HIDS are not deployed in the network but rather within the machine or system needed protection. Thus, configuration of HIDS is dependent on the device they are installed on and different devices require different configurations and rulesets. Hybrid IDSes are a combination of two or more IDS components and provides one of the highest levels of protection ion information systems assets and resources. However, this kind of deployment mean more resources need to be allocated to ensure optimum functioning of hybrid IDSes.
From the various IDS components available, IDSes can also be differentiated by their detection types. These detection types can be signature-based, anomaly-based and stateful protocol inspection. The following are the differences in the detection types of IDSes (Scarfone & Mell, 2007):
A signature is a pattern that corresponds to a known threat. Signature-based detection is the process of comparing signatures against observed events to identify possible incidents.
Anomaly-based detection is the process of comparing definitions of what activity is considered normal against observed events to identify significant deviations. An IDPS using anomaly-based detection has profiles that represent the normal behavior of such things as users, hosts, network connections, or applications.
Stateful protocol analysis is the process of comparing predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state against observed events to identify deviations.
In the same manner as hybrid intrusion detection systems can be deployed, the same goes true for detection types. Depending upon the security needs and requirements that come up after the risk analysis, IDSes deployed throughout the network can be a combination of two or all of the various detection types. With the variety of threats and vulnerabilities that abound, hybrid deployments are always the best possible implementation because of the wider...
There are several methodologies and best practices involved in doing so. For startup deployments or those that are done from the ground up, deployments of IDSes is part of the secure network design and architecture and these systems are aligned with the other security controls and mechanisms. Existing information systems infrastructures requires comprehensive risk management to determine the threats and vulnerabilities thereto. Once these threats and vulnerabilities have been identified, determination of the impact and likelihood of each of these will be done and a risk register is completed. From the risk register, mitigation measures will be made and one of these will reveal where and how to deploy intrusion detection systems. Thus, this provides for the most diligent, effective and efficient deployment and utilization of IDSes because it is based on known and anticipated factors. But once again, it is always important to remember that IDSes cannot by themselves provide comprehensive protection of information systems assets and resources. They are part of the unified threat management system employed to provide for the most comprehensive security controls and measures that ensure the confidentiality, integrity, and availability of the information system.
Bibliography:
Information Assurance Technology Analysis Center (IATAC). (2009). Information assurance tools report -- Intrusion detection systems, 6th ed. Retrieved June 6, 2011 from http://iac.dtic.mil/iatac/download/intrusion_detection.pdf
Scarfone, K. & Mell, P. (2007, February). Special publication 800-94: Guide to intrusion detection and prevention systems (IDPS): Recommendations of the National Institute of Standards and Technology. Retrieved June 6, 2011 from http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf
