IDS Architecture
Intrusion Detection (ID) is the process of monitoring for and identifying attempted unauthorized system access or manipulation. An ID system gathers and analyzes information from diverse areas within a computer or a network to identify possible security breaches which include both intrusions (attack from outside the organization) and misuse (attack from within the organization). An Intr
usion Detection System (IDS) are yet another tool in network administrator’s computer security arsenal. It inspects all the inbound and outbound network activity. The IDS identifies any suspicious pattern that may indicate an attack the system. The IDS acts as a security check on all transaction that take place in, and out of, the system.
Type of IDS
For the purpose of dealing with IT, there are four main types of IDS:
Network intrusion detection system (NIDS)
It is an independent platform that identifies intrusions by examining network traffic and monitors multiple hosts. Network intrusion detection systems gain access to network traffic by connecting to a network hub, network switch configured for port mirroring, or network tap. In a NIDS, sensors are located at choke points in the network to be monitored, often in the demilitarized zone (DMZ) or at network borders. Sensors capture all network traffic and analyze the content of individual packets for malicious traffic. An example of a NIDS isSnort.
Host-based intrusion detection system (HIDS)
It consists of an agent on a host that identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability databases, Access control lists, etc.) and other host activities and state. In a HIDS, sensors usually consist of a software agent. Some application-based IDS are also part of this category. An example of a HIDS is OSSEC.
Intrusion detection systems can also be system-specific using custom tools and honeypots. In the case of physical building security, IDS is defined as an alarm system designed to detect unauthorized entry.
Perimeter Intrusion Detection System (PIDS)
Detects and pinpoints the location of intrusion attempts on perimeter fences of critical infrastructures. Using either electronics or more advanced fiber optic cable technology fitted to the perimeter fence, the PIDS detects disturbances on the fence, and this signal is monitored and if an intrusion is detected and deemed by the system as an intrusion attempt, an alarm is triggered.
VM based Intrusion Detection System (VMIDS)
It detects the intrusion using virtual machine monitoring. By using this we can deploy the Intrusion Detection System with Virtual Machine Monitoring. It is the most recent one its still under progressing. No need of separate intrusion detection system by using this we can monitor the overall activities.
Comparison with Firewall
Though they both relate to network security, an intrusion detection system (IDS) differs from a firewall in that a firewall looks outwardly for intrusions in order to stop them from happening. Firewalls limit access between networks to prevent intrusion and do not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system. This is traditionally achieved by examining network communications, identifying heuristics and patterns (often known as signatures) of common computer attacks, and taking action to alert operators. A system that terminates connections is called an intrusion prevention system, and is another form of an application layer firewall.
Detection Model
All Intrusion Detection Systems use one of two detection techniques:
Statistical anomaly-based IDS
A statistical anomaly-based IDS establishes a performance baseline based on normal network traffic evaluations. It will then sample current network traffic activity to this baseline in order to detect whether or not it is within baseline parameters. If the sampled traffic is outside baseline parameters, an alarm will be triggered.
Signature-based IDS
Network traffic is examined for preconfigured and predetermined attack patterns known as signatures. Many attacks today have distinct signatures. In good security practice, a collection of these signatures must be constantly updated to mitigate emerging threats.
Indication of Intrusions
System Intrusions
File Intrusions
Network Intrusions
IDS Tools
Defense against IDS attack
Synopsis
An intrusion-detection system must be a part of every network security administrator’s defense plan. IDS monitor hosts for system alteration or sniff network packets off the wire, seeking for malicious contents. Security Administrators should contemplate using combinations of HIDS and NIDS, with both signature-detection and anomaly-based engines.
IDS can be configured purely as a monitoring and detection devices or it can participate as an inline device and prevent threats. IDS biggest weaknesses are the high number of false-positives and the signature maintenance effort needed to keep it up to date and fined tuned.
Intrusion Detection (ID) is the process of monitoring for and identifying attempted unauthorized system access or manipulation. An ID system gathers and analyzes information from diverse areas within a computer or a network to identify possible security breaches which include both intrusions (attack from outside the organization) and misuse (attack from within the organization). An Intr
usion Detection System (IDS) are yet another tool in network administrator’s computer security arsenal. It inspects all the inbound and outbound network activity. The IDS identifies any suspicious pattern that may indicate an attack the system. The IDS acts as a security check on all transaction that take place in, and out of, the system.
