
Intrusion Detection Systems


    An intrusion detection system (IDS) is a device or a piece of software that gathers and analyzes the information passing across a network or host in order to detect malicious or nonstandard behavior. The IDS is designed to analyze, identify and report security violations, deviations or misuse of the network or host security policy so that the security staff or system owner can react and handle the issue. The main purpose of an IDS is to detect and alert on potential attacks, not to prevent them.

    Because an IDS does not have to work in real time, a small delay is acceptable, but the system should not lose packets. It can hold traffic for a short period in order to reassemble fragmented packets before inspecting them, whereas an intrusion prevention system sits inline, has to keep up in real time, and may drop packets from time to time depending on the load. The system monitors for signatures or behaviors, and if a traffic pattern matches a pattern in the signature database the IDS raises an alarm. It usually also has the capability to deliver alarms by text message, email or by paging the system owner.

    Network-Based Intrusion Detection System (NIDS)
    A NIDS is designed to capture and inspect every packet entering the network for the presence of malicious or damaging traffic and, when malicious activity is detected, alert the SOC, administrator or system owner. NIDS sensors monitor traffic as it flows from one device to another by acting as a sniffer, i.e. with a Network Interface Card (NIC) in promiscuous mode, typically fed from a switch mirror (SPAN) port or a network tap. Often a dedicated device is in place to act as the NIDS; it behaves much like a sniffer that captures traffic and checks it against a rule set.

    Host-Based Intrusion Detection System (HIDS)
    A HIDS is quite different from a NIDS: it is installed as software on the host it protects rather than running on a dedicated device, because the host-based IDS is responsible for monitoring activity on that host or server itself. It can detect when the server is being misused and is in the best position to deal with threats on that host.

    Log File Monitors (LFMs)
    This kind of system has the task of monitoring the log files created by network services, searching through the logs and identifying malicious activity by looking for patterns that may indicate an intrusion.
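    The following is an added example of a log file monitor written for this post; it is not code from the original post. It scans constructed sshd-style log lines (the lines, hostnames and addresses are made up) for the "Failed password" pattern and raises an alert when one source address produces a threshold of failures inside a sliding time window, which is the classic brute-force indicator an LFM looks for. The syslog year is assumed because classic syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines for the example; not taken from any real host.
SAMPLE_LOG = """\
Mar 10 10:00:01 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51044 ssh2
Mar 10 10:00:03 host sshd[2203]: Failed password for root from 203.0.113.7 port 51046 ssh2
Mar 10 10:00:04 host sshd[2205]: Failed password for root from 203.0.113.7 port 51048 ssh2
Mar 10 10:00:06 host sshd[2207]: Failed password for root from 203.0.113.7 port 51050 ssh2
Mar 10 10:00:07 host sshd[2209]: Failed password for root from 203.0.113.7 port 51052 ssh2
Mar 10 10:00:09 host sshd[2211]: Accepted publickey for alice from 198.51.100.2 port 40000 ssh2
Mar 10 10:03:00 host sshd[2215]: Failed password for bob from 198.51.100.9 port 40100 ssh2
Mar 10 10:09:00 host sshd[2219]: Failed password for bob from 198.51.100.9 port 40102 ssh2
"""

# Pattern that indicates a failed authentication; capture groups are timestamp, user, source IP.
FAILED_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)


def parse_syslog_ts(stamp, year=2024):
    """Classic syslog stamps carry no year, so one is assumed (hypothetical value)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Sliding window per source IP: alert once when `threshold` failures fall within `window_seconds`."""
    failures = defaultdict(deque)   # source IP -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue                 # not a pattern we care about (e.g. "Accepted publickey")
        stamp, user, src = m.groups()
        ts = parse_syslog_ts(stamp)
        window = failures[src]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()         # forget failures older than the window
        if len(window) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "count": len(window), "last_user": user, "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print("ALERT ssh brute force:", alert)
```

    With the default threshold of five failures in sixty seconds only 203.0.113.7 is reported; the two failures from 198.51.100.9 are six minutes apart and stay below the line. Tuning `threshold` and `window_seconds` is exactly the false-positive versus false-negative trade-off described later in this post.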

    File integrity checking mechanisms are HIDS products that check for issues such as Trojan horses or files that have been unexpectedly modified, indicating that an attack is in progress or has already taken place. This includes protective mechanisms such as a system integrity verifier, which looks for changes to files or other objects, such as the Windows registry, that may be a sign of a compromise.

    IDS Detection Methods
    What makes everything work is the rule engine, but the inner workings vary from one type of detection to another. In systems like this there will always be a risk of generating false positives (benign activity reported as an attack) or false negatives (a real attack that goes unreported). As the database that holds the patterns and signatures grows large, the time it takes to analyze traffic increases, reducing performance and increasing the risk of traffic being dropped and hence not analyzed. Even small variations in a known attack can require multiple signatures for that single attack. Signature files therefore need to be updated regularly to avoid the majority of false negatives.

    Signature Detection
    One detection method is signature-based detection or recognition, sometimes referred to as misuse detection. The system compares traffic to known models of attacks and, when a match is found, reports the attack.

    Pattern matching is the most basic kind of detection and is widely used. It relies on comparing known patterns or byte sequences against the traffic the system has captured, including header fields such as the TCP flags of a packet.
    Signature recognition is effective at detecting known attacks and poor at detecting ones not in the database. There is also a possibility that legitimate traffic may trigger a false positive.
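    The block below is an added example of signature matching, written for this post and not taken from any IDS product. It runs two Snort-style signatures, one on TCP flags (the FIN+PSH+URG "Xmas" combination) and one on a payload string, over a handful of constructed packets (addresses and payloads are made up). The third packet carries the same attack with one byte percent-encoded, which illustrates both the false negative a small variation causes and why engines normalize traffic before matching.

```python
from urllib.parse import unquote_to_bytes

# Constructed packets, already decoded into dicts; a real NIDS would parse them off the wire.
PACKETS = [
    {"src": "203.0.113.5", "dport": 80, "flags": {"FIN", "PSH", "URG"}, "payload": b""},
    {"src": "203.0.113.5", "dport": 80, "flags": {"PSH", "ACK"},
     "payload": b"GET /cgi-bin/test.cgi?cmd=/bin/sh HTTP/1.0\r\n\r\n"},
    {"src": "203.0.113.5", "dport": 80, "flags": {"PSH", "ACK"},
     "payload": b"GET /cgi-bin/test.cgi?cmd=/bin/%73h HTTP/1.0\r\n\r\n"},   # same attack, "s" percent-encoded
    {"src": "198.51.100.2", "dport": 80, "flags": {"PSH", "ACK"},
     "payload": b"GET /index.html HTTP/1.1\r\n\r\n"},
]

# Signatures in the spirit of a Snort rule: header conditions plus an optional content match.
SIGNATURES = [
    {"name": "SCAN XMAS probe", "flags": {"FIN", "PSH", "URG"}, "flags_exact": True},
    {"name": "WEB /bin/sh in request", "dport": 80, "content": b"/bin/sh", "nocase": True},
]


def matches(pkt, sig):
    """True when every condition the signature states holds for the packet."""
    if "dport" in sig and pkt["dport"] != sig["dport"]:
        return False
    if "flags" in sig:
        if sig.get("flags_exact") and pkt["flags"] != sig["flags"]:
            return False
        if not sig.get("flags_exact") and not sig["flags"] <= pkt["flags"]:
            return False
    if "content" in sig:
        hay, needle = pkt["payload"], sig["content"]
        if sig.get("nocase"):
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True


def scan(packets, signatures):
    """Return (packet index, signature name) for every match, in packet order."""
    return [(i, sig["name"])
            for i, pkt in enumerate(packets)
            for sig in signatures
            if matches(pkt, sig)]


def normalize(pkt):
    """Percent-decode the payload before matching, as an HTTP preprocessor would."""
    return dict(pkt, payload=unquote_to_bytes(pkt["payload"]))


if __name__ == "__main__":
    print("raw:       ", scan(PACKETS, SIGNATURES))
    print("normalized:", scan([normalize(p) for p in PACKETS], SIGNATURES))
```

    Run against the raw packets the engine reports the Xmas probe and the first `/bin/sh` request but misses the encoded one; after normalization all three fire. Without the normalization step the only alternative is a second signature for every encoding, which is how signature databases grow.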

    Anomaly Detection
    This kind of detection is very different from signature detection in how it identifies potentially malicious activity. Rather than matching traffic against a database of known attack patterns, it treats any deviation from normal traffic as a possible attack. The system must first be taught what normal activity on the network looks like so that it can detect deviations from that traffic baseline; if this is not done correctly the result will be false positives and false negatives. Such a system is usually configured to run for a period of time in learning mode until sufficient traffic has passed and a baseline can be established, and is then switched to active mode. A baseline learned while an attacker is already active will treat that activity as normal, so the learning period must cover clean traffic. This is also sometimes referred to as statistical anomaly-based detection.
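    Added example of statistical anomaly detection, written for this post rather than taken from any product: a detector learns the mean and standard deviation of a metric (here, a constructed series of new outbound connections per minute from one workstation) in learning mode, is switched to active mode, and then flags any observation more than three standard deviations from the mean. The same functions show the poisoned-baseline problem mentioned above.

```python
import math

# Constructed learning-mode samples: new outbound connections per minute from one workstation.
TRAINING = [12, 15, 11, 14, 13, 16, 12, 14, 15, 13, 12, 14, 11, 15, 13, 14, 12, 13, 15, 14]


def learn_baseline(samples):
    """Summarise the learning-mode samples as mean and sample standard deviation."""
    n = len(samples)
    mean = sum(samples) / n
    var = sum((x - mean) ** 2 for x in samples) / (n - 1)
    return {"mean": mean, "stdev": math.sqrt(var), "n": n}


def is_anomalous(baseline, value, threshold=3.0):
    """Flag a value lying more than `threshold` standard deviations from the learned mean."""
    if baseline["stdev"] == 0:
        return value != baseline["mean"]
    z = (value - baseline["mean"]) / baseline["stdev"]
    return abs(z) > threshold


class StatisticalAnomalyDetector:
    """learn() collects samples in learning mode; activate() freezes the baseline; observe() alerts."""

    def __init__(self, threshold=3.0):
        self.threshold = threshold
        self.samples = []
        self.baseline = None          # None means still in learning mode

    def learn(self, value):
        if self.baseline is not None:
            raise RuntimeError("detector is already in active mode")
        self.samples.append(value)

    def activate(self):
        self.baseline = learn_baseline(self.samples)

    def observe(self, value):
        if self.baseline is None:
            raise RuntimeError("detector is still in learning mode")
        return is_anomalous(self.baseline, value, self.threshold)


if __name__ == "__main__":
    det = StatisticalAnomalyDetector()
    for v in TRAINING:
        det.learn(v)
    det.activate()
    for v in (14, 17, 18, 400):
        print(v, "anomalous" if det.observe(v) else "normal")
```

    With the clean baseline (mean 13.4, standard deviation about 1.43) a reading of 17 passes and 18 is flagged, so a worm opening 400 connections a minute is caught immediately. If that same 400-connection minute had been part of the learning period, the inflated standard deviation would let a later reading of 100 through unflagged, which is the false negative a badly chosen learning window produces.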

    Protocol Anomaly Detection
    Protocol anomaly detection is based on anomalies that are specific to a given protocol. To determine what counts as an anomaly, the IDS uses the known specification for the particular protocol as a model and compares traffic against it. This kind of detection can discover new or unknown attacks because it relies on misuse of the protocol itself rather than on a known attack string. Protocols rarely change, whereas the signatures in a database may need updating each time an attack changes, so protocol anomaly detection rarely requires updates. This is also sometimes referred to as stateful protocol analysis.
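    As an added example of protocol anomaly detection for this post (not code from any IDS), the block below checks an HTTP/1.x request head against the request-line and header grammar of RFC 9112: the method must be a token from a known set, the version must be HTTP/1.0 or 1.1, the request-target may contain no control bytes, header names must be tokens, an HTTP/1.1 request needs exactly one Host header, and conflicting Content-Length values are reported. None of these checks name an attack, yet a NUL byte in the method or duplicate Content-Length headers are flagged without any signature for the specific exploit. The sample requests are constructed for the example.

```python
import re

TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # tchar from RFC 9110
VERSION = re.compile(rb"^HTTP/1\.[01]$")
KNOWN_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"TRACE", b"PATCH", b"CONNECT"}

# Constructed requests; the "bad" ones model protocol-abuse patterns, not a specific exploit.
SAMPLES = {
    "clean": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: test\r\n\r\n",
    "no_host": b"GET /index.html HTTP/1.1\r\nUser-Agent: test\r\n\r\n",
    "dup_content_length": b"POST /upload HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\nContent-Length: 50\r\n\r\nhello",
    "nul_in_method": b"GET\x00 / HTTP/1.1\r\nHost: a\r\n\r\n",
    "bogus_version": b"GET / HTTP/9.9\r\nHost: a\r\n\r\n",
}


def check_http_request(raw, max_line=8192):
    """Compare one HTTP/1.x request head with the RFC 9112 grammar; return the anomalies found."""
    anomalies = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        anomalies.append("header block not terminated by CRLF CRLF")
    lines = head.split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]
    if len(request_line) > max_line:
        anomalies.append("request line longer than %d bytes" % max_line)
    parts = request_line.split(b" ")
    if len(parts) != 3:
        anomalies.append("request line does not have exactly three SP-separated parts")
        return anomalies
    method, target, version = parts
    if not TOKEN.match(method):
        anomalies.append("method is not a token: %r" % method)
    elif method not in KNOWN_METHODS:
        anomalies.append("unknown method: %r" % method)
    if not target or any(c <= 0x20 or c == 0x7F for c in target):
        anomalies.append("empty request-target or control/whitespace byte inside it")
    if not VERSION.match(version):
        anomalies.append("unsupported HTTP version: %r" % version)

    host_count, content_lengths = 0, []
    for line in header_lines:
        name, colon, value = line.partition(b":")
        if not colon:
            anomalies.append("header line without a colon: %r" % line[:40])
            continue
        if not TOKEN.match(name):
            anomalies.append("invalid header field name: %r" % name)
        if b"\r" in value or b"\n" in value:
            anomalies.append("bare CR or LF inside header value")
        if name.lower() == b"host":
            host_count += 1
        if name.lower() == b"content-length":
            content_lengths.append(value.strip())
    if version == b"HTTP/1.1" and host_count != 1:
        anomalies.append("HTTP/1.1 request must carry exactly one Host header")
    if len(set(content_lengths)) > 1:
        anomalies.append("conflicting Content-Length headers (request smuggling pattern)")
    for cl in content_lengths:
        if not cl.isdigit():
            anomalies.append("non-numeric Content-Length: %r" % cl)
    return anomalies


if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(label, "->", check_http_request(req) or "conforms")
```

    The rule set here is derived from the RFC, not from any attack, which is the point of the method: a new exploit that still has to violate the grammar to work is caught the day it appears, while a "clean" request stays silent. The cost is that a request that abuses an application while staying inside the protocol grammar is invisible to this layer, so protocol anomaly detection complements rather than replaces signatures.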

    Intrusion Prevention Systems (IPS), also known as Intrusion Detection and Prevention Systems (IDPS), are very much like intrusion detection systems and come in much the same flavors. The major difference is the added capability to mitigate the attack, by dropping the offending traffic inline, reconfiguring network devices such as firewalls and routers, or locking down the system at the host level. Wireless Intrusion Prevention Systems (WIPS) also exist but are limited to protecting wireless traffic. Network Behavior Analysis (NBA) attempts to identify threats that generate unusual traffic patterns, such as DDoS, traffic generated by malware, and policy violations.
    Certified Security Geek