Intrusion Detection Systems Intro

Intrusion: a security event in which someone attempts to access
information or systems they are not allowed to see.

Intrusion detection: the process of identifying digital or electronic
activity that is malicious or unauthorized.

-Brief Overview-

IDS are basically surveillance systems for networks; they alert system
administrators or security managers to potential breaches or attacks on the
system. IDS run continuously in the background, monitoring the network
traffic flowing in and out of a computer. The intrusion detection system looks
for traffic that is suspicious, abnormal, or matches the behavior of a known
exploit or threat. When an IDS finds something, most either notify the
system admins or take corrective action themselves.


-Types of Detection-

1. Network-based Intrusion Detection Systems (NIDS): examine the
characteristics of every packet that passes on the network. A typical network
IDS consists of one or more sensors and a console to aggregate and analyze
data from the sensors.

2. Host-based Intrusion Detection Systems (HIDS): watch the processes
running on the host and monitor log files and data for suspicious activity. Some
HIDS operate independently. In other systems, each host-based IDS reports
to a master system that centralizes the evaluation and response
mechanisms, which is helpful in large enterprise deployments.

3. Hybrid IDS: combine NIDS and HIDS. Hybrid IDS are system-based
and provide attack recognition on the network packets flowing to or from a
single host. Hybrid IDS provide additional protection by monitoring a system’s
events, data, directory and registry for attack.

4. Decoy-based Systems: otherwise known as “honeypots”, provide an
additional level of security within the network infrastructure. These systems can
be thought of as a “set and forget” intrusion detection sensor composed of a
single system or network of devices whose sole purpose is to capture
unauthorized activity. This means any packet entering or leaving a decoy-based
system is suspect by nature.


-How Are Intrusions Detected?-

1. Signature-based Detection: examines network traffic for specific patterns
of attack. For every exploit, the IDS vendor must code a signature specifically
for that attack in order to detect it, and therefore the attack must already be known.
Almost all IDS are structured around a large signature database and attempt to
compare every packet to every signature in the database.

2. Protocol Anomaly Detection: performed at the application protocol layer. It
focuses on the structure and content of the communications. For example, protocol-based
IDS detect Code Red because they model the HTTP protocol exactly as it is
specified in the RFC. The Code Red attack violates the HTTP protocol specification
because it uses a GET request to post and execute malicious code on the victim
server, and the IDS picks up on that violation.

3. Behavioral Anomaly Detection: a less prevalent method of intrusion detection
that looks for statistical anomalies. The framework of statistical anomaly
detection is a “baseline” of certain system statistics or patterns of behavior that
the system tracks continually. Changes in these patterns are taken to
indicate an attack, for example excessive use, use at unusual hours, or
changes in the system calls made by user processes.
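The three detection methods above side by side, as an added example that is not part of the original post: a small Python sketch that runs a toy signature database, a simplified check on HTTP request structure (standing in for the Code Red point), and a statistical baseline over constructed request records. The host addresses, the signature, the hour range and the mean + 2*stdev threshold are all made up for the illustration.

```python
import re
import statistics
from collections import Counter

# Constructed request records: (source_ip, hour_of_day, method, uri, has_body).
# Made-up values for illustration, not captured traffic.
def normal_traffic(src, n, hour):
    return [(src, hour, "GET", f"/page{i}.html", False) for i in range(n)]

# Baseline window: ordinary daytime browsing from five hosts (counts 3,4,5,4,4).
BASELINE = (normal_traffic("10.0.0.1", 3, 9) + normal_traffic("10.0.0.2", 4, 11)
            + normal_traffic("10.0.0.3", 5, 13) + normal_traffic("10.0.0.4", 4, 15)
            + normal_traffic("10.0.0.5", 4, 17))

# Monitored window: the same kind of traffic plus one misbehaving host at 03:00.
MONITORED = normal_traffic("10.0.0.1", 2, 10) + normal_traffic("10.0.0.2", 3, 14) + [
    ("10.0.0.9", 3, "GET", "/cgi-bin/../../etc/passwd", False),  # matches a signature
    ("10.0.0.9", 3, "GET", "/upload", True),                      # GET carrying a body
] + normal_traffic("10.0.0.9", 40, 3)                             # burst of requests

# 1. Signature-based: every request is compared against a (toy) signature database.
SIGNATURES = [("constructed-dir-traversal", re.compile(r"\.\./"))]

def signature_alerts(requests):
    return [(src, name) for src, _, _, uri, _ in requests
            for name, rx in SIGNATURES if rx.search(uri)]

# 2. Protocol anomaly: simplified model of the page's Code Red point; a GET that
# carries a message body is treated as a violation of the expected HTTP structure.
def protocol_alerts(requests):
    return [(src, "get-with-body") for src, _, method, _, has_body in requests
            if method == "GET" and has_body]

# 3. Behavioral anomaly: learn per-host request counts and the active hour range
# from the baseline, then flag hosts exceeding mean + 2*stdev or seen outside it.
def behavioral_alerts(baseline, requests):
    counts = Counter(src for src, *_ in baseline).values()
    threshold = statistics.mean(counts) + 2 * statistics.pstdev(counts)
    hours = [hour for _, hour, *_ in baseline]
    usual_hours = range(min(hours), max(hours) + 1)
    alerts = set()
    for src, count in Counter(src for src, *_ in requests).items():
        if count > threshold:
            alerts.add((src, "excessive-use"))
    for src, hour, *_ in requests:
        if hour not in usual_hours:
            alerts.add((src, "unusual-hour"))
    return sorted(alerts)

if __name__ == "__main__":
    print(signature_alerts(MONITORED))
    print(protocol_alerts(MONITORED))
    print(behavioral_alerts(BASELINE, MONITORED))
```

Note that only the first detector needs the attack to be known in advance; the other two fire on structure and on deviation from the learned baseline, which is exactly the trade-off the three items above describe.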

Keep in mind that intrusion detection is merely the first step to a secure network.
Prevention also plays a key role in keeping your network secure. I’ll most likely post
something on prevention of intrusions in the near future.

Hope this helped explain IDS in more depth.

Sources:
Cioe, Barry, and Frank Huerta. “Intrusion Detection and Prevention: Security’s One-Two Punch.” The ISSA Journal, Aug. 2003.