IDS




       1. Define IDS

        Intrusion detection is the process of monitoring computer and network events in order to identify abnormal incidents; such an unusual event is treated as a possible intrusion. It has been defined as "the process of identifying and responding to malicious activity targeted at computing and networking resources" [1]. An intrusion detection system (IDS) detects unwanted exploitation of a computer system, whether the attack arrives over the Internet or over the intranet.



        2. Discuss the main challenges facing IDS.

One challenge is the high speed of today's networks: a large amount of data has to be captured, analysed, monitored and classified, and the IDS becomes the bottleneck as soon as it cannot keep pace with the link. Network speeds grow faster than processor speeds, so the problem cannot be solved simply by giving the NIDS a faster CPU.
In addition, storing traffic for later analysis of the packet payload requires a vast amount of storage.
The other issue confronting NIDSs is the growth and speed with which new attacks, viruses and worms appear on the Internet.


There are two types of IDS based on the data source: packet-based IDS and flow-based IDS. A packet-based IDS analyses the whole packet, payload included, while a flow-based IDS does not inspect the payload; it inspects only a summary derived from the packet headers.

     
    3. How does a flow-based IDS work?


    Flow data is widely used as a data source in applications such as network monitoring, traffic analysis and security.
One important fact about network flows is that, unlike the packet-based approach, they carry no packet payload at all.
A flow-based IDS instead relies on information and statistics about network flows.
A flow is a unidirectional stream of packets between two computer systems in which all packets share the following characteristics: source and destination IP address, source and destination port number, and protocol value (the 5-tuple).
A NetFlow setup consists of two components: an exporter and a collector.
The flow exporter (a probe, a switch or a router) extracts the headers from each packet seen on the monitored interface.
The exporter creates flow records from the observed traffic and sends them over the network to the collector.
The collector stores the flow records received from the exporter and makes them available to the NIDS for further analysis.




  4. Is it possible to operate a flow-based IDS at high traffic speed? Explain.

Yes. A flow-based IDS is the better choice for high-speed networks because it reads only the packet headers, whereas a packet-based IDS must also read the payload, which makes it slower.
A flow-based IDS therefore deals with only a fraction of the total amount of data that has to be monitored and processed. Measured in bytes of network load, the overhead caused by NetFlow export is on average about 0.2%.
Consequently, performance is not the main concern for flow-based detection. The price is visibility: an attack that shows up only in the payload cannot be detected from flow records.
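The exporter/collector split of question 3 and the data-reduction argument of question 4 are easier to see in code. The following Python sketch is an added example, not code from the post or from the cited paper: it aggregates packet headers into unidirectional 5-tuple flow records the way an exporter would, computes how many bytes the collector receives compared with the bytes on the wire, and runs one header-only detection (a port-scan check) over the records. The inactive timeout of 60 seconds, the 48-byte record size and the packet stream are all assumptions constructed for the example; real exporters also expire flows on TCP FIN/RST and on an active timeout, which is omitted here.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    """Header fields an exporter reads from each packet (the payload is never kept)."""
    ts: float        # capture time in seconds
    src_ip: str
    dst_ip: str
    proto: int       # 6 = TCP, 17 = UDP
    src_port: int
    dst_port: int
    length: int      # bytes on the wire, payload included


@dataclass
class FlowRecord:
    """One unidirectional NetFlow-style record, keyed by the 5-tuple."""
    key: tuple       # (src_ip, dst_ip, src_port, dst_port, proto)
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0


FLOW_TIMEOUT = 60.0   # assumed inactive timeout: a flow idle this long is expired and exported
RECORD_SIZE = 48      # assumed bytes per exported record (roughly a NetFlow v5 record)


def export_flows(packets, timeout=FLOW_TIMEOUT):
    """Exporter role: aggregate packets sharing the 5-tuple into flow records.
    Packets are processed in time order; a record idle longer than `timeout`
    is expired and a fresh record is started for the same 5-tuple."""
    active = {}
    exported = []
    for p in sorted(packets, key=lambda x: x.ts):
        key = (p.src_ip, p.dst_ip, p.src_port, p.dst_port, p.proto)
        rec = active.get(key)
        if rec is not None and p.ts - rec.last_seen > timeout:
            exported.append(active.pop(key))
            rec = None
        if rec is None:
            rec = FlowRecord(key, p.ts, p.ts)
            active[key] = rec
        rec.last_seen = p.ts
        rec.packets += 1
        rec.octets += p.length
    exported.extend(active.values())   # flush records still active at end of capture
    return exported


def reduction_ratio(packets, flows, record_size=RECORD_SIZE):
    """Bytes the collector receives as flow records divided by bytes seen on the wire."""
    wire_bytes = sum(p.length for p in packets)
    exported_bytes = len(flows) * record_size
    return exported_bytes / wire_bytes


def detect_port_scans(flows, min_ports=10):
    """Collector/NIDS role: flag a source that opens many tiny TCP flows to distinct
    ports on one host. Needs nothing but the exported records, no payload."""
    touched = defaultdict(set)
    for f in flows:
        src, dst, _sport, dport, proto = f.key
        if proto == 6 and f.packets <= 2:
            touched[(src, dst)].add(dport)
    return {pair: len(ports) for pair, ports in touched.items() if len(ports) >= min_ports}


def build_sample_traffic():
    """Constructed packets, not a real capture: one bulk TLS transfer of 200 packets,
    one DNS query, and a host probing 20 ports on 10.0.0.5 with a single SYN each."""
    pkts = [Packet(100.0 + i * 0.01, "10.0.0.5", "93.184.216.34", 6, 44321, 443, 1400)
            for i in range(200)]
    pkts.append(Packet(100.5, "10.0.0.5", "10.0.0.1", 17, 53000, 53, 80))
    pkts += [Packet(101.0 + port * 0.001, "198.51.100.7", "10.0.0.5", 6, 40000 + port, port, 60)
             for port in range(1, 21)]
    return pkts


if __name__ == "__main__":
    pkts = build_sample_traffic()
    flows = export_flows(pkts)
    print(f"{len(pkts)} packets -> {len(flows)} flow records")
    print(f"collector receives {reduction_ratio(pkts, flows):.2%} of the bytes on the wire")
    for (src, dst), n in detect_port_scans(flows).items():
        print(f"possible port scan: {src} -> {dst}, {n} distinct ports")
```

The 221 constructed packets collapse into 22 records (one per 5-tuple), and the collector sees well under one percent of the wire bytes, which is the reason flow export scales to fast links. The scan check works because each probe uses a different source port and so becomes its own one-packet flow; the same records could not tell you what was inside the TLS transfer, which is the visibility trade-off of the flow-based approach.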




Choose the best answer:
1. Another name for anomaly-based IDS is: 1) misuse IDS  2) behavior IDS

2. Signature-based IDS mostly uses: 1) packet-based  2) flow-based

3. Anomaly-based IDS mostly uses: 1) packet-based  2) flow-based




REFERENCE: 

Alaidaros, H., Mahmuddin, M., & Al-Mazari, A. (2011). An Overview of Flow-Based and Packet-Based Intrusion Detection Performance in High Speed Networks.





