Did you know Cybrary has FREE video training? Join more than 2,500,000 IT and cyber security professionals, students, career changers, and more, growing their careers on Cybrary.
In this section we examine analysis engines. These are the core components of intrusion detection and prevention systems. We'll look at techniques employed by them along with the vulnerabilities and threats they're designed to detect. Pattern matching or signature-based analysis engines behave very similarly to antivirus programs. They refer to a set of definition files to detect suspicious data. Like AV programs, their definition files must be kept up-to-date and are unable to detect zero-day attacks since no existing signature yet exists. We then discuss profile matching systems which look for suspicious activity. These are behavior-based or anomaly-based systems. They work from a baseline and then flag behavior outside of what's considered normal. The downside is that such systems are prone to false positives and require a more skilled analyst to interpret their findings. Finally, we conclude with mentioning attack strategies which attempt to evade detection by analysis engines. Such strategies include a collection of small attacks in an attempt to fly under the RADAR and insertion attacks targeting signature-based detection systems.