Definitions[edit | edit source]
An intrusion detection system (IDS) is
|“||[a] software application that can be implemented on host operating systems or as network devices to monitor activity that is associated with intrusions or insider misuse, or both.||”|
|“||[a] security service that monitors and analyzes network or system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.||”|
Overview[edit | edit source]
|“||Intrusion detection systems detect inappropriate, incorrect, or anomalous activity on a network or computer system. Intrusion prevention systems build on intrusion detection systems to detect attacks on a network and take action to prevent them from being successful. Security event correlation tools monitor and document actions on network devices and analyze the actions to determine if an attack is ongoing or has occurred.||”|
An IDS collects information on a network, analyzes the information on the basis of a preconfigured rule set, and then responds to the analysis. IDS ensure that unusual activity such as new open ports, unusual traffic patterns, or changes to critical operating system files is brought to the attention of the appropriate security personnel.
The implementation of an IDS might be valuable for the following reasons:
- Prevent problem behaviors by increasing risk of discovery and punishment for system intruders
- Detect attacks and other security violations that are not prevented by other security measures
- Detect preambles to attacks (network probes and other tests for existing vulnerabilities)
- Document the existing threat to the organization
- Quality control for security design and administration
- Provide useful information about methods used in intrusions.
Type of Intrusion detection systems[edit | edit source]
There are three common types of IDS, classified by the source of information they use to detect intrusions: network-based, host-based, and application-based.
- Network-based IDSs detect attacks by capturing and analyzing network packets. When placed in a network segment, one network-based IDS can monitor the network traffic that affects multiple hosts that are connected to that network segment. Network-based IDSs often consist of a set of single-purpose sensors or hosts, placed at various points in a network. These units monitor network traffic, performing local analysis of that traffic and reporting attacks to a central management console. Because these sensors are limited to running the IDS application only, they can more easily be secured against attacks. Many of these sensors are designed to run in “stealth mode," making it more difficult for an attacker to detect their presence and location.
- Host-based IDSs collect information from within an individual computer system and use that information to detect intrusions. Host-based IDSs can determine exactly which processes and user accounts are involved in a particular attack on the system. Furthermore, unlike network-based IDSs, host-based IDSs can more readily “see” the intended outcome of an attempted attack, because they can directly access and monitor the data files and system processes that are usually targeted by attacks. Host-based IDSs normally use two types of information sources: operating system audit trails and system logs. Operating system audit trails are usually generated at the innermost level of the operating system; therefore, these trails are more detailed and better protected than system logs. Some host-based IDSs are designed to support a centralized IDS management and reporting infrastructure that can allow a single management console to track many hosts. Others generate messages in formats that are compatible with a network management system.
- Application-based IDSs are a special subset of host-based IDSs that analyze the events occurring within a specific software application. The most common information sources used by application-based IDSs are the application's transaction log files. Because they directly interface with the application and use application-specific knowledge, application-based IDSs can detect the actions of authorized users who are attempting to exceed their authorization. This is because such problems are more likely to appear in the interaction among the user, the data, and the application.
An additional type of IDS is a
- Protocol-based Intrusion Detection System (PIDS) is associated with a component rather than the network. Typically it would reside between a server and a connected device and analyze communication protocols between the two. A variation of PIDS is the "Application Protocol-based Intrusion Detection System."