An intrusion detection system (IDS) is a device or software application that monitors network and/or system
activities for malicious activities or policy violations and produces reports
to a Management Station. Some systems may attempt to stop an intrusion attempt
but this is neither required nor expected of a monitoring system. Intrusion
detection and prevention systems (IDPS) are primarily focused on identifying possible
incidents, logging information about them, and reporting attempts. In addition,
organizations use IDPSes for other purposes, such as identifying problems with
security policies, documenting existing threats, and deterring individuals from
violating security policies. IDPSes have become a necessary addition to the
security infrastructure of nearly every organization.
IDPSes typically record
information related to observed events, notify security administrators of
important observed events, and produce reports. Many IDPSes can also respond to
a detected threat by attempting to prevent it from succeeding. They use several
response techniques, which involve the IDPS stopping the attack itself,
changing the security environment (e.g., reconfiguring a firewall), or changing
the attack’s content.
Terminology
§ Alert/Alarm: A signal suggesting that a system has been or is being attacked.
§ True Positive: A legitimate attack which triggers an IDS to produce an alarm.
§ False Positive: An event signaling an IDS to produce an alarm
when no attack has taken place.
§ False Negative: A failure of an IDS to detect an actual attack.
§ True Negative: When no attack has taken place and no alarm is raised.
§ Noise: Data or interference that can trigger a false positive.
§ Site policy: Guidelines within an organization that control the rules and
configurations of an IDS.
§ Site policy awareness: An IDS's ability to dynamically change its rules
and configurations in response to changing environmental activity.
§ Confidence value: A value an organization places on an IDS based
on past performance and analysis to help determine its ability to effectively
identify an attack.
§ Alarm filtering: The process of categorizing attack alerts
produced from an IDS in order to distinguish false positives from actual
attacks.
§ Attacker or Intruder: An entity who tries to find a way to gain
unauthorized access to information, inflict harm or engage in other malicious
activities.
§ Masquerader: A user who is not authorized to use a system but tries to
access its information as if they were an authorized user. Masqueraders are generally outside users.
§ Misfeasor: Commonly an internal user; misfeasors are of two types:
1. An authorized user with limited permissions.
2. A user with full permissions who misuses those powers.
§ Clandestine user: A user who acts as a supervisor and uses those
privileges to avoid being caught.
Types
§ For IT environments, there are two main types of IDS:
§ Network intrusion detection system (NIDS): an independent
platform that identifies intrusions by examining network traffic and monitors
multiple hosts. Network intrusion detection systems gain access to network
traffic by connecting to a network hub, a network switch configured for port mirroring, or a network tap. In a NIDS,
sensors are located at choke points in the network to be monitored, often in
the demilitarized zone (DMZ) or at network borders. Sensors capture all
network traffic and analyze the content
of individual packets for malicious traffic. An example of a NIDS is Snort.
§ Host-based intrusion detection system (HIDS): consists of an agent
on a host that identifies intrusions by analyzing system calls, application
logs, file-system modifications (binaries, password files, capability
databases, access control lists,
etc.) and other host activities and state. In a HIDS, sensors usually consist
of a software agent. Some application-based IDS are also part of
this category. Examples of HIDS are Tripwire and OSSEC.
§ Stack-based intrusion detection system (SIDS): an evolution of the HIDS.
Packets are examined as they pass through the TCP/IP stack, so the sensor
does not need to operate the network interface in promiscuous
mode. This makes the implementation dependent on the operating
system in use. Intrusion detection
systems can also be system-specific, using custom tools and honeypots.
In a passive
system, the intrusion detection system (IDS) sensor detects a potential
security breach, logs the information and signals an alert on the console
and/or to the owner. In a reactive system,
also known as an intrusion prevention
system (IPS), the IPS responds automatically to the suspicious activity by
resetting the connection or by reprogramming the firewall to block network
traffic from the suspected malicious source. The term IDPS is commonly used
for systems that both detect (alert) and prevent, whether the response
happens automatically or at the command of an operator.
Comparison with Firewalls
Though they both relate to
network security, an intrusion detection system (IDS) differs from a firewall
in that a firewall looks outwardly for intrusions in order to stop them from
happening. Firewalls limit access between networks to prevent intrusion and do
not signal an attack from inside the network. An IDS evaluates a suspected
intrusion once it has taken place and signals an alarm. An IDS also watches for
attacks that originate from within a system. This is traditionally achieved by
examining network communications, identifying heuristics and patterns (often
known as signatures) of common computer attacks, and taking action to alert
operators. A system that terminates connections is called an intrusion
prevention system, and is another
form of an application
layer firewall.
All intrusion detection systems
use one of two detection techniques:
Statistical anomaly-based IDS
A statistical anomaly-based IDS
first determines what normal network activity looks like, such as how much bandwidth is generally
used, which protocols are used, and which ports and devices generally connect to each
other, and alerts the administrator or user when traffic is detected that
deviates from that baseline (anomalous traffic).
Signature-based IDS
A signature-based IDS monitors
packets on the network and compares them with pre-configured, pre-determined
attack patterns known as signatures. The issue is that there will be a lag
between a new threat being discovered and a signature for it being applied in the IDS.
During this lag the IDS will be unable to identify
the threat.
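The two detection techniques, and the true/false positive and negative terms defined earlier, can be seen together in one small experiment. This is an added example, not code from the page or from any real IDS: a signature matcher and a statistical anomaly detector run over the same constructed connection records, and each detector's alerts are scored against known ground truth. The records, the single signature, the baseline sizes and the z-score threshold are all invented for illustration.

```python
import re
import statistics

# Constructed records: (source, bytes_transferred, payload_snippet, is_attack).
# The last field is ground truth the detectors never see; it is used only for scoring.
RECORDS = [
    ("10.0.0.5", 1200, "GET /index.html", False),
    ("10.0.0.5", 1350, "GET /about.html", False),
    ("10.0.0.6", 900, "TLS client hello", False),
    ("10.0.0.7", 500000, "GET /update.bin", False),        # legitimate bulk download (noise)
    ("10.0.0.8", 980000, "GET /export.zip", True),         # abnormal volume, no signature exists
    ("10.0.0.9", 1400, "GET /?id=1 UNION SELECT", True),   # matches a known signature
    ("10.0.0.10", 1250, "GET /?q=1 OR 1=1", True),         # newer variant, no signature yet (lag)
]

# Signature-based: a pre-determined pattern list; anything not in it is invisible.
SIGNATURES = {"sqli-union": re.compile(r"UNION\s+SELECT", re.I)}

# Anomaly-based: byte counts observed during a learning period of normal traffic (constructed).
BASELINE_SIZES = [1200, 1350, 900, 1100, 1250, 1300, 1000, 1150]


def signature_alerts(records):
    """Indices of records whose payload matches any configured signature."""
    return {i for i, r in enumerate(records) if any(s.search(r[2]) for s in SIGNATURES.values())}


def anomaly_alerts(records, baseline=BASELINE_SIZES, z_threshold=3.0):
    """Indices of records whose size exceeds the baseline mean by more than z_threshold stdevs."""
    mean, stdev = statistics.mean(baseline), statistics.pstdev(baseline)
    return {i for i, r in enumerate(records) if (r[1] - mean) / stdev > z_threshold}


def score(records, alerts):
    """Confusion counts in the page's terminology: TP, FP, FN, TN."""
    counts = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for i, r in enumerate(records):
        attack, alerted = r[3], i in alerts
        key = ("TP" if attack else "FP") if alerted else ("FN" if attack else "TN")
        counts[key] += 1
    return counts


if __name__ == "__main__":
    sig, anom = signature_alerts(RECORDS), anomaly_alerts(RECORDS)
    print("signature:", score(RECORDS, sig))    # misses both unsigned attacks (FN)
    print("anomaly:  ", score(RECORDS, anom))   # also flags the bulk download (FP)
    print("combined: ", score(RECORDS, sig | anom))
```

The unsigned variant is a false negative for both detectors, which is the signature lag the text describes, while the bulk download is the noise that turns into an anomaly-based false positive; alarm filtering is the step that sorts those out.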