Wednesday, April 19, 2017


In intrusion prevention systems (IPS), automatic prevention of communication relationships can also be initiated. Any IDS used should have the following characteristics:
■ High accuracy: An IDS should raise an alarm if and only if a relevant attack exists. This requirement may initially sound simple, but it actually conceals a complex task: as illustrated in Figure 22.3, an IDS is used to categorize events as suspicious and unsuspicious. Any error will result either in a false alarm (false positive) or an unidentified attack, a so-called false negative. Even false alarms pose a problem that can have significant consequences, such as when countermeasures are taken automatically. To make matters worse, the administrator is usually only interested in ‘serious’ attacks, i.e. those that are not prevented by proactive measures anyway, and processing of irrelevant and false alarms takes up valuable time.
■ Easy integration: It must be easy to integrate IDSs into an existing networking environment to prevent any further increase in complexity and so that the reorganization when IDSs are retrofitted does not alert attackers already in the network.
■ Simple configuration and management: Easy operation of such systems is a requirement for preventing configuration errors and for acceptance of an IDS.
■ Autonomous and fault-tolerant operating: Attacks must also be recognized in cases of failure. On one hand, attackers may cause targeted failures in networks and, on the other hand, attackers may wait until a random failure exists so as to infiltrate a system. It is, therefore, important that IDSs work autonomously even without connection to central components and that any potential attacks are revealed after elimination of the fault.
■ Low resource consumption: If IDSs are not working on dedicated systems, low resource consumption is a premise so as not to interfere with other applications. Even on dedicated systems, which mostly operate centrally, it is important to be able to handle an extremely large number of events quickly otherwise an attack may be disguised in a flood of legitimate events.
■ Self-protection: Attackers must not easily be able to target an IDS itself and thus evade recording of the events triggered. In the past, IDSs repeatedly showed security vulnerabilities themselves that actually made intrusion possible. Such problems are obviously unacceptable.
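
The accuracy requirement above can be made concrete with a small scoring exercise. The following is an added example, not taken from the book: a threshold-based ping-scan rule is run over a constructed one-minute window of ICMP echo requests and scored as false positives and false negatives. All addresses, the ground-truth labels, the thresholds and the `trusted` allowlist are assumptions made for illustration.

```python
from collections import defaultdict

def make_events():
    """Constructed one-minute window of ICMP echo requests as (source, destination)."""
    profile = {
        "10.0.0.5": 2,     # admin pinging two servers (benign)
        "10.0.0.9": 40,    # monitoring host polling the subnet (benign)
        "10.0.0.17": 12,   # slow ping scan
        "10.0.0.23": 200,  # fast ping sweep
    }
    return [(src, f"10.0.1.{i}") for src, n in profile.items() for i in range(n)]

SCANNERS = {"10.0.0.17", "10.0.0.23"}  # constructed ground truth for scoring

def fan_out(events):
    """Number of distinct destinations each source pinged in the window."""
    targets = defaultdict(set)
    for src, dst in events:
        targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items()}

def evaluate(events, scanners, threshold, trusted=frozenset()):
    """Alarm when a non-trusted source pings >= threshold hosts; score per source."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for src, n in fan_out(events).items():
        alarm = n >= threshold and src not in trusted
        attack = src in scanners
        key = ("tp" if attack else "fp") if alarm else ("fn" if attack else "tn")
        counts[key] += 1
    return counts

if __name__ == "__main__":
    events = make_events()
    for t in (10, 50):
        print("threshold", t, evaluate(events, SCANNERS, t))
    print("threshold 10 + allowlist",
          evaluate(events, SCANNERS, 10, trusted={"10.0.0.9"}))
```

A low threshold flags the monitoring host (false positive), a high one misses the slow scan (false negative). The allowlist removes the false alarm in this sample, but a trusted source is then never reported, so such entries need to be kept few and reviewed.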

Security in Fixed and Wireless Networks (2nd Edition) Guenter Schaefer.

Ping Scan - correct.
Unexpected bandwidth utilization = maybe blocking automatically for some program but not normal.