Intrusion detection encompasses a range of security techniques designed to detect (and report) malicious system and network activity or to record evidence of intrusion. To understand intrusion detection one must fully understand what intrusion is. Webster’s dictionary defines an intrusion as “the act of thrusting in, or of entering into a place or state without invitation or welcome”. For the purpose of this article, we will define intrusion as any unauthorized system or network activity on one (or more) computer(s) or network(s). This could be an instance of a legitimate user of a system trying to escalate his privileges so that he can gain greater access to the system that he is currently assigned, or a legitimate user trying to connect to a remote port of a server to which he is not authorized. These intrusions can originate from the outside world, a disgruntled ex-employee who was fired recently, or from your trusted staff.
What is an IDS?
Intrusion detection systems (IDS) are software and/or hardware-based systems that detect intrusions to your network/host-based on a set of predefined rules. Active IDS attempts to block attacks, respond with counter measures that are already pre-programmed into the IDS system or at least alert administrators while the attack progresses. Passive IDS merely log the intrusion or create audit trails that are apparent after the attack has succeeded.
The term “Intrusion Detection” covers a wide range of technologies that are involved in the detection, reporting, and correlation or operating system and network security events. Intrusion detection technologies are detective rather than preventive but they can help mitigate following type of risks by providing a security administrator with information on attempted or actual security events.
- Data destruction
- Hostile code, for example buffer overflow attempt
- Network or system eavesdropping
- System or network mapping
- System or network intrusion
- Unathorized access
Intrusion detection systems are a weapon in the arsenal of system administrators, network administrators and security professionals allowing real time reporting of suspicious and malicious network activity.
Type of IDS Systems
The intrusion Detection Systems are categorized into three:
- Host - based intrusion detection systems (HIDS)
- Network-based intrusion detection systems (NIDS)
- Hybrid intrusion detection systems
Host-based intrusion detection systems (HIDS)
The HIDS is an IDS that resides on the host . The HIDS scans the host systems for activities. Typically, the HIDS scans the operating system log files, application log files, or DBMS log files for activity traces. This makes it completely dependent on the contents of the log files. As a result, if the log-files data is corrupt or in the worst case , if attacker is able to manipulate the log files information, these systems will not able to detect the occurrence of the attack. The result of the scan performed by the host-based intrusion detection system are logged into a secure database and compared with the knowledge base to detect any malicious activity.
There are various types of host-based intrusion detection systems that world at various levels.
Operating System Level
these type of HIDS function by working on the operating system log files . these HIDS determine unauthorized activities based on the following criteria :
- application initiated on a system
- Logon and Logoff credentials like date and time, login locations etc.
- Addition/Deletion?modification of system entities
- Access to system resources like files/folders/memory location/registry
The information collected from the log files is compiled and compared to the signature available in the database using special algorithms.
These type of HIDS are very similar to OS level HIDS the main difference is that HIDS concentrate more on the application level log files rather than the system level log files. For example, this is an ideal solution for detecting intrusion attempts to a database application residing on a host machine.
Even though the name of these HIDS looks very similar to NIDS they are different. A network-level HIDS works on the network packets that are addressed to particular host. If a packet is not addressed to host, the network-level HIDS will not collect and work on the network packet.
Advantages of HIDS
- Cost effective- HIDS are most cost effective when compared to NIDS for a small to medium-sized network
- additional layer of protection: in a multi-tiered security architecture, HIDS can provide another layer of security by detecting attacks missed by other security tools in the architecture
- Direct control over System Entities : Since HIDS work at the host level, they are more control and command over the system entities like memory, registry, system files etc
Network-based intrusion detection systems (NIDS)
Network -based intrusion detection System is an IDS responsible for detecting inappropriate, anomalous, or any kind of data which may be considered unauthorized or inappropriate for a subject network. A NIDS is designed to receive all packets on a particular network segment. In the case of a switched network, various methods like taps and port mirroring are used to receive all the packets in the network.
Most NIDS are pattern based, which means that they require signature to alert an intrusion attempt, or a set pattern in the payload. The accuracy of these approaches depends on the level to which the NIDS are fine-tuned.
Hybrid intrusion detection systems
The hybrid intrusion detection system is and IDS that combines both the features of a H0st-based IDS and a network -based Ids. In the Hos-based IDS monitors events occurring to monitor the network activities.