Continuing our previous deep-dive article on the key considerations when re-evaluating intrusion detection systems (IDS) and intrusion prevention systems (IPS), we now explore the key areas where rule-based IDS/IPS systems fall short against modern cyber threats, and why AI is the way forward.
The primary function of an intrusion detection system (IDS) is to raise an alarm when suspicious or malicious behavior is detected. An intrusion prevention system (IPS) goes one step further: it blocks the offending traffic or access to the network before the target is compromised.
Unfortunately, both IDS and IPS are left helpless as threats evolve and change tactics to evade the rule-based logic of these systems. The days of rule-based IDS/IPS seem numbered, since they simply cannot cope with the sophistication of the newest cyber attacks.
To that point, IDS/IPS solutions have a few potential weaknesses, such as:
- False positives: IDS/IPS systems can generate many false positives, which waste time and money while the security team investigates alerts that turn out not to be real threats.
- False negatives: IDS and IPS systems can also produce false negatives, meaning they miss some threats. This happens when the system is not configured correctly or when the attack technique is new or unknown to the rule set.
- Limited visibility: an IDS/IPS can only watch the traffic on the network segments or host devices where it is deployed, which limits the threats it can observe and detect.
- Increased complexity: IDS/IPS systems can be hard to set up, configure, and maintain, which is a problem for companies with small IT staffs.
- Higher costs: IDS/IPS systems can be expensive to buy and maintain, which is a problem for organizations with limited funds.
- Evolving, more dangerous threats: IDS/IPS systems may not keep up with constantly changing threats, leaving organizations exposed to new, emerging, or far more dangerous attacks.
Artificial Intelligence To The Rescue
The reason behind high false-positive/false-negative (FP/FN) rates lies in the nature of the traffic and the type of infrastructure. High-load systems legitimately generate a lot of traffic, but to a rule-based system with a fixed threshold that traffic can mistakenly look like a powerful DoS or DDoS attack.
Conversely, if you set a high threshold in a rule-based IDS/IPS, you can miss a low-volume attack that is still fatal for low-powered IoT devices. Another notable weakness of rule-based IDS/IPS systems is the escalation of incidents and the intelligent grouping of alerts, which also drive up FP/FN numbers.
In stark contrast, IDS and IPS systems that use machine learning can adapt their baselines to the observed traffic, so they neither miss low-volume attacks on IoT devices nor generate a flood of FP alerts on high-load systems. Since there are many different cases, the resulting numbers vary individually by FP, FN, alerts, incidents, infrastructure, devices, attack types, clients, and more.
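To make the threshold problem concrete, here is an added example (not code from the original article or any product) that runs a single global request-rate threshold and a per-asset adaptive baseline over the same constructed traffic: a high-load web server and a low-power IoT gateway. The threshold value, the z-score cut-off and the sample rates are assumptions chosen for illustration.

```python
"""Fixed global threshold vs. per-asset adaptive baseline for request-rate anomalies.

Added example, not code from the original article. The traffic below is
constructed: requests per second over eleven one-second windows for a
high-load web server and a low-power IoT gateway.
"""
from statistics import mean, pstdev

# Constructed sample: the web server normally serves ~5000 req/s and its
# last window (5300) is still ordinary load, not an attack.
WEB_SERVER = [4900, 5100, 5050, 4950, 5000, 5200, 4800, 5100, 5000, 4950, 5300]
# The IoT gateway normally sees ~20 req/s; its last window jumps to 120 req/s,
# enough to exhaust a constrained device yet far below a data-centre threshold.
IOT_GATEWAY = [19, 21, 20, 22, 18, 20, 21, 19, 20, 22, 120]

FIXED_THRESHOLD = 2000  # req/s; one rule applied to every asset (assumed value)


def fixed_threshold_alerts(series, threshold=FIXED_THRESHOLD):
    """Rule-based check: alert on every window above one global threshold.
    Returns the indices of alerting windows."""
    return [i for i, v in enumerate(series) if v > threshold]


def adaptive_alerts(series, warmup=5, z=4.0):
    """Per-asset baseline: learn mean/stddev from the first `warmup` windows,
    then flag a window whose z-score against the running baseline exceeds `z`.
    Windows that are not flagged are folded back into the baseline, so the
    model follows slow drift but not a sudden spike."""
    baseline = list(series[:warmup])
    alerts = []
    for i in range(warmup, len(series)):
        mu, sigma = mean(baseline), pstdev(baseline)
        sigma = max(sigma, 1.0)  # floor avoids dividing by ~0 on very flat traffic
        if (series[i] - mu) / sigma > z:
            alerts.append(i)
        else:
            baseline.append(series[i])
    return alerts


def compare(series):
    """Side-by-side result for one asset."""
    return {"fixed": fixed_threshold_alerts(series), "adaptive": adaptive_alerts(series)}


if __name__ == "__main__":
    # Every web-server window trips the fixed rule (false positives), while the
    # IoT spike never reaches it (false negative); the adaptive baseline gets both right.
    print("web server :", compare(WEB_SERVER))
    print("iot gateway:", compare(IOT_GATEWAY))
```

The per-asset model is deliberately simple (mean and standard deviation over a sliding history); production systems use richer features, but the same principle applies: the baseline must belong to the asset, not to the rule set.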
An important problem is assessing the quality and metrics of IDS/IPS systems. To do this, you need to analyze metrics on three levels: ML metrics -> proxy metrics -> business metrics. Based on this analysis, you can make a decision about the quality of your security product.
Machine learning metrics describe a specific case, a specific model, or a specific experiment: one attack type, one traffic type, and one model type. Thus, machine learning metrics don’t always line up with business metrics, or are difficult to convert into business metrics.
Proxy metrics are built from comprehensive testing and group machine learning metrics together. Even though proxy metrics can be somewhat opaque to the business, their main purpose is to connect business metrics (business tasks) with the specific machine learning metrics that matter for those tasks.
Business metrics are what the business understands. For example:
- The percentage of attacks that the solution covers according to the MITRE matrix.
- Minimum and maximum response time to attacks (time from the start of the attack to the display of the alert on the dashboard).
- The total number or percentage of attacks guaranteed to be recorded with 100% probability.
- The total number of critical attacks, or percentage of attacks, guaranteed to be fixed with 100% probability.
- The average time a security specialist processes various incidents.
- Average CPU load as a function of traffic bandwidth. For example, 5% at 100 MB/s of traffic, 10% at 5 GB/s, and so on.
- Average memory usage as a function of traffic bandwidth.
- Coverage of various platforms (possibility of deploying the agent on N versions of Linux, Kubernetes, Docker, etc.).
- Labor costs for installing/updating the agent/models.
- API integration with various SIEM systems.
- Response time of our support to the client's questions.
- The average time to add new features that the client wants to the product.
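The three-level roll-up described above (ML metrics -> proxy metrics -> business metrics) is easier to reason about with numbers attached. The following is an added example, not code from the original article: it takes constructed confusion-matrix counts for one model tested against three attack types, computes the per-experiment ML metrics, groups them into proxy metrics over the whole test suite, and finally expresses them as two of the business metrics listed above (MITRE coverage and analyst time). The attack-to-technique mapping, the recall floor and the minutes-per-alert figure are assumptions.

```python
"""Rolling ML metrics up through proxy metrics to business metrics.

Added example, not code from the original article. The per-attack-type
outcomes are constructed test results; the MITRE ATT&CK technique mapping,
the recall floor and the per-alert handling time are illustrative assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    """Confusion-matrix counts for one model evaluated on one attack type."""
    attack: str      # attack type under test
    technique: str   # MITRE ATT&CK technique the test maps to (assumed mapping)
    tp: int          # attacks detected
    fn: int          # attacks missed
    fp: int          # benign flows flagged
    tn: int          # benign flows passed


# Constructed evaluation results for a single model over three attack types.
RESULTS = [
    Outcome("volumetric-dos", "T1498", tp=95, fn=5, fp=10, tn=9990),
    Outcome("low-rate-dos", "T1499", tp=70, fn=30, fp=2, tn=9998),
    Outcome("bruteforce-login", "T1110", tp=99, fn=1, fp=50, tn=9950),
]


# ---- ML metrics: one number per (model, attack type) experiment ----
def ml_metrics(o):
    precision = o.tp / (o.tp + o.fp) if o.tp + o.fp else 0.0
    recall = o.tp / (o.tp + o.fn) if o.tp + o.fn else 0.0
    fpr = o.fp / (o.fp + o.tn) if o.fp + o.tn else 0.0
    return {"precision": precision, "recall": recall, "fpr": fpr}


# ---- Proxy metrics: group the ML metrics across the whole test suite ----
def proxy_metrics(results, recall_floor=0.9):
    per_attack = {o.attack: ml_metrics(o) for o in results}
    flows = sum(o.tp + o.fn + o.fp + o.tn for o in results)
    alerts = sum(o.tp + o.fp for o in results)
    return {
        # which attack types the model detects reliably enough to promise to a customer
        "attacks_meeting_recall_floor": [a for a, m in per_attack.items()
                                         if m["recall"] >= recall_floor],
        "alerts_per_10k_flows": alerts / flows * 10_000,
        "false_alerts_per_10k_flows": sum(o.fp for o in results) / flows * 10_000,
    }


# ---- Business metrics: what the buyer of the product asks about ----
def business_metrics(results, in_scope_techniques, minutes_per_alert=8.0, recall_floor=0.9):
    proxy = proxy_metrics(results, recall_floor)
    covered = {o.technique for o in results
               if o.attack in proxy["attacks_meeting_recall_floor"]}
    alerts = sum(o.tp + o.fp for o in results)
    return {
        # share of the in-scope MITRE techniques the product covers at the promised recall
        "mitre_coverage_pct": 100 * len(covered & set(in_scope_techniques)) / len(in_scope_techniques),
        # analyst hours needed to process every alert the test set produced
        "analyst_hours_for_test_set": alerts * minutes_per_alert / 60,
        # of which, hours spent on false positives
        "wasted_analyst_hours": sum(o.fp for o in results) * minutes_per_alert / 60,
    }


if __name__ == "__main__":
    scope = ["T1498", "T1499", "T1110", "T1046"]  # assumed customer scope
    for o in RESULTS:
        print(o.attack, ml_metrics(o))
    print(proxy_metrics(RESULTS))
    print(business_metrics(RESULTS, scope))
```

Note how the low-rate DoS model scores a respectable precision (0.97) yet drops out of the coverage figure because its recall (0.70) misses the floor; that gap between a good-looking ML metric and a business promise is exactly why the intermediate proxy layer exists.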
In an Edge + IoT infrastructure, the EDR component is essential: in addition to network threats, detection and prevention of malware and ransomware, two of the most prominent dangers of recent years, is also required. Integrating these components into a single solution is therefore essential, and it can be complex.
By taking a non-traditional approach, organizations can mitigate all of these challenges of rule-based IDS/IPS systems. Combining IDS/IPS with an AI-based endpoint detection and response (EDR) system gives organizations a highly effective approach to detecting and preventing threats.
Here’s how this hybrid IDS/IPS + EDR works:
- The IDS/IPS component looks for signs of malicious behavior in network traffic using both signature-based and anomaly-based detection methods.
- The AI-based EDR component is installed on each endpoint device, such as an edge server, IT server, workstation, or laptop, and looks for signs of malicious activity there.
- Both the IDS/IPS and EDR components apply machine learning algorithms to the data they collect to find patterns that may indicate a threat.
- If a threat is found, the system raises an alert and takes the action needed to stop it, such as blocking the malicious traffic or quarantining the affected endpoint.
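The last two steps, correlating what the network and endpoint components see and choosing a response, are where a hybrid system differs most from two separate products. The following is an added example, not code from the original article or from any vendor: it groups constructed IDS and EDR alerts per host into incidents within a time window and applies a simple response policy. The alert fields, the confidence scale, the window length and the policy thresholds are all assumptions.

```python
"""Correlating network (IDS/IPS) and endpoint (EDR) alerts into incidents.

Added example, not code from the original article or any product. The alert
records are constructed; the field layout, the 0..1 confidence scale, the
correlation window and the response policy are assumptions.
"""

# Constructed alerts: (timestamp in seconds, source, host, signal, confidence 0..1)
ALERTS = [
    (100, "ids", "edge-01", "outbound-c2-beacon", 0.55),
    (130, "edr", "edge-01", "unsigned-binary-spawned-shell", 0.80),
    (900, "ids", "edge-02", "port-scan-inbound", 0.40),
    (1000, "edr", "ws-07", "ransomware-mass-rename", 0.97),
]

WINDOW = 300  # seconds; alerts on one host this close together form one incident


def group_incidents(alerts, window=WINDOW):
    """Group alerts per host into incidents. An alert joins the host's open
    incident when it arrives within `window` seconds of that incident's first
    alert; otherwise it opens a new one. Returns incidents in order of creation."""
    incidents = []
    open_by_host = {}
    for ts, source, host, signal, conf in sorted(alerts):
        inc = open_by_host.get(host)
        if inc is None or ts - inc["start"] > window:
            inc = {"host": host, "start": ts, "sources": set(),
                   "signals": [], "max_conf": 0.0}
            incidents.append(inc)
            open_by_host[host] = inc
        inc["sources"].add(source)
        inc["signals"].append(signal)
        inc["max_conf"] = max(inc["max_conf"], conf)
    return incidents


def decide_action(inc):
    """Response policy (assumed): quarantine the endpoint when network and
    endpoint evidence agree, or when a single endpoint signal is high-confidence;
    block traffic on a medium-confidence network-only signal; otherwise just alert."""
    both = {"ids", "edr"} <= inc["sources"]
    if both or ("edr" in inc["sources"] and inc["max_conf"] >= 0.9):
        return "quarantine-endpoint"
    if "ids" in inc["sources"] and inc["max_conf"] >= 0.5:
        return "block-traffic"
    return "alert-only"


def triage(alerts):
    """One (host, sources, action) tuple per incident, in creation order."""
    return [(inc["host"], sorted(inc["sources"]), decide_action(inc))
            for inc in group_incidents(alerts)]


if __name__ == "__main__":
    # Four raw alerts collapse into three incidents; only edge-01, where both
    # sensors agree, and ws-07, where EDR is highly confident, get quarantined.
    for row in triage(ALERTS):
        print(row)
```

The value of the second signal is visible on edge-01: a 0.55-confidence network beacon alone would only justify a traffic block, but combined with an endpoint signal on the same host within the window it crosses the quarantine bar without either detector having to be tuned more aggressively.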
The strategic advantages of using hybrid IDS/IPS + EDR systems versus traditional, rule-based IDS/IPS systems include:
- Comprehensive threat detection: The hybrid IDS/IPS + EDR approach gives a full picture of both network and endpoint activity, so the system can find and stop a wide range of threats.
- Fewer false positives: machine learning algorithms make the system more accurate, reducing the number of false positives and improving its effectiveness.
- Better response times: the system can stop threats automatically in real time, which cuts the time it takes to respond to an attack and limits its potential damage.
- Adaptability: because the system uses machine learning algorithms, it can adapt and improve over time, making it better at finding and stopping threats.
- Ease of use: the system can be set up and managed from a single console, which makes it easier to deploy and maintain.
- Automation of threat detection and prevention: The system can take automatic steps to stop threats, which reduces the work of SecOps teams and lets them focus on more important tasks.
- Accuracy: Machine learning algorithms can reduce the number of false positives and false negatives, and the number of alerts that SecOps teams need to process.
- Greater visibility and context: The system can give detailed information about the threat, the assets it affects, and the recommended response. This lets SecOps teams decide how to best deal with the threat based on accurate information.
Overall, a hybrid IDS/IPS + EDR approach to cybersecurity gives SecOps teams a full picture of what is happening on the network and at each endpoint, letting the system find and stop a wide range of threats. With the help of machine learning algorithms, the system adapts and improves over time, becoming better at finding and stopping threats.