Difference between Signature Based and Anomaly Based Detection in IDS


Recently, I have started working with IDS and noticed a lot of debate over the anomaly based and signature based approaches. The majority of commercial products are based on signatures, which examine the traffic looking for well known patterns of attack. This means that for every vulnerability and exploit technique, the IDS engineer would code a pattern match for the IDS system. An example of this would be to inspect every packet on the wire for the pattern "/cgi-bin/phf?", which might indicate somebody attempting to access this vulnerable CGI script on a web server.

However, with anomaly based detection the IDS system would detect statistical anomalies in the network traffic. The idea behind this approach is to measure a "baseline" of such stats as SMTP traffic, DNS traffic and so forth. Then, the system can trigger when there is a deviation from this baseline. The benefit of this approach is that it can detect the anomalies without having to understand the underlying cause behind them.

This brings me to my questions:

  • What are the pros and cons of each method?
  • Under what circumstances do we use one over the other?
  • What are the names of some products which perform anomaly based detection?
  • Will anomaly based detection work on protocols which it cannot understand?

Thanks in Advance
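To make the two mechanisms described in the question concrete, here is an added example (not code from the original post or from any IDS product): a toy signature engine that scans HTTP request lines for the "/cgi-bin/phf?" pattern, and a toy anomaly engine that learns a per-protocol packets-per-minute baseline and flags deviations by z-score. The rule names, the baseline counters and the request lines are all constructed for the example.

```python
"""Toy signature-based and anomaly-based detectors over constructed traffic."""
import math
import re
from collections import defaultdict

# Signature detection: a small set of known-bad patterns, compiled once.
# Constructed example rules; not any vendor's ruleset.
SIGNATURES = {
    "phf-cgi-access": re.compile(r"/cgi-bin/phf\?"),
    "cmd-exe-traversal": re.compile(r"\.\./.*cmd\.exe", re.IGNORECASE),
}


def signature_alerts(requests, signatures=SIGNATURES):
    """Return (rule_name, request) for every request matching a signature."""
    alerts = []
    for req in requests:
        for name, pattern in signatures.items():
            if pattern.search(req):
                alerts.append((name, req))
    return alerts


# Anomaly detection: per-protocol baseline built from historical counters.
def build_baseline(samples):
    """samples: list of {proto: packets_per_minute}. Returns {proto: (mean, stddev)}."""
    per_proto = defaultdict(list)
    for sample in samples:
        for proto, count in sample.items():
            per_proto[proto].append(count)
    baseline = {}
    for proto, counts in per_proto.items():
        mean = sum(counts) / len(counts)
        var = sum((c - mean) ** 2 for c in counts) / len(counts)
        baseline[proto] = (mean, math.sqrt(var))
    return baseline


def anomaly_alerts(baseline, observation, threshold=3.0):
    """Flag protocols whose observed count deviates more than `threshold`
    standard deviations from the baseline mean. A protocol never seen during
    baselining is flagged too: the engine does not decode it, it only notices
    that it was absent from the baseline."""
    alerts = []
    for proto, count in observation.items():
        if proto not in baseline:
            alerts.append((proto, float("inf")))
            continue
        mean, std = baseline[proto]
        std = std or 1.0  # a constant baseline would otherwise divide by zero
        z = (count - mean) / std
        if abs(z) > threshold:
            alerts.append((proto, round(z, 2)))
    return alerts


# Constructed data: five quiet minutes for the baseline, then one minute in
# which SMTP volume jumps (worm-like mass mailing) and IRC appears for the
# first time.
BASELINE_SAMPLES = [
    {"dns": 120, "smtp": 40, "http": 900},
    {"dns": 130, "smtp": 35, "http": 950},
    {"dns": 110, "smtp": 45, "http": 880},
    {"dns": 125, "smtp": 38, "http": 920},
    {"dns": 115, "smtp": 42, "http": 910},
]
OBSERVATION = {"dns": 118, "smtp": 600, "http": 905, "irc": 50}

# Constructed request lines; only the second one trips a signature.
REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /cgi-bin/phf?Qalias=x HTTP/1.0",
    "GET /images/logo.gif HTTP/1.0",
]

if __name__ == "__main__":
    print("signature alerts:", signature_alerts(REQUESTS))
    print("anomaly alerts:", anomaly_alerts(build_baseline(BASELINE_SAMPLES), OBSERVATION))
```

Note that the anomaly engine here is purely volumetric: it flags the SMTP spike and the never-seen IRC traffic without parsing either protocol, which is the sense in which such a detector can work on protocols it does not understand. What it cannot do is tell you which of the 600 SMTP packets were the problem; the signature engine, by contrast, names the exact request.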

Anomaly vs. Signature based IDS

Amiable, one of the prime factors considered while buying an IDS used to be whether to go with a signature or an anomaly detection engine. However, these days you will find that IDS vendors are becoming aware of the benefits of each method of operation and are incorporating both in their products. In the real world, signature and anomaly detection generally complement each other.

Signature Detection

  • PRO - The key advantage of using the signature based detection method is that signatures are easy to develop and understand if you know what network behavior you're trying to identify (that is, if you already have a copy of the exploit). However, with tools like Metasploit and the new obfuscation techniques they provide, this task is becoming more difficult, but is still achievable to some extent.
  • PRO - The events generated by a signature-based IDS can very precisely inform you about what caused the alert. Some of the modern logging systems also allow you to attach packet captures to every event triggered, making it easy to research the issue.
  • PRO - Signature based rules are based on pattern matching, and with modern day systems pattern matching can be performed very quickly. This is very important for multi-gigabit IDS systems.
  • PRO - You can easily tweak signature based rulesets. For example, if your network only carries DNS, HTTP and SMTP traffic, all other signatures can be removed from the policy files.
  • CON - Since a signature based IDS can only detect known attacks, a signature must be created for every attack, and 0-day attacks cannot be detected. It becomes a PITA when you have to create a new signature for every variant. Also, the more signatures you have, the slower your detection engine will be.
  • CON - Signature based IDS systems are also prone to false positives, since they are commonly based on regular expressions and string matching. This is especially true for new JavaScript based web signatures.
  • CON - Since they are based on pattern matching, signatures usually don't work that well against attacks with self-modifying behavior. Such attacks are usually generated by humans and polymorphic worms. It becomes more difficult if NOP generators, payload encoders and encrypted data channel techniques are used.

Anomaly Detection

  • PRO - Ability to detect 0-day attacks, if they fall outside normal traffic patterns. Works very well against IRC based botnets and other worm-like activities.
  • PRO - Lower false positives.
  • PRO - Very scalable, due to its architecture and method of operation. No need to create new signatures for every attack and variant.
  • CON - The anomaly detection engine should be able to decode and process the network protocols being analyzed in order to understand their goal and the payload. This is computationally very expensive.
  • CON - Very difficult to define anomaly based rules, as every protocol analyzed by the system must be defined, baselined and tested for precise thresholds. Moreover, most network protocols are implemented in a different way by different operating systems.
  • CON - Custom protocols (outside the RFCs' realm) need to be analyzed and reverse engineered, and require a lot of effort.
  • CON - Malicious activity which falls under the normal usage pattern won't be detected by the anomaly engine. Take the example of an XSS injection attack: for an anomaly detection engine this will go unnoticed, as most XSS attacks do not violate the protocol, payload or any other HTTP limitations.

Hope this helps.
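Two of the limitations in the answer above, signature evasion through payload encoding and in-protocol attacks that an anomaly engine never sees, can be shown side by side. This is an added example, not code from the answer or from any IDS product: a constructed "<script" signature is run against a reflected-XSS probe in plain, percent-encoded and double-encoded form, first naively and then after URI normalization, and a toy anomaly engine that baselines request length is run against the same probes and against an oversized request that no signature covers. The URIs, the signature and the threshold are all constructed for the example.

```python
"""Where signature and anomaly engines each go blind: constructed examples."""
import math
import re
from urllib.parse import unquote

# Constructed signature for a reflected-XSS probe (not a vendor rule).
XSS_SIG = re.compile(r"<script", re.IGNORECASE)


def normalize_uri(uri):
    """Canonicalise before matching: percent-decode until the string stops
    changing (so double encoding collapses too) and fold case, so encoded
    variants land on the form the signature expects."""
    prev = None
    while prev != uri:
        prev, uri = uri, unquote(uri)
    return uri.lower()


def naive_match(uri):
    """Signature applied to the raw URI, the way a string match would do it."""
    return bool(XSS_SIG.search(uri))


def normalized_match(uri):
    """Signature applied after normalization."""
    return bool(XSS_SIG.search(normalize_uri(uri)))


# A length-based anomaly engine: baseline mean/stddev of request-URI length
# over constructed normal traffic, then flag requests more than `threshold`
# standard deviations away.
def length_baseline(uris):
    lengths = [len(u) for u in uris]
    mean = sum(lengths) / len(lengths)
    std = math.sqrt(sum((n - mean) ** 2 for n in lengths) / len(lengths))
    return mean, std or 1.0  # guard against a constant baseline


def length_anomalous(uri, baseline, threshold=3.0):
    mean, std = baseline
    return abs(len(uri) - mean) / std > threshold


# Constructed "normal" search requests (lengths 37, 20, 54, 13 and 31).
NORMAL_URIS = [
    "/search?q=network+intrusion+detection",
    "/search?q=ids+tuning",
    "/search?q=signature+vs+anomaly+based+detection+engines",
    "/search?q=phf",
    "/search?q=baseline+smtp+traffic",
]

# The same XSS probe three ways: plain, with "<" and ">" percent-encoded,
# and double-encoded ("%253C" decodes to "%3C", which decodes to "<").
XSS_PLAIN = "/search?q=<script>alert(1)</script>"
XSS_ENCODED = "/search?q=%3Cscript%3Ealert(1)%3C/script%3E"
XSS_DOUBLE = "/search?q=%253Cscript%253Ealert(1)%253C/script%253E"

# An oversized request with no known-bad string in it: nothing for the
# signature to match, but far outside the length baseline.
OVERFLOW_PROBE = "/search?q=" + "A" * 300


def evaluate(uri):
    """What each engine says about one request."""
    return {
        "naive_signature": naive_match(uri),
        "normalized_signature": normalized_match(uri),
        "length_anomaly": length_anomalous(uri, length_baseline(NORMAL_URIS)),
    }


if __name__ == "__main__":
    for label, uri in [("plain", XSS_PLAIN), ("encoded", XSS_ENCODED),
                       ("double", XSS_DOUBLE), ("overflow", OVERFLOW_PROBE)]:
        print(label, evaluate(uri))
```

The three XSS probes all sit comfortably inside the length baseline, so the anomaly engine says nothing about any of them, which is the point made in the last CON above. The naive signature catches only the plain form; the two encoded forms slip past it until the URI is normalized first, which is the cheapest defence against the encoder-based evasion mentioned under the signature CONs. The oversized request is the mirror image: no signature fires, but the anomaly engine flags it.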

great art.

very nice, thanks.

e.