Type of IDS
For the purpose of dealing with IT, there are four main types of IDS:
Network intrusion detection system (NIDS)
It is an independent platform that identifies intrusions by examining network traffic and monitors multiple hosts. Network intrusion detection systems gain access to network traffic by connecting to a network hub, network switch configured for port mirroring, or network tap. In a NIDS, sensors are located at choke points in the network to be monitored, often in the demilitarized zone (DMZ) or at network borders. Sensors capture all network traffic and analyze the content of individual packets for malicious traffic. An example of a NIDS isSnort.
Host-based intrusion detection system (HIDS)
It consists of an agent on a host that identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability databases, Access control lists, etc.) and other host activities and state. In a HIDS, sensors usually consist of a software agent. Some application-based IDS are also part of this category. An example of a HIDS is OSSEC.
Intrusion detection systems can also be system-specific using custom tools and honeypots. In the case of physical building security, IDS is defined as an alarm system designed to detect unauthorized entry.
Perimeter Intrusion Detection System (PIDS)
Detects and pinpoints the location of intrusion attempts on perimeter fences of critical infrastructures. Using either electronics or more advanced fiber optic cable technology fitted to the perimeter fence, the PIDS detects disturbances on the fence, and this signal is monitored and if an intrusion is detected and deemed by the system as an intrusion attempt, an alarm is triggered.
VM based Intrusion Detection System (VMIDS)
It detects the intrusion using virtual machine monitoring. By using this we can deploy the Intrusion Detection System with Virtual Machine Monitoring. It is the most recent one its still under progressing. No need of separate intrusion detection system by using this we can monitor the overall activities.
Comparison with Firewall
Though they both relate to network security, an intrusion detection system (IDS) differs from a firewall in that a firewall looks outwardly for intrusions in order to stop them from happening. Firewalls limit access between networks to prevent intrusion and do not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system. This is traditionally achieved by examining network communications, identifying heuristics and patterns (often known as signatures) of common computer attacks, and taking action to alert operators. A system that terminates connections is called an intrusion prevention system, and is another form of an application layer firewall.
Detection Model
All Intrusion Detection Systems use one of two detection techniques:
Statistical anomaly-based IDS
A statistical anomaly-based IDS establishes a performance baseline based on normal network traffic evaluations. It will then sample current network traffic activity to this baseline in order to detect whether or not it is within baseline parameters. If the sampled traffic is outside baseline parameters, an alarm will be triggered.
Signature-based IDS
Network traffic is examined for preconfigured and predetermined attack patterns known as signatures. Many attacks today have distinct signatures. In good security practice, a collection of these signatures must be constantly updated to mitigate emerging threats.
Indication of Intrusions
System Intrusions
- System failure in identifying valid user
- Active access to unused logins
- Login during non-working hours
- New user account created automatically
- Modification in system software or configuration files
- System logs are deleted
- System performance decreased drastically
- Unusual display of graphics, pop-ups
- System crashes suddenly and reboot without user interventions
File Intrusions
- Identifications of unknown files and program on your system
- File permissions modification
- Unexplained modifications in file size
- Identifications of strange file presence into system directories
- Missing files
Network Intrusions
- Identifications of repeated attempts to log in from remote locations
- Sudden increase in bandwidth consumptions
- Repeated probes of the existing services
- Arbitrary log data in log files
IDS Tools
- Snort
- Cybercop monitor
- NetProwler
- Vanguard Enforcer
- Cisco Secure IDS
Defense against IDS attack
- Signature update
- Configure the firewall to filter out IP address of an intruder
- Beep or play .WAV file as an indication
- Force a TCP FIN or RST packet to force a connection termination
- Save a trace file of raw packets for future analysis
- Save the attack information ( Intruder IP, victim IP , timestamp)
- Send a intimation to Administrator about attack
Synopsis
An intrusion-detection system must be a part of every network security administrator’s defense plan. IDS monitor hosts for system alteration or sniff network packets off the wire, seeking for malicious contents. Security Administrators should contemplate using combinations of HIDS and NIDS, with both signature-detection and anomaly-based engines.
IDS can be configured purely as a monitoring and detection devices or it can participate as an inline device and prevent threats. IDS biggest weaknesses are the high number of false-positives and the signature maintenance effort needed to keep it up to date and fined tuned.
