Integrating More Intelligence into Your IDS - Part 1
The more an intrusion detection system (IDS) knows about the network it is trying to protect, the better it will be able to protect the network. This is the fundamental principle behind target-based intrusion detection, where an IDS knows about the hosts on the network.
This article explores how artificial intelligence (AI) is influencing IDS development, and what capabilities a popular IDS has with respect to intelligent intrusion detection. Snort is the IDS in question, and this article describes some of its features, which users might not be taking advantage of, that allow the IDS to adapt to a network and detect anomalies. AI alleviates some of a security professional's workload in two ways: first, by learning about a network and gauging the security professional's reactions in order to reduce false positives; second, by adapting to changes in the network to identify new attacks.
Such knowledge is important, for example, in identifying packet fragmentation attacks, where the hosts on a network have different policies for reassembling fragments. The packet fragmentation issue was discussed by Thomas Ptacek and Timothy Newsham roughly eight years ago in their paper Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection. Since then, Snort developers have implemented a preprocessor for Snort that attempts to address the fragmentation issue. Judy Novak of Sourcefire published a paper in 2005 titled Target-Based Fragmentation Reassembly (pdf). Readers interested in more detail on this topic should read both papers.
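Why the destination host's reassembly policy matters, as an added example (not code from the article or from Snort): two protected hosts with different overlap policies rebuild the same three fragments into different datagrams, so an IDS must reassemble the way the destination host does before it matches a signature. The overlap policies are reduced to "first" and "last", and the host table, the fragments and the signature are constructed sample data.

```python
"""Target-based fragment reassembly, reduced to the overlap policy.

Added illustration, not Snort code.  Assumptions: only the "first" and
"last" overlap policies are modelled (the two extremes); the host-to-policy
table, the fragments and the signature below are constructed sample data.
"""

# Constructed host inventory: which overlap policy each protected host uses.
HOST_POLICY = {
    "10.0.0.5": "first",  # keeps the bytes of the fragment that arrived first
    "10.0.0.9": "last",   # lets later-arriving fragments overwrite earlier ones
}


def reassemble(fragments, policy):
    """Rebuild a datagram from (offset, data) fragments in arrival order.

    Overlapping bytes are resolved per the target's policy.  Offsets are in
    bytes (real IP offsets are in 8-byte units; that scaling is omitted here).
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unsupported policy: {policy}")
    total = max(off + len(data) for off, data in fragments)
    buf = bytearray(total)
    seen = bytearray(total)  # 1 where a byte has already been filled in
    for off, data in fragments:
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "last" or not seen[pos]:
                buf[pos] = byte
                seen[pos] = 1
    return bytes(buf)


def inspect(fragments, dst_host, signature, default_policy="first"):
    """Reassemble the way dst_host would, then look for the signature.

    Hosts missing from the inventory fall back to default_policy, which is
    exactly the situation where a non-target-based IDS can be wrong.
    """
    policy = HOST_POLICY.get(dst_host, default_policy)
    return signature in reassemble(fragments, policy)


# Constructed fragments: the second one overlaps bytes 5..7 of the first.
FRAGMENTS = [
    (0, b"GET /etc"),
    (5, b"ZZZ"),
    (8, b"/passwd"),
]
SIGNATURE = b"/etc/passwd"

if __name__ == "__main__":
    for host, policy in HOST_POLICY.items():
        print(host, policy, reassemble(FRAGMENTS, policy))
```

With a single global policy the IDS would raise a false alarm for one of the two hosts and miss the other; a per-host policy table, as Snort's preprocessor allows, reassembles each datagram the way its target will.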