An intrusion detection system (IDS) gathers and analyzes information from within a computer or network to identify unauthorized access, misuse, and possible violations.
IDS also can be referred to as a packet sniffer which intercepts packets travel along with various communication mediums. All the packets are analyzed after they captured.
How IDS Works ?
The main purpose of IDS are they not only prevent intrusion but they also alert administrators immediately when the attack going on.
- IDS having sensors to detect signatures, some advanced IDS having a behavioral activity to determine malicious behaviors. Even if the signature doesn’t match this system can notify the behavior of attack.
- If the signature match it will move to next step or the connections cut down from source IP, the packet is dropped and an alarm notifies the administrator.
- Once the signature is matched, then sensors pass on anomaly detection, whether the received packet or request matches or not.
- If the packet passes the anomaly stage, a stateful protocol analysis will be done. After that, through the switch, the packets are passed on the network. If anything mismatches again, the connections are cut down from the source IP address and the packet is dropped, also an alarm will be raised and notified to the administrator.
WAYS TO DETECT AN INTRUSION
Intrusion can be identified in three ways.
It is also known as misuse detection, it tries to identify the events that indicate an abuse of the system.It is achieved by creating models of intrusions.
Incoming events are compared with the intrusion models for detection and decision.While making signature the model should detect the incoming intrusion without making any impact on regular traffic, only malicious traffic should match the model or else the false alarm will be raised.
- The simplest form of signature reorganization uses simple patterns matching to compare the network packets against binary signatures of known attacks. Binary signature defined as the specific portion of the packet such as TCP flags.
- Signature recognization can find known attacks, But there is a possibility other packets that match the same signature will trigger bogus signals. Signatures need to be customized.
- A signature that termed improperly may trigger bogus signals, the bandwidth of the network is consumed with the increase in the signature database.
- Despite problems with signature-based intrusion detection, such systems are popular and work well when configured correctly and monitored closely.
It is termed as “not-use detection” and it differs from the signature recognization model. The model consists of a database of Anomalies. Any event that is identified with the database is called an anomaly.Any deviation from the normal use is considered as Attack.
- In this traditional method, important data is kept for checking in various network traffic model.However, in reality, there is less variation in network traffic and too many statistical variations making these models imprecise.
- In this type of approach, the inability to instruct a model thoroughly on the normal network is of grave concern.
Protocol Anomaly detection
This technique based on the anomalies specific to a protocol, this model integrated with IDS recently. This identifies TCP/IP specific flaws with the network. Protocols are created with specifications, know as RFCs(RFC1192) for dictating proper use and communication.
- There are new attack methods and exploits that violate protocol standards being discovered frequently.
- The pace at which the malicious signature attacker is growing is incredibly fast. But the network protocol, in comparison, is well defined and changing slowly. Therefore, the signature database must be updated frequently to detect attacks.
- Protocol anomaly detection systems are easier to use because they require no signature updates.
- The best way to present alarms is to explain which part of the state system was compromised. For this, the IDS operators have to have a thorough knowledge of the protocol design; the best way is the documentation provided by the IDS.
TYPES OF INTRUSION DETECTION SYSTEM (IDS)
- Network-based intrusion detection
- Host-based intrusion detection
- Log file monitoring
- File Integrity Check.
NIDS check’s every packet entering into the network for anomalies and incorrect data. Unlike firewall that is confined to be filtering packets malicious packets, IDS inspects every packet thoroughly.
A NIDS captures and inspects all the traffic regardless of it permitted. Based on the content, either the application or IP level, an alert is generated.
Network-based intrusion systems tend to be more distributed than host-based. NIDS is designed basically to identify the anomalies in the network and the host level.
It audits information contained in data packets and logs information of malicious packets.
A threat level is assigned to each packet after the data packet received. These mechanisms typically consist of a black box that is placed on the network in the promiscuous mode, listening for patterns indicative of an intrusion.
In the host-based system, the IDS analyzes each system’s behavior. The HIDS can be installed on any system ranging from a desktop PC to a server. The HIDS is more versatile than the NIDS.
One example of a host-based system is a program that operates on a system and receives an application or operating system audit logs.
These programs are highly effective in detecting insider abuses. If one of the users attempt unauthorized activity then the host-based system logs and collect the most pertinent information promptly.
In addition to detecting unauthorized insider activity, host-based systems are also effective at detecting
These programs are highly effective for detecting insider abuses. If one of the users attempt unauthorized activity then the host-based system logs and collect the most pertinent information promptly.
In addition to detecting unauthorized insider activity, host-based systems are also effective at detecting unauthorized file modification.
HIDSes are more focused on changing aspects of the local systems.HIDS is also more platform-centric, with more focus on the Windows OS, but there are other HIDS’s for UNIX platforms. These mechanisms usually include auditing for events that
These mechanisms usually include auditing for events that occur on a specific host. These are not as common, due to the overhead they incur by having to monitor each system event.
Log File Monitoring
A Log File Monitor (LFM) monitors log files created by network services. The LFT IDS searches through the logs and identifies malicious events.
In a similar manner to NIDS, these systems look for patterns in the log files that suggest an intrusion. These mechanisms are typically programs that parse log files after an event has already occurred, such as failed login attempts.
File Integrity Check
These mechanisms check for Trojan horses, or files that have otherwise been modified, indicating an intruder has already been there.
- Perform a Time-To-Live attack.
- Perform the invalid RST packets technique.
- Perform the urgency flag technique.
- Perform the polymorphic shellcode technique.
- Perform the ASCII shellcode trachyte,unique.
- Perform Application-layer attacks.
- Perform encryption and flooding techniques.
- Perform a post-connection SYN attack.
- Perform a pre-connection SYN attack.
4 Best Intrusion Detection Systems
The best deal for the money (it’s free). It does an amazing job of combining the benefits of signature, protocol, and anomaly-based inspection. Snort is without a doubt the most widely deployed IDS/IPS technology across the globe. With millions of downloads and approximately 300,000 registered users.
Bro Intrusion Detection Systems
Bro is an open-source, Unix-based Network Intrusion Detection System (NIDS) that passively monitors network traffic and looks for suspicious activity.
Bro detects intrusions by first parsing network traffic to extract its application-level semantics and then executing event-oriented analyzers that compare the activity with patterns deemed troublesome.
Its analysis includes detection of specific attacks (including those defined by signatures, but also those defined in terms of events) and unusual activities (for example, certain hosts connecting to certain services, or patterns of failed connection attempts).
Cisco Intrusion Prevention System (IPS)
Besides being one of the most expensive, Cisco IPS is one of the most widely deployed intrusion prevention systems thanks to its acquisition of Surefire. The company’s Firepower network security appliances are based on Snort.
Protection against more than 30,000 known threats, Timely signature updates, and Cisco Global Correlation to dynamically recognize, evaluate, and stop emerging Internet threats
Cisco IPS includes industry-leading research and the expertise of Cisco Security Intelligence Operations.
Cisco IPS protects against increasingly sophisticated attacks, including Directed attacks, Worms, Botnets, Malware, Application abuse.
Juniper Networks Intrusion Detection & Prevention (IDP)
Juniper Networks IDP Series Intrusion Detection and Prevention Appliances with Multi-Method Detection (MMD), offers an impressive comprehensive coverage by leveraging multiple detection mechanisms.
For one example, by utilizing signatures, as well as other detection methods including protocol anomaly traffic anomaly detection, the Juniper Networks IDP Series appliances can thwart known attacks as well as possible future variations of the attack.