Intrusion detection system
An intrusion detection system (IDS) is a combination of software and hardware designed to monitor and analyze traffic for suspicious activity that is indicative of an intrusion, either within a host (IP-based computer) or on a network. Intrusions can be defined as those attempts at compromising the confidentiality, integrity or availability (see CIA triad) of the computer or network.
An IDS inspects all inbound and outbound network traffic according to a set of rules, called signatures. Identified patterns that are deemed to be suspicious may indicate a network or system attack from someone attempting to break into or compromise a network, or computer system.
Intrusions can originate from any number of locations – both internally as well as externally, and both maliciously, as well as unintentionally. For instance, intrusions can be a result of attacks on systems from the Internet, or having authorized users of the systems who attempt to gain additional privileges on to a system for which they are not authorized, as well as authorized users who perhaps have misused the privileges given to them.
If a positive trigger event results, the IDS will then report that suspicious activity to a network administrator console device. The IDS may, in certain situations, also respond to anomalous or malicious traffic by taking action such as blocking the user or source IP address from accessing the network.
Types of Intrusion Detection Systems
Intrusion detection systems can come in a variety of “flavors.” As a result, their goal of detecting suspicious traffic is handled in different ways.
First, one can consider contrasting approaches to IDS’s:
Misuse detection versus statistical (or anomaly) detection
In misuse detection, the IDS analyzes the information it gathers and compares it to large databases of known attacks, called signatures. The IDS then interrogates each packet, looking for a specific attack that has already been documented and is listed in the signature database. In this regard, the IDS operates very much the way antivirus software detects and protects against such malware as viruses, worms and trojans. It should be noted that the detection software is only as good as the currency of the attack signatures database. That is, there will be a delay between a new threat that has been discovered, and the corresponding signature for detecting that new threat being applied to your IDS. During that delay time, your IDS would be unable to detect the new threat.
In contrast, with a statistical, or anomaly detection, the system administrator utilizes the security policy to define a baseline for the normal state of their network. For instance, the administrator might consider the traffic load, the breakdown of various protocol types, what ports and devices generally connect to each other and a typical packet size. The anomaly detection within the IDS would then monitor the network, and compare its state to the normal baseline. If anomalies are discovered, a trigger results, and a report is generated.
Network-based (NIDS) versus Host-based systems (HIDS)
Another possible way to look at Intrusion Detection systems is to consider where they are located – on a network (as a network-based intrusion detection system, or NIDS) or within an individual computer (as a host-based intrusion detection systems, or HIDS).
In a NIDS, monitoring devices are placed at key strategic locations within the network in order to capture and monitor traffic to and from all devices on that network. In this regard, the NIDS is acting very much like an analyzer, capturing all inbound and outbound traffic. The NIDS would detect malicious packets that are possibly being overlooked by a firewall’s often simpler filtering rules. It should be noted, though, that in doing this, one might inadvertently create a choke point that would impair the overall throughput and performance of the network.
NIDS gather and analyze network traffic by connecting to a hub, a network switch configured for port mirroring, or using a network tap. One of the most popular NIDS is the freeware, Snort. Snort is available for a number of platforms and operating systems including both Linux and Windows. There are also many resources available on the Internet where you can acquire signatures to implement to detect the latest threats.
Passive system vs. reactive system
Intrusion detection systems can either simply monitor and alert an administrator, or an IDS can perform a specific action or series of actions in response to a detected threat. A third example of contrasting systems therefore is a passive versus reactive IDS system.
In a passive type of system, when the IDS detects a potential security breach, it logs the triggering information and signals an alert. It is then up to the network administrator to take the appropriate action to mitigate the intrusion.
In a reactive system, the IDS not only detects the suspicious activity, and sends an alert, it also takes specific pre-defined action when responding to the suspicious or malicious activity. For instance, the IDS might administratively log off a user or proactively reprogram a firewall to block specific IP network traffic from the suspected malicious source address.
Another Approach to Classifying IDSs
Another approach to classifying IDSs is to consider what the software is doing within a host-based IDS. For instance, a protocol, or stack-based intrusion detection system consists of software code, known as an agent. This agent would be loaded on to a server, monitoring and analyzing the communication protocol between a connected user or other system and that server it is protecting.
As an example, for a web server, the agent would monitor the HTTP communication traffic flow, and understand the HTTP protocol behavior relative to the web server system it is trying to protect. In the event that HTTPS is used, then the web server IDS system would need to reside in the "shim" or interface between where HTTPS is un-encrypted and immediately prior to it entering the Web presentation layer.
Another example is an application protocol-based intrusion detection system. In an application protocol-based IDS, the focus is on monitoring and analyzing a specific application protocol or set of protocols in use by a computing system. It would consist of a system or agent that would typically sit within a group of servers, monitoring and analyzing the communication on application specific protocols.
For example, for a web server that interacts with database on the backend process. This IDS would monitor the SQL protocol specific to the middleware and business login process as it works with the associated database.
Finally, a hybrid intrusion detection system is one that combines one or more of these approaches. Multiple host agents monitor for traces of malicious activity from many unique sensors such as Snort, honeyd, Nessus Vulnerability Scanner, Samhain, and combines them network information to better verify an attack, and to form a comprehensive view of the network. An example of a Hybrid IDS is Prelude.
There can be a very fine line between a firewall and an intrusion detection system. They can be easily confused, and the terms often interchanged. One should, however, consider these different, complementary devices, and not a panacea, living at various control points on your network and providing a unique service.
A firewall should be considered the first line of a network’s perimeter defense. Many network administrators contend that a best practice recommendation would be to configure the firewall to explicitly deny all incoming traffic that does not satisfy specific acceptable holes that are required for business. For instance, one would most likely need to open up port 80 to host web sites or port 25 for email servers. These “holes” may be necessary, but they also represent possible opportunities for malicious traffic to enter your network rather than being blocked by the firewall. As an example, neither a firewall nor an IDS will prevent a malicious email attachment (virus, worm, Trojan) from sneaking through if traffic on TCP port 25 is allowed through the firewall to the email server.
And, though they both relate to network security, an IDS also differs from a firewall in that a firewall will typically monitor traffic for intrusions to stop them from happening in the first place. The firewall limits the access between networks in order to prevent intrusion. It does not signal an attack from inside the network. In contrast, an IDS evaluates a suspected intrusion once it has taken place and signals an alarm after the fact. An IDS can watch for attacks that originate from within a system, as in a host-based system.
In summary, an IDS can be a great tool for proactively monitoring and protecting your network from malicious activity, however they are also prone to false alarms – both false positives and false negatives. A false positive is when the system triggers an alarm in error when there is really no threat. A preponderance of false positives can be considered a nuisance, but they can also result in a network administrator turning off the trigger.
A false negative is when the IDS systems fails to note as a true threat, and lets it through without setting off a triggered alarm. Some would argue that a false positive is not as significant an event as a false negative.
Therefore it is important to realize that any IDS solution will need to be “tuned” after it is installed. The IDS will need to be properly configured to recognize what is normal traffic on your network versus what might be malicious traffic. The administrators responsible for responding to IDS alerts need to understand what the alerts mean and how to effectively respond.
And finally, it should be noted there is also technology called an IPS – intrusion prevention system.
|| Intrusion detection system (IDS)|
|| Intrusion prevention system (IPS)|
|| Host-based vs. Network-based Security|