In 1980, James Anderson's paper, Computer Security Threat Monitoring and Surveillance, introduced the notion of intrusion detection. Government funding and serious corporate interest then allowed intrusion detection systems (IDS) to develop into their current state. So what exactly is an IDS? An IDS is used to detect malicious network traffic and computer usage, either by matching known attack signatures or by flagging deviations from a baseline of normal behaviour. The IDS watches for attacks not only in incoming internet traffic but also for attacks that originate inside the system or the local network. When a potential attack is detected, the IDS logs the information and sends an alert to the console. How the alert is generated and handled depends on the type of IDS in place. In this paper we will discuss the different types of IDS and how they detect and handle alerts, the difference between a passive and a reactive system, and some general techniques used to evade an IDS.
First, let us go over the difference between a passive and a reactive IDS. In a passive IDS the sensor detects a potential threat, logs the information and sends an alert to the console. With a reactive IDS, also known as an intrusion prevention system (IPS), the threat is detected and logged in the same way, but the system then also acts on it: it either resets the connection or reprograms the firewall to block network traffic from the suspected source, either automatically or under the control of an operator. Therefore a reactive system acts in response to the threat, whereas a passive system only logs it and sends an alert to the console informing the operator of the threat. The price of that automation is that a false positive, or an attacker spoofing the source address of a victim, can make a reactive system block legitimate traffic, which is why many deployments keep the blocking step under operator control.
There are many types of intrusion detection systems: network-based, host-based, protocol-based, application-protocol-based, anomaly-based and hybrid. The first one we are going to discuss is the network intrusion detection system, or NIDS. A NIDS attempts to detect threats and attacks, such as denial of service attacks, port scans and attempts to break into computers, by monitoring network traffic in real time through a network interface in promiscuous mode (or a mirrored switch port). It does so by first filtering out all known non-malicious traffic and then analysing the remaining packets for suspicious patterns that could be threats. It is not, however, limited to analysing incoming packets; the system also analyses outgoing and local traffic, in case an attack originates inside the local network. Snort is an example of this.
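The pipeline just described (drop known-good traffic, then match signatures and look for scans over what remains) can be shown in a few dozen lines. The following is an added example written for this paper, not Snort's code; the packets are constructed records rather than a live capture, and the signatures, the allow-list entry and the scan threshold are assumptions chosen for the demonstration.

```python
"""Added example: a miniature NIDS in the style described above.

Illustrative code written for this article, not Snort's own code. It first
drops traffic on a known-good allow-list, then runs byte-pattern signatures
over what remains and looks for port scans. The packets are constructed
records rather than a live capture, so it runs offline; the signatures and
the allow-list entry are assumptions chosen for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float       # capture time in seconds
    src: str        # source IP
    dst: str        # destination IP
    dport: int      # destination port
    proto: str      # "tcp" or "udp"
    flags: str      # TCP flag letters, e.g. "S" for SYN, "PA" for PSH+ACK
    payload: bytes


# Simplified content signatures (name, destination port, byte pattern); assumed for the demo.
SIGNATURES = [
    ("directory traversal in HTTP request", 80, b"../.."),
    ("shell invocation in HTTP request", 80, b"/bin/sh"),
]

# Traffic known to be benign is filtered out before any analysis (assumed allow-list).
KNOWN_GOOD = {("10.0.0.5", 53, "udp")}   # (dst, dport, proto): queries to the internal resolver


def is_known_good(p: Packet) -> bool:
    return (p.dst, p.dport, p.proto) in KNOWN_GOOD


def match_signatures(p: Packet):
    """Return (signature name, src, dst) for every signature the packet matches."""
    return [(name, p.src, p.dst)
            for name, port, pattern in SIGNATURES
            if p.dport == port and pattern in p.payload]


def detect_port_scans(packets, window=2.0, threshold=10):
    """Flag a source that SYNs to >= threshold distinct ports on one host within `window` seconds."""
    syns = defaultdict(list)                       # (src, dst) -> [(ts, dport), ...]
    for p in packets:
        if p.proto == "tcp" and "S" in p.flags:
            syns[(p.src, p.dst)].append((p.ts, p.dport))
    alerts = []
    for (src, dst), events in syns.items():
        events.sort()
        for ts, _ in events:
            ports = {dp for t, dp in events if ts - window <= t <= ts}
            if len(ports) >= threshold:
                alerts.append(("port scan", src, dst))
                break                               # one alert per (src, dst) pair
    return alerts


def analyse(packets):
    """Run the pipeline: allow-list filter, then signatures, then scan detection."""
    suspect = [p for p in packets if not is_known_good(p)]
    alerts = []
    for p in suspect:
        alerts.extend(match_signatures(p))
    alerts.extend(detect_port_scans(suspect))
    return alerts


# Constructed sample traffic: benign DNS, an internal host scanning a server, and two web requests.
SAMPLE = [
    Packet(0.0, "10.0.0.20", "10.0.0.5", 53, "udp", "", b"\x12\x34\x01\x00"),
    *[Packet(1.0 + 0.1 * i, "10.0.0.99", "10.0.0.10", 20 + i, "tcp", "S", b"") for i in range(12)],
    Packet(5.0, "203.0.113.7", "10.0.0.10", 80, "tcp", "PA", b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet(5.5, "203.0.113.8", "10.0.0.10", 80, "tcp", "PA", b"GET /index.html HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE):
        print(alert)
```

Two points the sample makes: the scan is caught even though it comes from an internal address, and the traversal signature fires on a raw byte match, so an attacker who URL-encodes the pattern (for example "%2e%2e/") or splits it across fragments would slip past this toy matcher. Real sensors such as Snort normalise and reassemble traffic before matching for exactly that reason.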
Host-based intrusion detection systems (HIDS), unlike network intrusion detection systems, which focus on a computing system's external interfaces, focus on monitoring and examining the computing system's internals. Host-based systems are concerned with changes in the state of a computing system. They detect these changes by analysing system-specific logs, file checksums and configuration, either in real time or periodically. When a change is found, the IDS compares it against the current security policy and reacts accordingly. Tripwire, which compares cryptographic hashes of files against a stored baseline, is an example of this.
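The "changes in state" idea is easiest to see as a file-integrity check of the kind Tripwire performs. The block below is an added example written for this paper, not Tripwire's code: it snapshots a directory tree (hash, size, permission bits), keeps that as the baseline, and reports drift on the next run. The directory it inspects is constructed in a temporary folder, so the example runs offline.

```python
"""Added example: a minimal Tripwire-style file-integrity monitor.

Illustrative code written for this article, not Tripwire's code. It snapshots
a directory tree (sha256, size, permission bits), stores that as the
baseline, and reports any drift on the next check. The tree is constructed
in a temporary directory so the example runs offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def file_record(path: Path):
    """(sha256 hex, size in bytes, permission bits) for one regular file."""
    st = path.lstat()
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return (h.hexdigest(), st.st_size, st.st_mode & 0o7777)


def snapshot(root: Path):
    """Map each regular file (path relative to root) to its record; symlinks are skipped."""
    records = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            records[p.relative_to(root).as_posix()] = file_record(p)
    return records


def compare(baseline, current):
    """Return (kind, relpath) for every difference: added, removed, modified, mode-changed."""
    changes = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            changes.append(("added", rel))
        elif new is None:
            changes.append(("removed", rel))
        elif old[0] != new[0] or old[1] != new[1]:
            changes.append(("modified", rel))
        elif old[2] != new[2]:
            changes.append(("mode-changed", rel))
    return changes


def demo():
    """Build a fake /etc, take a baseline, tamper with it, and return the reported changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "sudoers").write_text("root ALL=(ALL) ALL\n")
        os.chmod(root / "etc" / "sudoers", 0o440)
        baseline = snapshot(root)          # in a real deployment this is signed and stored off-host

        # Simulated tampering: extra uid-0 account, world-writable sudoers, new cron job.
        with open(root / "etc" / "passwd", "a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")
        os.chmod(root / "etc" / "sudoers", 0o666)
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "persist").write_text("* * * * * root /tmp/.x\n")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for change in demo():
        print(change)
```

The baseline is the whole security of this scheme: an intruder with root who can rewrite it can hide every change, which is why Tripwire signs its database and why the baseline belongs on read-only or off-host storage. Note also that hashing alone misses the sudoers change here; the permission bits have to be part of the record.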
Protocol-based intrusion detection systems (PIDS) monitor the dynamic behaviour and state of a protocol. In a typical setup there is a system or agent sitting at the front end of a server. This agent monitors the communication protocol between the computing system it is trying to protect and a connected device. The main goal of a protocol-based IDS is to enforce the proper use of the protocol between the protected computing system and all connected devices: commands that arrive out of sequence, in the wrong state, or with malformed or over-long fields are flagged even when no known attack signature matches. Bro and Snort are examples of systems that perform this kind of protocol analysis.
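What "monitoring the state of the protocol" means in practice is a state machine over the exchange. The following added example, written for this paper and not taken from Bro or Snort, models the client side of an SMTP session (the RFC 5321 ordering HELO/EHLO, MAIL FROM, RCPT TO, DATA) and reports commands that are out of sequence, unknown, or carry an over-long line. The session transcripts are constructed, and the line-length limit is an assumption.

```python
"""Added example: a protocol-based check that enforces SMTP command ordering.

Illustrative code written for this article; it is not Bro/Zeek or Snort code.
The client side of an SMTP session is modelled as a state machine (RFC 5321
order: EHLO/HELO, MAIL FROM, RCPT TO, DATA) and any command that is out of
sequence, unknown, or over-long is reported. Transcripts are constructed.
"""

# Allowed transitions: state -> {command verb: next state}
TRANSITIONS = {
    "INIT":    {"HELO": "GREETED", "EHLO": "GREETED"},
    "GREETED": {"MAIL": "MAIL", "RSET": "GREETED", "NOOP": "GREETED"},
    "MAIL":    {"RCPT": "RCPT", "RSET": "GREETED", "NOOP": "MAIL"},
    "RCPT":    {"RCPT": "RCPT", "DATA": "DATA", "RSET": "GREETED", "NOOP": "RCPT"},
    "DATA":    {},   # message body follows; a lone "." ends it and returns to GREETED
}
MAX_LINE_LEN = 512   # assumed limit for one command line (RFC 5321 gives 512 octets)


def check_session(lines, max_line_len=MAX_LINE_LEN):
    """Return [(line_no, verdict), ...] for every protocol violation in one client session."""
    state = "INIT"
    alerts = []
    for n, line in enumerate(lines, 1):
        if state == "DATA":                 # inside the message body: lines are not commands
            if line == ".":
                state = "GREETED"
            continue
        if len(line) > max_line_len:        # shape of a classic overflow probe
            alerts.append((n, f"over-long command line ({len(line)} bytes)"))
        verb = line.split(" ", 1)[0].upper()
        if verb == "QUIT":                  # legal in every state; ends the session
            break
        nxt = TRANSITIONS[state].get(verb)
        if nxt is None:
            known = any(verb in allowed for allowed in TRANSITIONS.values())
            kind = "out-of-sequence" if known else "unknown"
            alerts.append((n, f"{kind} command {verb!r} in state {state}"))
            continue                        # stay in the current state and keep watching
        state = nxt
    return alerts


# Constructed transcripts of the client's commands only.
GOOD = [
    "EHLO mail.example.org",
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<bob@example.com>",
    "DATA",
    "Subject: hi", "", "hello", ".",
    "QUIT",
]
BAD = [
    "RCPT TO:<bob@example.com>",     # no greeting and no MAIL FROM yet
    "EHLO " + "A" * 600,             # over-long argument
    "MAIL FROM:<alice@example.org>",
    "XEXCH50 2 2",                   # verb the state machine does not know
    "DATA",                          # no recipient has been given
    "QUIT",
]

if __name__ == "__main__":
    print("good session:", check_session(GOOD))
    print("bad session:", check_session(BAD))
```

None of the flagged lines in the bad session contains an attack signature; they are caught purely because they violate the expected protocol state, which is the point of this class of IDS. A real decoder additionally has to handle the server's replies and the extensions negotiated by EHLO.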
Application-protocol-based intrusion detection systems (APIDS) monitor the application-specific protocols used by the computing system. The typical setup, similar to a protocol-based IDS, consists of a system or agent that sits in front of a group of servers, where it will monitor and analyse the...