An Intrusion Detection System (IDS) is a device or software application that monitors network or system activities for malicious activity or policy violations and reports them to a management station. Some intrusion detection systems can also take steps to deny access to would-be intruders.

Why use Intrusion Detection?

We want to protect the integrity of our data and systems. The system must prevent access to critical files or authentication databases by anyone other than authorized systems administrators.

Types of Intrusion Detection systems

Intrusion Detection systems fall into two broad categories. These are:

1. Network based: A Network Intrusion Detection System (NIDS) usually consists of a network appliance (or sensor) with a Network Interface Card (NIC) operating in promiscuous mode and a separate management interface. The sensor is placed on a network segment or boundary and monitors all traffic on that segment.

2. Host based: A Host Intrusion Detection System (HIDS) consists of software applications (agents) installed on the workstations that are to be monitored. The agents monitor the operating system, write data to log files and/or trigger alarms. A HIDS can only monitor the individual hosts on which agents are installed; it cannot monitor the entire network. Host-based IDS are used to monitor intrusion attempts on critical servers.

Active and passive IDS

An active Intrusion Detection System (IDS) is also known as an Intrusion Detection and Prevention System (IDPS). An IDPS is configured to automatically block suspected attacks without any intervention by an operator, which gives it the advantage of taking real-time corrective action in response to an attack.

A passive IDS is a system that’s configured to only monitor and analyze network traffic activity and alert an operator to potential vulnerabilities and attacks. A passive IDS is not capable of performing any protective or corrective functions on its own.


Intrusion Detection Systems use one of two detection techniques:

1. Signature detection: A signature-based IDS holds rules or patterns of known malicious traffic and looks for them in the traffic it observes. Once a match to a signature is found it generates an alert. These alerts can surface issues such as malware, scanning activity, attacks against servers and much more.

2. Anomaly detection: With an anomaly-based IDS, the payload of the traffic matters far less than the activity that generated it. An anomaly-based IDS relies on baselines rather than signatures: it looks for activity that deviates from statistical averages of previous activity, or activity that has not been seen before. Perhaps a server is sending out more HTTP traffic than usual, or a new host has appeared inside your DMZ.
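As an added example (not code from the original page), the following Python sketch runs both techniques over a few constructed flow records: a signature rule set matched against payloads, and an anomaly check that compares a host's current HTTP request count against a constructed per-host baseline and flags destination hosts not previously seen in the DMZ. The rule names, hosts and baseline numbers are all made up.

```python
import re
import statistics

# Constructed sample records: (src, dst, dst_port, payload bytes)
FLOWS = [
    ("10.0.0.5", "192.168.1.10", 80, b"GET /index.html HTTP/1.1"),
    ("10.0.0.5", "192.168.1.10", 80, b"GET /login?user=admin' OR '1'='1 HTTP/1.1"),
    ("10.0.0.7", "192.168.1.20", 22, b"SSH-2.0-OpenSSH_8.9"),
    ("10.0.0.5", "192.168.1.99", 443, b"\x16\x03\x01"),
]

# Signature rules (constructed): name -> byte pattern of known-malicious content.
SIGNATURES = {
    "sqli-tautology": re.compile(rb"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "cmd-injection": re.compile(rb";\s*(cat|wget|curl)\s"),
}

def signature_alerts(flows, signatures=SIGNATURES):
    """Signature detection: alert whenever a payload matches a known pattern."""
    alerts = []
    for src, dst, _port, payload in flows:
        for name, pattern in signatures.items():
            if pattern.search(payload):
                alerts.append((name, src, dst))
    return alerts

# Anomaly baseline (constructed): HTTP requests per hour seen on earlier days,
# and the set of hosts previously observed inside the DMZ.
HTTP_BASELINE = {"192.168.1.10": [40, 45, 38, 42, 41]}
KNOWN_DMZ_HOSTS = {"192.168.1.10", "192.168.1.20"}

def anomaly_alerts(flows, http_counts_now, baseline=HTTP_BASELINE,
                   known=KNOWN_DMZ_HOSTS, z_max=3.0):
    """Anomaly detection: payloads are ignored. Alert when a host's HTTP volume
    deviates more than z_max standard deviations from its baseline, and when a
    destination host has never been seen inside the DMZ before."""
    alerts = []
    for host, count in http_counts_now.items():
        hist = baseline.get(host)
        if hist and len(hist) > 1:
            mean, sd = statistics.mean(hist), statistics.pstdev(hist)
            if sd and abs(count - mean) / sd > z_max:
                alerts.append(("http-volume", host, count))
    new_hosts = sorted({dst for _src, dst, _p, _pl in flows if dst not in known})
    for host in new_hosts:
        alerts.append(("new-host", host, None))
    return alerts
```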

In the next section we will see what makes up a Network intrusion detection system.

Goals of a NIDS (Network Intrusion Detection System)

  • Detect attacks as they happen: Real-time monitoring of networks
  • Provide information about attacks that have succeeded: Forensic analysis
  • Passive systems: monitoring and reporting
  • Active systems: corrective measures adopted
  • Good place to establish a NIDS: the perimeter network, or DMZ (Demilitarized Zone).

Strategies

  • NIDS are often described as being composed of several parts:
    1. Event generator boxes
    2. Analysis boxes
    3. Storage boxes
    4. Counter-measure boxes
  • Analysis is the most complex element; it can use protocol analysis as well as anomaly detection, graph analysis, etc.

Elements of a NIDS

CIDF: Common Intrusion Detection Framework


Common analysis techniques

  • Pattern matching: attempts to match traffic against certain known attack types, for instance by substring matching.
  • Passive protocol analysis: emulates the sequence of protocol events to detect attacks.
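The contrast between the two techniques, as an added example that is not from the original page: the same constructed segments are examined first by a stateless substring matcher and then by a passive protocol analyser that emulates the TCP handshake (a simplified three-transition model; the hosts, ports and signature string are assumptions).

```python
from collections import namedtuple

# A TCP segment; flags holds letters from "SA" (SYN, ACK). Payload defaults to empty.
Segment = namedtuple("Segment", "src dst sport dport flags payload", defaults=[b""])

SIGNATURE = b"/etc/passwd"    # constructed known-bad substring

def substring_matcher(segments, sig=SIGNATURE):
    """Stateless: alert on any segment whose payload contains the signature."""
    return [(s.src, s.dst) for s in segments if sig in s.payload]

def conn_key(s):
    # Map both directions of a connection to one key.
    a, b = (s.src, s.sport), (s.dst, s.dport)
    return (a, b) if a < b else (b, a)

def protocol_analyzer(segments, sig=SIGNATURE):
    """Stateful: emulate CLOSED -> SYN_SENT -> SYN_RECEIVED -> ESTABLISHED per
    connection, match only on established connections, and report data that
    arrives without a handshake as a protocol anomaly in its own right."""
    state, alerts = {}, []
    for s in segments:
        k = conn_key(s)
        st = state.get(k, "CLOSED")
        if "S" in s.flags and "A" not in s.flags and st == "CLOSED":
            st = "SYN_SENT"
        elif "S" in s.flags and "A" in s.flags and st == "SYN_SENT":
            st = "SYN_RECEIVED"
        elif "A" in s.flags and st == "SYN_RECEIVED":
            st = "ESTABLISHED"
        state[k] = st
        if s.payload and st != "ESTABLISHED":
            alerts.append(("data-without-handshake", s.src, s.dst))
        elif s.payload and sig in s.payload:
            alerts.append(("signature", s.src, s.dst))
    return alerts

# Constructed traffic: a completed handshake carrying the signature, then a
# stray unsolicited segment the host would discard but a naive matcher flags.
TRAFFIC = [
    Segment("10.0.0.5", "192.168.1.10", 40000, 80, "S"),
    Segment("192.168.1.10", "10.0.0.5", 80, 40000, "SA"),
    Segment("10.0.0.5", "192.168.1.10", 40000, 80, "A"),
    Segment("10.0.0.5", "192.168.1.10", 40000, 80, "A", b"GET /etc/passwd HTTP/1.1"),
    Segment("10.0.0.9", "192.168.1.10", 40001, 80, "A", b"GET /etc/passwd HTTP/1.1"),
]
```

The substring matcher reports both data segments identically, while the protocol analyser reports the established-connection request as a signature hit and the stray segment as a handshake violation.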

Difficulties inherent in NIDS

  • What defines an attack is not a packet but the behavior it induces on the receiving host; the NIDS must infer this behavior.
  • The NIDS runs on a different machine, possibly in a different part of the network. Proper function of the NIDS may therefore require, for each host being protected:
    • Knowledge of its place in the network topology.
    • Knowledge of its TCP/UDP implementation.
    • Knowledge of OS-based behavior variance.
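An added illustration (not from the page) of the last points: the NIDS keeps a table of which TCP reassembly policy each protected host follows (a constructed table with simplified policy names, not real OS behaviour), reassembles overlapping segments as that host would, and reports conflicting overlaps as an anomaly in their own right.

```python
# Constructed host -> reassembly policy table (policy names are simplified).
HOST_POLICY = {"192.168.1.10": "favor-old", "192.168.1.20": "favor-new"}

def reassemble(segments, policy):
    """segments: list of (seq_offset, bytes). Returns (stream, conflicts).
    'favor-old' keeps the byte that arrived first, 'favor-new' the later one.
    conflicts counts positions that were sent twice with different data."""
    stream, conflicts = {}, 0
    for seq, data in segments:
        for i, byte in enumerate(data):
            pos = seq + i
            if pos not in stream:
                stream[pos] = byte
            elif stream[pos] != byte:
                conflicts += 1
                if policy == "favor-new":
                    stream[pos] = byte
    return bytes(stream[p] for p in sorted(stream)), conflicts

def inspect(dst_host, segments, host_policy=HOST_POLICY):
    """Reassemble as the destination host would; alert on conflicting overlaps.
    Hosts missing from the table are assumed to use 'favor-old'."""
    policy = host_policy.get(dst_host, "favor-old")
    stream, conflicts = reassemble(segments, policy)
    alerts = []
    if conflicts:
        alerts.append(("conflicting-overlap", dst_host, conflicts))
    return stream, alerts

# Constructed segments: bytes 5-8 are sent twice with different content, so the
# two hosts above would see different request lines for the same packets.
SEGMENTS = [(0, b"GET /AAAA"), (5, b"BBBB"), (9, b" HTTP/1.1")]
```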
