
Intrusion Detection System - technical definition

A security appliance, or software running on a host, that attempts to detect and warn of ongoing or attempted computer system cracks in real time or near-real time. Intrusion detection systems fall into three broad categories: anomaly based, pattern based, and specification based. The first two are the most widely used; the third is still in its infancy.

Anomaly-based IDSes treat any observed behavior of a system or network that they have not seen before as a potential attack; they therefore require extensive training so that the IDS can distinguish good traffic from bad. Pattern-based IDSes assume that attack patterns are known in advance and can therefore be matched; because they cannot detect new attack types, they require constant maintenance to incorporate signatures for new attacks. Specification-based IDSes look for system states known to be undesirable and report an intrusion when such a state is detected. Common to all three is that intrusion-detection analysts review the generated logs together with other available network information (such as traffic patterns, unusual open ports, or unexpected running processes) to look for suspected or actual intrusions. This process is time consuming and requires considerable expertise on the part of the analysts. A trend toward more automated intrusion prevention systems, which actively step in and limit access to systems, can be observed.
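The three categories above differ mainly in what they compare observed activity against: a list of known-bad patterns, a learned baseline of normal behavior, or an explicit specification of acceptable system state. The following added example (not part of the dictionary entry, and not from any real IDS product) implements one toy detector per category and runs them over constructed sample data. The log format, the two signatures, the burst threshold, the host "specification" and every IP address and hostname are assumptions made for illustration.

```python
"""Added example, not from the dictionary entry: one toy detector per
IDS category (pattern, anomaly, specification), run over constructed
sample data. Signatures, thresholds, hosts and the 'specification'
are all assumptions made for illustration."""
import re
from collections import Counter

# Constructed sample records in the assumed format "<src_ip> <dst_port> <payload>"
TRAINING_LOG = [  # known-good traffic used to train the anomaly detector
    "10.0.0.5 80 GET /index.html",
    "10.0.0.5 80 GET /about.html",
    "10.0.0.6 22 SSH-2.0-OpenSSH",
    "10.0.0.7 443 GET /login",
    "10.0.0.7 443 POST /login",
    "10.0.0.8 80 GET /index.html",
]
LIVE_LOG = [  # traffic under inspection
    "10.0.0.5 80 GET /index.html",
    "10.0.0.9 80 GET /item?id=1' OR '1'='1",  # matches a signature below
    "10.0.0.11 22 SSH-2.0-OpenSSH",
    "10.0.0.11 22 SSH-2.0-OpenSSH",
    "10.0.0.11 22 SSH-2.0-OpenSSH",
    "10.0.0.11 22 SSH-2.0-OpenSSH",
    "10.0.0.11 22 SSH-2.0-OpenSSH",           # far busier than any training source
    "10.0.0.13 6667 NICK bot",                # port never seen in training
]


def parse(line):
    """Split one record into (source ip, destination port, payload)."""
    src, port, payload = line.split(" ", 2)
    return src, int(port), payload


# --- Pattern-based: match traffic against previously known attack signatures ---
SIGNATURES = {  # assumed signatures; a real IDS ships thousands
    "sqli_tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "path_traversal": re.compile(r"\.\./"),
}


def pattern_based(lines):
    """Flag every record that matches a known signature. New attack
    types are invisible until a signature for them is added."""
    return [(name, line) for line in lines
            for name, rx in SIGNATURES.items() if rx.search(line)]


# --- Anomaly-based: learn 'normal' from training data, flag deviations ---
def train_baseline(lines):
    """Record the ports seen and the busiest single source during training."""
    ports = {parse(l)[1] for l in lines}
    busiest = max(Counter(parse(l)[0] for l in lines).values())
    return {"ports": ports, "max_per_source": busiest}


def anomaly_based(lines, baseline, burst_factor=2):
    """Flag ports absent from the baseline and sources sending more than
    burst_factor times the busiest training source. Anything unseen in
    training is suspect, which is why training data must be representative."""
    alerts, seen = [], set()
    for line in lines:
        src, port, _ = parse(line)
        if port not in baseline["ports"] and (src, port) not in seen:
            seen.add((src, port))
            alerts.append(("unseen_port", src, port))
    for src, n in Counter(parse(l)[0] for l in lines).items():
        if n > burst_factor * baseline["max_per_source"]:
            alerts.append(("burst", src, n))
    return alerts


# --- Specification-based: compare observed system state with an explicit spec ---
SPEC = {"web": {80, 443}, "db": {5432}}  # assumed: allowed listening ports per role
SYSTEM_STATE = {  # constructed snapshot of two hosts
    "web01": {"role": "web", "listening": {80, 443, 6667}},
    "db01": {"role": "db", "listening": {5432}},
}


def specification_based(state, spec=SPEC):
    """Report (host, port) for every listening port the spec does not allow."""
    return [(host, port) for host, info in state.items()
            for port in sorted(info["listening"] - spec[info["role"]])]


if __name__ == "__main__":
    print("pattern:", pattern_based(LIVE_LOG))
    print("anomaly:", anomaly_based(LIVE_LOG, train_baseline(TRAINING_LOG)))
    print("spec:   ", specification_based(SYSTEM_STATE))
```

Run as a script, the pattern detector fires only on the record containing the tautology signature, the anomaly detector reports the unseen port 6667 and the burst from 10.0.0.11, and the specification detector reports web01 listening on a port its role does not permit. Note that the anomaly detector would also have flagged the SSH traffic had port 22 been absent from the training set, which illustrates why the entry stresses extensive training for that category.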

In March 2004, Hewlett-Packard Company officials said that their software engineers had developed software that they believed could slow the spread of Internet worms and viruses. Tentatively dubbed "Virus Throttler," this software not only identified suspicious network traffic and alerted professionals to it but also slowed some of the computer's functions so that the worm or virus was impeded. This capability was meant to give the professional the time needed to remove the cyber intruder. Shortly after announcing the package, Hewlett-Packard shelved it for several months because of insurmountable difficulties with integrating it into Microsoft's Windows operating systems. The difficulties were resolved.

See Also: Audit Trail; Exploit; Forensics; Intrusion; Log; Virus; Vulnerabilities of Computers; Worm.

Sources: In Brief. HP Strikes at Worms. The Globe and Mail, December 2, 2004, p. B11. Symantec Security Response. Glossary. [Online, July 15, 2004.] Symantec Security Response Website. http://securityresponse.symantec.com/avcenter/refa.html