The IT Law Wiki
== Definitions ==

An '''intrusion detection system''' ('''IDS''') is

{{Quote|[a] [[software application]] that can be [[implement]]ed on [[host]] [[operating system]]s or as [[network device]]s to [[monitor]] activity that is associated with [[intrusion]]s or [[insider attack|insider misuse]], or both.<ref>[[NIST Special Publication 800-47]], at D-2.</ref>}}

{{Quote|[a] [[security services|security service]] that [[monitor]]s and [[analyze]]s [[network]] or [[system]] events for the purpose of finding, and providing [[real-time]] or [[near real-time]] warning of, attempts to [[access]] [[system resources]] in an [[unauthorized]] manner.<ref>[[NIST Special Publication 800-82]], at B-4.</ref>}}
== Overview ==

{{Quote|Intrusion detection systems detect inappropriate, incorrect, or anomalous activity on a network or computer system. Intrusion prevention systems build on intrusion detection systems to detect attacks on a network and take action to prevent them from being successful. Security event correlation tools monitor and document actions on network devices and analyze the actions to determine if an attack is ongoing or has occurred.<ref>[[Cybercrime: Public and Private Entities Face Challenges in Addressing Cyber Threats]], at 22 n.20.</ref>}}

An IDS collects [[information]] on a [[network]], analyzes the [[information]] on the basis of a preconfigured rule set, and then responds to the analysis. An IDS ensures that unusual activity such as new open [[port]]s, unusual [[traffic]] patterns, or changes to critical [[operating system]] [[file]]s is brought to the attention of the appropriate [[security]] personnel.

The [[implementation]] of an IDS might be valuable for the following reasons:

* Prevent problem behaviors by increasing the risk of discovery and punishment for [[system]] [[intruder]]s
* Detect [[attack]]s and other [[security]] violations that are not prevented by other [[security measures]]
* Detect preambles to [[attack]]s ([[network probe]]s and other tests for existing [[vulnerabilities]])
* Document the existing [[threat]] to the organization
* [[Quality control]] for [[security design]] and administration
* Provide useful information about the methods used in [[intrusion]]s.
== Types of intrusion detection systems ==

There are three common types of IDS, classified by the source of information they use to detect [[intrusion]]s: network-based, host-based, and application-based.

* '''Network-based IDSs''' detect [[attack]]s by capturing and analyzing [[network packet]]s. When placed in a [[network]] segment, one network-based IDS can monitor the [[network traffic]] that affects multiple [[host]]s that are connected to that [[network]] segment. Network-based IDSs often consist of a set of single-purpose [[sensor]]s or [[host]]s, placed at various points in a [[network]]. These units [[monitor]] [[network traffic]], performing local analysis of that [[traffic]] and reporting attacks to a central management console. Because these [[sensor]]s are limited to [[run]]ning the IDS [[application]] only, they can more easily be [[secure]]d against [[attack]]s. Many of these [[sensor]]s are designed to [[run]] in “[[stealth mode]],” making it more difficult for an [[attacker]] to detect their presence and location.
* '''Host-based IDSs''' collect [[information]] from within an individual [[computer system]] and use that [[information]] to detect [[intrusion]]s. [[Host]]-based IDSs can determine exactly which processes and [[user]] accounts are involved in a particular attack on the [[system]]. Furthermore, unlike [[network]]-based IDSs, [[host]]-based IDSs can more readily “see” the intended outcome of an attempted attack, because they can directly [[access]] and [[monitor]] the [[data file]]s and [[system]] processes that are usually targeted by attacks. [[Host]]-based IDSs normally use two types of information sources: [[operating system]] [[audit trail]]s and [[system log]]s. [[Operating system]] [[audit trail]]s are usually generated at the innermost level of the [[operating system]]; therefore, these trails are more detailed and better protected than [[system log]]s. Some [[host]]-based IDSs are designed to support a centralized IDS management and reporting [[infrastructure]] that can allow a single management console to [[track]] many [[host]]s. Others generate messages in formats that are [[compatible]] with a [[network]] management system.
* '''Application-based IDSs''' are a special subset of [[host]]-based IDSs that analyze the events occurring within a specific [[software application]]. The most common information sources used by [[application]]-based IDSs are the [[application]]'s [[transaction log file]]s. Because they directly [[interface]] with the [[application]] and use [[application]]-specific knowledge, [[application]]-based IDSs can [[detect]] the actions of [[authorized user]]s who are attempting to [[exceed authorized access|exceed their authorization]]. This is because such problems are more likely to appear in the [[interaction]] among the [[user]], the [[data]], and the [[application]].

An additional type of IDS is the protocol-based IDS:

* A '''Protocol-based Intrusion Detection System''' ('''PIDS''') is associated with a [[component]] rather than the [[network]]. Typically it would reside between a [[server]] and a [[connected]] [[device]] and [[analyze]] the [[communication protocol]]s between the two. A variation of PIDS is the "Application Protocol-based Intrusion Detection System."
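The collect, analyze and respond loop described in the Overview, applied to the host-based information sources listed above (system state plus system log lines), as an added example that is not from the wiki page or any cited NIST document: a small rule engine compares a host's current state against a preconfigured baseline and returns the alerts an IDS would bring to security personnel. The baseline values, the failed-login threshold, the sshd-style log lines and the file contents are all constructed for the example.

```python
# Added example: minimal host-based IDS rule engine (collect -> analyze -> respond); all inputs constructed.
import hashlib
import re
from collections import Counter

# Preconfigured rule set: the state a healthy host is expected to show (constructed baseline).
BASELINE_PORTS = {22, 80, 443}
BASELINE_HASHES = {"/etc/passwd": hashlib.sha256(b"root:x:0:0:root:/root:/bin/bash\n").hexdigest()}
AUTH_FAIL_THRESHOLD = 3  # assumed: this many failures from one source counts as "unusual"
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+)")

def check_ports(open_ports):
    """Rule 1: any listening port absent from the baseline is a new open port."""
    return [f"new open port {p}" for p in sorted(set(open_ports) - BASELINE_PORTS)]

def check_files(current_contents):
    """Rule 2: a critical OS file whose hash no longer matches the baseline has been changed."""
    alerts = []
    for path, expected in BASELINE_HASHES.items():
        actual = hashlib.sha256(current_contents.get(path, b"")).hexdigest()
        if actual != expected:
            alerts.append(f"critical file changed: {path}")
    return alerts

def check_auth_log(lines):
    """Rule 3: repeated failed logins from one source in the system log (unusual activity pattern)."""
    fails = Counter()
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            fails[m.group(1)] += 1
    return [f"{n} failed logins from {src}" for src, n in fails.items() if n >= AUTH_FAIL_THRESHOLD]

def analyze(open_ports, current_contents, log_lines):
    """Collect all three sources, apply every rule, and return the alerts to respond to."""
    return check_ports(open_ports) + check_files(current_contents) + check_auth_log(log_lines)

SAMPLE_PORTS = [22, 80, 443, 8888]  # constructed: one port outside the baseline
SAMPLE_FILES = {"/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n"}  # constructed: altered file
SAMPLE_LOG = [  # constructed sshd-style lines: three failures from one source, one from another
    "sshd[101]: Failed password for root from 203.0.113.7 port 51000 ssh2",
    "sshd[102]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2",
    "sshd[103]: Accepted password for alice from 198.51.100.2 port 40000 ssh2",
    "sshd[104]: Failed password for bob from 198.51.100.2 port 40010 ssh2",
    "sshd[105]: Failed password for root from 203.0.113.7 port 51006 ssh2",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_PORTS, SAMPLE_FILES, SAMPLE_LOG):
        print("ALERT:", alert)
```

The single source below the threshold produces no alert, which is the trade-off a preconfigured rule set makes between noise and missed probes.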
== References ==

<references />

[[Category:Technology]]
[[Category:Software]]
[[Category:Security]]
[[Category:Definition]]
Latest revision as of 05:42, 27 May 2013
