Intrusion Detection and Prevention Systems (IDPSs)
Published in Mohssen Mohammed, Al-Sakib Khan Pathan, Automatic Defense Against Zero-day Polymorphic Worms in Communication Networks, 2016
Mohssen Mohammed, Al-Sakib Khan Pathan
IDPS technologies offer extensive and accurate detection capabilities. To provide more accurate detection, IDPS products use a combination of detection techniques. The types of events detected and the typical accuracy of detection vary greatly depending on the type of IDPS technology. Most IDPSs require at least some tuning and customization to improve their detection accuracy, usability, and effectiveness. Examples of tuning and customization capabilities are as follows [2]:

Thresholds. A threshold is a value that sets the limit between normal and abnormal behavior. Thresholds usually specify a maximum acceptable level, such as five failed connection attempts in 60 seconds or 100 characters for a filename length.

Blacklists and white lists. A blacklist is a list of discrete entities, such as hosts, Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port numbers, Internet Control Message Protocol (ICMP) types and codes, applications, usernames, Uniform Resource Locators (URLs), filenames, or file extensions, that have been previously determined to be associated with malicious activity. Blacklists allow IDPSs to block activity that is highly likely to be malicious. Some IDPSs generate dynamic blacklists that are used to temporarily block recently detected threats (e.g., activity from an attacker's IP address). A white list is a list of discrete entities that are known to be benign. White lists are typically used on a granular basis, such as protocol by protocol, to reduce or ignore false positives involving known benign activity.

Alert settings. Most IDPS technologies allow administrators to customize each alert type. Examples of actions that can be performed on an alert type include toggling it on or off and setting a default priority or severity level. Some products can suppress alerts if an attacker generates many alerts in a short period of time and may also temporarily ignore all future traffic from the attacker. This is to prevent the IDPS from being overwhelmed by alerts.

Code viewing and editing. Some IDPS technologies permit administrators to see some or all of the detection-related code. This is usually limited to signatures, but some technologies allow administrators to see additional code, such as programs used to perform stateful protocol analysis. Viewing the code can help analysts determine why particular alerts were generated so they can better validate alerts and identify false positives. The ability to edit detection-related code and write new code (e.g., new signatures) is necessary to fully customize certain types of detection capabilities.
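The tuning capabilities listed above (thresholds, a static and a dynamic blacklist, a granular white list, and alert suppression) can be combined into a single small detection loop. The following Python toy engine is an added example, not code from the chapter or from any IDPS product; every IP address, port, timestamp and event in it is constructed, and the class and attribute names are our own. It applies the chapter's two threshold examples (five failed connection attempts in 60 seconds, 100-character filename), blocks sources on a static blacklist, dynamically blacklists a source that crosses the connection threshold, ignores a white-listed host/port pair, and suppresses alerts from a source that has already raised three in the window.

```python
"""Toy IDPS tuning demo: thresholds, blacklist/white list, alert suppression.
Added example, not the chapter's code. All addresses and events are constructed."""
from collections import defaultdict, deque

# Tuning knobs; the numeric values mirror the chapter's examples, the names are ours.
FAILED_CONN_THRESHOLD = 5          # five failed connection attempts ...
WINDOW_SECONDS = 60                # ... within 60 seconds
MAX_FILENAME_LEN = 100             # a longer filename is treated as abnormal
STATIC_BLACKLIST = {"203.0.113.7"}       # constructed: host known to be malicious
WHITELIST = {("198.51.100.5", 22)}       # constructed: known-benign (host, port) pair
ALERT_SUPPRESS_AFTER = 3           # suppress a source after this many alerts per window


class ToyIDPS:
    def __init__(self):
        self.failed = defaultdict(deque)        # src -> timestamps of failed connects
        self.alert_times = defaultdict(deque)   # src -> timestamps of emitted alerts
        self.dynamic_blacklist = {}             # src -> expiry timestamp
        self.alerts = []                        # emitted (ts, src, kind, severity)
        self.suppressed = 0                     # alerts dropped by suppression

    @staticmethod
    def _prune(dq, now):
        """Drop timestamps older than the sliding window."""
        while dq and now - dq[0] > WINDOW_SECONDS:
            dq.popleft()

    def _raise(self, ts, src, kind, severity):
        """Emit an alert unless this source already hit the suppression limit."""
        dq = self.alert_times[src]
        self._prune(dq, ts)
        if len(dq) >= ALERT_SUPPRESS_AFTER:
            self.suppressed += 1
            return
        dq.append(ts)
        self.alerts.append((ts, src, kind, severity))

    def process(self, ev):
        ts, src, port = ev["ts"], ev["src"], ev["dport"]
        # White list is applied per host/port pair, so only this benign tuple is ignored.
        if (src, port) in WHITELIST:
            return
        # Expire dynamic blacklist entries whose block period has ended.
        for ip, expiry in list(self.dynamic_blacklist.items()):
            if ts > expiry:
                del self.dynamic_blacklist[ip]
        if src in STATIC_BLACKLIST or src in self.dynamic_blacklist:
            self._raise(ts, src, "blacklisted-source", "high")
            return  # blocked; no further analysis of this event
        if ev["type"] == "conn_failed":
            dq = self.failed[src]
            dq.append(ts)
            self._prune(dq, ts)
            if len(dq) >= FAILED_CONN_THRESHOLD:
                self._raise(ts, src, "failed-connection-threshold", "medium")
                # Temporarily block the source, as a dynamic blacklist would.
                self.dynamic_blacklist[src] = ts + WINDOW_SECONDS
                dq.clear()
        elif ev["type"] == "file_request" and len(ev.get("filename", "")) > MAX_FILENAME_LEN:
            self._raise(ts, src, "filename-length-threshold", "low")


def run(events):
    """Feed events in time order and return the engine with its alert state."""
    idps = ToyIDPS()
    for ev in sorted(events, key=lambda e: e["ts"]):
        idps.process(ev)
    return idps


# Constructed sample events (timestamps are seconds from an arbitrary start).
SAMPLE_EVENTS = [
    # benign host hammering a white-listed service: must produce no alert
    *[{"ts": t, "src": "198.51.100.5", "dport": 22, "type": "conn_failed"} for t in range(0, 6)],
    # five failures in 60 s crosses the threshold at ts=50, then the source keeps coming back
    *[{"ts": t, "src": "192.0.2.10", "dport": 445, "type": "conn_failed"}
      for t in (10, 20, 30, 40, 50, 60, 70, 80, 90, 130)],
    # statically blacklisted host
    {"ts": 15, "src": "203.0.113.7", "dport": 80, "type": "conn_ok"},
    # over-long filename
    {"ts": 25, "src": "192.0.2.44", "dport": 80, "type": "file_request", "filename": "A" * 120},
]

if __name__ == "__main__":
    result = run(SAMPLE_EVENTS)
    for alert in result.alerts:
        print(alert)
    print("suppressed:", result.suppressed, "dynamic blacklist:", result.dynamic_blacklist)
```

Running it shows the interplay of the knobs: the source 192.0.2.10 raises one threshold alert at ts=50 and is then dynamically blacklisted for 60 seconds, its next two events raise "blacklisted-source" alerts, the two after that are suppressed, and by ts=130 the block has expired and its failure counter starts again from zero.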
A survey of phishing attack techniques, defence mechanisms and open research challenges
Published in Enterprise Information Systems, 2022
A whitelisting or blacklisting scheme consists of either a list of legitimate websites, known as a whitelist, or a list of malicious sites, known as a blacklist. A whitelist is the list of reliable websites frequently visited by users. Maintaining a blacklist requires several resources to confirm and report each malicious URL. The access time of these solutions is very fast compared to machine learning and visual similarity-based approaches. However, these solutions suffer from low detection accuracy because most list-based techniques do not protect against zero-hour attacks.
DNS rule-based schema to botnet detection
Published in Enterprise Information Systems, 2021
Kamal Alieyan, Ammar Almomani, Mohammed Anbar, Mohammad Alauthman, Rosni Abdullah, B. B. Gupta
These signature-based approaches are used to detect well-known bots through signature matching. This is done with an IDS, such as the one described by Roesch (1999). Ramachandran, Feamster, and Dagon (2006) proposed a DNS-based Black List (DNSBL) approach. This approach represents a signature-based system for the detection of a botnet (Ramachandran, Feamster, and Dagon 2006).