Lets start at the basics, Network IPS and IDS – Intrusion Prevention and Detection. IPS usually sits inline with the traffic flow and allows packets to be stopped and prevent an attack whereas IDS will simply alert the SecOPS team that there is a potential threat then needs investigating, IPS can be troublesome in routing network traffic so it passes through a single appliance, that appliance needs to be able to handle a large amount of big data. The IDS on the other hand can sit via a network Tap so doesn’t need to pass all the traffic however a tap is required to process the data.
The signature challenge is a real problem which IPS/IDS tuning a key part of the deployment with many venders producing tens of thousands of signatures for all the traffic seen by the IPS/IDS appliances. This can create a lot of false positives as well as false negatives, its not really a sit and forget type of deployment – it needs work to study the environment to make sure there isn’t any unwelcome outages due to a prevention policy.
So lets look at the signatures, there basically 3 types of signatures for an IPS/IDS deployment.
Signature-Based Detection (Pattern Detection)
Anomaly Detection
Behavioural Analysis
For each of the Detection methods there are 2 types of signatures one is a single event which is very specific and not very common as a wider signature set, these are often used as custom events to specifically trigger an event. The second is a sequence of specific events that formulate a threat or an attack – This type of signature must maintain state when processing the traffic as all packet data must be seen to trigger the sequence whereas the single event doesn’t require this to happen as once seen the alert can be trigger and the state is no longer needed.
Signature-Based Detection
An IPS/IDS signature in its finest form is a collection of patterns that match a sequence of events to create an alert for the SecOPS teams. The pattern is very specific to a threat (be it a vulnerability, exploit or malware), this is needed to reduce the false positive rate.
Known exploits usually don’t change or evolve so this type of signature for the exploit is very powerful but as malware changes at a rapid rate using this type of signature for malware detection can create a lot noise and headaches. With this though the signature really needs to have enough information to trigger an alert even if only certain criteria is matched from the pattern sequence.
This type of signature is very powerful with legacy systems as the system isn’t going to change much from the vulnerabilities and exploits that are current for example there are 361 known CVE’s on a windows 2008 server and in 2024 that is unlikely to change.
Anomaly Detection
Anomaly Detection Signatures are not based on a sequence or single event like the signature-based detection but are based when certain activities are triggered however this can create a lot of challenges to determine what a real threat vs normal traffic is. This process needs to be understood so the SecOPS team can successfully determine if this is part of an attack or normal traffic.
Once the SecOPS team knows what normal activities are then signatures can be created for specific events to be triggered on specific network segments protecting certain workloads – this is also extremely powerful in an Operation Technology Environment where the traffic should not really changed than much on a day to day actions.
With the advances in Machine Learning and AI development these type of signatures will be swapped for a powerful supervised and unsupervised machine learning model where true baselining of the traffic can be performed.
Behavioural Detection
Behavioural Detection Signatures in a network Environment is very tricky as its quite specific to what is being looked for, this type of signature works well as a host based signature for example running powershell as an elevated user could be a very useful detection for an alert. Network Behaviour detection is used to detect unusual traffic flows and protocol activity – but this creates a large amount of false positives when alerting the SecOPS teams. There is a lot of noise that can be seen and only really works in an IDS functionality. As with the Anomaly detection this will be swapped out for machine learning models and algorithms to baseline the traffic correctly to apply policy.
When we look at the signature sets we can clearly see that for legacy systems and applications the signature-based detection IPS/IDS Systems are very powerful and can create clear concise alerts for the SecOPS teams, this would also be the case for new exploit outbreaks such as log4j giving the infrastructure teams time to patch exposed systems as we as protecting the applications and systems that can no longer be patched with new security updates. Both Anomaly and Behavioural Signature Detection will be superseded by Machine learning models than can more accurately based line the traffic in out of network segments and workloads to determine what is legit traffic over a threat. Using both these models would be the ideal solution to any legacy protection.
