A Review of Intrusion Detection

You have already learned about host-based intrusion detection systems (HIDS) and network-based intrusion detection systems (NIDS). Read this article on intrusion detection systems and note the strengths of HIDS and NIDS, and the overall pros and cons of intrusion detection systems.

3. CLASSIFICATION OF INTRUSION DETECTION SYSTEMS

Intrusion detection systems fall into one of three categories: Host Based Intrusion Detection Systems (HIDS), Network Based Intrusion Detection Systems (NIDS), and hybrids of the two.

    • Host based Intrusion Detection System

Host-based intrusion detection started in the early 1980s before networks were as prevalent, complex, and interconnected as they are today. In this simpler environment, it was common practice to review audit logs for suspicious activity. Intrusions were sufficiently rare that after-the-fact analysis proved adequate to prevent future attacks.

Today's host-based intrusion detection systems remain a powerful tool for understanding previous attacks and determining how to defeat them in future. Host-based IDS still use audit logs, but they are much more automated, having evolved sophisticated and responsive detection techniques. Host-based IDS typically monitor the system, event, and security logs on Windows NT and syslog in UNIX environments. When any of these logs change, the HIDS compares the new log entry with attack signatures to see if there is a match. If so, the system responds with administrator alerts and other calls to action.

HIDS have grown to include other technologies. One popular method for detecting intrusions checks key system files and executables via checksums at regular intervals for unexpected changes. Detection latency is bounded by the polling interval: a change made between two checks is noticed only at the next one, so the more often the files are polled, the sooner the response. Finally, some products listen to port activity and alert administrators when specific ports are accessed. This type of detection brings an elementary level of network-based intrusion detection into the host-based environment.
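The two host-based techniques described above, log signature matching and checksum polling, in one added example (this is illustration code written for this page, not code from the article or from any product). The signature regexes follow common OpenSSH and sudo syslog wording but are an assumption made here, the sample log lines are constructed, and the two monitored files are created in a temporary directory so the block runs offline:

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Hypothetical attack signatures (name, regex over one syslog line). The sshd and
# sudo wording follows common OpenSSH/PAM log formats, but the signature set is
# an assumption made for this example, not a vendor rule set.
SIGNATURES = [
    ("ssh-auth-failure",
     re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("root-session-opened", re.compile(r"session opened for user root")),
    ("sudo-to-root", re.compile(r"sudo:\s+(?P<user>\S+) : .*USER=root")),
]

# Constructed sample log entries (not real data).
SAMPLE_LOG = [
    "Mar  3 10:14:02 web01 sshd[4122]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Mar  3 10:14:05 web01 sshd[4122]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "Mar  3 10:15:11 web01 CRON[4190]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "Mar  3 10:16:40 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash",
    "Mar  3 10:17:00 web01 systemd[1]: Started Daily apt download activities.",
]


def match_signatures(new_lines):
    """Compare each newly appended log line with every signature; return (name, line) hits."""
    hits = []
    for line in new_lines:
        for name, pattern in SIGNATURES:
            if pattern.search(line):
                hits.append((name, line))
    return hits


def checksum(path):
    """SHA-256 of a file, hashed in chunks so large executables need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths):
    """Record the known-good checksum of each monitored file."""
    return {str(p): checksum(p) for p in paths}


def check_integrity(baseline):
    """One polling pass: report files whose checksum changed or which disappeared."""
    findings = []
    for path, expected in baseline.items():
        if not Path(path).exists():
            findings.append(("missing", path))
        elif checksum(path) != expected:
            findings.append(("modified", path))
    return findings


def demo_integrity():
    """Baseline two constructed files, then simulate tampering and run one polling pass."""
    with tempfile.TemporaryDirectory() as tmp:
        passwd = Path(tmp) / "passwd"
        ls = Path(tmp) / "ls"
        passwd.write_text("root:x:0:0:root:/root:/bin/bash\n")
        ls.write_bytes(b"\x7fELF placeholder binary")
        baseline = build_baseline([passwd, ls])
        # Simulated attacker activity between two polls: a UID-0 account is
        # appended to passwd and a system binary is removed.
        passwd.write_text("root:x:0:0:root:/root:/bin/bash\nbackdoor:x:0:0::/root:/bin/bash\n")
        ls.unlink()
        return check_integrity(baseline)


if __name__ == "__main__":
    for name, line in match_signatures(SAMPLE_LOG):
        print(f"ALERT {name}: {line}")
    for kind, path in demo_integrity():
        print(f"INTEGRITY {kind}: {path}")
```

`check_integrity` is what a product would run on every polling tick; anything changed between ticks is invisible until the next one, which is the latency trade-off the text describes. Note that the `root-session-opened` signature also fires on the routine cron entry, a reminder that log signatures need tuning for the host's normal activity.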

Strengths of Host-Based Intrusion Detection Systems

      1. Verifies success or failure of an attack
      2. Monitors specific system activities
      3. Detects attacks that network-based systems miss
      4. Well-suited for encrypted and switched environments
      5. Near-real-time detection and response
      6. Requires no additional hardware
      7. Lower cost of entry

    • Network Based Intrusion Detection

Network-based intrusion detection systems use raw network packets as the data source. A network-based IDS typically uses a network adapter running in promiscuous mode to monitor and analyze all traffic in real time as it travels across the network. On a switched network the adapter only sees traffic on its own segment, so the sensor is usually fed from a mirror (SPAN) port or a network tap. Its attack recognition module uses four common techniques to recognize an attack signature:

      1. Pattern, expression or byte-code matching
      2. Frequency or threshold crossing
      3. Correlation of lesser events
      4. Statistical anomaly detection

Once an attack has been detected, the IDS response module provides a variety of options to notify, alert, and take action in response to the attack. These responses vary by product, but usually involve administrator notification, connection termination, and/or session recording for forensic analysis and evidence collection.
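The four recognition techniques and the response module, as an added example written for this page (not code from the article or from any product). It works on constructed packet summaries rather than a live promiscuous-mode capture; the content signatures, the port-scan threshold, the size baseline and the response policy are all assumptions made here:

```python
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    """Summary of one captured packet: the fields a sensor would pull from the wire."""
    ts: float       # capture time, seconds
    src: str
    dst: str
    dport: int
    size: int       # bytes on the wire
    payload: bytes


# Constructed traffic (not a real capture): a scanner probes six ports on 10.0.0.5,
# later sends a traversal request, a benign client fetches a page, and a third
# host sends one abnormally large message.
SAMPLE_TRAFFIC = [
    *[Packet(float(i), "198.51.100.9", "10.0.0.5", port, 60, b"")
      for i, port in enumerate([21, 22, 23, 25, 80, 443])],
    Packet(30.0, "198.51.100.9", "10.0.0.5", 80, 130, b"GET /../../../etc/passwd HTTP/1.1\r\n"),
    Packet(31.0, "10.0.0.20", "10.0.0.5", 80, 120, b"GET /index.html HTTP/1.1\r\n"),
    Packet(40.0, "203.0.113.44", "10.0.0.5", 53, 9000, b"\x00" * 16),
]
# Assumed learned profile of normal message sizes on this segment.
BASELINE_SIZES = [60, 120, 400, 1460, 800]

# 1. Pattern / byte matching: hypothetical content signatures.
CONTENT_SIGS = [
    ("path-traversal", re.compile(rb"\.\./\.\./")),
    ("shell-metachar-in-uri", re.compile(rb"GET\s+\S*[;|`]")),
]
SEVERE = {"path-traversal", "shell-metachar-in-uri", "scan-then-exploit"}


def pattern_match(pkts):
    return [(p.ts, name, p.src) for p in pkts for name, rx in CONTENT_SIGS if rx.search(p.payload)]


def port_scan(pkts, max_ports=5, window=10.0):
    """2. Threshold crossing: one source touching more than max_ports distinct ports
    on one destination within `window` seconds."""
    alerts, history = [], defaultdict(list)
    for p in sorted(pkts, key=lambda x: x.ts):
        hist = history[(p.src, p.dst)]
        hist.append((p.ts, p.dport))
        recent_ports = {port for ts, port in hist if p.ts - ts <= window}
        if len(recent_ports) > max_ports:
            alerts.append((p.ts, "port-scan", p.src))
            hist.clear()        # one alert per burst, not one per further packet
    return alerts


def correlate(alerts, gap=60.0):
    """3. Correlation of lesser events: a scan from a source followed within `gap`
    seconds by a content signature from the same source is a stronger finding."""
    scans = [a for a in alerts if a[1] == "port-scan"]
    return [(ts, "scan-then-exploit", src) for ts, name, src in alerts
            if name != "port-scan" and any(s[2] == src and 0 <= ts - s[0] <= gap for s in scans)]


def size_anomaly(pkts, baseline_sizes, z=3.0):
    """4. Statistical anomaly: flag messages whose size lies more than z standard
    deviations from the learned baseline."""
    mu = statistics.mean(baseline_sizes)
    sd = statistics.pstdev(baseline_sizes) or 1.0
    return [(p.ts, "size-anomaly", p.src) for p in pkts if abs(p.size - mu) / sd > z]


def detect(pkts, baseline_sizes=BASELINE_SIZES):
    """Run all four recognizers and return alerts as (ts, name, src), ordered by time."""
    alerts = pattern_match(pkts) + port_scan(pkts) + size_anomaly(pkts, baseline_sizes)
    alerts += correlate(alerts)
    return sorted(alerts)


def respond(alert):
    """Response module: every alert notifies the administrator; severe ones also
    terminate the offending connection and record the session for forensics."""
    _, name, _ = alert
    actions = ["notify-admin"]
    if name in SEVERE:
        actions += ["terminate-connection", "record-session"]
    return actions


if __name__ == "__main__":
    for alert in detect(SAMPLE_TRAFFIC):
        print(alert, "->", respond(alert))
```

On the constructed traffic the scanner trips the port threshold at t=5, its later traversal request matches a content signature at t=30, the correlation step upgrades that pair to a single higher-confidence finding, and the 9000-byte message is flagged purely on size without any signature. The same four steps apply to whatever packet summaries a real sensor produces.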

Strengths of Network Intrusion Detection Systems

      1. Lowers cost of ownership
      2. Detects attacks that host-based systems miss
      3. More difficult for an attacker to remove evidence
      4. Real-time detection and response
      5. Detects unsuccessful attacks and malicious intent
      6. Operating system independence

    • Hybrid Based Intrusion Detection

Both network and host-based IDS solutions have unique strengths and benefits that complement each other. A next-generation IDS, therefore, must include tightly integrated host and network components. Combining these two technologies will greatly improve network resistance to attacks and misuse, enhance the enforcement of security policy, and introduce greater flexibility in deployment options.

A hybrid IDS is a combination of network and host-based intrusion detection systems. It provides an interesting blend of the strengths of both HIDS and NIDS. Exactly how this works varies from product to product, making it hard to define a hybrid IDS.
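One concrete way the two sensor types complement each other, as an added example written for this page rather than a description of any product: a NIDS alert says an attack was attempted against a host (NIDS strength 5), and a HIDS event on that same host shortly afterwards says whether it succeeded (HIDS strength 1). The alert records and the mapping from network signatures to confirming host events are constructed assumptions:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: float
    sensor: str   # "nids" or "hids"
    host: str     # the target host for a NIDS alert, the reporting host for a HIDS alert
    event: str


# Hypothetical mapping from a network signature to the host-side events that would
# show the attack actually succeeded (an assumption for this example).
CONFIRMS = {
    "ssh-brute-force": {"ssh-login-success"},
    "web-path-traversal": {"file-read:/etc/passwd", "webserver-spawned-shell"},
}

# Constructed alert stream from both sensor types (not real data).
SAMPLE_ALERTS = [
    Alert(100.0, "nids", "web01", "ssh-brute-force"),
    Alert(160.0, "hids", "web01", "ssh-login-success"),
    Alert(200.0, "nids", "web02", "web-path-traversal"),
    Alert(300.0, "nids", "web01", "web-path-traversal"),
    Alert(310.0, "hids", "web03", "file-read:/etc/passwd"),   # wrong host: must not confirm
]


def confirm_outcomes(alerts, window=120.0):
    """For each NIDS alert, look for a confirming HIDS event on the same host within
    `window` seconds after it. Returns (nids alert, outcome, confirming alert or None)."""
    hids = sorted((a for a in alerts if a.sensor == "hids"), key=lambda a: a.ts)
    results = []
    for n in (a for a in alerts if a.sensor == "nids"):
        wanted = CONFIRMS.get(n.event, set())
        hit = next((h for h in hids
                    if h.host == n.host and h.event in wanted and 0 <= h.ts - n.ts <= window), None)
        results.append((n, "succeeded" if hit else "attempt-not-confirmed", hit))
    return results


if __name__ == "__main__":
    for nids_alert, outcome, hids_alert in confirm_outcomes(SAMPLE_ALERTS):
        evidence = f" (host evidence: {hids_alert.event})" if hids_alert else ""
        print(f"{nids_alert.event} against {nids_alert.host}: {outcome}{evidence}")
```

The host and time checks matter: the `/etc/passwd` read on web03 must not be allowed to confirm the traversal attempt against web01, and a login that happens long after a brute-force burst is weaker evidence than one inside the window. Unconfirmed attempts are still worth keeping, since the attacker's intent was visible on the wire even when the host shows no damage.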