Analysis Engines

Time: 15 hours 43 minutes
Difficulty: Advanced
CEU/CPE: 16
Video Transcription
00:00
>> Now we said before that what separates an intrusion detection and prevention system from just a regular sniffer is the fact that an IDS or IPS is going to have an analysis engine. We're going to talk about the two types of analysis engines. We have pattern matching systems, and then we have profile matching systems.

Now the most common type of analysis engine for a long time was the signature-based system. These work a lot like we think about our antivirus programs working. There are virus definition files, which are essentially just collections of information about known attacks. When the anti-malware application is scanning your system for activity, it's looking for a match for something that's been determined to be malicious, and when it finds that match it sends the alarm: hey, we've got a problem here.

With their signature-based systems, they're looking for known attacks: activity that matches up to a known attack. Once we determine that that activity matches, then what happens is we have what we refer to as a positive. A positive is when an intrusion detection system says, we have an attack; that's considered a positive. I always think of it as the IDS saying, "I am positive, we're being attacked." A negative is when the IDS doesn't detect anything.

Before it triggers a positive, it has to see a match to a known attack. What happens if there's a new attack? That's something called the zero-day attack. A zero-day attack is one for which there is no signature. Your signature-based systems are not going to be able to detect those.

Now, profile matching is where your systems are aware of normal network activity. Basically, these could be called anomaly-based systems or behavior-based heuristic systems, and so what these do is they start by taking a baseline, a snapshot, if you will, of normal network behavior. Then they set up the threshold for tolerance, and anything outside that threshold is determined to be an attack. Again, when it finds something outside of the realm of what's normal, then we have a positive and the IDS sounds the alarm or sends an alert.

Now the problem with that is not all network behavior that isn't standard is an attack. We just have differences in activity from day to day. The IDS could send a positive when there's absolutely nothing sinister going on. We would call that a false positive, and a false positive is exactly that: when the IDS triggers, yet there's no malicious or damaging activity. The problem with this is certainly not as big a problem as a false negative, where there's an attack and the IDS doesn't recognize it. But the problem with the false positive is sometimes we get that boy-who-cried-wolf syndrome, where, if my IDS is configured so sensitive that every time network activity changes just a little bit I spend all my time going back and saying, that's not an attack, that's not an attack, that's not an attack, well then I become desensitized, and the next time I get an alert that there's an attack, I'm just going to ignore it. Of course, as soon as I decide to disregard our alarms, our alarms are worthless.

We want to make sure that with our profile matching system, a lot of times at the beginning, we have to tweak how they're configured. I'd rather, at the beginning, allow some false positives to make sure that we don't have any false negatives. That's really the measure of the accuracy of the system: it has to do with the relationship between these false positives and false negatives.

In this section, we just talked about the different types of analysis engines for intrusion detection systems. We talked about pattern matching systems, the most common of which is a signature-based system. We said its biggest weakness is it can't detect zero-day attacks. Then we looked at profile matching systems, and they look for abnormalities in network activity, or anomalies in network activity, and they determine that anything that isn't standard is an attack, which means we get a lot of false positives. What most systems do now is they combine both types of analysis engines to work together so that we can still detect zero-day attacks, but we also don't have so many false positives that we spend all our time shutting down the alarms. That's the best of both worlds.