Signature Based and Anomaly Based Network Intrusion Detection
By Stephen Loftus and Kent Ho
CS 158B
Agenda
• Introduce Network Intrusion Detection (NID)
• Signature
• Anomaly
• Compare and Contrast: Signature based vs. Anomaly based NID
• Example using Ethereal™
Intrusion Detection Systems
• Intrusion detection begins where the firewall ends.
• Preventing unauthorized entry is best, but not
always possible.
• It is important that the system is reliable, accurate and secure.
IDS (cont.)
• When designing an IDS, the mission is to protect the data’s
– Confidentiality (read)
– Integrity (read/write)
– Availability (read/write/access)
• Threats can come from both outside and inside the
network.
Signature
• Signature based IDS are based on looking for
“known patterns” of detrimental activity.
• Benefits:
– Low alarm rates: all it has to do is look up the list of
known attack signatures and, if it finds a match, report it.
– Signature based NIDs are very accurate.
– Speed: the systems are fast since they are only comparing
what they see against a predetermined rule.
Signature (cont.)
• Negatives:
– If someone develops a new attack, there will be no
protection.
– “only as strong as its rule set.”
– Attacks can be masked by splitting the message across several
packets, so that no single packet matches a signature.
• Similar to anti-virus, after a new attack is recorded, the
signature files need to be updated before the network is secure.
• Example:
– Port Scan
– DoS (denial of service)
– Sniffing
Anomaly
• Anomaly based IDS are based on tracking behavior that deviates from
the expected pattern, so they can catch previously unknown
detrimental activity.
• Advantages:
– Helps to reduce the “limitations problem” of signature based detection.
– Conducts a thorough screening of what comes through.
Anomaly (cont.)
• Disadvantages:
– False positives: catches too much, because behavior based
NIDs flag anything that departs from the system’s usual
behavior patterns.
– Painstakingly slow to do exhaustive monitoring; uses up a
lot of resources.
After an anomaly has been detected, it may become a
“signature”.
Anomaly vs. Signature
• Which is the best way to defend your network?
– Both have advantages
– Signature can be used as a stand-alone system.
– Anomaly has a few weak points that prevent it from
being a stand-alone system.
• Signature is the better of the two for defending your network.
• The best way is to use both!
Example
• Using Ethereal™ to detect a port scan
– A port scan is when a person sends connection requests to a
sequence of ports, trying to find an open one. Most of these
requests come back with a TCP “reset” because the port is closed.
– Normal TCP/IP port request
– Port request on closed port
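As an added illustration (not part of the slides or of Ethereal): a small Python model of both approaches run over constructed packet records that mirror the port scan above, where requests to closed ports come back with a RST. A signature rule looks for the known pattern (many RSTs to one source in a short window), so it catches the fast scan but misses a deliberately slowed one; an anomaly rule profiles how many distinct ports normal clients touch and flags both scanners. All addresses, ports and thresholds are made-up values.

```python
from collections import defaultdict
from statistics import mean, pstdev
# Record: (time_s, src, dst, server_port, flags); server_port is the scanned port in both
# directions so a RST can be tied back to the SYN that provoked it.
def client_traffic(src, dst, port, t0):
    """Constructed normal TCP port request: SYN answered by SYN-ACK (open port)."""
    return [(t0, src, dst, port, "SYN"), (t0 + 0.001, dst, src, port, "SYN-ACK")]

def scan_traffic(src, dst, ports, t0, gap=0.01):
    """Constructed port scan: one SYN per port, each answered by a RST (closed port)."""
    pkts = []
    for i, p in enumerate(ports):
        pkts += [(t0 + i * gap, src, dst, p, "SYN"), (t0 + i * gap + 0.001, dst, src, p, "RST")]
    return pkts

def signature_rule(pkts, max_ports=5, window=2.0):
    """Signature: RSTs from >= max_ports distinct ports of one host to one source within `window` s."""
    rsts = defaultdict(list)                      # (scanner, target) -> [(t, port)]
    for t, src, dst, port, flags in pkts:
        if flags == "RST":                        # RST travels target -> scanner
            rsts[(dst, src)].append((t, port))
    alerts = set()
    for (scanner, _), hits in rsts.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            if len({p for t, p in hits[i:] if t - t0 <= window}) >= max_ports:
                alerts.add(scanner)
                break
    return alerts

def distinct_ports(pkts):
    """Distinct server ports each source tried to open (SYNs it sent)."""
    seen = defaultdict(set)
    for _, src, _, port, flags in pkts:
        if flags == "SYN":
            seen[src].add(port)
    return {s: len(p) for s, p in seen.items()}

def anomaly_rule(baseline, pkts, k=3.0):
    """Anomaly: flag sources more than k std devs above the baseline distinct-port mean."""
    counts = list(distinct_ports(baseline).values())
    threshold = mean(counts) + k * max(pstdev(counts), 1.0)  # floor keeps a flat baseline usable
    return {s for s, n in distinct_ports(pkts).items() if n > threshold}
# Constructed traffic, not a capture: normal clients, then a fast and a slow scanner.
BASELINE = (client_traffic("10.0.0.11", "10.0.0.9", 80, 0.0) + client_traffic("10.0.0.12", "10.0.0.9", 443, 1.0)
            + client_traffic("10.0.0.11", "10.0.0.9", 22, 2.0) + client_traffic("10.0.0.13", "10.0.0.9", 80, 3.0))
OBSERVED = (client_traffic("10.0.0.11", "10.0.0.9", 80, 10.0)
            + scan_traffic("10.0.0.66", "10.0.0.9", range(20, 30), 10.5)            # 10 ports in 0.1 s
            + scan_traffic("10.0.0.77", "10.0.0.9", range(20, 30), 20.0, gap=3.0))  # one port every 3 s
```

With these inputs `signature_rule(OBSERVED)` reports only the fast scanner, while `anomaly_rule(BASELINE, OBSERVED)` reports both, which is the trade-off the comparison slide describes.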