9.2 Statistical-Based IDS

The second major class of IDS products is roughly categorized as statistical IDS. Instead of relying on attack signatures, a statistical IDS attempts to learn the normal behavior of your network and classifies as noteworthy any traffic that departs from those learned patterns. For many years, statistical IDSs were laboratory experiments; the idea did not meet the needs of production networks. Recently, however, vendors have started to ship statistical IDSs that complement signature-based IDS applications. For example, one product learns user log-on patterns and generates an alert when a user's log-on falls outside the normal bounds.

Statistical IDSs suffer from a couple of drawbacks. The first is the need to learn the behavior of the network: whatever the sensor observes during the learning period becomes its definition of normal. It is thus possible to train a statistical IDS into thinking that something abnormal is normal, whether because an attacker was already active while the baseline was being built or because misuse is introduced gradually enough to be absorbed into it. Furthermore, to reduce the number of false positives (that is, alerts that turn out to be normal user behavior), most of these IDSs have a sensitivity level that can be adjusted, as in biometric authentication systems. The same risks that apply to sensitivity adjustments in biometric systems also apply here. Making the sensor too sensitive will generate too many alerts and annoy both users and administrators. Lowering the sensitivity too much will increase the opportunity for undetected misuse of network resources (false negatives).
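As an added illustration (not code from the book), here is a minimal statistical log-on sensor in Python. It runs the learning phase over constructed audit records, scores later log-ons against the learned per-user baseline with an adjustable sensitivity threshold, and then repeats the learning phase with an attacker active during it. The record format, user names, addresses, spread floor and thresholds are all assumptions of the example.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample audit records (not from the book). The record format,
# "<date> <HH:MM> LOGON user=<name> src=<ip>", is an assumption for this example.
TRAINING_LOG = """\
2004-03-01 08:55 LOGON user=alice src=10.1.1.5
2004-03-01 09:10 LOGON user=alice src=10.1.1.5
2004-03-02 08:40 LOGON user=alice src=10.1.1.5
2004-03-02 09:20 LOGON user=alice src=10.1.1.5
2004-03-03 08:50 LOGON user=alice src=10.1.1.5
2004-03-03 09:05 LOGON user=alice src=10.1.1.5
2004-03-04 08:45 LOGON user=alice src=10.1.1.5
2004-03-04 09:15 LOGON user=alice src=10.1.1.5
"""

# Log-ons to score after the learning phase: a late but plausible arrival,
# a 03:00 log-on, and a user the sensor has never seen.
TEST_LOG = """\
2004-03-08 09:35 LOGON user=alice src=10.1.1.5
2004-03-08 03:00 LOGON user=alice src=10.1.1.5
2004-03-08 09:00 LOGON user=bob src=10.1.1.9
"""

# An attacker who already holds alice's credentials during the learning period.
POISON_LOG = """\
2004-03-05 03:00 LOGON user=alice src=10.1.1.5
2004-03-06 03:00 LOGON user=alice src=10.1.1.5
2004-03-07 03:00 LOGON user=alice src=10.1.1.5
2004-03-08 03:00 LOGON user=alice src=10.1.1.5
"""

LINE_RE = re.compile(r"^\S+ (\d{2}):(\d{2}) LOGON user=(\S+) src=\S+$")
MIN_SPREAD = 5.0  # minutes; floor so a very regular user does not alert on every minute of drift


def parse(log):
    """Yield (user, minutes_since_midnight) for each well-formed log-on record."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:  # silently skip anything that is not a log-on record
            hh, mm, user = m.groups()
            yield user, int(hh) * 60 + int(mm)


def learn_baseline(log):
    """Learning phase: per-user mean and spread (population std dev) of log-on time.
    Time of day is treated as a line, not a circle, which is adequate for a
    daytime baseline like this one."""
    samples = defaultdict(list)
    for user, minute in parse(log):
        samples[user].append(minute)
    return {user: (statistics.fmean(mins), max(statistics.pstdev(mins), MIN_SPREAD))
            for user, mins in samples.items()}


def score(baseline, user, minute):
    """Distance of a log-on from the user's baseline, in standard deviations.
    A user with no baseline at all is treated as maximally anomalous."""
    if user not in baseline:
        return float("inf")
    mean, spread = baseline[user]
    return abs(minute - mean) / spread


def detect(baseline, log, sensitivity):
    """Return (user, minute, score) for every log-on whose score exceeds the
    threshold. A lower threshold is a more sensitive sensor: more alerts and
    more false positives; a higher threshold trades them for missed misuse."""
    hits = []
    for user, minute in parse(log):
        s = score(baseline, user, minute)
        if s > sensitivity:
            hits.append((user, minute, round(s, 1)))
    return hits


if __name__ == "__main__":
    clean = learn_baseline(TRAINING_LOG)
    for threshold in (2.0, 3.0, 30.0):
        print(f"threshold {threshold:>4}: {detect(clean, TEST_LOG, threshold)}")
    # Same sensor, but the attacker was active while it was learning.
    poisoned = learn_baseline(TRAINING_LOG + POISON_LOG)
    print("poisoned baseline:", detect(poisoned, TEST_LOG, 3.0))
```

Running the block prints the alerts at three thresholds. At 2.0 the plausible 09:35 log-on is reported alongside the 03:00 one (a false positive); at 3.0 only the 03:00 log-on and the never-seen user are reported; at 30.0 the 03:00 log-on is missed. The poisoned baseline misses it even at 3.0: four 03:00 log-ons during learning shift alice's mean to 07:00 and widen her spread from about 14 minutes to nearly three hours, so a 03:00 log-on scores well inside normal.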

Closely related to statistical IDSs, but generally allocated their own taxonomical designation, are anomaly detection systems (ADSs), also termed protocol anomaly detection (PAD). These devices operate on the assumption that there is a definable number of proper ways in which a protocol should operate; anything outside that range is considered suspicious. Because such a check describes the protocol rather than a particular attack, it can flag a malformed request it has never seen before. Individual alerts, statistically examined, can also alert network administrators to much larger Internet attack trends. As with statistical IDSs, ADSs attempt to identify attacks before they are widely known and a signature for them exists.
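As an added example of protocol anomaly detection (again not code from the book), the following Python function checks a raw HTTP request head against a small conformance policy: the request-line grammar, the permitted methods and versions, URI length and character set, and header count and shape. Nothing in it is a signature for any particular exploit; it flags any request that is not one of the expected ways of speaking the protocol. The bounds, the method list and the sample requests are constructed for this example.

```python
import re

# Conformance policy for HTTP/1.x request heads. The bounds are an assumption
# for this example: generous for real clients, far below what an overflow or
# request-smuggling attempt typically needs.
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}
ALLOWED_VERSIONS = {("1", "0"), ("1", "1")}
MAX_URI_LEN = 2048
MAX_HEADERS = 64
MAX_HEADER_LINE = 4096

REQUEST_LINE = re.compile(r"([A-Z]+) (\S+) HTTP/(\d)\.(\d)")
HEADER_LINE = re.compile(r"([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*)")


def check_http_request(raw):
    """Return a list of protocol anomalies found in a raw request head.
    An empty list means the request uses HTTP in one of the expected ways."""
    findings = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        findings.append("request head not terminated by CRLF CRLF")
    lines = head.split(b"\r\n")

    # Request line: METHOD SP URI SP HTTP/x.y, ASCII only.
    try:
        request_line = lines[0].decode("ascii")
    except UnicodeDecodeError:
        return findings + ["non-ASCII bytes in request line"]
    m = REQUEST_LINE.fullmatch(request_line)
    if m is None:
        return findings + ["request line is not METHOD SP URI SP HTTP/x.y"]
    method, uri, major, minor = m.groups()
    if method not in ALLOWED_METHODS:
        findings.append(f"unexpected method {method!r}")
    if (major, minor) not in ALLOWED_VERSIONS:
        findings.append(f"unexpected version HTTP/{major}.{minor}")
    if len(uri) > MAX_URI_LEN:
        findings.append(f"URI length {len(uri)} exceeds {MAX_URI_LEN}")
    # \S already excludes whitespace; this catches the remaining control bytes and DEL.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in uri):
        findings.append("control characters in URI")

    # Header lines: bounded count and length, each a well-formed "name: value".
    header_lines = lines[1:]
    if len(header_lines) > MAX_HEADERS:
        findings.append(f"{len(header_lines)} header lines exceeds {MAX_HEADERS}")
    names = set()
    for line in header_lines:
        if len(line) > MAX_HEADER_LINE:
            findings.append(f"header line length {len(line)} exceeds {MAX_HEADER_LINE}")
            continue
        hm = HEADER_LINE.fullmatch(line.decode("latin-1"))
        if hm is None:
            findings.append(f"malformed header line {line[:24]!r}")
            continue
        names.add(hm.group(1).lower())
    if (major, minor) == ("1", "1") and "host" not in names:
        findings.append("HTTP/1.1 request without Host header")
    return findings


# Constructed sample requests (not real captures).
SAMPLES = {
    "normal": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: x\r\n\r\n",
    "long_uri": b"GET /" + b"A" * 3000 + b" HTTP/1.0\r\n\r\n",
    "ctrl_in_uri": b"GET /cgi-bin/x?\x01\x02 HTTP/1.1\r\nHost: a\r\n\r\n",
    "odd_method": b"XYZZY / HTTP/1.1\r\nHost: a\r\n\r\n",
    "odd_version": b"GET / HTTP/9.9\r\n\r\n",
    "no_host": b"GET / HTTP/1.1\r\n\r\n",
    "bare_lf": b"GET / HTTP/1.1\nHost: a\n\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12} -> {check_http_request(raw) or 'conforming'}")
```

The 3000-byte URI and the control bytes in the query string are the shapes a buffer-overflow or encoding attack against a web server tends to take, yet the check knows nothing about any such attack; it only knows what a request line should look like. The cost is the same tuning problem as with the statistical sensor: set MAX_URI_LEN below what some legitimate application emits and every one of its requests becomes an alert.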

Ultimately, an effective IDS is going to have elements from all three groups of IDS technologies: signature-based, statistical, and anomaly-based. No single technology can successfully account for the wide variety of Internet-based attacks. As it turns out, however, even a system running all of these IDS methods still may not detect every attack. There are other factors to consider when choosing an IDS.


Network Perimeter Security: Building Defense In-Depth
ISBN: 0849316286
Year: 2004
Pages: 119
Authors: Cliff Riggs

flylib.com © 2008-2017.