Wednesday 17 September 2014

IDS (Intrusion Detection System)

An intrusion detection system (IDS) is a device or software application that monitors network or system activity for malicious activity or policy violations and reports what it finds to a management system. It looks for signs of intrusion (unauthorized users gaining access) or misuse (authorized users overstepping their bounds).
How It Works:
Intrusion Detection Systems (IDS) can operate at several different levels. Host-based IDSs (HIDS) reside on a host machine and perform intrusion detection locally. Network-based IDSs (NIDS) examine the flow of network traffic. Successfully identifying and preventing intrusion depends on the detection techniques used: by collecting information about known types of attacks, an IDS can determine whether someone is trying to attack the network or particular hosts. Every IDS works through the same series of steps, all of which revolve around the data produced by the system being monitored: data is collected by monitoring activity on the hosts or the network; the raw data is analyzed to classify each activity as normal or suspicious; and when a suspicious activity is judged sufficiently serious, a response is triggered.

Host-based intrusion detection is accomplished by installing software on each individual system. These software modules, or agents, run on the monitored host and perform intrusion detection there, using a variety of methods. One common method is to have the agent monitor the system logs and look for irregular patterns, for example a user performing actions for which they lack adequate permissions. The agent keeps a running record of the user's actions; if those actions raise a red flag (that is, they look suspicious), the system administrator can backtrack through them and investigate why that user was using the system in that way. Another effective method is to watch the processes that are running: a particular process name can mean trouble for the administrator, depending on its purpose. Protecting the integrity of system files is another high-priority task for a host-based IDS. An agent can take an inventory of the system files, together with their permissions, and report any change to that set. The same auditing tactic can be applied to user accounts: an IDS that witnesses a user's permissions being changed, or an unauthorized user being created, is signalling a problem to the administrator. All of these methods fall under agent-based software, which makes up the largest category of host-based IDSs. The other major category is host wrappers/personal firewalls. "Host wrappers or personal firewalls can be configured to look at all network packets, connection attempts, or login attempts to the monitored machine." Examples are dial-in attempts, activity on non-network communication ports, and software on the host attempting to connect out to the network.
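The file-integrity method described above (inventory the system files with their permissions, then report any change to the set) is small enough to show end to end. The following is an added Python example written for this page, not code from any IDS product; the names fim_baseline and fim_compare are chosen here, and the scenario runs in a temporary directory built by the script rather than on a real system.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Added example: a minimal host-based file-integrity check. fim_baseline and
# fim_compare are hypothetical names chosen here, not a real product's API.


def _file_record(path: Path) -> dict:
    """Hash the file content and capture its permission bits and owner."""
    st = path.lstat()
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
    }


def fim_baseline(root) -> dict:
    """Inventory every regular file under root, keyed by relative path."""
    root = Path(root)
    inventory = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            inventory[path.relative_to(root).as_posix()] = _file_record(path)
    return inventory


def fim_compare(baseline: dict, current: dict) -> list:
    """Report files added, removed, modified, or re-permissioned/re-owned."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            findings.append(("added", rel, ""))
        elif new is None:
            findings.append(("removed", rel, ""))
        else:
            if old["sha256"] != new["sha256"]:
                findings.append(("modified", rel, ""))
            if old["mode"] != new["mode"]:
                findings.append(("mode", rel, f"{old['mode']:04o} -> {new['mode']:04o}"))
            if (old["uid"], old["gid"]) != (new["uid"], new["gid"]):
                findings.append(("owner", rel,
                                 f"{old['uid']}:{old['gid']} -> {new['uid']}:{new['gid']}"))
    return findings


def demo() -> list:
    """Constructed scenario in a temporary directory (not a real system):
    take a baseline, then simulate a trojaned binary, a config file made
    world-writable and a dropped ld.so.preload, and diff against it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"original binary")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        os.chmod(root / "etc" / "sshd_config", 0o644)
        baseline = fim_baseline(root)

        (root / "bin" / "ls").write_bytes(b"trojaned binary")
        os.chmod(root / "etc" / "sshd_config", 0o666)
        (root / "etc" / "ld.so.preload").write_text("/tmp/evil.so\n")
        return fim_compare(baseline, fim_baseline(root))


if __name__ == "__main__":
    for kind, rel, detail in demo():
        print(f"[{kind}] {rel} {detail}".rstrip())
```

In a real deployment the baseline would be stored off the monitored host (or signed), since an intruder with root can otherwise rewrite the inventory along with the files it describes.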

"Network-based ID involves looking at the packets on the network as they pass by some sensor." Packets are of interest only if they match a particular signature. There are three main types of signature:
· String signatures – look for strings, or combinations of strings, that could indicate an intrusion; for example, a signature containing a sensitive file name may raise an alarm.
· Port signatures – watch for connection attempts to well-known, frequently attacked ports (e.g. telnet (TCP port 23), FTP (TCP ports 21/20), SUNRPC (TCP/UDP port 111) and IMAP (TCP port 143)); communication on ports that the site does not use may also be grounds for suspicion.
· Header condition signatures – match packet headers that contain illogical combinations or well-known dangerous content. "The most famous example is WinNuke, where a packet is destined for a NetBIOS port and the Urgent pointer, or Out Of Band pointer, is set. This resulted in the "blue screen of death" for Windows systems."
The key to making a network-based IDS successful is sensor placement. A sensor only sees the traffic that physically passes it, so it must sit where the packets of interest flow (for example on a switch mirror port or a network tap in front of the segment being protected).
Detection Technique:
Intrusion detection systems rely on two basic detection techniques, often used in combination:
(1) Signature based IDS
(2) Statistical anomaly based IDS.
(1) Signature-based IDS: monitors packets on the network and compares them with pre-configured, pre-determined attack patterns known as signatures. It can only detect attacks for which a signature already exists.
(2) Statistical anomaly-based IDS: first establishes a baseline of normal network activity (what bandwidth is generally used, which protocols are used, which ports and devices generally connect to each other) and then alerts the administrator or user when traffic deviating from that baseline is detected. This can catch previously unknown attacks, at the cost of false positives whenever legitimate behaviour changes.
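The anomaly-based technique above is easiest to understand with numbers. What follows is an added Python example for this page, not code from the original post or from any IDS product: it learns a per-host profile (destination ports used, and the mean and standard deviation of flow sizes) from a constructed training window, then scores flows from a later window against it. The addresses, ports, sizes and the z-score threshold of 3.0 are all assumptions made for the illustration.

```python
import statistics
from collections import defaultdict

# Added example, not from the original post. Flows are (src, dst, dst_port, bytes);
# all addresses and sizes below are constructed for illustration.
TRAINING_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 443, 1000),
    ("10.0.0.5", "10.0.0.20", 443, 1200),
    ("10.0.0.5", "10.0.0.21", 443, 800),
    ("10.0.0.5", "10.0.0.2", 53, 1100),
    ("10.0.0.5", "10.0.0.2", 53, 900),
    ("10.0.0.7", "10.0.0.20", 22, 5000),
    ("10.0.0.7", "10.0.0.20", 443, 7000),
    ("10.0.0.7", "10.0.0.21", 22, 6000),
]


def build_profile(flows):
    """Learn, per source host, the set of destination ports it talks to and the
    mean/standard deviation of its flow sizes during the training window."""
    ports, sizes = defaultdict(set), defaultdict(list)
    for src, _dst, dport, nbytes in flows:
        ports[src].add(dport)
        sizes[src].append(nbytes)
    return {
        src: {
            "ports": frozenset(ports[src]),
            "mean": statistics.fmean(sizes[src]),
            # guard against a zero deviation when every training flow was identical
            "stdev": statistics.pstdev(sizes[src]) or 1.0,
        }
        for src in ports
    }


def score_flow(profile, flow, z_threshold=3.0):
    """Return the reasons a flow deviates from its host's profile (empty list = normal)."""
    src, _dst, dport, nbytes = flow
    p = profile.get(src)
    if p is None:
        return [f"{src} never appeared during the training window"]
    reasons = []
    if dport not in p["ports"]:
        reasons.append(f"{src} never used port {dport} before")
    z = (nbytes - p["mean"]) / p["stdev"]
    if abs(z) > z_threshold:
        reasons.append(f"flow of {nbytes} bytes is {z:.1f} standard deviations from the mean")
    return reasons


def detect(profile, flows, z_threshold=3.0):
    """Run every flow through score_flow and keep only the anomalous ones."""
    return [(flow, reasons) for flow in flows
            if (reasons := score_flow(profile, flow, z_threshold))]


# Constructed flows from a later window: one normal, one new port (reverse-shell
# style), one huge transfer (exfiltration style), one host never seen before,
# and one more normal flow from the second host.
TEST_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 443, 1050),
    ("10.0.0.5", "203.0.113.9", 4444, 1000),
    ("10.0.0.5", "203.0.113.9", 443, 50_000_000),
    ("10.0.0.99", "10.0.0.20", 443, 1000),
    ("10.0.0.7", "10.0.0.20", 22, 6500),
]

if __name__ == "__main__":
    for flow, reasons in detect(build_profile(TRAINING_FLOWS), TEST_FLOWS):
        print(flow, "->", "; ".join(reasons))
```

Note what the profile does and does not catch: the 4444 connection is flagged only because that host never used the port during training, so an attacker who learns the baseline can hide inside it, and a training window that already contained malicious traffic would bake it into "normal".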

The Need for Intrusion Detection Systems:

A computer intrusion can be damaging in a variety of ways, depending on the intent behind it. If the intrusion amounts to a nuisance, resources still have to be expended to deal with it, which means the system administrator must divert attention away from the business to focus on the annoyance. Even an intrusion that is not malicious, i.e. not damaging or theft related, can bog down the network and cost the employees productivity. Intrusions aimed at theft are particularly damaging to a company's competitive position. Companies go to great lengths to protect their intellectual property, since it can be such a large source of income and market share; if that information falls into the wrong hands, i.e. the competition, the company can suffer greatly through lost revenue. Malicious damage may be done by a hacker who intends to hurt a company by destroying data. This is the most damaging type of attack because it has a snowball effect: not only does the company lose records, customer information, business contacts and so on, it also takes a huge hit in productivity, because until all the information is restored much of the staff cannot work efficiently. A company may also lose customers simply because it has been the target of an attack. Customers get very nervous when they think their personal data may fall into the wrong hands.
IDPS (Intrusion Detection & Prevention System):
An intrusion detection and prevention system (IDPS), also known as an intrusion prevention system (IPS), is an extension of the intrusion detection system. Both IDS and IPS monitor network and/or system activity for malicious activity; the main functions of an IPS are to identify malicious activity, log information about it, attempt to block it, and report it. Because an IPS sits inline on the traffic path rather than only watching a copy of the traffic, it can respond by sending an alarm, dropping the malicious packet, resetting the connection and/or blocking further traffic from the offending IP address. An IPS can also correct Cyclic Redundancy Check (CRC) errors, reassemble fragmented packet streams, prevent TCP sequencing issues, and clean up unwanted transport- and network-layer options.
(1) Host-based intrusion prevention system (HIPS): a program installed on each host, where intrusions and infections are dealt with at the individual workstation level to provide a more effective level of security.
(2) Network-based intrusion prevention system (NIPS): a program or appliance that sniffs packets and analyzes network traffic to identify and stop suspicious activity. Most network-based IPS products use a combination of attack signatures and analysis of network and application protocols.
(3) Wireless intrusion prevention system (WIPS): a network device that monitors the radio spectrum for the presence of unauthorized access points and can automatically take countermeasures.
(4) Network behavior analysis (NBA): monitors network traffic flows and blocks unusual activity, such as a host that suddenly starts generating traffic patterns it never produced before, using signature detection, packet inspection and real-time blocking.
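To tie the three signature types from the network-based IDS section (string, port and header condition, including the WinNuke case) to the IPS actions just described (alert, drop the packet, block the offending address), here is an added Python example written for this page. It is not code from the original post or from any IDS/IPS product: the Packet and Signature classes, the rule names and the packets are all constructed for the illustration, and a real sensor would of course parse these fields out of captured frames rather than receive them as Python objects.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example, not from the original post: a toy inline sensor that applies
# the three signature types (string, port, header condition) and then takes the
# IPS-style action each rule asks for. All packets below are constructed.


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp" or "udp"
    dport: int
    flags: frozenset = frozenset()  # TCP flags present, e.g. {"PSH", "ACK", "URG"}
    payload: bytes = b""


@dataclass
class Signature:
    name: str
    kind: str                       # "string", "port" or "header"
    action: str                     # "alert", "drop" or "block_ip"
    pattern: bytes = b""            # string signature: regex over the payload
    ports: frozenset = frozenset()  # port / header signature: destination ports
    proto: Optional[str] = None     # port signature: restrict to one protocol
    flags: frozenset = frozenset()  # header signature: flags that must all be set

    def matches(self, pkt: Packet) -> bool:
        if self.kind == "string":
            return re.search(self.pattern, pkt.payload) is not None
        if self.kind == "port":
            return pkt.dport in self.ports and (self.proto is None or pkt.proto == self.proto)
        if self.kind == "header":
            return pkt.proto == "tcp" and pkt.dport in self.ports and self.flags <= pkt.flags
        raise ValueError(f"unknown signature kind {self.kind}")


SIGNATURES = [
    Signature("sensitive-file-in-request", "string", "alert", pattern=rb"/etc/(passwd|shadow)"),
    Signature("cleartext-telnet", "port", "alert", ports=frozenset({23}), proto="tcp"),
    # WinNuke: urgent (out-of-band) data aimed at a NetBIOS port
    Signature("winnuke-oob-netbios", "header", "drop", ports=frozenset({139}), flags=frozenset({"URG"})),
    Signature("backdoor-listener-port", "port", "block_ip", ports=frozenset({4444}), proto="tcp"),
]


class InlineSensor:
    """Behaves as an IDS while every rule says 'alert'; becomes an IPS as soon as
    a rule asks to drop the packet or block the source."""

    def __init__(self, signatures):
        self.signatures = signatures
        self.alerts = []            # (signature name, src, dst)
        self.blocked = set()        # offending source addresses

    def process(self, pkt: Packet) -> str:
        """Return 'forward' or 'drop' for one packet, recording any matches."""
        if pkt.src in self.blocked:
            return "drop"
        verdict = "forward"
        for sig in self.signatures:
            if sig.matches(pkt):
                self.alerts.append((sig.name, pkt.src, pkt.dst))
                if sig.action == "block_ip":
                    self.blocked.add(pkt.src)
                if sig.action in ("drop", "block_ip"):
                    verdict = "drop"
        return verdict


def run_demo() -> tuple:
    """Push a constructed traffic sample through the sensor; return (verdicts, sensor)."""
    sensor = InlineSensor(SIGNATURES)
    packets = [
        Packet("10.0.0.5", "10.0.0.20", "tcp", 80, frozenset({"PSH", "ACK"}),
               b"GET /index.html HTTP/1.1\r\n"),
        Packet("198.51.100.7", "10.0.0.20", "tcp", 80, frozenset({"PSH", "ACK"}),
               b"GET /../../etc/passwd HTTP/1.1\r\n"),
        Packet("10.0.0.6", "10.0.0.21", "tcp", 23, frozenset({"SYN"})),
        Packet("198.51.100.7", "10.0.0.22", "tcp", 139, frozenset({"PSH", "ACK", "URG"}), b"\x00"),
        Packet("198.51.100.7", "10.0.0.23", "tcp", 4444, frozenset({"SYN"})),
        # benign-looking packet from the now-blocked host: dropped without inspection
        Packet("198.51.100.7", "10.0.0.20", "tcp", 80, frozenset({"SYN"})),
    ]
    return [sensor.process(p) for p in packets], sensor


if __name__ == "__main__":
    verdicts, sensor = run_demo()
    print(verdicts)
    for name, src, dst in sensor.alerts:
        print(f"{name}: {src} -> {dst}")
    print("blocked:", sorted(sensor.blocked))
```

The difference between the two modes is visible in the second and fifth packets: the /etc/passwd request only generates an alert and is forwarded, while the connection to port 4444 is dropped and every later packet from that source is dropped too, which is also why a block_ip rule that fires on spoofable traffic can be turned into a denial of service against legitimate addresses.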
Detection Techniques
(1) Signature-based detection: as described above, packets are compared with pre-configured, pre-determined attack patterns known as signatures.
(2) Statistical anomaly-based detection: as described above, a profile of normal activity (bandwidth, protocols, which ports and devices talk to each other) is built, and traffic that deviates from it raises an alert.
(3) Stateful protocol analysis: this method identifies deviations in protocol state by comparing observed events with "predetermined profiles of generally accepted definitions of benign activity". Rather than matching a single packet, the sensor tracks where each session is in the protocol (for TCP, which stage of the three-way handshake it has reached) and flags events that are not legitimate in that state.
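As an added illustration of stateful protocol analysis (this is example code written for this page, not from the original post or any IDS product), the Python below tracks each TCP connection through SYN_SENT, SYN_RECEIVED and ESTABLISHED and raises an alert for segments that do not belong in the current state. The Segment type, the state names and the replayed traffic are all constructed for the illustration; a real sensor would also have to handle sequence numbers, retransmissions and timeouts, which are left out here.

```python
from typing import FrozenSet, NamedTuple, Optional

# Added example, not from the original post: stateful protocol analysis for the
# TCP three-way handshake. Segments and addresses below are constructed.


class Segment(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]
    payload_len: int = 0


class TcpStateTracker:
    """Walk each connection through SYN_SENT -> SYN_RECEIVED -> ESTABLISHED and
    flag segments that do not fit the state the connection is in."""

    def __init__(self):
        self.state = {}    # (client, cport, server, sport) -> state name
        self.alerts = []   # (reason, connection key)

    def _alert(self, reason, key):
        self.alerts.append((reason, key))
        return reason

    def observe(self, seg: Segment) -> Optional[str]:
        """Update state for one segment; return the alert reason, or None if it conforms."""
        f = seg.flags
        fwd = (seg.src, seg.sport, seg.dst, seg.dport)
        rev = (seg.dst, seg.dport, seg.src, seg.sport)
        if {"SYN", "FIN"} <= f:
            return self._alert("SYN and FIN set in the same segment", fwd)
        if "SYN" in f and "ACK" not in f:
            self.state[fwd] = "SYN_SENT"               # client opens
            return None
        if {"SYN", "ACK"} <= f:
            if self.state.get(rev) == "SYN_SENT":
                self.state[rev] = "SYN_RECEIVED"       # server answered
                return None
            return self._alert("SYN/ACK with no preceding SYN", rev)
        key = fwd if fwd in self.state else rev
        st = self.state.get(key)
        if st is None:
            return self._alert("segment on a connection that never completed a handshake", fwd)
        if st == "SYN_RECEIVED" and "ACK" in f and key == fwd:
            self.state[key] = st = "ESTABLISHED"       # third leg; may legitimately carry data
        if seg.payload_len and st != "ESTABLISHED":
            return self._alert(f"data carried while connection is in {st}", key)
        if "FIN" in f or "RST" in f:
            self.state.pop(key, None)                  # connection torn down
        return None


def run_demo() -> list:
    """Replay one normal connection and three protocol violations; return the alerts."""
    t = TcpStateTracker()
    F = frozenset
    segments = [
        # well-behaved client 10.0.0.5: handshake, request, close
        Segment("10.0.0.5", 40000, "10.0.0.20", 80, F({"SYN"})),
        Segment("10.0.0.20", 80, "10.0.0.5", 40000, F({"SYN", "ACK"})),
        Segment("10.0.0.5", 40000, "10.0.0.20", 80, F({"ACK"})),
        Segment("10.0.0.5", 40000, "10.0.0.20", 80, F({"PSH", "ACK"}), 120),
        Segment("10.0.0.5", 40000, "10.0.0.20", 80, F({"FIN", "ACK"})),
        # crafted SYN+FIN probe
        Segment("198.51.100.7", 40001, "10.0.0.20", 80, F({"SYN", "FIN"})),
        # data injected mid-stream with no handshake on record
        Segment("198.51.100.7", 40002, "10.0.0.20", 80, F({"PSH", "ACK"}), 50),
        # data sent straight after the SYN, before the server has replied
        Segment("198.51.100.8", 40003, "10.0.0.20", 80, F({"SYN"})),
        Segment("198.51.100.8", 40003, "10.0.0.20", 80, F({"PSH", "ACK"}), 10),
    ]
    for seg in segments:
        t.observe(seg)
    return t.alerts


if __name__ == "__main__":
    for reason, key in run_demo():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}: {reason}")
```

None of the three flagged segments would trigger a string or port signature, because each one looks harmless on its own; only the connection's history makes it suspicious, which is the point of the technique.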

Prevention Techniques: Cross-site request forgery (CSRF)

1. The best defense against CSRF attacks is unpredictable tokens, a piece of data that the server can use to validate the request, and wh...