RangerIDS - Intrusion Detection System (IDS)
Which Detection Method Is The Best?
Which detection method to choose is a difficult question, and in all honesty it is not one that most people evaluating these products should concern themselves with. Adequate performance for the traffic the sensor will actually see, accuracy of alerts, a low false-positive rate, and centralised management and reporting/analysis tools matter far more than how the packets are processed internally.
In some instances the lines blur between methodologies to the point where they become almost indistinguishable. For example, most protocol decode engines alert on protocol violations that are not tied to any known attack but are simply “anomalous”; length-based buffer overflow detection, where an over-long field is flagged regardless of its content, is the classic case. In that respect the engine has attributes of an anomaly-based system.
As we have already mentioned, most protocol analysis systems also fall back on some form of pattern matching once the protocol decode is complete. Likewise, even the most basic pattern-matching systems perform some protocol analysis, if only for a limited range of protocols. In truth, most network IDS products already use a hybrid architecture of some kind, and we foresee a time in the not too distant future when most NIDS will employ fully integrated pattern-matching, protocol decode, heuristic and anomaly detection engines in a single product.
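To make that hybrid pipeline concrete, the following is an added illustration written for this page; it is not RangerIDS code, and the length thresholds, the two signatures and the four sample requests are all constructed assumptions. It decodes an HTTP/1.x request, raises a protocol-decode alert when the grammar is violated, an anomaly alert when a field is over-long (the length-based buffer overflow check described above), and only then runs signature matching on the decoded fields. A raw-bytes matcher is included alongside it to show why the decode stage has to come first: a percent-encoded traversal string slips past the raw matcher but not the decoded one.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes

# Hypothetical thresholds; a real sensor would tune these per deployment.
MAX_URI_LEN = 1024
MAX_HEADER_VALUE_LEN = 4096

# Constructed signatures, applied to the *decoded* URI rather than the raw bytes.
SIGNATURES = [
    ("directory traversal", re.compile(rb"\.\./")),
    ("cmd.exe probe", re.compile(rb"cmd\.exe", re.IGNORECASE)),
]


@dataclass
class Alert:
    engine: str   # which stage fired: protocol-decode, anomaly or pattern-match
    reason: str


def decode_http_request(payload: bytes):
    """Minimal HTTP/1.x request decoder.

    Returns (method, decoded_uri, headers) or raises ValueError on a
    protocol violation such as a malformed request line or header.
    """
    head = payload.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, uri, version = parts
    if not re.fullmatch(rb"HTTP/1\.[01]", version):
        raise ValueError("unsupported HTTP version %r" % version)
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    # Percent-decoding is the step that defeats trivial signature evasion.
    return method, unquote_to_bytes(uri), headers


def raw_pattern_match(payload: bytes) -> list:
    """Pure pattern matching on the raw bytes, with no decode stage at all."""
    return [label for label, rx in SIGNATURES if rx.search(payload)]


def inspect(payload: bytes) -> list:
    """Hybrid pipeline: decode -> anomaly checks -> signatures on decoded fields."""
    try:
        method, uri, headers = decode_http_request(payload)
    except ValueError as err:
        # A violation of the protocol grammar is an alert in itself, signature or not.
        return [Alert("protocol-decode", str(err))]

    alerts = []
    if len(uri) > MAX_URI_LEN:
        alerts.append(Alert("anomaly", "URI length %d exceeds %d" % (len(uri), MAX_URI_LEN)))
    for name, value in headers.items():
        if len(value) > MAX_HEADER_VALUE_LEN:
            alerts.append(Alert("anomaly", "header %s length %d exceeds %d"
                                % (name.decode(errors="replace"), len(value), MAX_HEADER_VALUE_LEN)))
    for label, rx in SIGNATURES:
        if rx.search(uri):
            alerts.append(Alert("pattern-match", "%s in decoded URI" % label))
    return alerts


# Constructed sample requests, not captured traffic.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
ENCODED_TRAVERSAL = b"GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n"
LONG_URI = b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\nHost: example.test\r\n\r\n"
MALFORMED = b"GET /index.html\r\n\r\n"

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN), ("encoded traversal", ENCODED_TRAVERSAL),
                         ("long URI", LONG_URI), ("malformed", MALFORMED)]:
        print(name, "| raw-only:", raw_pattern_match(sample), "| hybrid:", inspect(sample))
```

The encoded traversal request is the instructive case: the raw matcher returns nothing because `%2e%2e/` never contains a literal `../`, while the hybrid path decodes the URI first and fires the same signature. The over-long URI produces only an anomaly alert, with no signature involved, which is exactly the blurred boundary the text describes.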
By and large, therefore, the pattern-matching vs. protocol decode debate is one of religion: something for the marketing departments to shout about until the aforementioned hybrid products become commonplace. Why should the average user care what happens under the hood, as long as the product does what it claims to do and detects intrusions?