques for it. This technique is good at comparing system activities or network traffic against a baseline to indentify abnormal behaviors, recognizing new attacks that Signature detection techniques miss.Centralized management IDS provides a centralized management for administrators easier to change logging mechanisms, perform software upgrade, collecting alarm information and modify security setting and so on Many IDS products even have a very simple menu to have the configuration of IDS set up, which helps administrators a lot to monitors a numerous of networks and ho sts.Alerting to appropriate administrators with appropriate means Based on scan and match principle, IDS always send alerts to appropriate people by appropriate means. Administrators can make up who should receive the alerts and define different activates they want to be alerted. These appropriate meaning of messages to appropriate people can be more effective and efficient to an organization.Easier to perform security monitoring functions for non-security experts Many IDS products now already provide basic information security policies, plus easy configuration, allowing non-security expert to perform security monitoring functions for their organizations as well. This is also a strength that makes IDS to a success.On the contrary, there are some weaknesses have been suggested as shown in Table 5.1.Detection but not prevention IDS concentrate on detection method but not prevention, it is a passive activity. It is sometimes too late to detect an intrusion, oddly now some attacks are transporting very fast on the current high speed networks, when IDS sends a alert to administrators, the actual situation may be worse.False positive detections The detection capabilities of IDS can be defined in four measures on-key positive, False positive, True negative and False negative. Figure 5.3 illustrates the differences of them. True positive indicates that the real attacks are identified by IDS correctly True negative indicates that IDS is identified correctly that are not attacks False positive indicates that IDS is identified incorrectly as true attacks but very that are not real attacks False negative indicates that IDS is identified incorrectly as not attacks but actually that are attacks.Figure 5.3 Measures of IDSIDS often generate too many false positives, due to the wrong assumptions. One example is looking for the length of URLs. Typically, a URL is only around 500 bytes length, presume that an IDS is configured to trigger an alert for denial of service attack when the length of a URL is excel 1000 bytes. False positive could be occurred from some complex web pages that are common to stock certificate a large content now. The IDS is not making mistake, the algorithm is just not perfect. In beau monde to reduce False positives, administrators need to tune the assumptions of how to detect attacks in an IDS, but which is time consuming.False negative detections False negatives are also a weakness of IDS, hackers now can encode an attack send to be unsearchable by IDS. For example, cgi-bin/attack.cgi is defined as a signature in an IDS, but the file is encoded to be cg%39-b%39n/a%39tt%39 by the hackers. While cg%39-b%39n/a%39tt%39 is not defined in the signature files, the attack will pass without any notice, therefore a False negative occurs.Spoofing attacks Hackers can utilize spoofing attacks to blind the administrators. For example, hackers can use one of the IP in a network to make many False positive detections, administra tors may then set the IDS to ignore local traffic for this IP, after then hackers start the real attacks.Cannot automatically investigating attacks without human intervention Even IDS can detect to the highest degree of the attacks in the hosts and networks, but it still need administrators to investigate and perform reaction. Hackers can utilize this weakness of IDS to perform an attack, for instance, a hacker can make a large of attacks to host A, since IDS is not able to analyze all the attacks automatically by itself, administrators needs to spend time to investigate each alarm from host A. Thus, the hacker may have more time to make a real attack to host B.Delays of signature update IDS rely on its signature database to detect a known intrusion, IDS products typically updating the signature database by the IDS vendors. The potential problem is the delay of signature update patch, IDS vendors often take a long time to identify a new attack and finish an update patch. However, even IDS vendors provide the most update signature as soon as they can. It is still a time point that the IDS are not able to identify a new attack before updating the signature database.