Contents
i. Introduction
ii. Process Model
iii. Terminology
iv. Detection Methodologies
v. Basic Components and the Architecture
vi. Types of IDS
vii. Efficiency Metrics
viii. References
Introduction
An Intrusion Detection System (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.
Terminology
• Alert/Alarm: A signal suggesting that a system has been or is being attacked.
• True Positive: A legitimate attack which triggers an IDS to produce an alarm.
• False Positive: An event signaling an IDS to produce an alarm when no attack has taken place.
• False Negative: A failure of an IDS to detect an actual attack.
• True Negative: When no attack has taken place and no alarm is raised.
Detection Methodologies
IDS generally use two primary classes of methodologies to detect an intrusion:
1. Signature-based Detection
2. Behavior-based Detection
Signature-based ID
o A signature is a pattern that corresponds to a known threat. Signature-based detection is the process of comparing signatures against observed events to identify possible incidents.
o Also known as Misuse Intrusion Detection and Knowledge-based Intrusion Detection.
Behavior-based ID
o Behavior-based intrusion-detection techniques assume that an intrusion can be detected by observing a deviation from the normal or expected behavior of the system or the users.
o Also called Anomaly-based Intrusion Detection.
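The two methodologies on these slides have complementary blind spots. The following Python example is added here to make that concrete; it is not code from the original slides. A signature engine compares each observed event against two constructed patterns, and a behavior-based engine learns the mean and standard deviation of requests per host from a constructed "normal" window and flags any host that deviates from it. The event format ("src_ip method path status"), the host addresses, the signature names and the k = 3 standard-deviation threshold are all assumptions made for the example.

```python
import re
import statistics
from collections import Counter

# Constructed sample events, not from the original slides: one HTTP request
# per line in the assumed shape "src_ip method path status".
SAMPLE_EVENTS = [
    "10.0.0.5 GET /index.html 200",
    "10.0.0.5 GET /about.html 200",
    "10.0.0.7 GET /index.html 200",
    "10.0.0.9 GET /cgi-bin/../../etc/passwd 404",   # matches a known pattern
    "10.0.0.7 GET /contact.html 200",
    "10.0.0.9 GET /.env 404",                        # matches a known pattern
    "10.0.0.12 GET /index.html 200",
] + ["10.0.0.42 POST /login 401"] * 40               # one host hammering /login

# A constructed "normal" window, used only to learn the behavioral baseline:
# eight hosts making between 2 and 9 requests each.
NORMAL_COUNTS = {"10.0.1.1": 2, "10.0.1.2": 4, "10.0.1.3": 4, "10.0.1.4": 4,
                 "10.0.1.5": 5, "10.0.1.6": 5, "10.0.1.7": 7, "10.0.1.8": 9}
NORMAL_WINDOW = [f"{host} GET /index.html 200"
                 for host, n in NORMAL_COUNTS.items() for _ in range(n)]

# --- Signature-based (misuse) detection -----------------------------------
# Each signature is a pattern for a known threat; the names are assumptions.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "dotenv-probe": re.compile(r"/\.env\b"),
}

def signature_detect(events, signatures=SIGNATURES):
    """Compare every observed event against the known patterns.
    Returns a list of (event, signature_name), one entry per matching event."""
    hits = []
    for event in events:
        for name, pattern in signatures.items():
            if pattern.search(event):
                hits.append((event, name))
                break            # one alert per event is enough here
    return hits

# --- Behavior-based (anomaly) detection -----------------------------------
def source_counts(events):
    """Requests per source host; the source is the first field of each line."""
    return Counter(event.split()[0] for event in events)

def build_baseline(normal_events):
    """Profile expected behaviour as (mean, population stdev) of requests per host."""
    values = list(source_counts(normal_events).values())
    return statistics.mean(values), statistics.pstdev(values)

def anomaly_detect(events, baseline, k=3.0):
    """Flag hosts whose request count exceeds mean + k*stdev of the baseline.
    Returns {host: count} for the deviating hosts only."""
    mean, stdev = baseline
    threshold = mean + k * stdev
    return {host: n for host, n in source_counts(events).items() if n > threshold}

if __name__ == "__main__":
    for event, name in signature_detect(SAMPLE_EVENTS):
        print(f"signature  {name:<15} {event}")
    baseline = build_baseline(NORMAL_WINDOW)
    for host, n in anomaly_detect(SAMPLE_EVENTS, baseline).items():
        print(f"anomaly    {host} made {n} requests "
              f"(baseline mean={baseline[0]}, stdev={baseline[1]})")
```

Run as a script, the signature engine reports the two events that match known patterns but says nothing about the 40 login attempts, because no signature describes them. The behavior-based engine flags 10.0.0.42 (40 requests against a threshold of 5 + 3 x 2 = 11) but never notices the two single probe requests, since their source host stays well inside the baseline. That is exactly the trade-off the two slides describe: signatures need prior knowledge of the threat, while anomaly detection needs a representative baseline and a well-chosen threshold.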
Components of a typical IDS
Components: Sensors, Analyzers, Database Server and User Interface.
• Sensor or Agent: Sensors are responsible for the collection of data. They continuously monitor the activity. The term "sensor" is typically used for IDSs that monitor networks and for network behavior analysis technologies. The term "agent" is used for host-based IDSs.
• Analyzers: Analyzers receive information from the sensors and analyze it to determine if an intrusion has occurred.
IDS components (contd.)
• Database Server: A database server is a repository for event information recorded by sensors, agents, and/or analyzers.
• User Interface/Console: A console is a program that provides an interface for the IDS's users and administrators. Console software is typically installed onto standard desktop or laptop computers.
Types of IDS
• Host Intrusion Detection System (HIDS), which monitors the characteristics of a single host and the events occurring within that host for suspicious activity.
• Network Intrusion Detection System (NIDS), which identifies intrusions by examining network traffic and monitors multiple hosts.
Efficiency of IDS
Accuracy: Accuracy deals with the proper detection of attacks and the absence of false alarms. Inaccuracy occurs when an intrusion-detection system flags a legitimate action in the environment as anomalous or intrusive.
Performance: The performance of an intrusion-detection system is the rate at which audit events are processed. If the performance of the intrusion-detection system is poor, then real-time detection is not possible.
Completeness: Completeness is the property of an intrusion-detection system to detect all attacks. Incompleteness occurs
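The four outcomes from the Terminology slide (true/false positive, true/false negative) are what the efficiency metrics on this slide are computed from. The Python example below is added to show that link; it is not code from the original slides. It evaluates a deliberately simple toy IDS (an assumption: it alarms on a single traversal signature) against a constructed, labelled test set, counts the four outcomes, and derives accuracy, completeness (the share of attacks detected), a false-alarm rate, and performance as audit events processed per second. The test set, the labels and the toy detector are all constructed for the example.

```python
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    source: str
    payload: str
    is_attack: bool      # ground-truth label supplied with the test set

# Constructed, labelled test set (not from the slides): four real attacks and
# six benign events. The labels come from the test-set author, not the IDS.
TEST_SET = [
    Event("10.0.0.5",  "GET /index.html",                 False),
    Event("10.0.0.9",  "GET /cgi-bin/../../etc/passwd",   True),
    Event("10.0.0.7",  "GET /about.html",                 False),
    Event("10.0.0.9",  "GET /static/../../../etc/shadow", True),
    Event("10.0.0.12", "GET /docs/../index.html",         False),  # benign, traversal-like
    Event("10.0.0.3",  "GET /contact.html",               False),
    Event("10.0.0.42", "POST /login (401, 40th attempt)", True),   # no signature for this
    Event("10.0.0.9",  "GET /img/../../../../etc/passwd", True),
    Event("10.0.0.8",  "GET /index.html",                 False),
    Event("10.0.0.8",  "GET /search?q=ids",               False),
]

def toy_ids(event):
    """IDS under evaluation (an assumption): alarms on one traversal signature."""
    return "../" in event.payload

def confusion_matrix(detector, events):
    """Count the four outcomes defined on the Terminology slide."""
    counts = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for event in events:
        alarm = detector(event)
        if alarm and event.is_attack:
            counts["TP"] += 1        # legitimate attack, alarm raised
        elif alarm and not event.is_attack:
            counts["FP"] += 1        # alarm raised, no attack took place
        elif not alarm and event.is_attack:
            counts["FN"] += 1        # actual attack, no alarm
        else:
            counts["TN"] += 1        # no attack, no alarm
    return counts

def accuracy(cm):
    """Proper detection of attacks and absence of false alarms, as one ratio."""
    return (cm["TP"] + cm["TN"]) / sum(cm.values())

def completeness(cm):
    """Share of all attacks that were detected (1.0 means every attack was caught)."""
    attacks = cm["TP"] + cm["FN"]
    return cm["TP"] / attacks if attacks else 1.0

def false_alarm_rate(cm):
    """Share of benign events that nonetheless raised an alarm."""
    benign = cm["FP"] + cm["TN"]
    return cm["FP"] / benign if benign else 0.0

def performance(detector, events, repeats=2000):
    """Audit events processed per second by the detector."""
    start = time.perf_counter()
    for _ in range(repeats):
        for event in events:
            detector(event)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return (repeats * len(events)) / elapsed

def keeps_up(events_per_second, arrival_rate):
    """Real-time detection is only possible if throughput matches the arrival rate."""
    return events_per_second >= arrival_rate

if __name__ == "__main__":
    cm = confusion_matrix(toy_ids, TEST_SET)
    print(cm)
    print(f"accuracy={accuracy(cm):.2f} completeness={completeness(cm):.2f} "
          f"false-alarm rate={false_alarm_rate(cm):.2f}")
    print(f"performance={performance(toy_ids, TEST_SET):,.0f} events/s")
```

On this test set the toy IDS scores TP=3, FP=1, FN=1, TN=5, so accuracy is 0.80, completeness 0.75 (the login burst is the missed attack) and the false-alarm rate 1/6 (the benign relative path is the false alarm). The performance figure depends on the machine; the point of keeps_up is that a rate below the arrival rate of audit events means the analyzer falls behind and real-time detection is lost.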
References
i. Books/papers
• Guide to Intrusion Detection and Prevention Systems (IDPS), NIST Special Publication, USA, Karen Scarfone and Peter Mell
• An Introduction to Intrusion-Detection Systems, IBM Research, Zurich Research Laboratory, Herve Debar
• An Overview to Software Architecture in Intrusion Detection System, Department of Computer Engineering, I.A.U. Booshehr Branch, Iran, Mehdi Bahrami and Mohammad Bahrami
• Next Generation Intrusion Detection Systems, McAfee Network Security Technologies Group, Dr. Fengmin Gong
ii. Internet
• www.wikipedia.org
• www.intursiondetectionsystem.org
• www.sans.org