Intrusion Detection Systems (IDS) are essential for identifying unauthorized activities, such as network scanning, which attackers use to map out network structures and identify potential vulnerabilities. IDS employ several methods to detect these scanning activities:
1. Signature-Based Detection
This method relies on a database of known attack patterns or "signatures." The IDS monitors network traffic and compares it against these signatures. If a match is found, indicating a known scanning technique, the system triggers an alert.
Example: An IDS might recognize a sequence of SYN packets sent to multiple ports on a single host—a common signature of a TCP SYN scan.
2. Anomaly-Based Detection
Anomaly detection involves establishing a baseline of normal network behavior. The IDS then monitors for deviations from this baseline that may suggest malicious activity.
Example: If a host that typically communicates with a few other systems suddenly initiates connections to numerous IP addresses, the IDS may flag this as anomalous behavior indicative of a network scan.
3. Heuristic or Behavior-Based Detection
This approach uses algorithms and rules to assess traffic behavior for patterns consistent with scanning activities. Unlike strict signature matching, heuristic detection can identify new or obfuscated scanning methods by evaluating the behavior's characteristics.
Example: An IDS may detect an IP address that systematically attempts connections to a range of ports across multiple hosts, suggesting a horizontal port scan.
Use Cases and Examples
-
Vertical Scanning Detection: An attacker targets multiple ports on a single host. The IDS observes numerous connection attempts to various ports from the same source and raises an alert.
-
Horizontal Scanning Detection: An attacker probes the same port across multiple hosts. The IDS detects repeated connection attempts to the same port number on different IP addresses within a short timeframe.
-
Stealth Scanning Detection: Techniques like slow scans or fragmented packet scans are used to evade detection. Advanced IDS can identify these by analyzing patterns over extended periods or reassembling fragmented packets to inspect the complete payload.
By integrating these detection methods, IDS provide a robust defense mechanism against network scanning activities, enabling organizations to identify and respond to potential threats proactively.
