Intrusion Detection Flashcards
What is a definition for an intrusion detection system?
An intrusion detection system (IDS) is an additional component to protect a system during operation. The IDS monitors selected aspects of the system’s behavior and raises an alarm if it observes suspicious behavior.
What are the 5 relevant aspects for an IDS?
- Time and Resources
- Location and Connection
- Intrusion and Suspiciousness
- Model Complexity and Observed Data
- Response to an alarm
What different approaches are there regarding Time and Resources? What are the trade-offs?
- monitor during runtime
- monitor post mortem (asynchronously)
challenges, trade-offs:
- higher value from detecting attacks?
- is detection fast enough? does it scale?
- is a full analysis of all observed events necessary?
What different approaches are there regarding Location and Connection? What are the trade-offs?
- host-based monitoring
- network-based monitoring
challenges, trade-offs:
- depends on architecture of monitored system
- depends on availability of monitored information
What different approaches are there regarding Intrusion and Suspiciousness?
- signature-based: explicit rules or stochastic profiles
- anomaly-based: deviations from defined normal behavior
- hybrids
What different approaches are there regarding Model Complexity and Observed Data?
- rule-based
- statistical model
- machine learning
What different approaches are there regarding Response to an alarm?
- Security information and event management (SIEM): central collection and management of incident reports
- Intrusion detection and prevention systems (IDPS): immediate reaction in the monitored system