Analysis of Methods of Attack Detection and Prevention Systems


Date: 28.02.2023
Related: Paper Tashev 2022

IDS OVERVIEW


Most IDPS use either misuse (signature-based) detection and prevention or anomaly-based detection and prevention. The misuse detection method detects known intrusions and/or signature patterns. Because the system is based on signatures, its detection rate for known attacks is quite high and its false positive rate is low [27, 30]. In contrast, the anomaly-based method is able to detect unknown intrusions because of its intelligent detection behavior. This method is based on profiles that represent the typical behavioral activity of users, systems, network connections, and applications. These profiles are built by tracking attributes of typical activity over a period of time [16, 27, 29]. Profiles can be generated from a number of behavioral attributes, such as the number of emails generated by a user, the number of failed login attempts for a host, and the level of CPU usage for a host in a given time period. Defining the profiles is a very important step. If the profiles are not defined properly or are defined too broadly, some attacks fall within the profile and go undetected, lowering the system's detection rate. Conversely, if the profiles are defined too narrowly, various common activities are detected and treated as intrusions, i.e. false positives.
The functional components of an integrated IDPS are an event management module, a data storage module, an analysis engine, and a response manager. The event management module collects information about events (such as warnings or blocking events) to and from the monitored system (Figure 1) and sends it to the data store. The data store holds the events collected by event management. The analysis engine reads data from the data store and analyzes it to determine whether it is free of policy violations or other attacks; this engine can use anomaly/statistical detection, misuse/signature-based detection, or both. The analysis engine processes events and sends alerts. The response manager neutralizes an attack after it is detected, reacting to events and stopping intrusions [30].
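The following is an added example, not code from the paper, that ties the two paragraphs above together: the four components of Figure 1 (event manager, data store, analysis engine, response manager) and the profile trade-off in the anomaly branch. The hosts, log lines, failed-login counts, signature rules and the "mean plus k standard deviations" scoring rule are all constructed assumptions for illustration; the paper does not specify how a profile is scored. The sensitivity parameter k plays the role of how broadly or narrowly a profile is defined.

```python
"""Toy IDPS pipeline: event manager -> data store -> analysis engine -> response manager.
All data, rules and thresholds below are constructed for illustration."""
from collections import defaultdict
from statistics import mean, pstdev

# --- constructed sample data (not from any real system) ----------------------
# Baseline: failed logins per host in each of six one-hour buckets (t=0..5).
BASELINE_FAILED_LOGINS = {"web1": [1, 2, 1, 3, 2, 1], "db1": [0, 1, 0, 1, 0, 1]}
# Evaluation window (t=6): a normal hour for web1, a burst on db1, one host
# with no baseline profile, and two HTTP requests, one of which hits a rule.
EVAL_LINES = (
    ["t=6 host=web1 type=login_failed"] * 3
    + ["t=6 host=db1 type=login_failed"] * 20
    + ["t=6 host=app3 type=login_failed"]
    + ["t=6 host=web1 type=http_request payload=GET /index.html",
       "t=6 host=web1 type=http_request payload=GET /page?id=1 UNION SELECT 1"]
)
# Misuse (signature) rules: constructed substring patterns keyed by rule name.
SIGNATURES = {"sqli_union": "UNION SELECT", "path_traversal": "../"}


def parse_line(line):
    """Event manager: parse 'k=v k=v ... payload=<rest>' into an event dict."""
    head, _, payload = line.partition(" payload=")
    ev = dict(tok.split("=", 1) for tok in head.split())
    ev["t"] = int(ev["t"])
    ev["payload"] = payload
    return ev


class EventStore:
    """Data store: keeps every collected event and answers simple queries."""
    def __init__(self):
        self.events = []

    def add(self, ev):
        self.events.append(ev)

    def failed_logins(self, bucket):
        counts = defaultdict(int)
        for ev in self.events:
            if ev["t"] == bucket and ev["type"] == "login_failed":
                counts[ev["host"]] += 1
        return counts


def build_profiles(store, baseline_buckets):
    """Anomaly profile per host: mean and std of failed logins per bucket.
    Hosts with no failures in a bucket are counted as 0 for that bucket."""
    hosts = {ev["host"] for ev in store.events if ev["t"] in baseline_buckets}
    per_host = defaultdict(list)
    for b in baseline_buckets:
        counts = store.failed_logins(b)
        for h in hosts:
            per_host[h].append(counts.get(h, 0))
    return {h: (mean(v), pstdev(v)) for h, v in per_host.items()}


def analysis_engine(store, profiles, bucket, k):
    """Combine signature matching and profile-based anomaly detection.
    k is the sensitivity: larger k = broader profile, smaller k = narrower."""
    alerts = []
    for ev in store.events:                      # misuse / signature branch
        if ev["t"] != bucket:
            continue
        for name, pattern in SIGNATURES.items():
            if pattern in ev["payload"]:
                alerts.append(("signature", ev["host"], name))
    for host, n in store.failed_logins(bucket).items():   # anomaly branch
        if host not in profiles:                 # never seen in baseline
            alerts.append(("no_profile", host, n))
            continue
        mu, sd = profiles[host]
        if n > mu + k * sd:
            alerts.append(("anomaly", host, n))
    return alerts


def response_manager(alerts):
    """Map alerts to actions: block on signature/anomaly hits, otherwise
    queue unprofiled hosts for analyst review rather than blocking blindly."""
    actions = {}
    for kind, host, _detail in alerts:
        if kind in ("signature", "anomaly"):
            actions[host] = "block"
        else:
            actions.setdefault(host, "review")
    return actions


def run_idps(k):
    """Run the whole pipeline on the constructed data for sensitivity k."""
    store = EventStore()
    for host, counts in BASELINE_FAILED_LOGINS.items():
        for b, n in enumerate(counts):
            for _ in range(n):
                store.add(parse_line(f"t={b} host={host} type=login_failed"))
    for line in EVAL_LINES:
        store.add(parse_line(line))
    profiles = build_profiles(store, range(6))
    alerts = analysis_engine(store, profiles, 6, k)
    return alerts, response_manager(alerts)


def anomalous_hosts(k):
    """Hosts flagged by the anomaly branch alone, to show the profile trade-off."""
    alerts, _ = run_idps(k)
    return sorted(h for kind, h, _ in alerts if kind == "anomaly")


if __name__ == "__main__":
    for k in (1, 3, 50):
        print(f"k={k}: anomalous hosts = {anomalous_hosts(k)}")
    print(run_idps(3))
```

With k=3 only db1's burst of 20 failed logins is flagged; with k=1 the profile is so narrow that web1's ordinary three failures are also flagged (a false positive); with k=50 the profile is so broad that even the burst on db1 passes unnoticed, which is the low-detection-rate case the paper warns about. The signature branch is independent of k and catches the request matching the constructed sqli_union rule.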

Fig.1. General scheme of IDPS systems


A NIPS (network intrusion prevention system) is one member of the large family of so-called intrusion detection and prevention systems (IDPS).


