Thursday, February 17, 2011

Security+ Exam Objectives 4.5

4.5 Monitoring Methodologies
Section 4.5 deals with ways to monitor a network and system. Monitoring tools such as intrusion detection systems follow one of a few detection methodologies, and the methodology determines how the tool decides whether observed activity is normal, benign, or malicious. Without monitoring, an intrusion can go unnoticed indefinitely; with it, the choice of methodology determines what gets noticed and what slips by. Remember, security is and should be multi-layered: each of the methods below has a blind spot, and they cover different ones.

  • Behavior-based – A baseline of normal activity (which hosts talk to which, how much traffic a user or server generates, when logins happen) has to be established first; from then on any deviation from that baseline is reported, which includes attacks and intrusions for which no signature exists. The drawback is false positives: because the tool flags deviation automatically, it cannot tell on its own whether a change is benign (a new backup job, a busy sales day) or malicious, so an analyst has to triage the alerts, and the baseline has to be re-learned as the environment changes.
  • Signature-based – This method relies on a database of patterns (signatures) of known malicious or unwanted activity, much like antivirus. Its strength is speed and precision: a match against a known signature is detected immediately, with few false positives. Its weakness is that an intrusion whose pattern is not in the database, a new exploit or a modified variant of an old one, is not detected at all. That gap is narrowed, never closed, by constantly updating the signature database as new threats are identified.
  • Anomaly-based – This method compares activity against a definition of what is valid, most often a protocol specification, and flags anything outside it as an anomaly. It is generally applied to protocols because protocols are well defined: the tool knows what a legitimate HTTP request or TCP handshake looks like, so a malformed or out-of-spec message stands out. The weakness is that traffic which obeys the protocol and stays within accepted thresholds is passed as normal, so malicious activity carried in perfectly valid requests can enter the system and remain unnoticed.
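As an added example (not part of the original post), the following Python script runs each of the three methodologies over a handful of constructed web-server log lines so the strengths and blind spots above can be seen side by side. The log format, the two signatures, the baseline threshold (mean plus three standard deviations of requests per client) and the client addresses are all assumptions made for the illustration, not taken from any real tool.

```python
"""Toy signature-, behavior- and anomaly-based detectors over constructed log lines.

Added example, not from the original post. Log lines, signatures, thresholds
and addresses are constructed for illustration only.
"""
import re
import statistics
from collections import Counter

# Constructed log format: "<client> <method> <path> <status>".
TRAINING_LOG = [                      # assumed "normal" window used to learn the baseline
    "10.0.0.5 GET /index.html 200",
    "10.0.0.5 GET /about.html 200",
    "10.0.0.6 GET /index.html 200",
    "10.0.0.7 POST /login 302",
    "10.0.0.6 GET /contact.html 200",
    "10.0.0.8 GET /index.html 200",
]
LIVE_LOG = [                          # window the detectors are run against
    "10.0.0.5 GET /index.html 200",
    "10.0.0.9 GET /../../etc/passwd 404",               # matches a known-bad pattern
    "10.0.0.9 GET /search?q=1'%20UNION%20SELECT 200",   # matches a known-bad pattern
    "10.0.0.10 GET /index.html 200",
    "10.0.0.10 GET /index.html 200",
    "10.0.0.10 GET /index.html 200",
    "10.0.0.10 GET /index.html 200",
    "10.0.0.10 GET /index.html 200",                    # burst well above the baseline
    "10.0.0.11 FOO /index.html 400",                    # not a valid HTTP method
    "10.0.0.12 GET /admin/export.csv 200",              # well-formed, low volume, no signature
]

# --- Signature-based: a database of known-bad patterns (assumed, two entries) ---
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"UNION(%20|\s)+SELECT", re.IGNORECASE),
}

def signature_based(lines):
    """Fast and precise, but only finds what is already in SIGNATURES."""
    return [(line, name) for line in lines
            for name, pat in SIGNATURES.items() if pat.search(line)]

# --- Behavior-based: learn a baseline, then flag deviation from it ---
def parse(line):
    client, method, path, status = line.split()
    return client, method, path, int(status)

def build_baseline(lines):
    """Mean and population std-dev of requests per client in the training window."""
    values = list(Counter(parse(l)[0] for l in lines).values())
    return statistics.mean(values), statistics.pstdev(values)

def behavior_based(lines, baseline, k=3.0):
    """Flag clients whose request count exceeds mean + k*stdev.
    The detector cannot know whether 10.0.0.10 is an attacker or a
    legitimate crawler; that triage is the analyst's job (the false-positive drawback)."""
    mean, sd = baseline
    counts = Counter(parse(l)[0] for l in lines)
    return {c: n for c, n in counts.items() if n > mean + k * sd}

# --- Anomaly-based: compare each request against the protocol definition ---
VALID_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}
REQUEST_SHAPE = re.compile(r"^\S+ [A-Z]+ /\S* \d{3}$")   # assumed line grammar

def anomaly_based(lines):
    """Flag lines that are malformed or use a method outside the spec.
    A request that obeys the protocol is passed as normal whatever its intent."""
    hits = []
    for line in lines:
        if not REQUEST_SHAPE.match(line):
            hits.append((line, "malformed"))
        elif parse(line)[1] not in VALID_METHODS:
            hits.append((line, "unknown-method"))
    return hits

def run(training=TRAINING_LOG, live=LIVE_LOG):
    """Run all three detectors and return their findings keyed by method."""
    baseline = build_baseline(training)
    return {
        "signature": signature_based(live),
        "behavior": behavior_based(live, baseline),
        "anomaly": anomaly_based(live),
    }

if __name__ == "__main__":
    for method, hits in run().items():
        print(f"{method}: {hits}")
```

Run as written, the signature detector catches the two lines from 10.0.0.9 and nothing else, the behavior detector flags only 10.0.0.10 (five requests against a learned threshold of three), and the anomaly detector flags only the FOO request from 10.0.0.11. The last line, from 10.0.0.12, is reported by none of them: it is protocol-valid, matches no signature and stays within the baseline, which is exactly the blind spot the bullets above describe and the reason the methods are layered rather than chosen.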
