anomaly based
Characteristics
1) Uses a statistical model or machine learning engine to characterize normal usage behavior
2) Recognizes departures from normal as potential intrusions
Advantages
1) Can detect attempts to exploit new and unforeseen vulnerabilities
2) Can recognize authorized usage that falls outside the normal pattern
Disadvantages
1) Generally slower and more resource intensive than signature-based IDS
2) Greater complexity, difficult to configure
3) Higher percentages of false alerts
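The following is an added example, not part of the original notes: a minimal anomaly-based detector in the style described above. It learns a per-user baseline (mean and standard deviation of bytes transferred, and the hours of day at which the user is normally active) from a constructed training window, then flags later events that depart from that baseline. The user names, hours and byte counts are all made up for the demo, and the z-score threshold of 3 is an arbitrary choice. Note that it needs no knowledge of any specific attack (the first advantage), and that an authorized but unusual bulk transfer is flagged just like a suspicious one (the source of the higher false-alert rate).

```python
"""Added example (not from the original notes): a per-user statistical
baseline with departure detection. All data below is constructed."""
import math
from collections import defaultdict

# Constructed training records: (user, hour_of_day, bytes_transferred)
TRAINING = [
    ("alice", 9, 1200), ("alice", 10, 1500), ("alice", 11, 1100), ("alice", 14, 1300),
    ("alice", 15, 1400), ("alice", 16, 1250), ("alice", 9, 1350), ("alice", 10, 1450),
    ("bob", 8, 5000), ("bob", 9, 5200), ("bob", 10, 4800), ("bob", 13, 5100),
    ("bob", 14, 4900), ("bob", 15, 5300), ("bob", 8, 5050), ("bob", 9, 4950),
]


def build_profile(records):
    """Per-user baseline: mean/std of bytes transferred and the set of active hours."""
    values = defaultdict(list)
    hours = defaultdict(set)
    for user, hour, nbytes in records:
        values[user].append(nbytes)
        hours[user].add(hour)
    profile = {}
    for user, xs in values.items():
        mean = sum(xs) / len(xs)
        var = sum((x - mean) ** 2 for x in xs) / len(xs)
        profile[user] = {"mean": mean, "std": math.sqrt(var), "hours": hours[user]}
    return profile


def score(profile, user, hour, nbytes, z_threshold=3.0):
    """Return the reasons an event departs from the user's baseline ([] = normal).

    z_threshold is an assumed tuning knob; a higher value trades missed
    departures for fewer false alerts.
    """
    p = profile.get(user)
    if p is None:
        return ["unknown user"]
    reasons = []
    if p["std"] > 0 and abs(nbytes - p["mean"]) / p["std"] > z_threshold:
        reasons.append("volume")
    if hour not in p["hours"]:
        reasons.append("hour")
    return reasons


def detect(profile, events):
    """Filter events down to those that depart from baseline, with reasons."""
    flagged = []
    for event in events:
        reasons = score(profile, *event)
        if reasons:
            flagged.append((event, reasons))
    return flagged


if __name__ == "__main__":
    prof = build_profile(TRAINING)
    # Constructed events: one normal, one off-hours bulk transfer, one
    # unknown user, and one authorized daytime export that still trips the
    # volume check (a false alert from the analyst's point of view).
    events = [("bob", 9, 5100), ("alice", 3, 90000),
              ("mallory", 12, 10), ("alice", 10, 20000)]
    for event, reasons in detect(prof, events):
        print(event, "->", ", ".join(reasons))
```

The profile is the whole "model" here; a production engine would use many more features and periodically retrain, but the mechanics (learn normal, measure distance, alert on distance) are the same.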
network based
Characteristics
1) NIDS examines raw packets on the network passively and triggers alerts
Advantages
1) Easy deployment
2) Unobtrusive
3) Difficult to evade if done at a low level of network operation
Disadvantages
1) Fail open
2) Different hosts process packets differently
3) NIDS needs to reconstruct the traffic as the end host would see it
4) Needs the complete network topology and complete host behavior.
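An added example, not from the original notes, illustrating disadvantages 2 and 3 together: two hosts that resolve overlapping TCP segments differently end up with different byte streams, so a NIDS that rebuilds the stream with the wrong policy inspects data the end host never saw. The two policies ("first": keep the bytes that arrived first; "last": later bytes overwrite) are simplified stand-ins for real operating-system behaviour, which is more nuanced; the segments, the rule pattern and the policy names are constructed for the demo. The defensive conclusion is the one the notes state: the sensor must know how each monitored host behaves (target-based reassembly) rather than assume one policy for everyone.

```python
"""Added example (not from the original notes): reassembling the same
overlapping segments under two host policies. Everything is in-memory;
nothing touches the network."""


def reassemble(segments, policy):
    """Rebuild a byte stream from (seq, payload) tuples.

    policy="first": a byte already present is kept (earlier data wins)
    policy="last":  later data overwrites earlier bytes at the same offset
    Both are assumed, simplified policies used only to show the ambiguity.
    """
    if policy not in ("first", "last"):
        raise ValueError("unknown reassembly policy: %r" % policy)
    stream = {}
    for seq, payload in segments:
        for i, b in enumerate(payload):
            off = seq + i
            if policy == "last" or off not in stream:
                stream[off] = b
    if not stream:
        return b""
    # Gaps (offsets never received) are rendered as NUL for simplicity.
    return bytes(stream.get(i, 0) for i in range(max(stream) + 1))


def rule_matches(stream, pattern=b"GET /admin"):
    """Toy content match standing in for a NIDS signature."""
    return pattern in stream


def verdicts(segments, policies=("first", "last")):
    """Run the same segments through each policy and report the rule outcome."""
    return {p: rule_matches(reassemble(segments, p)) for p in policies}


# Constructed segments: the second one overlaps the first at offsets 5 and 6.
SEGMENTS = [(0, b"GET /in"), (5, b"admin HTTP/1.0")]

if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, reassemble(SEGMENTS, policy))
    print(verdicts(SEGMENTS))
```

If the monitored web server keeps the later bytes, only a sensor configured for the "last" policy reaches the same conclusion the server does; any mismatch between sensor policy and host policy is a blind spot, which is why mature NIDS engines keep a per-host reassembly policy table.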
host based
Characteristics
1) Runs on a single host
2) Can analyze audit trails, logs, integrity of files and directories, etc.
Advantages
1) More accurate than NIDS
2) Less volume of traffic, so less overhead
Disadvantages
1) Deployment is expensive
2) What happens when the host gets compromised?
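An added example, not part of the original notes: the file-integrity part of a HIDS, reduced to its core. It hashes every file under a directory into a baseline, later re-hashes the tree and reports added, removed and modified files. To address the last question (what happens when the host itself is compromised), the baseline is authenticated with an HMAC key that is assumed to live off the monitored host, so someone who can change files on the host cannot also quietly rewrite the baseline to match. The directory layout, file contents and key are constructed for the demo.

```python
"""Added example (not from the original notes): a minimal file-integrity
monitor with an HMAC-sealed baseline. Paths and key are constructed."""
import hashlib
import hmac
import json
import os
import tempfile


def snapshot(root):
    """Map relative path -> SHA-256 hex digest for every regular file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                out[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return out


def seal(snap, key):
    """Serialize the baseline and attach a MAC computed with the off-host key."""
    body = json.dumps(snap, sort_keys=True)
    mac = hmac.new(key, body.encode(), "sha256").hexdigest()
    return {"body": body, "mac": mac}


def open_sealed(sealed, key):
    """Verify the MAC before trusting a stored baseline."""
    expected = hmac.new(key, sealed["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, sealed["mac"]):
        raise ValueError("baseline tampered or wrong key")
    return json.loads(sealed["body"])


def diff(baseline, current):
    """Report which files were added, removed, or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def write(root, rel, text, mode="w"):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as fh:
        fh.write(text)


def demo():
    """Baseline a constructed tree, change it, and return (report, mac_caught)."""
    key = b"constructed-demo-key-kept-off-host"  # assumption: stored elsewhere
    with tempfile.TemporaryDirectory() as root:
        write(root, os.path.join("etc", "app.conf"), "debug=false\n")
        write(root, os.path.join("bin", "service"), "#!/bin/sh\necho ok\n")
        sealed = seal(snapshot(root), key)

        # Simulated changes on the host after the baseline was taken.
        write(root, os.path.join("etc", "app.conf"), "debug=true\n", mode="a")
        os.remove(os.path.join(root, "bin", "service"))
        write(root, os.path.join("etc", "extra.conf"), "x=1\n")
        report = diff(open_sealed(sealed, key), snapshot(root))

        # Simulated attempt to edit the stored baseline without the key.
        tampered = dict(sealed, body=sealed["body"].replace("app.conf", "app.cfg"))
        try:
            open_sealed(tampered, key)
            mac_caught = False
        except ValueError:
            mac_caught = True
    return report, mac_caught


if __name__ == "__main__":
    print(demo())
```

Keeping the key and a copy of the sealed baseline off the host does not stop a compromised host from lying about its current state (a rootkit can feed the monitor clean bytes), which is exactly the limitation the question in disadvantage 2 points at; it only prevents the stored reference from being rewritten.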