The Basics of Intrusion Detection Systems
Tools that monitor systems for malicious activity are called intrusion detection systems (IDS). This article covers the common components and functions of an IDS and the main kinds of IDS: signature-based, anomaly-based and rule-based. What is the difference between an IDS and an intrusion prevention system (IPS)? Network-based intrusion detection systems (NIDS) are installed on networks, and host-based intrusion detection systems (HIDS) are installed on hosts. The purposes of NIDS and HIDS are similar, both detect intrusions, but they operate differently. What does each one do?
Intrusion detection is the process of detecting unauthorized use of, or attack upon, a computer, network, or telecommunication infrastructure.
IDS are designed to aid in mitigating the damage that can be caused by hacking or breaking into sensitive computer and network systems.
Common Components of an IDS
- Sensors: collect traffic and user activity data and send it to an analyzer.
- Analyzer: detects activity that it is programmed to deem suspicious and sends an alert to the administrative interface.
- Administrative Interface: reports the alert details to the administrator.
Common Functions of an IDS
- Watch for attacks
- Parse audit logs
- Protect system files
- Alert administrators during attacks
- Expose a hacker's technique
- Illustrate which vulnerabilities need to be addressed
- Help track down individual hackers
- Network-Based IDS: A network-based IDS (NIDS) uses sensors, which are either host computers with the necessary software installed or dedicated appliances, each with its network interface card (NIC) in promiscuous mode. The NIC driver captures all traffic and passes it to an analyzer that looks for specific types of patterns.
- Host-Based IDS: A host-based IDS (HIDS) can be installed on individual workstations and/or servers and watch for inappropriate or anomalous activity. HIDSs are usually used to make sure users do not delete system files, reconfigure important settings, or put the system at risk in any other way.
Both HIDS and NIDS can employ the following technologies:
- Knowledge or Signature Based
- Statistical Anomaly Based
Knowledge or Signature Based
- These are knowledge-based systems: knowledge about specific attacks is accumulated and a model of each attack, called a signature, is developed.
- The main disadvantage of these systems is that they cannot detect new attacks; a signature must be written for each attack and continuously updated.
- Also known as misuse-detection systems.
- Example signature: the Land attack (packets crafted with the same source and destination IP address).
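As an added example (not code from the article), here is a minimal signature-based analyzer in Python: a small knowledge base of signatures, including the Land attack just described, is applied to constructed packet records; the second signature name and all packet values are assumptions.

```python
# Added example, not from the article: a minimal signature-based (misuse-detection)
# analyzer. Packets are constructed dicts standing in for what a sensor NIC in
# promiscuous mode hands to the analyzer; the signature names are assumptions.
from typing import Callable, Dict, List

Packet = Dict[str, object]

# The "knowledge base": one predicate per known attack. Nothing outside this
# table can ever be detected, which is the weakness described above.
SIGNATURES: Dict[str, Callable[[Packet], bool]] = {
    # Land attack: source and destination IP address are identical.
    "land_attack": lambda p: p["src_ip"] == p["dst_ip"],
    # A loopback source address is never valid on a real link (assumed signature).
    "spoofed_loopback_source": lambda p: str(p["src_ip"]).startswith("127."),
}


def analyze(packets: List[Packet]) -> List[Dict[str, object]]:
    """Analyzer: return one alert per (packet, matched signature) for the admin interface."""
    alerts: List[Dict[str, object]] = []
    for p in packets:
        for name, matches in SIGNATURES.items():
            if matches(p):
                alerts.append({"signature": name, "src_ip": p["src_ip"], "dst_ip": p["dst_ip"]})
    return alerts


# Constructed sample traffic as the sensor might capture it.
SAMPLE_PACKETS: List[Packet] = [
    {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.9", "src_port": 51000, "dst_port": 80},  # normal
    {"src_ip": "10.0.0.9", "dst_ip": "10.0.0.9", "src_port": 139, "dst_port": 139},   # Land attack
    {"src_ip": "127.0.0.1", "dst_ip": "10.0.0.9", "src_port": 4000, "dst_port": 22},  # spoofed source
    # A novel attack with no signature in the table looks like ordinary traffic: not detected.
    {"src_ip": "10.0.0.7", "dst_ip": "10.0.0.9", "src_port": 4000, "dst_port": 22},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_PACKETS):
        print(alert)
```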
Security Humor: Attacks or viruses that have been discovered in production environments are referred to as being “in the wild." Attacks and viruses that exist but have not been released are referred to as being “in the zoo."
Statistical Anomaly Based
- These are behavior-based systems that do not use predefined signatures; instead they are put in a learning mode to build a profile by continually sampling the environment's normal activity.
- In most instances, the longer the IDS is left in learning mode, the more accurate a profile it will build and the better protection it will provide.
- Once the profile is built, the same sampling is applied to all future traffic to build a current profile, and the two are compared to identify abnormalities.
- Also known as profile-based systems.
- Can detect new attacks, including zero-day attacks.
- Can also detect low-and-slow attacks, in which an attacker tries to stay beneath the radar by sending a few packets at a time over a long period.
- Developing a correct profile that keeps false positives low can be difficult.
- There is a possibility for an attacker to blend his or her activity into the normal behavior pattern of the network traffic. This can be controlled by ensuring that no attack activity is underway while the IDS is in learning mode.
- The success of these systems depends on setting the proper threshold to reduce or avoid false positives (threshold set too low) and false negatives (threshold set too high).
- Attackers may also try to take the IDS offline with a DoS attack, or feed it bogus data so that the network and security staff are kept busy chasing the wrong packets while the real attack takes place.
- Protocol Anomaly-based:
- These types of IDS have specific knowledge of each protocol they monitor.
- The IDS builds a profile (model) of each protocol's normal usage and compares it with the profile built during actual operation.
- Common protocol vulnerabilities:
- At the data link layer, ARP has no protection against ARP attacks in which bogus data is inserted into its table.
- At the network layer, ICMP, which was designed only to carry status information, can be used in a LOKI attack to move data from one place to another. That data can be code that a backdoor on a compromised system is made to execute.
- IP headers can easily be modified for spoofing attacks (one host posing as another).
- At the transport layer, TCP packets can be injected into the connection between two systems for a session hijacking attack.
- Traffic Anomaly-based:
- These systems have traffic-anomaly filters, which detect changes in traffic patterns, as in DoS attacks or a new service appearing on the network.
- Once a profile capturing the baseline of an environment's ordinary traffic is built, all future traffic patterns are compared to that profile.
- As with all filters, the thresholds are tunable to adjust the sensitivity and reduce the number of false positives and false negatives.
- Since this is a type of statistical anomaly-based IDS, it can detect unknown attacks.
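The learning mode, threshold tuning and learning-mode poisoning described in the statistical anomaly and traffic anomaly sections above, as an added Python example that is not code from the article: a baseline of packets per interval is built from constructed samples, then a tunable threshold is applied to later intervals. All sample numbers are constructed.

```python
# Added example, not from the article: a statistical (traffic) anomaly detector.
# Learning mode builds a baseline profile of packets per interval from constructed
# samples; detection mode flags intervals that deviate from the baseline by more
# than a tunable threshold k (in standard deviations). All numbers are constructed.
from statistics import mean, pstdev
from typing import Dict, List, Tuple


def build_profile(learning_samples: List[int]) -> Dict[str, float]:
    """Learning mode: summarise normal packets-per-interval as mean and std deviation."""
    return {"mean": mean(learning_samples), "std": pstdev(learning_samples)}


def is_anomalous(profile: Dict[str, float], observed: int, k: float) -> bool:
    """Detection mode: flag an interval that deviates by more than k std deviations."""
    return abs(observed - profile["mean"]) > k * profile["std"]


def evaluate(profile: Dict[str, float], labelled: List[Tuple[int, bool]], k: float) -> Dict[str, int]:
    """Count hits and misses for a threshold over labelled intervals (rate, is_attack)."""
    counts = {"true_positives": 0, "false_positives": 0, "false_negatives": 0}
    for rate, is_attack in labelled:
        flagged = is_anomalous(profile, rate, k)
        if flagged and is_attack:
            counts["true_positives"] += 1
        elif flagged and not is_attack:
            counts["false_positives"] += 1
        elif not flagged and is_attack:
            counts["false_negatives"] += 1
    return counts


# Learning-mode samples taken while no attack was underway: mean 100, std dev ~2.45.
LEARNING = [100, 104, 98, 101, 99, 103, 97, 102, 100, 96]
# Later intervals with ground truth: a flood (150) and a low-and-slow attack (104).
OBSERVED = [(101, False), (105, False), (150, True), (104, True)]
# Learning samples that included a flood: the attacker's traffic has become "normal".
POISONED = LEARNING + [150, 160, 155]

if __name__ == "__main__":
    profile = build_profile(LEARNING)
    for k in (1.5, 3.0, 25.0):  # too low: false positives; too high: false negatives
        print(f"k={k}: {evaluate(profile, OBSERVED, k)}")
    print("flood flagged with poisoned baseline:", is_anomalous(build_profile(POISONED), 150, 3.0))
```

At k=3 the flood is caught but the low-and-slow attack is not; lowering k to 1.5 catches it at the cost of a false positive, and the poisoned baseline misses the flood entirely.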
- Rule-Based IDS:
- Rule-based intrusion detection is commonly associated with the use of an expert system.
- An expert system is made up of a knowledge base, inference engine, and rule-based programming.
- Knowledge is represented as rules, and the data that is to be analyzed is referred to as facts.
- The knowledge of the system is written in rule-based programming (IF situation THEN action). These rules are applied to the facts, the data that comes in from a sensor, or a system that is being monitored.
- Example: consider the rule IF a root user creates File1 AND creates File2 SUCH THAT they are in the same directory AND THEN there is a call to AdministrativeTool1 TRIGGER send alert. This rule is defined such that if a root user creates two files in the same directory and then calls a specific administrative tool, an alert is sent.
- The more complex the rules, the greater the demands on software and hardware processing.
- Cannot detect new attacks.
- State-Based IDS
- A state transition takes place when a variable’s value changes, which usually happens continuously within every system.
- In a state-based IDS, the initial state is the state prior to the execution of an attack, and the compromised state is the state after successful penetration.
- The IDS has rules that outline what state transition sequences should sound an alarm. The activity that takes place between the initial and compromised state is what the state-based IDS looks for, and it sends an alert if any of the state-transition sequences match its preconfigured rules.
- This type of IDS scans for attack signatures in the context of a stream of activity instead of just looking at individual packets. It can only identify known attacks and requires frequent updates of its signatures.
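The rule-based example above (root creates two files in one directory, then calls AdministrativeTool1) is itself a sequence of state transitions, so the following added Python example (not code from the article) implements it as a state-based IDS over a constructed audit-event stream; the event fields and the audit log are assumptions, and AdministrativeTool1 is the article's placeholder name.

```python
# Added example, not from the article: the rule-based example expressed as a
# state-based IDS that watches a stream of audit "facts" for a state-transition
# sequence. Events are constructed; "AdministrativeTool1" is the article's placeholder.
from typing import Dict, List, Optional

Event = Dict[str, str]  # assumed fields: user, action, target


def dirname(path: str) -> str:
    return path.rsplit("/", 1)[0] if "/" in path else ""


class SequenceTracker:
    """States: INITIAL -> ONE_FILE -> TWO_FILES (same dir) -> COMPROMISED (tool called)."""
    INITIAL, ONE_FILE, TWO_FILES = range(3)

    def __init__(self, admin_tool: str = "AdministrativeTool1") -> None:
        self.admin_tool = admin_tool
        self.state = self.INITIAL
        self.first_dir: Optional[str] = None

    def feed(self, e: Event) -> Optional[str]:
        """Apply one audit fact; return an alert when the whole sequence has been seen."""
        if e["user"] != "root":  # the rule is scoped to root activity
            return None
        if e["action"] == "create_file":
            d = dirname(e["target"])
            if self.state == self.INITIAL or d != self.first_dir:
                self.state, self.first_dir = self.ONE_FILE, d  # start (or restart) the sequence
            elif self.state == self.ONE_FILE:
                self.state = self.TWO_FILES
        elif e["action"] == "exec" and e["target"] == self.admin_tool and self.state == self.TWO_FILES:
            alert = f"ALERT: root created two files in {self.first_dir} then ran {self.admin_tool}"
            self.state, self.first_dir = self.INITIAL, None  # compromised state reached; reset
            return alert
        return None


def scan(events: List[Event]) -> List[str]:
    tracker = SequenceTracker()
    return [a for a in (tracker.feed(e) for e in events) if a]


# Constructed audit log from a hypothetical host sensor.
AUDIT_LOG: List[Event] = [
    {"user": "root", "action": "create_file", "target": "/etc/cron.d/job1"},
    {"user": "alice", "action": "create_file", "target": "/home/alice/notes"},  # not root: ignored
    {"user": "root", "action": "create_file", "target": "/etc/cron.d/job2"},
    {"user": "root", "action": "exec", "target": "AdministrativeTool1"},  # full sequence: alert
    {"user": "root", "action": "create_file", "target": "/tmp/a"},
    {"user": "root", "action": "exec", "target": "AdministrativeTool1"},  # partial sequence: no alert
]

if __name__ == "__main__":
    for alert in scan(AUDIT_LOG):
        print(alert)
```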
- Model-Based IDS
- In a model-based IDS, the product has several scenario models that represent how specific attacks and intrusions take place. The models outline how the system would behave if it were under attack, the different steps that would be carried out by the attacker, and the evidence that would be available for analysis if specific intrusions took place.
- The IDS takes in the audit log data and compares it to the different models that have been developed, to see if the data meets any of the models’ specifications. If the IDS finds data in an audit log that matches the characteristics in a specific model, it sends an alert.
- Network-Based IDS Sensors
- Network-based IDSs use sensors for monitoring purposes. A sensor, which works as an analysis engine, is placed on the network segment the IDS is responsible for monitoring.
- The sensor receives raw data from an event generator and compares it to a signature database, profile, or model, depending upon the type of IDS.
- If there is a match, which indicates suspicious activity, the sensor works with the response module to determine what action to take (alerting by instant message, pager or e-mail, reconfiguring a firewall, and so on).
- The sensor’s role is to filter received data, discard irrelevant information, and detect suspicious activity.
- A monitoring console can be used to monitor all sensors and give the network staff an overview of the activity seen by every sensor in the network. The difficulty arises in a switched environment, where the switch forwards traffic only to its destination port (or VLAN) and does not rebroadcast it to all ports. This can be overcome with a spanning (mirror) port that copies the traffic from all ports to the one monitored port.
- Sensor Placement
- Sensors can be placed outside the firewall to detect attacks.
- Inside the firewall (in the perimeter network) to detect actual intrusions.
- At highly sensitive areas, in DMZs, and on extranets.
- Multiple sensors can be used in high-traffic environments to ensure all packets are investigated. Also, if necessary to optimize network bandwidth and speed, different sensors can be set up to analyze each packet for different signatures, so that the analysis load is spread over different points.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.