Strengths And Weaknesses Of Ids Information Technology Essay

Although IDS is a useful addition to ensure security, it does well on some points, but there are still some limitations with it. Table 5.1 summaries some the strengths and weaknesses of IDS.

Strengths

Weaknesses

Monitoring user behaviors and system event logs.

Detection but not prevention.

Testing the system configrutions of hosts.

False positive detections.

Setting up baseline for the security state of a system, and tracking any changes to that baseline.

False negative detections.

Protecting against known threats.

Spoofing attacks.

Recognizing patterns of activity that are abnormal.

Cannot automatically investigating attacks without human intervention.

Centralized management.

Delays of signature update.

Alerting to appropriate administrators with appropriate means.

Easier to perform security monitoring functions for non-security experts.

Table 5.1: Strengths and Weaknesses of IDS.

Monitoring user behaviors and system event logs – One of the strengths of IDS is that it provides ability to monitor the system event logs of every host, which make administrators to be aware when any changes on the hosts. They can also utilize this information collected by IDS to analyze user behaviors, thereby planning the security strategy and policies for their organizations accordingly.

Testing the system configrutions of hosts – IDS are also able to test the security states for every host, when the system is configured below par or a baseline, it alerts to administrators which host is set below a security level. Thus, administrators can make further configurations for that host.

Setting up baseline for the security state of a system, and tracking any changes to that baseline – With IDS, administrators can set up their own expectation as a security baseline. Based on that baseline, IDS keeps tracking the differences and changes on the hosts, allowing administrators to have all hosts in the same security level they expect.

Protecting against known threats – The Signature detection techniques make IDS to protect systems and networks well against known threats. It ensures recognizing patterns of system events that compare to the known threats.

Recognizing patterns of activity that are abnormal – When a new attack does not exist in known threat signatures, IDS has Anomaly detection techniques for it. This technique is good at comparing system activities or network traffic against a baseline to indentify abnormal behaviors, recognizing new attacks that Signature detection techniques miss.

Centralized management – IDS provides a centralized management for administrators easier to change logging mechanisms, perform software upgrade, collecting alarm information and updating security setting etc. Many IDS products even have a very simple menu to have the configuration of IDS set up, which helps administrators a lot to monitors a numerous of networks and hosts.

Alerting to appropriate administrators with appropriate means – Based on scan and match principle, IDS always send alerts to appropriate people by appropriate means. Administrators can decide who should receive the alerts and define different activates they want to be alerted. These appropriate meaning of messages to appropriate people can be more effective and efficient to an organization.

Easier to perform security monitoring functions for non-security experts – Many IDS products now already provide basic information security policies, plus easy configuration, allowing non-security expert to perform security monitoring functions for their organizations as well. This is also a strength that makes IDS to a success.

On the contrary, there are some weaknesses have been suggested as shown in Table 5.1.

Detection but not prevention – IDS concentrate on detection method but not prevention, it is a passive activity. It is sometimes too late to detect an intrusion, especially now some attacks are transporting very fast on the current high speed networks, when IDS sends a alert to administrators, the actual situation may be worse.

False positive detections – The detection capabilities of IDS can be defined in four measures: True positive, False positive, True negative and False negative. Figure 5.3 illustrates the differences of them. True positive indicates that the real attacks are identified by IDS correctly; True negative indicates that IDS is identified correctly that are not attacks; False positive indicates that IDS is identified incorrectly as true attacks but actually that are not real attacks; False negative indicates that IDS is identified incorrectly as not attacks but actually that are attacks.

Figure 5.3: Measures of IDS

IDS often generate too many false positives, due to the inaccurate assumptions. One example is looking for the length of URLs. Typically, a URL is only around 500 bytes length, assuming that an IDS is configured to trigger an alert for denial of service attack when the length of a URL is exceed 1000 bytes. False positive could be occurred from some complex web pages that are common to store a large content now. The IDS is not making mistake, the algorithm is just not perfect. In order to reduce False positives, administrators need to tune the assumptions of how to detect attacks in an IDS, but which is time consuming.

False negative detections – False negatives are also a weakness of IDS, hackers now can encode an attack file to be unsearchable by IDS. For example, “cgi-bin/attack.cgi” is defined as a signature in an IDS, but the file is encoded to be “cg%39-b%39n/a%39tt%39” by the hackers. While “cg%39-b%39n/a%39tt%39” is not defined in the signature files, the attack will pass without any notice, then a False negative occurs.

Spoofing attacks – Hackers can utilize spoofing attacks to blind the administrators. For example, hackers can use one of the IP in a network to make many False positive detections, administrators may then set the IDS to ignore local traffic for this IP, after then hackers start the real attacks.

Cannot automatically investigating attacks without human intervention – Even IDS can detect most of the attacks in the hosts and networks, but it still need administrators to investigate and perform reaction. Hackers can utilize this weakness of IDS to perform an attack, for instance, a hacker can make a large of attacks to host A, since IDS is not able to analyze all the attacks automatically by itself, administrators needs to spend time to investigate each alarm from host A. Thus, the hacker may have more time to make a real attack to host B.

Delays of signature update – IDS rely on its signature database to detect a known intrusion, IDS products typically updating the signature database by the IDS vendors. The potential problem is the delay of signature update patch, IDS vendors often take a long time to identify a new attack and finish an update patch. However, even IDS vendors provide the most update signature as soon as they can. It is still a time period that the IDS are not able to identify a new attack before updating the signature database.