What is an Intrusion Detection System (IDS)?

An Intrusion Detection System is used to detect all types of malicious network traffic and computer usage that can’t be detected by a conventional firewall. This includes network attacks against vulnerable services, data-driven attacks on applications, host-based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware.

An IDS is composed of three components:

  1. Sensors: sense the network traffic or system activity and generate events.
  2. Console: monitors events and alerts and controls the sensors.
  3. Detection Engine: records events logged by the sensors in a database and uses a system of rules to generate alerts from the received security events.



An IDS can only detect an attack. It cannot prevent attacks. In contrast, an IPS prevents attacks by detecting them and stopping them before they reach the target.

Types of Intrusion Detection System
  • Host-based Intrusion Detection System

A HIDS consists of an agent on a host which identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability/ACL databases) and other host activities and state.

HIDS analyzes the traffic to and from the specific computer on which the intrusion detection software is installed.

For example:

  • OSSEC – Open Source Host-based Intrusion Detection System
  • Tripwire
  • AIDE – Advanced Intrusion Detection Environment
  • Prelude Hybrid IDS

In HIDS, anti-threat applications such as firewalls, antivirus software, and spyware-detection programs are installed on every network computer that has two-way access to the outside environment such as the Internet.

  • Network Intrusion Detection System

An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any detected activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system.

A SIEM system combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms.

Additionally, a NIDS is unable to decrypt encrypted traffic. In other words, it can only monitor and assess threats on the network from traffic sent in plaintext or non-encrypted traffic.

Important tools for NIDS
  • Snort

Snort’s open source network-based intrusion detection system (IDS) has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort performs protocol analysis, content searching, and matching.

For example, the sensor on the Internet side of the firewall will see all the traffic. The program can be used to detect probes or attacks, including but not limited to operating system fingerprinting attempts, URL attacks, buffer overflows, and server message block probes.

A sensor on the internal side of a firewall will only see the traffic that passes through the firewall.

  • Signature-Based Detection

Signature-based detection refers to the detection of attacks by looking for specific patterns, such as byte sequences in network traffic, or known malicious instruction sequences used by malware.

For example, you might use a signature that looks for particular strings within an exploit payload to detect attacks that are attempting to exploit a particular buffer-overflow vulnerability. The events generated by a signature-based IDS can communicate what caused the alert.

Also, pattern matching can be performed very quickly on modern systems so the amount of power needed to perform these checks is minimal for a confined rule set.
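The matching described above can be sketched as follows. This is an added example, not code from the original article or from Snort; the signature IDs, messages, patterns and sample packets are all constructed for illustration. Each alert records which pattern matched and at what offset, which is how a signature-based IDS communicates what caused the alert.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Signature:
    sid: int
    msg: str
    dst_port: Optional[int]    # None means any destination port
    contents: tuple            # every byte pattern must appear in the payload
    nocase: bool = False

# Constructed signatures for illustration; not taken from any real rule set.
SIGNATURES = (
    Signature(1000001, "Long NOP run in payload (possible overflow attempt)",
              None, (b"\x90" * 32,)),
    Signature(1000002, "Directory traversal in HTTP request",
              80, (b"GET ", b"../../"), nocase=True),
)

def match(sig, dst_port, payload):
    """Return [(pattern, offset), ...] if the signature fires, else None."""
    if sig.dst_port is not None and sig.dst_port != dst_port:
        return None
    haystack = payload.lower() if sig.nocase else payload
    hits = []
    for pattern in sig.contents:
        offset = haystack.find(pattern.lower() if sig.nocase else pattern)
        if offset < 0:
            return None
        hits.append((pattern, offset))
    return hits

def inspect(packets):
    alerts = []
    for src, dst_port, payload in packets:
        for sig in SIGNATURES:
            hits = match(sig, dst_port, payload)
            if hits is not None:
                alerts.append({"sid": sig.sid, "msg": sig.msg, "src": src,
                               "dst_port": dst_port, "matched": hits})
    return alerts

# Constructed sample traffic: (source address, destination port, payload)
PACKETS = [
    ("198.51.100.7", 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("198.51.100.9", 80, b"get /cgi-bin/../../notes.txt HTTP/1.0\r\n\r\n"),
    ("203.0.113.5", 21, b"USER " + b"\x90" * 40 + b"\r\n"),
    ("203.0.113.8", 8080, b"GET /a/../../b HTTP/1.1\r\n\r\n"),  # missed: rule is port 80 only
]
```

The last packet carries the same traversal pattern but goes unreported because the signature is scoped to port 80: a confined rule set is cheap to evaluate, but anything outside its scope passes silently.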

  • Anomaly-Based Detection

Anomaly-Based detection is designed to detect abnormal behavior in the system. The normal usage pattern is baselined and alerts are generated when usage deviates from the normal behavior.

The IDPS first creates a baseline profile that represents the normal behavior of the traffic. If any traffic is then found to deviate from the baseline, the IDS triggers an alert for a suspected intrusion.

Anomaly-based detection is similar to how heuristic-based antivirus software works. Although the internal methods are different, both examine activity and make decisions that are outside the scope of a signature or definition database.

This can be effective at discovering zero-day exploits. A zero-day vulnerability is usually defined as one that is unknown to the vendor.

Features of IDS
  • Physical Intrusion Detection System

Physical intrusion detection is the act of identifying threats to physical systems. In many cases, physical intrusion detection systems act as prevention systems.

Examples of Physical Intrusion Detection System

  1. Security Guards
  2. Security Cameras
  3. Access Control Systems (Card, Biometric)
  4. Firewalls
  5. Man Traps
  • Wireless Detection

Intrusion detection systems have also been developed for use on wireless networks. These wireless IDSs can monitor and analyze user and system activities, recognize patterns of known attacks, identify abnormal network activity, and detect policy violations for WLANs.

Wireless IDSs gather all local wireless transmissions and generate alerts based either on predefined signatures or on anomalies in the traffic.

A Wireless IDS is similar to a standard, wired IDS, but has additional deployment requirements as well as some unique features specific to WLAN intrusion and misuse detection.

Wireless intrusion detection systems are an important addition to the security of wireless local area networks. While there are drawbacks to implementing a wireless IDS, the benefits will most likely prove to outweigh the downsides.

  • False Positive VS False Negative

False negative (FN): represents the number of intrusions seen by the IDS as normal.

False positive (FP): represents the number of normal activities seen by the IDS as intrusions.

A false negative is when an attacker is actively attacking the network, but the system does not detect it. Neither is desirable, but it’s impossible to eliminate both. Most IDSs trigger an alert or alarm when an event exceeds a threshold.

The term false positive is a broad one that describes a situation in which a NIDS device triggers an alarm when there is no malicious activity or attack occurring. Synonymous terms for this condition are false alarm and benign trigger.
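The baseline-and-threshold approach from the anomaly-based detection section, and the false positive / false negative trade-off described here, can be worked through together. This is an added example, not code from the original article; the metric (failed logins per minute), the z-score scoring and all sample values are assumptions constructed for illustration.

```python
from statistics import mean, stdev

# Constructed training window: failed logins per minute during known-normal operation
BASELINE = [3, 5, 4, 6, 2, 5, 4, 3, 6, 4, 5, 3]

# Constructed labelled observations: (failed logins per minute, is_intrusion)
OBSERVED = [
    (4, False), (6, False),
    (9, False), (11, False),            # benign bursts, e.g. after a password policy change
    (8, True),                          # slow password guessing that stays close to normal
    (14, True), (25, True), (40, True),
    (5, False), (3, False),
]

def build_profile(samples):
    """Baseline profile of normal behavior: (mean, standard deviation)."""
    mu, sigma = mean(samples), stdev(samples)
    if sigma == 0:
        raise ValueError("baseline has no variance; cannot score deviations")
    return mu, sigma

def score(value, profile):
    """How many standard deviations the value lies above the baseline mean."""
    mu, sigma = profile
    return (value - mu) / sigma

def evaluate(threshold, profile, observed):
    """Count outcomes when an alert fires on score > threshold."""
    counts = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for value, is_intrusion in observed:
        alerted = score(value, profile) > threshold
        if is_intrusion:
            counts["TP" if alerted else "FN"] += 1
        else:
            counts["FP" if alerted else "TN"] += 1
    return counts

def sweep(thresholds=(2.0, 4.0, 6.0)):
    """Evaluate the same observations under several alert thresholds."""
    profile = build_profile(BASELINE)
    return {t: evaluate(t, profile, OBSERVED) for t in thresholds}
```

With this data the lowest threshold catches every intrusion but raises two false alarms, while the highest raises none and misses the slow guessing attempt. No threshold removes both, because one benign burst scores higher than one real intrusion.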

  • Reporting

IDSs report an activity or attack based on their settings. Not all activity is an attack or an actual issue; instead, the IDS provides a report indicating that an event might be an alert or an alarm. Administrators investigate to determine if it is valid.

The actual reporting mechanism varies from system to system and in different organizations. For example, one IDS might write the event into a log as an alarm or alert, and then send an email to an administrator account.

In a large network operations centre (NOC), the IDS might send an alert to a monitor easily viewable by all personnel in the NOC.

  • IDS Response

Each IDS will respond to external stimulation in different ways, depending on its configuration and functions.

  • Passive IDS. A passive IDS logs the attack and may also raise an alert to notify someone. Most IDSs are passive by default. The notification can come in many forms, including an email, a text message, a pop-up window, or a notification on a central monitor.
  • Active IDS. An active IDS logs and notifies personnel just as a passive IDS does, but it can also change the environment to thwart or block the attack.

For example, it can modify access control lists (ACLs) on firewalls to block offending traffic, or divert the attack to a safe environment, such as a honeypot.

Sensor Placement for network IDS

Because a NIDS works in relation to the network architecture, you will need to figure out where to place the IDS sensors that actually “sniff” the wire and monitor your network traffic.

Intrusion detection systems and network switches don’t get along, so you need to understand how traffic flows to and from the resources you need to protect in order to establish the best place(s) to monitor. One of the most obvious places to put an IDS sensor is inside the firewall, on the segment that connects the firewall to the internal network, to monitor for intrusions targeting DNS and mail servers.

If attackers compromise the server, the IDS has the best chance of detecting either the original penetration or the resulting activity originating from the compromised host.

The logic is that the firewall will prevent the attacks aimed at the organization.

  • Host Integration For HIDS

A host-based intrusion detection system (HIDS) is an intrusion detection system that is capable of monitoring and analyzing the internals of a computing system as well as the network packets on its network interfaces.

Before setting up a host IDS you should allow for adequate testing, which lets an operator get familiar with the operation of each piece of the software.

As an additional example, a HIDS will report when a user process alters the system password file. This would happen if an intruder added an account.

It also happens, however, when a user changes his or her password. The IDS analyst needs time to become familiar with the correct operation of each system so that he or she can properly diagnose deviations from “normal” alarms.
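The password-file case above can be turned into a triage step that separates a routine password change from a newly added account. This is an added example, not code from the original article or from any HIDS product; it assumes two snapshots in the classic seven-field passwd(5) layout, and the accounts, placeholder hash strings and severity labels are constructed.

```python
FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")

def parse_passwd(text):
    """Parse passwd(5)-format text into {name: {field: value}}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed passwd line: {line!r}")
        entries[parts[0]] = dict(zip(FIELDS, parts))
    return entries

def triage(baseline_text, current_text):
    """Return (severity, account, reason) for each difference between snapshots."""
    old, new = parse_passwd(baseline_text), parse_passwd(current_text)
    findings = []
    for name in sorted(new.keys() - old.keys()):
        sev = "critical" if new[name]["uid"] == "0" else "high"
        findings.append((sev, name, f"account added with uid {new[name]['uid']}"))
    for name in sorted(old.keys() - new.keys()):
        findings.append(("medium", name, "account removed"))
    for name in sorted(old.keys() & new.keys()):
        changed = [f for f in FIELDS if old[name][f] != new[name][f]]
        if changed == ["password"]:
            # Expected when a user changes his or her own password
            findings.append(("info", name, "password changed"))
        elif changed:
            gained_root = new[name]["uid"] == "0" and old[name]["uid"] != "0"
            findings.append(("critical" if gained_root else "high", name,
                             "fields changed: " + ",".join(changed)))
    return findings

# Constructed snapshots; the hash strings are placeholders, not real hashes.
BASELINE_SNAPSHOT = """root:$6$constructed-hash-r:0:0:root:/root:/bin/bash
alice:$6$constructed-hash-a1:1000:1000:Alice:/home/alice:/bin/bash
www-data:*:33:33:www-data:/var/www:/usr/sbin/nologin
"""
CURRENT_SNAPSHOT = """root:$6$constructed-hash-r:0:0:root:/root:/bin/bash
alice:$6$constructed-hash-a2:1000:1000:Alice:/home/alice:/bin/bash
www-data:*:33:33:www-data:/var/www:/bin/bash
support:$6$constructed-hash-s:0:0::/home/support:/bin/bash
"""
```

Ranking the findings this way lets the analyst dismiss the routine password change quickly and spend time on the new UID 0 account and the service account that gained a login shell.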

  • Alarm Configuration

To protect your network, your IDS must generate alarms when it detects intrusive activity on your network. Different IDSs trigger alarms based on different types of network activity. The two most common triggering mechanisms are the following:

  • Anomaly detection
  • Misuse detection

Monitoring intrusive activity normally occurs at the following two locations:

  • Host-based
  • Network-based

IDSs come with configurable alarm levels. Some will integrate with network management stations, some allow paging, some send e-mail, and some can interoperate with firewalls to shut down all traffic from the network that originated the attack. If they trigger alarm after alarm, the people monitoring the system will stop paying attention. Remember, the IDS is not security’s saving grace; it is only a tool.

  • Integration Schedule

Install one sensor at a time. Don’t rush the installation in order to roll out the IDS capability in a short time span. It takes a certain amount of time for the administrators and analysts to gain familiarity with the peculiarities of a given system or network point, and the peculiarities may not be the same from point to point.

It is important that the staff assigned to monitor the Intrusion Detection Network System are familiar with the software and tools.

Preparing the system for IDS

Deciding on the placement of the IDS within the network is critical. The IDS machine must connect to a port that can see all traffic between the LAN and the Internet.

This means either connecting to a mirrored switch port or a hub located between the Internet connection and the LAN. If a firewall and only one IDS sensor is used, the sensor should be placed between the firewall and the LAN, for reasons that will be discussed later.

A Snort IDS setup can involve one or several independent machines, or many that report to a central database server.

A Windows box running Burn4Free (a freeware ISO burner) will work fine.

Snort is the part of the IDS that compares the patterns in captured packets against signatures of known attack packets.

If a packet matches a pattern in a selected signature, an alert is generated. Analyzing the alerts for meaningful data is no easy task, given the amount of data and its raw format presentation.

For example, MySQL is used as the database application here, but Microsoft SQL Server or Oracle may be used for the alert database as well. Populating a well-formatted database with Snort information is necessary for categorizing the information.

Administrating the IDS installation

After a successful installation, pointing a Web browser to the IDS will produce a summary alert window.

From here, intrusion-detection data may be analyzed efficiently. BASE offers many data aggregation and presentation tools. Each alert can be analyzed individually or as a group.


An IDS is an important part of a good security system architecture. It raises an alert when activity considered to be an attack is being performed. IDS solutions have their strengths and weaknesses, which must be measured and evaluated before you decide to deploy one on your network. An IDS is the best security software or tool and well worth the investment.


Ashwini Gurne

Ashwini Gurne is a software developer and also a contributor for Security leaks. As a contributor, her aim is to work on the latest technologies and to spread cyber awareness among the general public.
