An intrusion detection system can only detect an attack. It cannot prevent attacks. The primary purpose of IDS is to know if the system is under attack. If you’re planning on taking the Security+ exam, you should have a basic understanding of IDS methods and threshold.
For example, can you answer this question?
Q. Administrators have noticed an increased workload recently. Which of the following can cause an increased workload from incorrect reporting?
A. False negatives
B. False positives
C. Separation of duties
D. Signature-based IDSs
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation is available at the end of this post.
Using Data Sources and Trends
Any type of intrusion detection system will use various raw data sources to collect information on activity. This includes a wide variety of logs, such as firewall logs, system logs, and application logs. These logs can be analyzed to provide insight on trends. These trends can detect a pattern of attacks and provide insight into how to better protect a network.
Many IDSs have the capability to monitor logs in real time. Each time a system records a log entry, the IDS examines the log to determine if it is an item of interest or not. Other IDSs will periodically poll relevant logs and scan new entries looking for items of interest.
IDSs Reporting
IDSs report on events of interest based on their settings. All events aren’t attacks or actual issues, but instead, they provide a report indicating an event might be an alert or an alarm. Administrators investigate to determine if it is valid. Some systems consider an alarm and an alert as the same thing. Other systems use an alarm for a potentially serious issue, and an alert as a relatively minor issue. The goal in these latter systems is to encourage administrators to give a higher precedence to alarms than alerts.
The actual reporting mechanism varies from system to system and in different organizations. For example, one IDS might write the event into a log as an alarm or alert, and then send an email to an administrator account. In a large network operations center (NOC), the IDS might send an alert to a monitor easily viewable by all personnel in the NOC.
False Positives Versus False Negatives
IDSs are susceptible to both false positives and false negatives. A false positive is an alert or alarm on an event that is nonthreatening, benign, or harmless. A false negative is when an attacker is actively attacking the network, but the system does not detect it. Neither is desirable, but it’s impossible to eliminate both. Most IDSs trigger an alert or alarm when an event exceeds a threshold.
Consider the classic SYN flood attack, where the attacker withholds the third part of the TCP handshake. A host will send a SYN packet and a server will respond with a SYN/ACK packet. However, instead of completing the handshake with an ACK packet, the attacking host never sends the ACK, but continues to send more SYN packets. This leaves the server with open connections that can ultimately disrupt services.
If a system receives one SYN packet without the accompanying ACK packet, is it an attack? Probably not. This can happen during normal operations. If a system receives over 1,000 SYN packets from a single IP address in less than 60 seconds, without the accompanying ACK packet, is it an attack? Absolutely.
With this in mind, administrators set the threshold to a number between 1 and 1,000 to indicate an attack. If administrators set it too low, they will have too many false positives and a high workload as they spend their time chasing ghosts. If they set the threshold too high, actual attacks will get through without administrators knowing about them.
Most administrators want to know if their system is under attack. That’s the primary purpose of the IDS. However, an IDS that constantly cries “Wolf!” will be ignored when the real wolf attacks. It’s important to set the threshold high enough to reduce the number of false positives, but low enough to alert on any actual attacks.
There is no perfect number for the threshold. Administrators adjust thresholds in different networks based on the network’s activity level and their personal preferences.
Remember this
A high incidence of false positives increases the administrator’s workload. Administrators often set the IDS threshold high enough that it minimizes false positives but low enough that it does not allow false negatives.
Q. Administrators have noticed an increased workload recently. Which of the following can cause an increased workload from incorrect reporting?
A. False negatives
B. False positives
C. Separation of duties
D. Signature-based IDSs
Answer is B. False positives can cause an increased workload because they falsely indicate an alert has occurred.
A false negative doesn’t report an actual attack, so it doesn’t increase the workload because administrators are unaware of the attack.
Separation of duties ensures a single person can’t control an entire process, so it is unrelated to increased workload.
Signature-based intrusion detection systems (IDSs) don’t necessarily cause an increased workload unless they have a high incidence of false positives.
You may like to view other blog posts related to IDS: