Results 1 to 5 of 5

Thread: IDS In-Depth / Intro

  1. #1
    Senior Member
    Join Date
    May 2003

    IDS In-Depth / Intro

    Intrusion Detection Systems Intro

    Intrusion: a security event in which someone attempts to access
    information or systems they are not allowed to see.

    Intrusion detection: the process of identifying digital or electronic
    activity that is malicious or unauthorized.

    -Brief Overview-

    IDS are basically surveillance systems for networks; they alert system
    administrators or security managers of potential breaches or attacks in the
    system. IDS run continuously in the background, monitoring the network
    traffic flowing in and out of a computer. The intrusion detection system looks
    for traffic that is suspicious, abnormal, or matches the behaviors of a known
    exploit or threat. When most IDS find something, they either notify the
    system admins, or take corrective action themselves.

    -Types of Detection-

    1. Network-based Intrusion Detection Systems (NIDS): examine the
    characteristics of every packet that passes on the network. A typical network
    IDS consists of one of more sensors and a console to aggregate and analyze
    data from the sensors.

    2. Host-based Intrusion Detection Systems (HIDS): watch for processes
    inside the host and monitor log files and data for suspicious activity. Some
    HIDS operate independently. In other systems, each host-based IDS may
    report to a master system that centralizes the evaluation and response
    mechanisms, helpful in large enterprise deployments.

    3. Hybrid IDS: combines NIDS and HIDS. Hybrid IDS are system-based
    and provide attack recognition on the network packets flowing to or from a
    single host. Hybrid IDS provide additional protection by monitoring a system’s
    events, data, directory and registry for attack.

    4. Decoy-based Systems: otherwise known as “honeypots”, provide an
    additional level of security within the network infrastructure. These systems can
    be considered as a “set and forget” intrusion detection sensor composed of a
    single system or network of devices whose sole purpose is to capture
    unauthorized activity. This means any packet entering or leaving a decoy-based
    system is suspect by nature.

    -How Are Intrusions Detected?-

    1. Signature-based Detection: examines network traffic for specific patterns
    of attack. For every exploit, the IDS vendor must code a signature specifically
    for that attack in order to detect it, and therefore the attack must be known.
    Almost all IDS are structured around a large signature database and attempt to
    compare every packet to every signature in the database

    2. Protocol Anomaly Detection: performed at the application protocol layer. It
    focuses on the structure and content of the communications. I.e. Protocol-based
    IDS detect Code Red because they model the HTTP protocol exactly as it is
    reflected in the RFC. The Code Red attack violates the HTTP protocol specification
    because it uses a GET request to post and execute malicious code on the victim
    server. The IDS will pick up on this.

    3. Behavioral Anomaly Detection: a less prevalent method of intrusion detection
    is the ability to detect statistical anomalies. The framework of a statistical anomaly
    detection is the “baseline” of certain system statistics or patterns of behavior that
    are tracked continually by the system. Changes in these patterns are used to
    indicate an attack. I.e. excessive use, detection of use at unusual hours, detection
    of changes in system calls made by user processes.

    Keep in mind that intrusion detection is merely the first step to a secure network.
    Prevention is also a key role in keeping your network secure. I’ll most likely post
    something on prevention of intrusions in the near future.

    Hope this helped explain IDS in a more in-depth view.

    Cioe, Barry. Huerta, Frank. “Intrusion Detection and Prevention: Security’s One-
    Two Punch.” The ISSA Journal . Aug. 2003.

  2. #2
    Senior Member
    Join Date
    Apr 2002
    Quick but good tutorial as a brief overview of what is an IDS.

    Only one little comment: Tutorials are normally posted by their writers. Maybe could you try to create your own tutorial about the subject. I'm sure that, helped by such articles, you would make something very good.
    Life is boring. Play NetHack... --more--

  3. #3
    Senior Member
    Join Date
    Mar 2002
    For those of you whom are looking for a more in depth tutorial, here is a good one.

  4. #4
    Senior Member
    Join Date
    Jul 2003
    Good simple intro and great link from entropy

  5. #5
    Senior Member
    Join Date
    Nov 2001
    come on plastic you've been here long enough to know tutorials are supposed to be original. this will not be listed in the index and therefore be of no more help to anyone than the average post.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts