Types of IDSs and Detection Methods
IDSs operate as network based, host based, or application based systems and focused on protecting network information assets. All the IDSs use one of 2 detection methods signature based, statistical anomaly-based.
Signature-Based IDS/ knowledge –based IDS
Signature Based IDS examines data traffic in search of patterns that match known as signatures. It is extensively used because many attacks have very clear and distinct signatures. Problem with this approach is that as new attack strategies are identified, the IDS’s database of signatures should be updated continually.
Statistical Anomaly-Based IDS
The statistical anomaly based IDS or behavior based IDS sample network activity to compare to traffic that is normal. When measured activity is outside baseline parameters or clipping level, IDS will trigger an alert to the administrator. It can also detect new types of attacks. Requires more overhead and processing capacity than signature based. It may generate several false positives and thus is less commonly used than the signature based type.