Intrusion Detection System (IDS) – A Detailed Guide & Working Function -SOC/SIEM

An intrusion detection system (IDS) gathers and analyzes information from within a computer or network to identify unauthorized access, misuse, and possible violations.

IDS also can be referred to as a packet sniffer which intercepts packets travel along with various communication mediums. All the packets are analyzed after they are captured.

How IDS Works?

The main purpose of IDS is they not only prevent intrusion but they also alert administrators immediately when an attack going on.

• IDS have sensors to detect signatures, and some advanced IDS have a behavioral activity to determine malicious behaviors. Even if the signature doesn’t match this system can notify the behavior of the attack.
• If the signature match it will move to the next step or the connections are cut down from the source IP, the packet is dropped and an alarm notifies the administrator.
• Once the signature is matched, then sensors pass on anomaly detection, whether the received packet or request matches or not.
• If the packet passes the anomaly stage, a stateful protocol analysis will be done. After that, through the switch, the packets are passed on to the network. If anything mismatches again, the connections are cut down from the source IP address and the packet is dropped, also an alarm will be raised and notified to the administrator.

Also Read Intrusion Prevention System(IPS) and Its Detailed Function – SOC/SIEM

WAYS TO DETECT AN INTRUSION

Intrusion can be identified in three ways.

Signature Detection:

It is also known as misuse detection, it tries to identify the events that indicate an abuse of the system. It is achieved by creating models of intrusions.

Incoming events are compared with the intrusion models for detection and decision. While making a signature the model should detect the incoming intrusion without making any impact on regular traffic, only malicious traffic should match the model, or else the false alarm will be raised.

• The simplest form of signature reorganization uses simple pattern matching to compare the network packets against binary signatures of known attacks. Binary signature is defined as the specific portion of the packet such as TCP flags.
• Signature recognization can find known attacks, But there is a possibility other packets that match the same signature will trigger bogus signals. Signatures need to be customized.
• A signature that is termed improperly may trigger bogus signals, and the bandwidth of the network is consumed with the increase in the signature database.
• Despite problems with signature-based intrusion detection, such systems are popular and work well when configured correctly and monitored closely.

Anomaly Detection

It is termed “not-use detection” and it differs from the signature recognization model.

The model consists of a database of Anomalies. Any event that is identified with the database is called an anomaly. Any deviation from normal use is considered an Attack.

• In this traditional method, important data is kept for checking in various network traffic models. However, in reality, there is less variation in network traffic and too many statistical variations making these models imprecise.
• In this type of approach, the inability to instruct a model thoroughly on the normal network is of grave concern.

Protocol Anomaly detection

This technique is based on the anomalies specific to a protocol, this model was integrated with IDS recently.

This identifies TCP/IP-specific flaws with the network. Protocols are created with specifications, known as RFCs(RFC1192) for dictating proper use and communication.

• There are new attack methods and exploits that violate protocol standards being discovered frequently.
• The pace at which the malicious signature attacker is growing is incredibly fast. But the network protocol, in comparison, is well-defined and changing slowly. Therefore, the signature database must be updated frequently to detect attacks.
• Protocol anomaly detection systems are easier to use because they require no signature updates.
• The best way to present alarms is to explain which part of the state system was compromised. For this, the IDS operators have to have a thorough knowledge of the protocol design; the best way is the documentation provided by the IDS.

TYPES OF INTRUSION DETECTION SYSTEMS (IDS)

• Network-based intrusion detection
• Host-based intrusion detection
• Log file monitoring
• File Integrity Check.

Network-based Intrusion

NIDS checks every packet entering the network for anomalies and incorrect data. Unlike a firewall that is confined to filtering packets malicious packets, IDS inspects every packet thoroughly.

A NIDS captures and inspects all the traffic regardless of whether it is permitted. Based on the content, either the application or IP level, an alert is generated.

Network-based intrusion systems tend to be more distributed than host-based. NIDS is designed basically to identify the anomalies in the network and the host level.

It audits information contained in data packets and logs information of malicious packets.

A threat level is assigned to each packet after the data packet is received. These mechanisms typically consist of a black box that is placed on the network in the promiscuous mode, listening for patterns indicative of an intrusion.

