2. Intrusion Detection System (IDS)
• Intrusion detection (ID) is the process of monitoring the
operation of computer systems or networks and analysing the
events they generate for signs of incidents; intrusion detection
and prevention (IDP) extends this with the ability to block
what is detected.
• Incidents are events that threaten or violate defined
security policies, acceptable use policy (AUP) rules, or
generally accepted security norms.
• They result from the operation of various malware
programmes (e.g., worms, spyware, viruses and trojans),
from attempts at unauthorized access to a system
through public infrastructure (the internet), or from
authorized system users who abuse their
privileges.
3. Intrusion Detection System (IDS)
Network intrusion detection (NID)
• It covers the process of detecting network intrusion events, but
not the process of preventing or blocking detected or potential
network incidents.
Network intrusion detection and prevention systems (NIDP)
• They identify potential incidents, log information about them,
attempt to prevent them and alert the administrators responsible
for security.
• In addition to this basic function, NIDP systems can also be used to
identify problems with the adopted security policies, to
document existing security threats and to deter individuals
from violating security rules.
• NIDP systems use various incident detection methods.
4. Intrusion Detection System (IDS)
• There are three primary classes of detection
methodology:
– 1. Signature-based detection
– 2. Anomaly-based detection
– 3. Detection based on stateful protocol analysis
5. Intrusion Detection System (IDS)
1. Signature-based detection
– certain security threats can be detected based on the
characteristic manner in which they appear.
– The behaviour of an already detected security threat,
described in a form that can be used for the detection
of any subsequent appearance of the same threat, is
called an attack signature.
– This detection method, based on the characteristic
signature of an attack, compares the known forms in
which a threat has appeared with the specific network
traffic in order to identify incidents.
6. Intrusion Detection System (IDS)
1. Signature-based detection
– Although it can be very effective in detecting the
subsequent appearance of known threats, this detection
method is largely ineffective against completely unknown
threats, against threats hidden by evasion techniques
(encoding, fragmentation, polymorphism), and against
already known threats that have been modified in the
meantime, because the modified form no longer matches
the stored signature.
– It is considered the simplest detection method: it
inspects individual packets or events in isolation and
keeps no state, so it cannot be used to monitor and
analyse the state of more complex forms of communication.
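A small worked example of the matching process and of its blind spots, added here and not taken from the slides or from any IDS product: a few hand-written signatures (hypothetical IDs SIG-001 to SIG-003) are compared against constructed HTTP and raw payloads. One payload is a URL-encoded variant of a known attack, one is an attack with no signature at all; the `url_decode` pre-processor is an assumed normalisation step, not something the slides describe.

```python
"""Toy signature-based detector over packet payloads.

Added example, not code from the slide deck. The signatures and the sample
traffic below are constructed for illustration; they are not real vendor
rules, and the IDs (SIG-001 ...) are hypothetical.
"""
import re
from urllib.parse import unquote

# Hypothetical signature set: (signature id, description, pattern over payload bytes).
# Each pattern is a "known form in which the threat has appeared".
SIGNATURES = [
    ("SIG-001", "directory traversal attempt", re.compile(rb"\.\./\.\./")),
    ("SIG-002", "command injection reading /etc/passwd", re.compile(rb";\s*cat\s+/etc/passwd")),
    ("SIG-003", "NOP sled (possible shellcode)", re.compile(rb"\x90{16,}")),
]


def url_decode(payload: bytes) -> bytes:
    """Assumed pre-processor: undo URL-encoding so an encoded variant of a known
    attack is compared against the signature in the form the signature was written in."""
    return unquote(payload.decode("latin-1"), encoding="latin-1").encode("latin-1")


def scan(packets, signatures=SIGNATURES, preprocess=None):
    """Compare every payload with every known signature.

    Returns a list of (packet index, signature id, description) alerts. A payload
    that matches no signature produces nothing, which is exactly the blind spot
    for unknown or modified threats.
    """
    alerts = []
    for idx, payload in enumerate(packets):
        data = preprocess(payload) if preprocess else payload
        for sig_id, description, pattern in signatures:
            if pattern.search(data):
                alerts.append((idx, sig_id, description))
    return alerts


# Constructed sample traffic (not captured from a real network).
SAMPLE_TRAFFIC = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",      # 0: benign
    b"GET /../../../etc/passwd HTTP/1.1\r\n",                          # 1: known traversal
    b"GET /cgi-bin/ping?host=10.0.0.1;cat /etc/passwd HTTP/1.1\r\n",    # 2: known injection
    b"GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\n",                     # 3: same traversal, URL-encoded
    b"\x90" * 32 + b"\xcc",                                             # 4: NOP sled
    b"GET /cgi-bin/ping?host=10.0.0.1|id HTTP/1.1\r\n",                 # 5: novel injection, no signature
]


def alerted_packets(preprocess=None):
    """Indices of sample packets that raised at least one alert."""
    return sorted({idx for idx, _, _ in scan(SAMPLE_TRAFFIC, preprocess=preprocess)})


if __name__ == "__main__":
    print("raw match:     ", alerted_packets())            # packet 3 evades, packet 5 is unknown
    print("after decoding:", alerted_packets(url_decode))  # packet 3 now caught, packet 5 still unseen
```

Without the pre-processor the encoded traversal in packet 3 slips past a signature written for the plaintext form; with it, the known threat is caught again. Packet 5 is never reported in either run, because no signature describes it: a signature engine can only find what it has already been told about.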
7. Intrusion Detection System (IDS)
2. Anomaly-based detection
– This method of IDP is based on detecting anomalies in
a specific traffic flow in the network.
– Anomaly detection is performed by comparing the
specific traffic in the network with a defined profile of
acceptable traffic.
– Acceptable traffic profiles are formed by tracking the
typical characteristics of the traffic in the network
during a certain period of time (e.g., the number of
email messages sent by a user, the number of
attempts to log in to a host, or the level of utilization of
the processor in a given time interval).
– These characteristics of the behaviour of users, hosts,
connections or applications in that time interval are
then taken as the baseline of completely acceptable
behaviour.
8. Intrusion Detection System (IDS)
2. Anomaly-based detection
– However, if malicious activity is present during the
training period, the acceptable-behaviour profile will
unintentionally contain that security threat, and later
occurrences of the same activity are treated as normal.
– Likewise, imprecisely defined profiles of
acceptable behaviour cause numerous false alarms,
generated by the system itself in reaction to
perfectly acceptable activities on the network.
– The greatest advantage of this detection method is
its effectiveness in detecting previously
unknown security threats, which a signature engine
cannot see.
9. Intrusion Detection System (IDS)
3. Detection based on stateful protocol analysis
– Stateful protocol analysis is a process of comparing
predefined operation profiles with the specific data
flow of that protocol on the network.
– Predefined profiles of operation of a protocol are
defined by the manufacturers of IDP devices and they
identify everything that is acceptable or not acceptable
in the exchange of messages in a protocol.
– Unlike anomaly-based detection, where profiles are
created from the hosts or specific activities observed on
the network, stateful protocol analysis uses general profiles
generated by the equipment manufacturers.
– Most IDP systems use several detection methods
simultaneously, thus enabling a more comprehensive
and precise method of detection.
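To make the idea concrete, here is an added example (not from the slides and not a vendor profile) of stateful protocol analysis for SMTP. The "profile of acceptable operation" is a hand-written state machine of which client commands are allowed in which state, loosely following RFC 5321, plus the 512-octet command-line limit from the same RFC; both are assumptions of this example, and a real IDP device ships a far more detailed profile. The two sessions are constructed.

```python
"""Toy stateful protocol analysis for SMTP.

Added example, not code from the slide deck. The "profile of acceptable
operation" is a hand-written SMTP state machine (which commands are allowed in
which state, roughly following RFC 5321) plus a command-line length limit; a
commercial IDP device ships a far more detailed vendor-supplied profile. The
sessions below are constructed.
"""

# Acceptable transitions: state -> {command: next state}. Anything not listed
# for the current state is a protocol violation.
TRANSITIONS = {
    "INIT":    {"HELO": "GREETED", "EHLO": "GREETED"},
    "GREETED": {"MAIL": "MAIL"},
    "MAIL":    {"RCPT": "RCPT"},
    "RCPT":    {"RCPT": "RCPT", "DATA": "BODY"},
}
MAX_LINE = 512  # RFC 5321 command-line limit including CRLF, used as the profile's limit


def analyse(client_lines):
    """Walk the client side of an SMTP session, tracking protocol state, and
    return a list of (line number, state, line excerpt, reason) violations."""
    state = "INIT"
    violations = []
    for lineno, line in enumerate(client_lines, start=1):
        if state == "BODY":                 # message content is not command traffic
            if line == ".":
                state = "GREETED"
            continue
        if state == "CLOSED":
            violations.append((lineno, state, line[:40], "traffic after QUIT"))
            continue
        if len(line) + 2 > MAX_LINE:        # +2 for the CRLF stripped from the samples
            violations.append((lineno, state, line[:40] + "...", "command line exceeds limit"))
        command = line.split(" ", 1)[0].split(":", 1)[0].upper()
        if command == "QUIT":
            state = "CLOSED"
        elif command == "RSET":             # RSET is allowed anywhere; it drops any transaction
            state = "INIT" if state == "INIT" else "GREETED"
        elif command == "NOOP":
            pass
        elif command in TRANSITIONS[state]:
            state = TRANSITIONS[state][command]
        else:                               # state is kept: the IDS does not know what the server did
            violations.append((lineno, state, line[:40], f"{command} not acceptable in state {state}"))
    return violations


# Constructed session that follows the profile.
CLEAN_SESSION = [
    "EHLO client.example.test",
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@example.test>",
    "RCPT TO:<carol@example.test>",
    "DATA",
    "Subject: hello",
    "",
    "DATA before MAIL FROM would be a violation, but inside the body it is only text.",
    ".",
    "QUIT",
]

# Constructed session with out-of-state and oversized commands.
SUSPECT_SESSION = [
    "EHLO client.example.test",
    "DATA",                                          # line 2: no MAIL FROM / RCPT TO yet
    "MAIL FROM:<" + "A" * 1000 + "@example.test>",   # line 3: argument far beyond the limit
    "RCPT TO:<bob@example.test>",
    "QUIT",
    "EHLO again",                                    # line 6: traffic after QUIT
]

if __name__ == "__main__":
    print("clean  :", analyse(CLEAN_SESSION))
    print("suspect:", analyse(SUSPECT_SESSION))
```

A signature engine looking at the suspect session would see nothing wrong with the bare word `DATA`; only the knowledge that no transaction is open makes it a violation. The oversized `MAIL FROM` is flagged by the length rule and then still advances the state, because the profile only records what was sent, not how the server reacted.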
10. Intrusion Detection System (IDS)
3. Detection based on stateful protocol analysis
– Testing tools are used to test the detection,
recognition and response capabilities of devices that
perform packet filtering (including those that use
network address translation), such as firewalls,
IDSes/IPSes, routers and switches.
– These test the traffic filtering devices' ability to detect
and/or block DoS attacks, spyware, backdoors, and
attacks against applications such as IIS, SQL Server
and WINS (Windows Internet Name Service).
– Standard traffic sessions can be used to test how
packet filtering devices handle a variety of protocols,
including HTTP, FTP, SNMP and SMTP.
11. Intrusion Detection System (IDS)
• Intrusion detection systems can be grouped
into the following categories:
– Host-based IDS
– Network-based IDS
– Intrusion prevention system (IPS)
12. Host-based intrusion detection
systems
• Host-based IDSs are designed to monitor, detect
and respond to activity and attacks on a given
host. In most cases, attackers target specific
systems on corporate networks that hold
confidential information.
• They will often try to install scanning programs,
or exploit other vulnerabilities, that let them record
user activity on a particular host.
• Some host-based IDS tools provide policy
management, statistical analytics and data
forensics at the host level.
13. Host-based intrusion detection
systems
• Host-based IDSs are best used when an
intruder tries to access particular files or other
services that reside on the host computer.
• Because attackers mainly exploit operating
system vulnerabilities to break into hosts, the
host-based IDS is in most cases integrated
into the operating system that the host is
running.
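One of the simplest host-level checks for the file-access case above is a file integrity baseline: hash the files an intruder would want to reach, store the digests, and recheck them later. The example below is added here and is not code from the slides or from any HIDS product; the host layout (an `etc/`, `bin/` and `var/log/` tree) and the simulated intrusion are constructed inside a temporary directory, so no real system files are touched.

```python
"""Toy host-based file-integrity check.

Added example, not code from the slide deck. A baseline of SHA-256 digests for
files an intruder would want to reach (configuration, binaries, credential
stores, logs) is rechecked later to detect modification, addition or removal.
The directory layout and contents below are constructed in a temporary
directory; no real system files are read.
"""
import hashlib
import os
import tempfile


def baseline(root):
    """Map each regular file under root (relative path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare(old, new):
    """Return the three kinds of change a HIDS would report, each sorted by path."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }


def demo():
    """Build a constructed host tree, take a baseline, simulate an intruder, recheck."""
    with tempfile.TemporaryDirectory() as root:
        files = {  # constructed contents, not real system files
            "etc/passwd": "root:x:0:0:root:/root:/bin/sh\n",
            "etc/ssh/sshd_config": "PermitRootLogin no\n",
            "bin/ls": "original ls binary (constructed)\n",
            "var/log/auth.log": "Jan 1 00:00:00 host sshd: Accepted publickey for alice\n",
        }
        for rel, content in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(content)
        before = baseline(root)

        # Simulated intrusion: add a backdoor account, weaken sshd, drop a
        # script in tmp/ and delete the authentication log.
        with open(os.path.join(root, "etc/passwd"), "a") as fh:
            fh.write("backdoor:x:0:0::/:/bin/sh\n")
        with open(os.path.join(root, "etc/ssh/sshd_config"), "w") as fh:
            fh.write("PermitRootLogin yes\n")
        os.makedirs(os.path.join(root, "tmp"))
        with open(os.path.join(root, "tmp/.rk.sh"), "w") as fh:
            fh.write("#!/bin/sh\necho constructed\n")
        os.remove(os.path.join(root, "var/log/auth.log"))

        after = baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    print(demo())
```

The untouched `bin/ls` does not appear in the report, and the deleted log is reported as "removed" rather than silently disappearing, which matters because log deletion is itself a common post-intrusion step. In practice the baseline itself must be stored where the intruder cannot rewrite it (read-only media or a separate host), otherwise the check proves nothing.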
14. Network-based intrusion detection
systems
• Network-based IDSs capture network traffic to detect
intruders.
• Most often, these systems work as packet sniffers that read
through incoming traffic and use specific metrics to assess
whether a network has been compromised.
• Various internet and other proprietary protocols that
carry messages between external and internal networks,
such as TCP/IP, NetBEUI and XNS, are vulnerable to attack
and require additional ways to detect malicious events.
• Intrusion detection systems frequently have difficulty
with encrypted traffic and with traffic from virtual
private networks (VPNs), because the payload cannot be
inspected. Link speeds above 1 Gbps are also a constraining
factor, although modern and costly network-based IDSs
can keep up with such speeds.
• NetBEUI: NetBIOS Extended User Interface
• XNS: Xerox Network Systems
15. Intrusion prevention system (IPS)
• An IPS is a network security tool that can not only
detect intruders, but also prevent them from
successfully launching any known attack.
• Intrusion prevention systems combine the abilities of
firewalls and intrusion detection systems.
• However, implementing an IPS on an effective scale can
be costly, so businesses should carefully assess their IT
risks before making the investment.
• Moreover, because an IPS sits inline on the forwarding
path, some intrusion prevention systems are not as fast
and robust as some firewalls and intrusion detection
systems, so an IPS might not be an appropriate solution
when speed is an absolute requirement.
16. Intrusion prevention system (IPS)
• When deploying an IPS, you should carefully
monitor and tune your systems and be aware
of the risks involved.
• You should also have an in-depth
understanding of your network, its traffic, and
both its normal and abnormal characteristics.
• It is always recommended to run the IPS in test mode
(detection only, no blocking) for a while, to thoroughly
understand its behaviour before it is allowed to drop traffic.