1.

What Are The Limitations Of NIDS?

Answer»

Limitations of NIDS:

  1. A mere workaround: A number of researchers have argued that a NIDS is more or less a workaround for the flaws and weak or missing security mechanisms in an operating system, an application, and/or a protocol.
  2. False positives: NIDS comes with a bane, i.e. false positives. A false positive is an event in which a NIDS falsely raises a security threat alarm for harmless traffic. Signatures can be tuned precisely to reduce such false positives; however, fine-grained signatures create a significant performance bottleneck, which is the next limitation of NIDS. Current anomaly-based algorithms lead to even more false positives.
  3. Performance issues: Current signature-based NIDS use regular-expression signatures, which create a significant performance bottleneck. To reduce false positives, long signatures are required, which further reduces performance. The data throughput of current NIDS is limited to a few gigabits per second.
  4. Encryption: The ultimate threat to the very existence of signature-based NIDS is the increasing use of data encryption. Everyone wants to encrypt their data before transmission. Once packet payloads are encrypted, the existing signatures become completely useless for identifying anomalous and harmful traffic.
  5. New and sophisticated attacks: Commercial NIDS, which are signature-based, are unable to detect new attacks whose signatures have not yet been devised. Anomaly-based NIDS can detect such attacks, but due to the limitations of current anomaly detection algorithms, an intelligent attacker can always develop attacks that remain undetected.
  6. Human intervention: Almost all NIDS require constant human supervision, which slows down detection and the associated actions. Some recent systems, such as Network Intrusion Prevention Systems (NIPS), can automatically take pre-programmed actions, but these are limited to well-known attacks.
  7. Evasion of signatures: A number of researchers have argued that it is not difficult for an attacker to evade a signature. Additionally, there has been an increase in polymorphic worms, which can automatically change their propagation characteristics, thereby effectively changing their signatures. Such worms also pose a critical threat to current NIDS.
