B.3 Detection Methods - ZyXEL Communications ZYWALL IDP 10 User Manual

Intrusion detection prevention appliance
ZyWALL IDP10 User's Guide
not. If a malicious packet is detected, an action is taken. The remaining packets that make up that
particular TCP session are also discarded.

B.3 Detection Methods

An IDP system employs a mix of detection methods to identify attacks.
B.3.1 Pattern Matching
Pattern matching identifies a fixed sequence of bytes in a single packet. In addition to the signature
byte sequence, the IDP should also be able to match various combinations of the source and
destination IP addresses or ports and the protocol.
This method does not apply well to network streams such as HTTP sessions as it inspects single
packets at a time.
B.3.2 Stateful Pattern Matching
Stateful pattern matching operates based on the established session, rather than on a single packet. It
considers arrival order of packets in a TCP stream and handles matching patterns across packets. For
example, if an exploit is split across two packets, stateful pattern matching will reassemble the traffic
stream and make the complete string available to the detection engine. This requires large amounts of
memory and processing power to track a potentially large number of open sessions for as long as
possible.
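The difference between B.3.1 and B.3.2 can be seen in a small simulation. The following is an added example and not code from the ZyWALL IDP 10 or its manual: it matches one constructed signature against a constructed two-segment TCP session, first packet by packet and then after reassembling the segments by sequence number (the reassembler also refuses to match across a gap of missing bytes, which is one of the cases that makes session tracking costly).

```python
# Added example: single-packet matching (B.3.1) versus stateful matching (B.3.2).
# Signature, addresses, ports and payloads below are all constructed for this demo.
from dataclasses import dataclass

SIGNATURE = b"/cgi-bin/../../etc/passwd"  # constructed signature byte sequence

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes

def match_single_packet(segments, signature=SIGNATURE):
    """B.3.1: inspect each packet on its own; a signature split across packets is missed."""
    return [s.seq for s in segments if signature in s.payload]

class StreamReassembler:
    """B.3.2: keep per-session state, order segments by sequence number and match
    the signature against the contiguous reassembled byte stream."""
    def __init__(self, signature=SIGNATURE):
        self.signature = signature
        self.sessions = {}  # (src, sport, dst, dport) -> {seq: payload}

    def add(self, seg):
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        self.sessions.setdefault(key, {})[seg.seq] = seg.payload

    def reassembled(self, key):
        """Concatenate segments in sequence order, stopping at the first gap."""
        data, expected = b"", None
        for seq in sorted(self.sessions.get(key, {})):
            if expected is not None and seq != expected:
                break  # bytes are missing; do not match across the hole
            data += self.sessions[key][seq]
            expected = seq + len(self.sessions[key][seq])
        return data

    def match(self):
        """Return the session keys whose reassembled stream contains the signature."""
        return [k for k in self.sessions if self.signature in self.reassembled(k)]

# Constructed session: the signature is split across two segments that arrive out of order.
KEY = ("10.0.0.5", 40000, "192.0.2.10", 80)
SEGMENTS = [
    Segment(*KEY, seq=1015, payload=b"/../etc/passwd HTTP/1.0\r\n\r\n"),  # second half, arrives first
    Segment(*KEY, seq=1000, payload=b"GET /cgi-bin/.."),                  # first half (15 bytes)
]

if __name__ == "__main__":
    print("single-packet hits:", match_single_packet(SEGMENTS))   # []
    r = StreamReassembler()
    for s in SEGMENTS:
        r.add(s)
    print("stateful hits:", r.match())                            # [KEY]
```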
B.3.3 Protocol Decode
Protocol decode is also known as Protocol Anomaly Detection or Protocol Validation. The detection
engine performs a full protocol analysis, decoding and processing the packet in order to highlight
anomalies in packet contents. This is quicker than doing a search of a signature database. It is more
flexible in capturing attacks that would be very difficult to catch using pattern-matching techniques, as
well as new variations of old attacks, which would require a new signature in the database.
The protocol decode engine first applies rules defined by the appropriate RFCs to look for violations.
This can help to detect certain anomalies such as binary data in an HTTP request, or a suspiciously long
piece of data where it should not be (a sign of a possible buffer overflow attempt).
B.3.4 Heuristic Analysis
Heuristic-based signatures use algorithms, often based on statistics, to judge whether a warning is
warranted. An example of this type of signature is one that would be used to detect a port sweep. This
signature might look for the presence of a threshold number of unique ports being probed on a
particular device. Signatures of this type may react differently on different networks, and must be
tuned correctly.
B.3.5 Anomaly Analysis
This detection system identifies "normal" traffic on a network, and then considers anything that is "non-
normal" traffic to be an "intrusion". Anomaly detection can recognize previously unseen attacks, since
it is not reliant on knowing what an attack looks like. However, "normal" and "non-normal" may have
to be defined for each network, so false positives may appear in the initial deployment. Attacks detected
by this method do not have a name.
B-2
Intrusion Protection