An Introduction to Intrusion Detection Systems

An overview of IDS and how they are used to avert risk.

© Michael Davis

Mar 1, 2009
Electronic Surveillance, kevinrosseel
The first step toward ensuring the security of a network is understanding how unwanted access can be detected and prevented. This means learning about the types of IDS.

Intrusion detection systems (IDS) are controls put in place to inspect network traffic. An IDS detects actions on the network that appear questionable and alerts the system or the network administrator. Some of these systems are also empowered to respond to an intrusion by blocking the offending user or source IP address from re-entering the network.

Typically, an unauthorized network entry can be detected via “information passing on the wire between hosts,” according to Paul Innella of Tetrad Digital Integrity. IDS devices “intercept packets [of information] traveling along various communication mediums and protocols, usually TCP/IP” (Innella). Network-based IDS and host-based IDS exist as specialized forms of detection system. Some IDS look for the specific profiles of particular threats, much as antivirus programs maintain a virus database.

Network and Host IDS

Network Intrusion Detection Systems (NIDS) sit at a strategic location in the network in order to check traffic flowing in and out of all devices. While it would be desirable, from a security point of view, to scan everything, doing so would slow the network down. Therefore, NIDS focus only on strategic locations.

Host Intrusion Detection Systems (HIDS) operate on individual hosts or devices. A HIDS checks all outgoing and incoming data packets for the device in question and is device-specific. These systems can be classified as (1) file system monitors; (2) logfile analyzers; (3) connection analyzers; and (4) “kernel-based” systems (Boer and Pels 5).

Signature and Anomaly Based IDS

Signature-based IDS monitor packets by comparing them against a database of known malware signatures. The only drawback to this sort of IDS is the time lag between the discovery of a new threat and its signature being added to the IDS database, which leaves the network “blind” for the interim.

Anomaly-based IDS examine network traffic and compare it with an established baseline. The baseline is the norm for the network in terms of bandwidth, protocols, ports, and types of devices. If anomalous activity is detected, the IDS alerts the administrator. The fundamental idea behind anomaly-based systems is that “‘attack behavior’ differs enough from ‘normal user behavior’ that it can be detected by cataloging and identifying the differences involved” (Shimonski).
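To make the two detection strategies concrete, here is a small added Python illustration (not from the article or any of its cited sources) that runs a signature-based check and an anomaly-based check over constructed flow records; the Flow class, signature names, addresses and byte counts are all invented. It also shows the “blind” interim described above: the unknown tool has no signature yet, so only the baseline comparison catches it.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Flow:
    """One constructed flow record: who sent it, to which service, how much, and what it carried."""
    src: str
    proto: str
    dport: int
    nbytes: int
    payload: bytes

# Constructed "known threat" database: byte patterns catalogued from earlier attacks.
SIGNATURES = {"shell-exec-marker": b"/bin/sh -i", "sql-tautology": b"' OR 1=1"}

def signature_alerts(flows):
    """Signature-based check: flag payloads that match a catalogued pattern.
    A threat whose pattern is not yet in SIGNATURES passes silently."""
    return [(f.src, name) for f in flows
            for name, pat in SIGNATURES.items() if pat in f.payload]

def build_baseline(normal_flows, k=3.0):
    """Anomaly-based learning: record the (protocol, port) pairs seen during normal
    operation and a per-flow byte threshold of mean + k standard deviations."""
    services = {(f.proto, f.dport) for f in normal_flows}
    sizes = [f.nbytes for f in normal_flows]
    return services, mean(sizes) + k * pstdev(sizes)

def anomaly_alerts(flows, baseline):
    """Anomaly-based check: alert on services absent from the baseline or on
    flows far larger than the learned norm."""
    services, threshold = baseline
    alerts = []
    for f in flows:
        if (f.proto, f.dport) not in services:
            alerts.append((f.src, "unbaselined-service"))
        elif f.nbytes > threshold:
            alerts.append((f.src, "volume-outlier"))
    return alerts

# Constructed training traffic: ordinary HTTP and DNS flows of roughly 500 bytes each.
SIZES = [500, 520, 480, 510, 490, 505, 495, 515, 485, 500]
NORMAL = [Flow("10.0.0.5", "tcp" if i % 2 else "udp", 80 if i % 2 else 53, n, b"normal request")
          for i, n in enumerate(SIZES)]
# Constructed test traffic: one known pattern, one unknown tool on an unusual port, one bulk transfer.
SUSPECT = [Flow("10.0.0.9", "tcp", 80, 500, b"id=1' OR 1=1 --"),
           Flow("10.0.0.9", "tcp", 4444, 300, b"new-tool-beacon"),
           Flow("10.0.0.7", "tcp", 80, 200_000, b"POST /upload HTTP/1.1")]

if __name__ == "__main__":
    print(signature_alerts(SUSPECT), anomaly_alerts(SUSPECT, build_baseline(NORMAL)))
```

Note that each detector misses something the other catches: the signature check is silent on the unbaselined port 4444 flow, and the anomaly check is silent on the known pattern riding over an ordinary HTTP connection of ordinary size.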

Two Examples of IDS in Action

Example 1 (NIDS): a college student tries to upload a computer virus to a university network from an on-campus lab. A NIDS has been installed in a tactically advantageous location to check the traffic emanating from the lab workstations. The NIDS locks down the computer and logs the user ID.

Example 2 (HIDS): a financial company maintains off-site commercial IT storage to provide redundancy and disaster recovery. By analyzing incoming data packets, the HIDS determines that a third party has made unauthorized attempts to access this storage. The HIDS alerts the vendor and the company’s network administrator.

References:

Boer, Pieter and Martin Pels. “Host-based Intrusion Detection Systems.” Retrieved on March 1, 2009 from: http://staff.science.uva.nl/~delaat/snb-2004-2005/p19/report.pdf

Bradley, Tony. “Introduction to Intrusion Detection Systems (IDS).” Retrieved on March 1, 2009 from: http://netsecurity.about.com/cs/hackertools/a/aa030504.htm

Innella, Paul. “The Evolution of Intrusion Detection Systems.” Retrieved on March 1, 2009 from: http://www.securityfocus.com/infocus/1514

Shimonski, Robert. “What You Need to Know About Intrusion Detection Systems.” Retrieved on March 1, 2009 from: http://www.windowsecurity.com/articles/What_You_Need_to_Know_About_Intrusion_Detection_Systems.html


The copyright of the article An Introduction to Intrusion Detection Systems in Internet Security is owned by Michael Davis. Permission to republish An Introduction to Intrusion Detection Systems in print or online must be granted by the author in writing.
