The biggest advantage is that they’re cheap and easy to set up. You only need to install one NIDS to secure an entire local network of systems, and you don’t need to install software on any end hosts (like employees’ computers).
NIDS Evasion Attacks
Suppose we install a NIDS that alerts for a path traversal attack whenever it sees .. or its hex encoding in a packet. What evasion attack(s) could an attacker try on this scheme?
The attacker could send the first . and the second . in two different packets.
Depending on how the NIDS parses repeated TCP packets, the attacker could try and send two packets with the same sequence number and manipulate the TTLs, as seen in the firewalls lecture.
What is a disadvantage of using a NIDS?
Many of the disadvantages of using a NIDS come from the fact that it only inspects network packets, not the actual messages received by end hosts. This can lead to evasion attacks and being unable to understand encrypted TLS traffic.
Host-Based Intrusion Detection (HIDS)
What are some tradeoffs between HIDS and NIDS?
HIDS is more expensive than NIDS, since we have to install detection software on every individual end host, but it avoids the problem of inconsistent parsing between the detection system and the end host.
What are some advantages and disadvantages of logging?
Logging is usually the cheapest of the three options, since you don’t need to perform analysis in real-time. The disadvantage to this is that if an attack happens, you won’t be alerted in real-time either.
System Call Monitoring
Which intrusion detection method would be most appropriate for detecting a DoS attack?
NIDS is the best answer here. A HIDS would be more expensive to install, and doesn’t give us any more help, since we don’t need context from the end hosts to detect a DoS attack. Logging wouldn’t detect the attack in real-time, which could be problematic.
(Other answers may be possible depending on the specific details of the DoS attack.)
Note: This is one of the longer lectures of the semester. If you want to watch it in two sittings, this is a good halfway point to take a study break.
False Positives and False Negatives
Detection Tradeoffs, Base Rate Fallacy
System A has a false positive rate of 0.05% and a false negative rate of 1%. System B has a false positive rate of 1% and a false negative rate of 0.05%.
The cost of a false positive is $100, and the cost of a false negative is $10000. Which system is better?
Not enough information - we don’t know how often attacks happen.
Does signature-based detection use a blacklist (default allow) or a whitelist (default deny)?
Signature-based detection uses a blacklist, since you maintain a list of known attacks that you will alert on, and everything that’s not on the list will not trigger an alert. In other words, we allow all traffic by default, and only alert when an attack is on the blacklist.
Which detection scheme is least useful for detecting never-before-seen attacks?
Signature-based detection uses a list of known attacks, so it is least effective for detecting new unknown attacks. The other three detection schemes will alert when something unusual happens, so they are good for detecting unknown attacks.