
Topologies and IDS • Chapter 7  459

                 Signature-based IDSes and Detection Evasion


An IDS is, quite simply, the high-tech equivalent of a burglar alarm configured to monitor access points, hostile activities, and known intruders. These systems typically trigger on events by referencing network activity against an attack signature database. If a match is made, an alert takes place and is logged for future reference. It is the makeup of this signature database that is the Achilles heel of these systems.

Attack signatures consist of several components used to uniquely describe an attack. The signature is a kind of detailed profile that is compiled by doing an analysis of previous successful attacks. An ideal signature would be one that is specific to the attack, while being as simple as possible to match with the input data stream (large complex signatures may pose a serious processing burden). Just as there are varying types of attacks, there must be varying types of signatures. Some signatures define the characteristics of a single IP option, perhaps that of an nmap portscan, while others are derived from the actual payload of an attack.

Most signatures are constructed by running a known exploit several times, monitoring the data as it appears on the network, and looking for a unique pattern that is repeated on every execution. This method works fairly well at ensuring that the signature will consistently match an attempt by that particular exploit. Remember, the idea is for the unique identification of an attack, not merely the detection of attacks.
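The two ideas above, deriving a signature from the pattern that repeats across several captures of the same event and then matching live traffic against a signature database, as an added worked example that is not part of the book. Everything in it is constructed for illustration: the captured "probe" strings, the packet records, the `XYZZY-TEST-PROBE` marker and the signature name are all made up, and the common-substring routine is a simple heuristic, not a production signature generator.

```python
"""Toy signature-based IDS (constructed example, not from the book).

1. derive_pattern() extracts the byte string common to every capture of
   the same event, the way an analyst looks for the pattern that repeats
   on every execution.
2. match() checks a packet against a signature database (port + pattern).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Signature:
    name: str
    dst_port: Optional[int]   # None means "any port"
    pattern: bytes            # byte string that must appear in the payload


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    payload: bytes


def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Classic dynamic-programming longest common substring of two byte strings."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def derive_pattern(captures: list[bytes]) -> bytes:
    """Heuristic: fold pairwise LCS over all captures.

    The result is always common to every capture, though not guaranteed to be
    the globally longest such string. An analyst would still trim it to the
    attack-specific part (here the trailing ' HTTP/1.0' is generic protocol
    text, not attack data).
    """
    common = captures[0]
    for capture in captures[1:]:
        common = longest_common_substring(common, capture)
    return common


def match(packet: Packet, db: list[Signature]) -> list[str]:
    """Return the names of every signature the packet matches."""
    hits = []
    for sig in db:
        if sig.dst_port is not None and sig.dst_port != packet.dst_port:
            continue
        if sig.pattern in packet.payload:
            hits.append(sig.name)
    return hits


# Constructed sample data: three captures of the same hypothetical HTTP probe.
# Only the request id varies between runs; the marker repeats every time.
CAPTURES = [
    b"GET /probe?id=1234&marker=XYZZY-TEST-PROBE HTTP/1.0\r\n",
    b"GET /probe?id=9982&marker=XYZZY-TEST-PROBE HTTP/1.0\r\n",
    b"GET /probe?id=0007&marker=XYZZY-TEST-PROBE HTTP/1.0\r\n",
]


def build_db() -> list[Signature]:
    """Signature database with one entry derived from the captures above."""
    return [Signature("constructed-http-probe", 80, derive_pattern(CAPTURES))]


# Constructed traffic: a hit, benign traffic, the same payload on a port the
# signature does not cover, and a new probe the database has no entry for yet.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", 80, b"GET /probe?id=4242&marker=XYZZY-TEST-PROBE HTTP/1.0\r\n"),
    Packet("10.0.0.6", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("10.0.0.7", 8080, b"GET /probe?id=1&marker=XYZZY-TEST-PROBE HTTP/1.0\r\n"),
    Packet("10.0.0.8", 80, b"GET /probe?id=2&marker=NEW-UNSEEN-PROBE HTTP/1.0\r\n"),
]


def scan(packets: list[Packet], db: list[Signature]) -> dict[int, list[str]]:
    """Run every packet through the database; index -> matched signature names."""
    return {i: match(p, db) for i, p in enumerate(packets)}


if __name__ == "__main__":
    db = build_db()
    print("derived pattern:", db[0].pattern)
    for i, hits in scan(SAMPLE_TRAFFIC, db).items():
        print(i, SAMPLE_TRAFFIC[i].src, "ALERT" if hits else "no match", hits)
```

Packets 1 and 2 show why a signature carries more than a byte pattern (the port constraint is part of the profile), and packet 3 shows the point the book makes next: a probe with no released signature produces no alert, however similar it looks to an analyst, until the database is updated.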



EXAM WARNING
     Signatures are defined as a set of actions or events that constitute an attack pattern. They are used for comparison in real time against actual network events and conditions to determine if an active attack is taking place against the network. The drawback of using attack signatures for detection is that only those attacks for which there is a released signature will be detected. It is vitally important that the signature database be kept up to date.




A computing system, in its most basic abstraction, can be defined as a finite state machine, which literally means that there are only a specific predefined number of states that a system may attain. This limitation hinders the IDS, in that it can be well armed at only a single point in time (in other words, as well armed as the size of its database). This poses several problems:




                                                                              www.syngress.com