
In continuation of our previous deep-dive article on the key considerations for re-evaluating intrusion detection systems (IDS) and intrusion prevention systems (IPS), we now explore the key areas where rule-based IDS/IPS systems fall short against modern cyber threats and why AI is the way to go.
The primary function of an intrusion detection system (IDS) is to raise an alarm when suspicious or malicious behavior is detected. An intrusion prevention system (IPS) goes one step further: beyond detecting, it blocks the offending access or further network traffic before the network is compromised.
Unfortunately, both IDS and IPS are left behind as threats evolve and change pace to evade their rule-based logic. The days of rule-based IDS/IPS systems seem to be numbered, since they simply can’t keep up with the sophistication of the newest cyber attacks.
To that point, IDS/IPS solutions have a few potential weaknesses, such as:
The root cause of high false-positive and false-negative (FP/FN) rates lies in the nature of the traffic and the type of infrastructure. High-load systems legitimately generate a lot of traffic, which a rule-based system can mistake for a powerful DoS or DDoS attack.
For instance, if a rule-based IDS/IPS is tuned with a high threshold, it can miss a less powerful attack that is nevertheless fatal for low-powered IoT devices. Another notable weakness of rule-based IDS/IPS systems is the escalation of alerts into incidents and their intelligent grouping, which also inflates FP/FN numbers.
In stark contrast, an IDS/IPS that uses machine learning adapts more easily to the traffic it actually sees: it does not miss low-power attacks on IoT devices and does not generate a flood of FP alerts on high-load systems. Since there are many different cases, these numbers will vary individually by FP, FN, alerts, incidents, infrastructure, devices, attack types, clients, and more.
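The threshold problem described above can be made concrete with a small comparison. The following is an added example, not code from the original article or from any vendor product: it scores constructed packets-per-second counts for a busy web server and a low-power IoT sensor, first with a single global threshold (the rule-based approach) and then with a per-device baseline learned from each device's own history. All device names, counts, the threshold of 500 pps and the `k`/`floor` parameters are assumptions chosen for illustration.

```python
"""Static threshold vs. per-device adaptive baseline on constructed traffic.

Constructed sample: packets-per-second counts for two devices.  All numbers
are made up for illustration: "web" is a busy server that is never under
attack, "sensor" is a low-power IoT device that is flooded in its last
five samples.
"""
from statistics import mean, pstdev

# (device, pps, is_attack) -- constructed values, not real captures
SAMPLES = (
    [("web", pps, False) for pps in (880, 910, 950, 900, 890, 1020, 980, 940, 905, 960)]
    + [("sensor", pps, False) for pps in (4, 5, 6, 5, 4, 5, 6, 5, 4, 5)]
    + [("sensor", pps, True) for pps in (48, 55, 61, 58, 52)]
)

STATIC_THRESHOLD = 500  # one global rule: "alert if pps > 500" (assumed value)


def static_rule(samples, threshold=STATIC_THRESHOLD):
    """One threshold for every device: the rule-based approach."""
    return [pps > threshold for _, pps, _ in samples]


def adaptive_baseline(samples, learn=10, k=3.0, floor=10):
    """Per-device baseline learned from the first `learn` samples of that
    device; later samples are anomalous when they exceed mean + k*stdev.
    `floor` is an absolute minimum so that a near-zero baseline does not
    alert on single-packet noise.  Learning samples are assumed benign."""
    history = {}
    flags = []
    for device, pps, _ in samples:
        hist = history.setdefault(device, [])
        if len(hist) < learn:
            hist.append(pps)
            flags.append(False)  # still learning, no verdict yet
            continue
        mu, sigma = mean(hist), pstdev(hist)
        flags.append(pps > max(mu + k * sigma, floor))
    return flags


def confusion(samples, flags):
    """Return (false_positives, false_negatives, true_positives)."""
    fp = fn = tp = 0
    for (_, _, is_attack), flagged in zip(samples, flags):
        if flagged and not is_attack:
            fp += 1
        elif not flagged and is_attack:
            fn += 1
        elif flagged and is_attack:
            tp += 1
    return fp, fn, tp


if __name__ == "__main__":
    print("static rule FP/FN/TP:", confusion(SAMPLES, static_rule(SAMPLES)))
    print("adaptive    FP/FN/TP:", confusion(SAMPLES, adaptive_baseline(SAMPLES)))
```

With these inputs the global rule flags every benign web-server sample and misses every sensor flood, while the per-device baseline does neither. The baseline here is frozen after the learning window; a production system would keep updating it, but should exclude samples it has already flagged so that an ongoing attack cannot drift the baseline upward.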
An important problem is assessing the quality and metrics of IDS/IPS systems. To do this, you need to analyze the chain ML metrics -> proxy metrics -> business metrics. Based on this analysis, you can make a decision about the quality of your security product.
Machine learning metrics describe a specific case, a specific model, or a specific experiment: one attack type, one traffic type, and one model type. Thus, machine learning metrics don’t always line up with business metrics and are difficult to convert into them.
Proxy metrics are built on comprehensive testing and group machine learning metrics together. Even though proxy metrics can be somewhat opaque to the business, their main purpose is to connect business metrics (business tasks) with the specific machine learning metrics that matter for the business.
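One way to make the ML -> proxy -> business chain tangible is to compute each layer from the one below it. The following is an added example, not code from the original article: it takes per-experiment confusion counts (one model, one attack type, one traffic profile each), groups them into deployment-weighted proxy metrics, and restates those as workload and risk figures. Every count, traffic share, attack mix and volume below is constructed for illustration, as are the model and attack names.

```python
"""ML metrics -> proxy metrics -> business metrics on constructed results.

Each ML metric describes one experiment (one model, one attack type, one
traffic profile).  A proxy metric groups those into a number describing
the deployment mix; a business metric restates it in terms the business
plans around (analyst workload, missed incidents).  All values below are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Experiment:
    model: str
    attack: str          # attack type the test set targets
    traffic: str         # traffic profile of the test set
    tp: int
    fp: int
    tn: int
    fn: int

    # ML metrics: valid only for this one experiment
    def recall(self):
        return self.tp / (self.tp + self.fn)

    def fpr(self):
        return self.fp / (self.fp + self.tn)


# Constructed evaluation results for one hypothetical model
EXPERIMENTS = [
    Experiment("ml-v1", "syn-flood", "datacenter", tp=95, fp=20, tn=9980, fn=5),
    Experiment("ml-v1", "syn-flood", "iot-edge", tp=80, fp=2, tn=998, fn=20),
    Experiment("ml-v1", "port-scan", "datacenter", tp=70, fp=50, tn=9950, fn=30),
    Experiment("ml-v1", "port-scan", "iot-edge", tp=90, fp=5, tn=995, fn=10),
]

# Deployment assumptions (constructed): share of each traffic profile the
# product actually sees, how often each attack type occurs, and volumes
TRAFFIC_SHARE = {"datacenter": 0.7, "iot-edge": 0.3}
ATTACK_MIX = {"syn-flood": 0.4, "port-scan": 0.6}
SESSIONS_PER_DAY = 200_000          # benign flows scored per day
ATTACKS_PER_MONTH = 40              # expected real attacks per month
MINUTES_PER_FALSE_ALERT = 15        # analyst triage cost per false alert


def proxy_metrics(experiments, traffic_share, attack_mix):
    """Group per-experiment ML metrics into deployment-weighted numbers.

    Each experiment is weighted by how much of the real deployment it
    represents (traffic share x attack share); the weights sum to 1 here."""
    fpr = recall = 0.0
    for e in experiments:
        weight = traffic_share[e.traffic] * attack_mix[e.attack]
        fpr += weight * e.fpr()
        recall += weight * e.recall()
    return {"weighted_fpr": fpr, "weighted_recall": recall}


def business_metrics(proxy, sessions_per_day, attacks_per_month, minutes_per_alert):
    """Restate proxy metrics as figures the business understands."""
    false_alerts_per_day = proxy["weighted_fpr"] * sessions_per_day
    return {
        "false_alerts_per_day": false_alerts_per_day,
        "analyst_hours_per_day": false_alerts_per_day * minutes_per_alert / 60,
        "missed_attacks_per_month": (1 - proxy["weighted_recall"]) * attacks_per_month,
    }


if __name__ == "__main__":
    proxy = proxy_metrics(EXPERIMENTS, TRAFFIC_SHARE, ATTACK_MIX)
    print("proxy:", proxy)
    print("business:", business_metrics(proxy, SESSIONS_PER_DAY,
                                        ATTACKS_PER_MONTH, MINUTES_PER_FALSE_ALERT))
```

The point of the chain shows up in the numbers: a per-experiment false-positive rate of a fraction of a percent looks excellent as an ML metric, but multiplied by daily session volume it becomes hundreds of false alerts and a triage load the business can actually evaluate.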
Business metrics are what the business understands. For example,
In the case of Edge + IoT infrastructure, the EDR system is especially important: in addition to network threats, detection and prevention of malware and ransomware, two of the most prominent dangers of recent years, are also required. Integrating these components into a single solution is therefore essential, and can be complex.
By using a non-traditional approach, organizations can mitigate all the challenges of rule-based IDS/IPS systems. By combining IDS/IPS systems with an AI-based endpoint detection and response (EDR) system, organizations have a highly effective approach to detecting and preventing threats.
Here’s how this hybrid IDS/IPS + EDR works:
The strategic advantages of using hybrid IDS/IPS + EDR systems versus traditional, rule-based IDS/IPS systems include:
Overall, a hybrid IDS/IPS + EDR approach to cybersecurity gives SecOps teams a full picture of what is going on in the network and at each endpoint, letting the system find and stop a wide range of threats. With the help of machine learning algorithms, the system can adapt and improve over time, becoming better at finding and stopping threats.