To achieve a higher attack recognition rate, current Intrusion Detection Systems generally combine both approaches. These hybrid systems are characterized by a central management system that receives the necessary information from both the network-based and the host-based components. Three basic components are involved in the recognition process:
Data monitoring
The data monitor has the task of collecting the data needed to detect intruders and applying a first filter to it. This is the aforementioned data audit, which covers the log files of operating systems and security applications as well as metrics such as CPU load, the number of active network connections, or the number of login attempts. In a hybrid intrusion detection system, the data monitor also evaluates data from the TCP/IP connections, such as source and destination addresses and other properties of the packets sent and received, which it obtains from the sensor of the network-based IDS.
Analysis
The data monitor sends the collected and pre-filtered data stream to the so-called analyzer. The analyzer must process and evaluate this information in real time; otherwise attacks could not be stopped in time. Consequently, the analysis stage places the greatest demands on the underlying hardware (CPU and memory). Especially in very large business networks, scaling the IDS is one of the most difficult tasks, but also one of the most important for keeping the system able to stop attacks. The analyzer evaluates the data with the following methods:
- In misuse detection, the analyzer tries to find known attack patterns, called signatures, in the data. The signatures are stored in a separate database that is updated regularly, and each entry also carries a rating of the severity of the attack. The downside of this method is that while known attack patterns can be identified and rated unambiguously, attacks that have not yet been added to the database are invisible to this detection mechanism.
- Anomaly detection is based on a different principle: it assumes that unauthorized access causes abnormal behavior in the system, i.e. behavior that deviates from preset values. The analyzer can therefore be configured to trigger an alarm when, for example, CPU load or the traffic to a web page exceeds a certain threshold (static approach). Alternatively, the evaluation can also take the time sequence of events into account (logical approach). Anomaly detection can help to detect new and unknown attacks; however, this method also raises alerts when the system is in an unusual state that was not caused by an intruder.
Results report
In the final stage, the Intrusion Detection System informs the network administrator when it has found an attack or suspicious system behavior. Depending on the potential risk, there are different ways to deliver the notification. For example, the system may send
- an email explaining the nature of the attack,
- a local alarm as a pop-up window that activates the security console,
- or an alert message to a mobile device.
In anomaly detection, the risk level is derived from the degree of deviation from the baseline value, whereas misuse detection, as mentioned above, takes the severity rating stored with the matching signature in the pattern database.
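The analysis methods described above (signature-based misuse detection, the static and logical anomaly approaches) and the way each derives a risk level can be illustrated with a small toy analyzer. This is an added example, not code from the original article or from any real IDS; the signature database, baseline values, thresholds and the event stream are all constructed for illustration.

```python
# Added toy hybrid-IDS analyzer (not from the article); signatures, baselines and events are constructed.
from collections import deque

SIGNATURES = {"UNION SELECT": "high", "../../etc/passwd": "high"}  # pattern -> severity rating
BASELINE = {"cpu": 40.0, "connections": 100}  # normal values for the static anomaly approach

def misuse_detect(event):
    """Signature match: return (pattern, severity from the database) on a hit, else None."""
    payload = event.get("payload", "").lower()
    for pattern, severity in SIGNATURES.items():
        if pattern.lower() in payload:
            return pattern, severity
    return None

def anomaly_static(event, tolerance=1.5):
    """Static approach: the risk level follows the degree of deviation from the baseline."""
    ratios = {m: event[m] / normal for m, normal in BASELINE.items() if m in event}
    return {m: ("high" if r > 3 else "medium") for m, r in ratios.items() if r > tolerance}

class LoginSequenceDetector:
    """Logical approach: too many failed logins from one source within a time window."""
    def __init__(self, limit=3, window=60):
        self.limit, self.window, self.failures = limit, window, {}
    def observe(self, event):
        if event.get("type") != "login_failed":
            return False
        times = self.failures.setdefault(event["src"], deque())
        times.append(event["ts"])
        while event["ts"] - times[0] > self.window:  # drop failures outside the window
            times.popleft()
        return len(times) > self.limit

def analyze(events):
    """Run all three checks over an event stream and return the alerts to report."""
    seq, report = LoginSequenceDetector(), []
    for ev in events:
        hit = misuse_detect(ev)
        if hit:
            report.append(("misuse", hit[0], hit[1]))
        for metric, sev in anomaly_static(ev).items():
            report.append(("anomaly-static", metric, sev))
        if seq.observe(ev):
            report.append(("anomaly-logical", ev["src"], "medium"))
    return report

# Constructed sample events: one web request, one host-metrics sample, a burst of failed logins.
SAMPLE = [{"type": "http", "src": "10.0.0.5", "payload": "GET /?id=1 UNION SELECT 1"},
          {"type": "metrics", "cpu": 95.0, "connections": 420},
          *({"type": "login_failed", "src": "10.0.0.9", "ts": t} for t in (0, 10, 20, 30))]
```

Note that the metrics sample produces two static anomaly alerts with different risk levels purely from how far each value departs from its baseline, while the signature hit takes its severity from the database entry, as the text describes.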