Recognition Strategies: Intrusion Detection and Prevention

This chapter discusses intrusion detection and prevention technologies as a recognition strategy. It begins with the motivation for intrusion detection systems (IDSs): humans are too slow, and network threats must be addressed at network speed. Further, the technologies introduced in Chapter 5 as frustration strategies are not infallible, and an IDS is a means of auditing how well frustration and resistance strategies are working. Given this motivation, and given that IDSs are important contributions to a layered defense, the chapter discusses several common pitfalls that can degrade an IDS's usefulness: packet fragmentation, application-layer reassembly, acting out of band, utilizing centrality effectively, and the base-rate fallacy. IDSs rely on two basic modes of detection, signature based and anomaly based; the differences between them are introduced and the uses of each are discussed. Although the bulk of the chapter focuses on network IDSs, systems that use related but different data elements are also introduced: network behavior analyzers and wireless IDSs.
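The base-rate fallacy named above is the one pitfall in this list that reduces to arithmetic, so the following added example works it through; it is not code from the chapter or its authors. It applies Bayes' theorem to a constructed, hypothetical deployment (one million flows per day, one intrusion per 100,000 flows, a 99% detection rate and a 0.1% false-positive rate are all assumed figures chosen for illustration) and shows why even a very accurate sensor produces alerts that are almost all false when intrusions are rare.

```python
from fractions import Fraction

# Bayes' theorem applied to an IDS alert:
#   P(intrusion | alert) = P(alert | intrusion) * P(intrusion) / P(alert)
# where P(alert) = tpr * base_rate + fpr * (1 - base_rate).
# Fractions keep the arithmetic exact so the result is not obscured by rounding.


def alert_precision(base_rate, tpr, fpr):
    """Probability that a raised alert corresponds to a real intrusion.

    base_rate: fraction of monitored events that are intrusions, P(intrusion)
    tpr:       detection rate, P(alert | intrusion)
    fpr:       false-positive rate, P(alert | benign)
    """
    base_rate, tpr, fpr = Fraction(base_rate), Fraction(tpr), Fraction(fpr)
    p_alert = tpr * base_rate + fpr * (1 - base_rate)
    return tpr * base_rate / p_alert


def daily_alert_breakdown(events_per_day, base_rate, tpr, fpr):
    """Expected (true alerts, false alerts) per day for the given rates."""
    base_rate, tpr, fpr = Fraction(base_rate), Fraction(tpr), Fraction(fpr)
    intrusions = events_per_day * base_rate
    benign = events_per_day - intrusions
    return intrusions * tpr, benign * fpr


def required_fpr(base_rate, tpr, target_precision):
    """False-positive rate needed so that P(intrusion | alert) reaches target.

    Solving the precision formula for fpr:
      fpr = tpr * base_rate * (1 - target) / (target * (1 - base_rate))
    """
    base_rate, tpr, target = Fraction(base_rate), Fraction(tpr), Fraction(target_precision)
    return tpr * base_rate * (1 - target) / (target * (1 - base_rate))


if __name__ == "__main__":
    # Constructed, hypothetical deployment figures (assumptions, not measurements).
    EVENTS_PER_DAY = 1_000_000
    BASE_RATE = Fraction(1, 100_000)   # one intrusion per 100,000 flows
    TPR = Fraction(99, 100)            # sensor catches 99% of intrusions
    FPR = Fraction(1, 1000)            # sensor misfires on 0.1% of benign flows

    precision = alert_precision(BASE_RATE, TPR, FPR)
    true_alerts, false_alerts = daily_alert_breakdown(EVENTS_PER_DAY, BASE_RATE, TPR, FPR)
    needed = required_fpr(BASE_RATE, TPR, Fraction(1, 2))

    print(f"expected true alerts/day:  {float(true_alerts):.2f}")
    print(f"expected false alerts/day: {float(false_alerts):.2f}")
    print(f"P(intrusion | alert):      {float(precision):.4f}")
    print(f"FPR needed for 50% precision: {float(needed):.2e}")
```

With these assumed figures the sensor raises roughly 1,010 alerts a day, of which about 10 are real, so an analyst who treats every alert as an intrusion is wrong more than 99% of the time. Reaching even a coin-flip level of confidence per alert would require a false-positive rate near one in 100,000, which is why the base rate, not the detection rate, dominates the practical usefulness of an IDS and why tuning, correlation, and prioritisation matter more than raw signature coverage.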