Network-Based Intrusion Detection Systems

Marco Cremonini, University of Milan, Italy

Introduction

Network Intrusion Detection Models

Anomaly Detection

Misuse Detection

Signature-Based NIDSs

Signature Examples

Tuning Signatures

Active Responses

Protocol-Based Intrusion Detection

Understanding Protocol Semantics

From Packet-Grepping to Protocol-Based Intrusion Detection

Evasion Techniques

Weaknesses of String Matching

Techniques

Testing NIDS

Approaches and Difficulties

Guidelines and Test Criteria

NIDS Deployment and Management

Basic Requirements for Large Organizations

Physical Deployment

Economics of NIDS

General Measurements

Evaluating Investments

Limitations of NIDSs and Innovative Research Efforts

Intrusion Detection for Web-Based Applications

Hybrid Systems

Combining Anomaly-Based and Signature-Based Intrusion Detection

NIDS in Wireless Networks

Conclusion

Glossary

Cross References

References

Further Reading

INTRODUCTION

This chapter focuses on the characteristics of network-based intrusion detection systems (NIDSs). NIDSs collect data from packets in transit on a network segment for the purpose of identifying and preventing inappropriate network uses. NIDSs have several fundamental functional components:

• Source of observed events: The source-of-event information used to determine whether an intrusion has taken place. The most common sources are recorded from an individual computer system (in host-based IDSs) or by capturing network packets in transit (in network-based IDSs). ...