There are four detection methods that are common among most intrusion protection systems (IPS). These methods are known as signature-, policy-, anomaly-, and reputation-based detection.
Signature-based detection uses a set of rules to identify intrusive activity. Sensors scan IP packets against the existing signatures to detect known attacks and respond with predefined actions. Signatures must be tuned to reduce false positives and to avoid blocking legitimate traffic from entering the network. Signature-based IPS should be vulnerability-focused rather than exploit-focused.
Policy-based detection identifies actions that violate traffic policies predefined by the network security administrator. Policy-based detection typically does not look for malicious or abnormal behavior, only for traffic that the policy disallows.
Anomaly-based detection looks for abnormal statistical and protocol behavior. A statistical baseline generally focuses on traffic patterns, traffic mix, and traffic volume; a protocol baseline focuses on traffic that deviates from protocol standards. Like policy-based detection, anomaly…
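To make the four methods concrete, here is an added example (not code from the original post or from any IPS vendor): a toy inline inspector that runs one signature rule, one policy rule, a reputation list and a statistical volume baseline over constructed flow records. The rule name, ports, addresses, threshold and byte counts are all constructed for illustration; the signature is written vulnerability-focused (any over-long USER field) rather than matching one exploit string, which is the distinction the paragraph above draws.

```python
import re
import statistics
from dataclasses import dataclass


@dataclass
class Flow:
    """One summarized flow (constructed input; no real traffic)."""
    src: str
    dst: str
    dport: int
    payload: bytes
    bytes_out: int


# Signature: a named pattern. Vulnerability-focused (any over-long USER field)
# rather than exploit-focused (one exploit's exact string), so variants of the
# same attack still match. Hypothetical rule, not a vendor signature.
SIGNATURES = {
    "SIG-0001 oversized-username-field": re.compile(rb"USER [^\r\n]{64,}"),
}

# Policy: administrator-defined rules; a hit means "disallowed", not "malicious".
POLICY_BLOCKED_PORTS = {23, 445}       # constructed: no telnet/SMB from outside
MANAGEMENT_NET_PREFIX = "10.0.0."      # constructed management network

# Reputation: constructed sample entry standing in for a threat-intel feed.
BAD_REPUTATION = {"203.0.113.7"}

# Statistical baseline: constructed per-flow byte counts from "normal" traffic.
BASELINE_HISTORY = [500, 520, 480, 510, 490, 505, 495, 515]


def signature_detect(flow):
    return [name for name, pat in SIGNATURES.items() if pat.search(flow.payload)]


def policy_detect(flow):
    if flow.dport in POLICY_BLOCKED_PORTS and not flow.src.startswith(MANAGEMENT_NET_PREFIX):
        return [f"POLICY port {flow.dport} from non-management source {flow.src}"]
    return []


def build_baseline(history):
    """Mean and population standard deviation of historical bytes_out."""
    return statistics.fmean(history), statistics.pstdev(history)


def anomaly_detect(flow, baseline, z_threshold=3.0):
    """Flag a flow whose volume sits more than z_threshold deviations above baseline."""
    mean, stdev = baseline
    if stdev == 0:  # degenerate baseline: deviation cannot be scored
        return []
    z = (flow.bytes_out - mean) / stdev
    return [f"ANOMALY bytes_out={flow.bytes_out} z={z:.1f} above baseline"] if z > z_threshold else []


def reputation_detect(flow):
    return [f"REPUTATION {flow.src} on blocklist"] if flow.src in BAD_REPUTATION else []


def inspect_flow(flow, baseline):
    """Apply all four methods; returns the alert strings raised for one flow."""
    alerts = signature_detect(flow) + policy_detect(flow) + reputation_detect(flow)
    return alerts + anomaly_detect(flow, baseline)


# Constructed sample flows, one per detection outcome.
SAMPLE_FLOWS = {
    "normal-http":         Flow("192.0.2.10", "198.51.100.5", 80, b"GET / HTTP/1.1\r\n", 510),
    "long-user-field":     Flow("192.0.2.11", "198.51.100.6", 21, b"USER " + b"A" * 80 + b"\r\n", 505),
    "telnet-from-outside": Flow("192.0.2.12", "198.51.100.7", 23, b"", 500),
    "telnet-from-mgmt":    Flow("10.0.0.5", "198.51.100.7", 23, b"", 500),
    "blocklisted-source":  Flow("203.0.113.7", "198.51.100.8", 443, b"", 500),
    "volume-spike":        Flow("192.0.2.13", "198.51.100.9", 443, b"", 50000),
}


def run_demo():
    """Inspect every sample flow; returns {label: [alerts]}."""
    baseline = build_baseline(BASELINE_HISTORY)
    return {label: inspect_flow(flow, baseline) for label, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, alerts in run_demo().items():
        print(f"{label:22s} {alerts or 'no alert'}")
```

Running the script prints one line per sample flow: the plain HTTP request and the telnet session from the management network raise nothing, while each of the other flows trips exactly one method. The two telnet flows are the point of the policy rule: the same traffic is allowed or blocked purely by who sends it, with no judgement about whether it is malicious, which is why policy hits should be tuned and reviewed separately from signature hits.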