Responses Inline :
1.IPS must build normal model while IDS can use the abnormal
model(misuse detection)?If it is what's the difference between the IDS's
anomaly detection and IPS?
IDS can watch the whole session and figure out whats just happened. IPS
must know long before the session is finished in order to Prevent
anything from happening.
2.Has someone formally use the data mining technology in the IPS?
No Comment.
3.Besides the DoS and buffer overflow etc,has any other way be used in
IPS just like the users behaviour analysis?
Depending on the IPS Software in question, probably any non-encrypted
session oriented traffic which can be broken down, reset or logged.
Sessionless traffic can be prevented once traffic analysis is done (like
with UDP type DOS attacks).
4.Why someone said IPS can not log the trace of the attacks while IDS
can do?I think IPS can do it easily.Maybe because IPS is in-line and log
the trace needing many time?
The IPS would see the same packets any IDS would, the difference is that
once the IPS figured out the traffic is malicious it takes action. Thus
the IPS log would be up to the point of action being taken, so an IDS
may see the entire flow of traffic and more acurately match the traffic
to a signature of a known attack while the IPS just knows its an attack
which needs to be blocked/dropped/rset.
So depressed with the IDS/IPS and my thesis is flying in the sky:( Thank
you in advance.
I had this great apricot beer the other day, I highly recommend it.
Lily
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
