Intrusion Detection FAQ: What is knowledge-based intrusion detection?

There are two complementary approaches to detecting intrusions: knowledge-based approaches and behavior-based approaches. This entry describes the first approach. Almost all IDS tools today are knowledge-based. This approach is also referred to in the literature as misuse detection.

Knowledge-based intrusion detection techniques apply the knowledge accumulated about specific attacks and system vulnerabilities. The intrusion detection system contains information about these vulnerabilities and looks for attempts to exploit them. When such an attempt is detected, an alarm is triggered. In other words, any action that is not explicitly recognized as an attack is considered acceptable. Therefore, the accuracy of knowledge-based intrusion detection systems is considered good. However, their completeness (i.e., whether they detect all possible attacks) depends on regular updates of the knowledge about attacks.

Advantages of the knowledge-based approaches are that they have the potential for very low false alarm rates, and that the contextual analysis reported by the intrusion detection system is detailed, making it easier for the security officer using the system to take preventive or corrective action.

Drawbacks include the difficulty of gathering the required information on the known attacks and keeping it up to date with new vulnerabilities and environments. Maintaining the knowledge base of the intrusion detection system requires careful analysis of each vulnerability and is therefore a time-consuming task. Knowledge-based approaches also face the generalization issue: knowledge about attacks is very focused and depends on the operating system, version, platform, and application, so the resulting intrusion detection tool is closely tied to a given environment. Also, detecting insider attacks involving an abuse of privileges is deemed more difficult because no vulnerability is actually exploited by the attacker.
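The following is an added example, not code from this FAQ entry or from any IDS product, illustrating both the detection model described above (alert only on what matches a known attack pattern, accept everything else) and the completeness drawback (the knowledge base and its input normalization must be kept up to date, and privilege abuse that exploits no vulnerability passes through). The signatures, rule ids, and web-server request lines are constructed for illustration; the `normalize` step stands in for a knowledge-base update that teaches the detector about percent-encoded variants.

```python
"""
Added example (not part of Herve Debar's FAQ entry): a minimal knowledge-based
(misuse) detector over web-server request lines. The signatures, rule ids,
and sample log lines below are constructed for illustration only.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class Signature:
    sid: int        # hypothetical rule id
    name: str       # short attack name reported with the alert
    pattern: str    # regular expression applied to the (normalized) request line
    context: str    # what the match means, so the analyst can act on it


# Constructed knowledge base: one entry per known attack pattern.
KNOWLEDGE_BASE = [
    Signature(1, "directory traversal", r"(\.\./){2,}",
              "repeated ../ sequences: attempt to escape the web root"),
    Signature(2, "shell CGI probe", r"/cgi-bin/[^ ]*(sh|bash)\b",
              "request for a shell interpreter under cgi-bin"),
    Signature(3, "SQL tautology", r"'\s*or\s+'?1'?\s*=\s*'?1",
              "classic ' or '1'='1 injection probe in a parameter"),
]


def normalize(request_line: str) -> str:
    """Undo percent-encoding (twice, to cover double encoding) and lower-case.

    This is the kind of knowledge-base maintenance the text describes: without
    it, trivially encoded variants of known attacks are not recognized.
    """
    s = request_line
    for _ in range(2):
        s = unquote(s)
    return s.lower()


def detect(log_lines, knowledge_base=KNOWLEDGE_BASE, normalize_input=True):
    """Return one alert per line that matches a known signature.

    Lines matching nothing in the knowledge base are treated as acceptable,
    which is exactly the misuse-detection model: no signature, no alarm.
    """
    alerts = []
    for line in log_lines:
        view = normalize(line) if normalize_input else line.lower()
        for sig in knowledge_base:
            if re.search(sig.pattern, view):
                # Detailed context is the strength of this approach: the
                # analyst learns which rule fired and what it means.
                alerts.append({"sid": sig.sid, "name": sig.name,
                               "context": sig.context, "line": line})
                break  # first matching signature wins for this line
    return alerts


# Constructed request lines (not real traffic).
SAMPLE_LOG = [
    "GET /index.html HTTP/1.0",                                  # benign
    "GET /images/logo.gif HTTP/1.0",                             # benign
    "GET /../../../../etc/passwd HTTP/1.0",                      # plain traversal
    "GET /login?user=admin'%20or%20'1'%3D'1 HTTP/1.0",           # encoded injection
    "GET /cgi-bin/bash HTTP/1.0",                                # shell probe
    "GET /static/..%252f..%252f..%252fetc/shadow HTTP/1.0",      # double-encoded traversal
    "GET /admin/export-all-customers HTTP/1.0",                  # privilege abuse: no signature
]


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"sid={a['sid']} {a['name']}: {a['context']} <- {a['line']}")
    print("without normalization:",
          [a["sid"] for a in detect(SAMPLE_LOG, normalize_input=False)])
```

With normalization the detector raises four alerts (rules 1, 3, 2, 1 in log order); without it, the encoded injection and the double-encoded traversal pass silently, and in both runs the privileged export request is accepted because no signature describes it, which is the insider-abuse limitation noted above.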

Herve Debar
IBM Zurich Research Laboratory