Host-based Intrusion

In the host-based system, the IDS analyzes each system’s behavior. The HIDS can be installed on any system ranging from a desktop PC to a server. The HIDS is more versatile than the NIDS.

One example of a host-based system is a program that operates on a system and receives an application or operating system audit logs.

These programs are highly effective in detecting insider abuses. If one of the users attempts unauthorized activity then the host-based system logs and collects the most pertinent information promptly.

In addition to detecting unauthorized insider activity, host-based systems are also effective at detecting

These programs are highly effective for detecting insider abuses. If one of the users attempts unauthorized activity then the host-based system logs and collects the most pertinent information promptly.

In addition to detecting unauthorized insider activity, host-based systems are also effective at detecting unauthorized file modification.

HIDSes are more focused on changing aspects of the local systems.HIDS is also more platform-centric, with more focus on the Windows OS, but there are other HIDSs for UNIX platforms. These mechanisms usually include auditing for events that

These mechanisms usually include auditing for events that occur on a specific host. These are not as common, due to the overhead they incur by having to monitor each system event.

Log File Monitoring

A Log File Monitor (LFM) monitors log files created by network services. The LFT IDS searches through the logs and identifies malicious events.

In a similar manner to NIDS, these systems look for patterns in the log files that suggest an intrusion. These mechanisms are typically programs that parse log files after an event has already occurred, such as failed login attempts.

File Integrity Check

These mechanisms check for Trojan horses, or files that have otherwise been modified, indicating an intruder has already been there.

IDS PENTESTING

1. Perform a Time-To-Live attack.
2. Perform the invalid RST packets technique.
3. Perform the urgency flag technique.
4. Perform the polymorphic shellcode technique.
5. Perform the ASCII shellcode trachyte,unique.
6. Perform Application-layer attacks.
7. Perform encryption and flooding techniques.
8. Perform a post-connection SYN attack.
9. Perform a pre-connection SYN attack.

Also Read Security Information and Event Management (SIEM) – A Detailed Explanation

4 Best Intrusion Detection Systems

• Snort

• Bro Intrusion Detection System

• Cisco Intrusion Prevention System (IPS)

• Juniper Networks Intrusion Detection & Prevention (IDP)

Snort

Snort is an open-source network intrusion prevention and detection system (IDS/IPS) created by Martin Roesch and put out by Sourcefire (acquired by Cisco in 2013).

The best deal for the money (it’s free). It does an amazing job of combining the benefits of signature, protocol, and anomaly-based inspection. Snort is without a doubt the most widely deployed IDS/IPS technology across the globe. With millions of downloads and approximately 300,000 registered users.

Bro Intrusion Detection Systems

Bro is an open-source, Unix-based Network Intrusion Detection System (NIDS) that passively monitors network traffic and looks for suspicious activity.

Bro detects intrusions by first parsing network traffic to extract its application-level semantics and then executing event-oriented analyzers that compare the activity with patterns deemed troublesome.

Its analysis includes detection of specific attacks (including those defined by signatures, but also those defined in terms of events) and unusual activities (for example, certain hosts connecting to certain services, or patterns of failed connection attempts).

Cisco Intrusion Prevention System (IPS)

Besides being one of the most expensive, Cisco IPS is one of the most widely deployed intrusion prevention systems thanks to its acquisition of Surefire. The company’s Firepower network security appliances are based on Snort.

Cisco offers:

Protection against more than 30,000 known threats, Timely signature updates, and Cisco Global Correlation to dynamically recognize, evaluate, and stop emerging Internet threats

Cisco IPS includes industry-leading research and the expertise of Cisco Security Intelligence Operations.

Cisco IPS protects against increasingly sophisticated attacks, including Directed attacks, Worms, Botnets, Malware, and Application abuse.

Juniper Networks Intrusion Detection & Prevention (IDP)

Juniper Networks IDP Series Intrusion Detection and Prevention Appliances with Multi-Method Detection (MMD), offers an impressive comprehensive coverage by leveraging multiple detection mechanisms.

For one example, by utilizing signatures, as well as other detection methods including protocol anomaly traffic anomaly detection, the Juniper Networks IDP Series appliances can thwart known attacks as well as possible future variations of the attack.

You can follow us on Linkedin, Twitter, and Facebook for daily Cybersecurity updates