
GLOSSARY: IDS

An intrusion detection system (IDS) may be part of an intrusion prevention system (IPS).

It is a device or software application that monitors a network or systems for malicious activity or policy violations.


Intrusion detection systems (IDS) may be a dedicated device or software.

They are typically divided into two types depending on their responsibilities:

Network Intrusion Detection System (NIDS) - which is responsible for monitoring data passing over a network.

Host Intrusion Detection System (HIDS) - which is responsible for monitoring data to and from a computer.

An IDS can support a network firewall - ideally the firewall should be closed to all traffic apart from that which is known to be needed by the organisation (such as web traffic, email and FTP). An IDS can then be used to scan any traffic passing through the firewall for potential attacks using a NIDS, as well as being able to detect those coming from within – such as from a personal computer infected with malware – using a HIDS.

Intrusion detection may be considered passive: the IDS identifies that an intrusion is taking place and informs an administrator, who must then take appropriate action. However, an IDS can also be reactive – as well as informing the administrator, it can actively attempt to stop the intrusion, in most cases by blocking any further data packets sent by the source IP address. Any intrusion activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system. The SIEM system combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms.

These systems are also referred to as an Intrusion Prevention or Protection System (IPS).

Weaknesses

Automated intrusion detection systems have a number of weaknesses:

Sensitivity:

They can be too sensitive, falsely reporting that an intrusion is under way, for example if a network is incorrectly configured or a buggy program begins issuing large numbers of packets.

Conversely, they are sometimes not sensitive enough to certain types of attack that proceed very slowly and do not generate enough traffic data to raise the alarm.

Being out of date - signature-based IDS rely on the software suppliers issuing regular updates to the list of known signatures; until the IDS receives the update covering a new attack, it is effectively blind to that attack.

Techniques

Intrusion detection typically uses one of two techniques:

Anomaly detection

Anomaly detection depends on the system having a model of the expected 'normal' network behaviour of users and applications. The basic assumption of anomaly detection is that attacks differ from normal behaviour. This approach has the advantage of being able to detect previously unknown attacks by simply looking for patterns that deviate from the expected normal behaviour.

For example, consider a user who normally logs on to his computer at 9am each weekday and spends most of the morning accessing an order processing application, before taking a break for lunch.

Subsequently the user accesses a number of supplier websites each afternoon before logging off at 5pm. If the intrusion detection system logs the user accessing the system at 3am and installing new software on his machine, the anomaly detection algorithm would flag this activity as suspicious.

Of course a potential disadvantage of this approach would be that some legitimate activities might be incorrectly identified as being suspicious.

Misuse detection

Misuse detection depends on the system having a set of attack patterns, or 'signatures', against which all network activity can be compared.

The patterns of normal behaviour and attacks are configured by an administrator.

Whenever there is a match between users' activities and one of the attack signatures, or a mismatch between users' activities and a configured normal use pattern, the system will flag that an attack is underway.

This approach has the advantage of minimising the number of legitimate activities that are incorrectly identified as suspicious.

However, it also has the disadvantage of only being able to identify attacks for which a known pattern exists, so attacks with a new, unknown pattern can easily be missed.
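The two techniques described above (anomaly detection and misuse detection) are easiest to compare when both are run over the same activity log. The following Python example is added here and is not code from the original page: it builds a per-user baseline of working hours and actions from a short constructed training log, flags later events that deviate from that baseline (anomaly detection), and separately matches every event against a small list of regular-expression signatures (misuse detection). The log entries, user names, hosts and the two signatures are all constructed for illustration. Note how the 3am software installation is caught only by the anomaly detector, while the malformed web requests during normal working hours are caught only by the signatures, which is why the two approaches are usually deployed together.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample activity log (not from the original page). Each record is
# (timestamp, user, action, detail); detail holds a host, an application name
# or a web request, depending on the action.
TRAINING = [
    ("2024-03-04 09:02", "alice", "login", "workstation-12"),
    ("2024-03-04 10:15", "alice", "app", "order-processing"),
    ("2024-03-04 14:30", "alice", "web", "GET supplier-a.example/catalogue"),
    ("2024-03-04 17:01", "alice", "logoff", "workstation-12"),
    ("2024-03-05 09:00", "alice", "login", "workstation-12"),
    ("2024-03-05 11:20", "alice", "app", "order-processing"),
    ("2024-03-05 15:45", "alice", "web", "GET supplier-b.example/prices"),
    ("2024-03-05 17:03", "alice", "logoff", "workstation-12"),
]

# Constructed events to evaluate against the baseline built from TRAINING.
TEST = [
    ("2024-03-06 03:12", "alice", "login", "workstation-12"),
    ("2024-03-06 03:15", "alice", "install", "remote-tool.msi"),
    ("2024-03-06 09:30", "alice", "app", "order-processing"),
    ("2024-03-06 10:05", "alice", "web", "GET supplier-a.example/orders?id=1' OR '1'='1"),
    ("2024-03-06 14:02", "alice", "web", "GET supplier-b.example/download?file=../../config.ini"),
    ("2024-03-06 10:06", "bob", "login", "workstation-7"),
]


def _hour(timestamp):
    """Hour of day (0-23) of a 'YYYY-MM-DD HH:MM' timestamp."""
    return datetime.strptime(timestamp, "%Y-%m-%d %H:%M").hour


def build_profile(events):
    """Anomaly detection, step 1: learn each user's 'normal' hours and actions."""
    profile = defaultdict(lambda: {"hours": set(), "actions": set()})
    for ts, user, action, _detail in events:
        profile[user]["hours"].add(_hour(ts))
        profile[user]["actions"].add(action)
    return dict(profile)


def anomaly_alerts(events, profile, tolerance=1):
    """Anomaly detection, step 2: report events that deviate from the baseline.

    tolerance widens the accepted hours by +/- N hours around each hour seen in
    training, which trades a few missed detections for fewer false alarms.
    Returns a list of (timestamp, user, action, reason).
    """
    alerts = []
    for ts, user, action, _detail in events:
        reasons = []
        baseline = profile.get(user)
        if baseline is None:
            reasons.append("unknown user")
        else:
            hour = _hour(ts)
            if not any(abs(hour - h) <= tolerance for h in baseline["hours"]):
                reasons.append("hour %02d outside baseline" % hour)
            if action not in baseline["actions"]:
                reasons.append("action '%s' never seen in baseline" % action)
        if reasons:
            alerts.append((ts, user, action, "; ".join(reasons)))
    return alerts


# Misuse detection: constructed signatures an administrator would configure.
SIGNATURES = [
    ("SQL metacharacters in web request", re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.I)),
    ("directory traversal in web request", re.compile(r"\.\./")),
]


def signature_alerts(events):
    """Misuse detection: flag any event whose detail matches a known signature.

    Returns a list of (timestamp, user, signature name, detail). Nothing is
    reported for activity without a matching signature, however unusual.
    """
    alerts = []
    for ts, user, _action, detail in events:
        for name, pattern in SIGNATURES:
            if pattern.search(detail):
                alerts.append((ts, user, name, detail))
    return alerts


if __name__ == "__main__":
    profile = build_profile(TRAINING)
    print("Anomaly detection alerts:")
    for alert in anomaly_alerts(TEST, profile):
        print("  ", alert)
    print("Misuse (signature) detection alerts:")
    for alert in signature_alerts(TEST):
        print("  ", alert)
```

Running the script shows three anomaly alerts (the 3am login, the 3am installation and the never-seen user "bob") and two signature alerts (the two malformed web requests); the routine 9:30 order-processing session raises nothing from either detector. Widening tolerance or adding hours to the baseline is the knob that controls the false-positive rate the Weaknesses section warns about.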

Honeypots

Sometimes network administrators want to study attacks, either so the attackers' methods can be understood more fully and countermeasures prepared, or as part of an investigation that might lead to civil or criminal prosecutions.

One method of safely studying an attack is to deflect attackers towards an isolated computer or network which appears to be completely legitimate, but is in fact a closely-monitored trap known as a honeypot.

There, every action performed by the attacker can be recorded and analysed without risking important data.

Honeypots are also used by researchers to identify new attacks that are circulating in the hacking community, as well as by anti-spam organisations which use them to identify the location and identities of spam email senders.