Last year, Gartner nearly wrote off IDS as a technology that could no longer justify its plodding and inadequate utility. Difficulty in configuration and management, inability to respond to attacks, and the tendency to throw up a deluge of alerts and false positives were the prime considerations for its deprecation. However, we are now witnessing an emerging breed of IDS that sets out to overcome these problems. The new tool doing the rounds is 'target-based IDS', which successfully reduces false positives and squelches alerts to a manageable number. To get a feel for this: if, in a given time span, an older generation IDS had thrown up 10000 alerts, a target-based IDS will raise about 10, slashing the time spent analyzing alarms each day from hours to minutes.

As the name suggests, target-based IDS focuses on the target of the transiting packet as much as on the malicious signature contained within the packet. The older generation IDS merely checked the packet payload for a match against its database of malicious signatures, or figured out anomalous traffic patterns, and then threw up alerts if a match or anomaly was detected. In contrast, the target-based IDS correlates knowledge about network topology, operating systems and applications with incoming attack information, and checks whether the destination host is at all vulnerable to the exploit encapsulated within the payload. An alarm is raised only if the target host is found to be at risk. For instance, if a target-based IDS detects a packet containing the Blaster worm signature, it will first check whether the destination host is adequately patched against the RPC DCOM vulnerability that the Blaster worm seeks to exploit. If the host is patched, no alert will be raised.

The older generation IDS spewed alerts indiscriminately. It did nothing to ascertain whether or not the target carried the specific vulnerability that the malicious packet sought to exploit. It was left to the administrator to determine whether the raw intelligence provided by the alert foreboded any adverse ramifications. The need for manual intervention was a costly and burdensome proposition, negating the very advantage of detecting malicious activity. Automating the process of qualifying an alert as relevant or irrelevant is a big advantage of the target-based IDS.

The act of determining the target's vulnerability before raising an alert is what differentiates target-based IDS from the older generation IDS. Target-based IDS includes a vulnerability scanning function, which is activated periodically to take a snapshot of the vulnerabilities in network devices. This information is stored in its database and queried before an alert is raised. However, the efficacy of the query, and therefore of the target-based IDS, depends on the currency of the vulnerability information.

The observations of a vulnerability scan conducted earlier may be rendered useless if the target has changed its configuration since. This raises the dangerous possibility of a target-based IDS opting not to raise an alarm on the basis of outdated vulnerability information. Keeping the vulnerability information up to date is therefore crucial, and to do so the target-based IDS would have to actively scan the network at short intervals. But this raises operational concerns, because active vulnerability scanning can consume network bandwidth and destabilize or even crash production systems. To overcome this, some target-based IDSes offer passive scanning, which can monitor for vulnerabilities continually.

While target-based IDS largely obviates the problem of an alert deluge, it has its downside. A target-based IDS is only as effective as the thoroughness of its vulnerability scanner. Hitherto unknown vulnerabilities will be overlooked by the scanner. Therefore, the target-based IDS will not raise an alert if it comes across a zero-day exploit for such an unknown vulnerability, fostering a dangerously false sense of security.
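The alert-qualification step described above (match the signature's vulnerability against the scanner's snapshot of the destination host), together with the two caveats that follow (stale scan data, and signatures for vulnerabilities the scanner does not know about), as an added illustration that is not part of the original article or of any product it describes. The inventory, signature catalogue, host addresses, vulnerability identifiers and the seven-day freshness limit are all constructed for the example; the fail-safe choice of raising rather than suppressing whenever the snapshot cannot vouch for the host is the point being demonstrated.

```python
from datetime import datetime, timedelta

# Constructed scanner snapshot, as a target-based IDS might hold it in its
# database: per host, the vulnerabilities still open and the scan timestamp.
INVENTORY = {
    "10.0.0.5": {"open": {"RPC-DCOM-2003"}, "scanned": datetime(2024, 5, 1, 8, 0)},
    "10.0.0.6": {"open": set(), "scanned": datetime(2024, 5, 1, 8, 0)},
    "10.0.0.7": {"open": set(), "scanned": datetime(2024, 3, 1, 8, 0)},  # stale
}

# Constructed signature catalogue: which vulnerability each signature exploits.
# A signature with no known vulnerability stands in for a zero-day pattern.
SIGNATURES = {"blaster-rpc-dcom": "RPC-DCOM-2003", "unknown-0day": None}

# Constructed freshness limit: older snapshots are not trusted to suppress alerts.
MAX_SCAN_AGE = timedelta(days=7)

# Fixed "current time" so the example is reproducible offline.
NOW = datetime(2024, 5, 2, 12, 0)


def qualify(alert, inventory=INVENTORY, signatures=SIGNATURES, now=NOW):
    """Decide whether a raw signature match should become an alert.

    Returns (raise_alert, reason). Suppression happens only when the snapshot
    positively shows the destination host patched against the exploited
    vulnerability; every other case falls through to raising the alert.
    """
    host = inventory.get(alert["dst"])
    if host is None:
        return True, "host not in inventory"
    vuln = signatures.get(alert["sig"])
    if vuln is None:
        return True, "signature maps to no known vulnerability"
    if now - host["scanned"] > MAX_SCAN_AGE:
        return True, "scan data stale"
    if vuln in host["open"]:
        return True, f"host vulnerable to {vuln}"
    return False, f"host patched against {vuln}"


def triage(alerts, **kw):
    """Run qualify() over raw matches and keep only those worth an analyst's time."""
    return [(a, reason) for a in alerts for keep, reason in [qualify(a, **kw)] if keep]
```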
Target-based IDSes are still in their infancy. Nevertheless, they offer the undeniable advantage of helping to cut through false alerts and significantly decrease the amount of noise. After all, being able to zero in swiftly on 'real' alerts is what matters.