CISSP® Official Study Guide, Eighth Edition



(CISSP) Mike Chapple, James Michael Stewart, Darril Gibson - CISSP Official Study Guide-Sybex (2018)

Behavior-Based Detection
The second detection type is behavior-based detection (also called statistical intrusion detection, anomaly detection, and heuristics-based detection). Behavior-based detection starts by creating a baseline of normal activities and events on the system. Once it has accumulated enough baseline data to determine normal activity, it can detect abnormal activity that may indicate a malicious intrusion or event.
This baseline is often created over a finite period such as a week. If the network is modified, the baseline needs to be updated. Otherwise, the IDS may alert you to normal behavior that it identifies as abnormal. Some products continue to monitor the network to learn more about normal activity and will update the baseline based on the observations.
758  Chapter 17  Preventing and Responding to Incidents

Behavior-based IDSs use the baseline, activity statistics, and heuristic evaluation techniques to compare current activity against previous activity to detect potentially malicious events. Many can perform stateful packet analysis similar to how stateful inspection firewalls (covered in Chapter 11) examine traffic based on the state or context of network traffic.
Anomaly analysis adds to an IDS's capabilities by allowing it to recognize and react to sudden increases in traffic volume or activity, multiple failed login attempts, logons or program activity outside normal working hours, or sudden increases in error or failure messages. All of these could indicate an attack that a knowledge-based detection system may not recognize.
A behavior-based IDS can be labeled an expert system or a pseudo-artificial intelligence system because it can learn and make assumptions about events. In other words, the IDS can act like a human expert by evaluating current events against known events. The more information provided to a behavior-based IDS about normal activities and events, the more accurately it can detect anomalies. A significant benefit of a behavior-based IDS is that it can detect newer attacks that have no signatures and are not detectable with the signature-based method.
The primary drawback for a behavior-based IDS is that it often raises a high number of false alarms, also called false alerts or false positives. Patterns of user and system activity can vary widely during normal operations, making it difficult to accurately define the boundaries of normal and abnormal activity.
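The three ideas above (learn a baseline over a training window, flag the anomaly types listed, and accept that thresholds trade sensitivity against false positives) are easiest to see in code. The following Python detector is an added example written for this page, not code from the study guide or from any IDS product. The event format, the users "alice" and "mallory", the working hours, and the thresholds (mean plus three standard deviations for volume, a burst of five failed logons) are all assumptions constructed for the illustration.

```python
"""Toy behavior-based (statistical / anomaly) IDS over constructed auth events.
A baseline is learned from a training window, then new events are scored
against it. All events are constructed; thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def make_baseline_events(user="alice", days=7, start="2024-01-01"):
    """Synthesize a 'normal' week: four successful logons per hour from
    08:00 to 17:59, plus one mistyped password (a failure) each morning."""
    t0 = datetime.fromisoformat(start)
    events = []
    for d in range(days):
        day = t0 + timedelta(days=d)
        for h in range(8, 18):
            for m in (0, 15, 30, 45):
                events.append((day.replace(hour=h, minute=m), user, "success"))
        events.append((day.replace(hour=8, minute=1), user, "failure"))
    return events

def hour_bucket(ts):
    return ts.replace(minute=0, second=0, microsecond=0)

class Baseline:
    """Per-user profile: hours of day with any activity, plus per-hour counts
    of total events and failed logons (so 'normal' carries its own variance)."""

    def __init__(self, events):
        self.buckets = defaultdict(lambda: defaultdict(lambda: [0, 0]))
        self.active_hours = defaultdict(set)
        self.update(events)

    def update(self, events):
        """Fold further observations into the profile; re-run this when the
        environment changes so the IDS stops alerting on the new normal."""
        for ts, user, outcome in events:
            counts = self.buckets[user][hour_bucket(ts)]
            counts[0] += 1
            if outcome == "failure":
                counts[1] += 1
            self.active_hours[user].add(ts.hour)

    def stats(self, user, field):
        """(mean, population stddev) of per-hour totals or failures."""
        idx = 0 if field == "total" else 1
        vals = [c[idx] for c in self.buckets[user].values()]
        return (mean(vals), pstdev(vals)) if vals else (0.0, 0.0)

def detect(baseline, events, k=3.0, min_burst=5):
    """Return (kind, user, when) alerts: logons at hours never seen for the user,
    hourly volume above mean + k*sigma, and bursts of failed logons."""
    alerts = []
    window = defaultdict(lambda: [0, 0])  # (user, hour bucket) -> [total, failed]
    for ts, user, outcome in events:
        if user not in baseline.buckets:  # nothing learned about this account yet
            alerts.append(("no_baseline", user, ts.isoformat()))
            continue
        counts = window[(user, hour_bucket(ts))]
        counts[0] += 1
        if outcome == "failure":
            counts[1] += 1
        if ts.hour not in baseline.active_hours[user]:
            alerts.append(("off_hours_logon", user, ts.isoformat()))
    for (user, bucket), (total, failed) in window.items():
        mu, sigma = baseline.stats(user, "total")
        if total > mu + k * sigma:
            alerts.append(("volume_spike", user, bucket.isoformat()))
        mu_f, sigma_f = baseline.stats(user, "failed")
        if failed >= min_burst and failed > mu_f + k * sigma_f:
            alerts.append(("failed_logon_burst", user, bucket.isoformat()))
    return alerts

# Constructed events for the day after the training week.
DAY = datetime(2024, 1, 8)
TEST_EVENTS = (
    [(DAY.replace(hour=10, minute=m), "alice", "success") for m in (0, 20, 40)]
    + [(DAY.replace(hour=2, minute=30), "alice", "success")]                   # outside her hours
    + [(DAY.replace(hour=14, minute=m), "alice", "failure") for m in range(6)]  # brute force
    + [(DAY.replace(hour=11), "mallory", "success")]                            # never profiled
)

def run_detection():
    return detect(Baseline(make_baseline_events()), TEST_EVENTS)

def run_after_shift_change():
    """Alice moves to a night shift: refresh the baseline with a week of
    02:15 logons and the 02:30 alert (now a false positive) goes away."""
    base = Baseline(make_baseline_events())
    base.update([(datetime(2024, 1, 1 + d, 2, 15), "alice", "success") for d in range(7)])
    return detect(base, TEST_EVENTS)

if __name__ == "__main__":
    for alert in run_detection():
        print("initial:", *alert)
    for alert in run_after_shift_change():
        print("after baseline update:", *alert)
```

Against the trained baseline the three normal 10:00 logons produce nothing, the 02:30 logon is reported as off-hours, the six failures at 14:00 trip both the volume and the failed-logon rules, and the unprofiled account is reported because there is no baseline to compare it with. After the baseline is refreshed with the night-shift activity, the off-hours alert disappears; note that the added low-volume hours also widen the variance of the hourly total, so the same six-event hour no longer exceeds mean plus three sigma for volume, while the failed-logon rule still fires. That is the trade-off the text describes: every change to the baseline moves the boundary between normal and abnormal for every rule that depends on it.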
False alarms
A challenge that many IDS administrators have is finding a balance between the number of false alarms or alerts that an IDS sends and ensuring that the IDS reports actual attacks. In one organization we know about, an IDS sent a series of alerts over a couple of days that were aggressively investigated but turned out to be false alarms. Administrators began losing faith in the system and regretted wasting time chasing these false alarms.
Later, the IDS began sending alerts on an actual attack. However, administrators were 
actively troubleshooting another issue that they knew was real, and they didn’t have time 
to chase what they perceived as more false alarms. They simply dismissed the alarms on 
the IDS and didn’t discover the attack until a few days later.
