Learning Resource

Intrusion Detection Systems (IDS) by Marr Madden

What Is an Intrusion Detection System (IDS)?

An intrusion detection system (IDS) is software that monitors network traffic or host activity looking for anomalies, intrusive activity, or misuse. It can run as a dedicated network device or on individual hosts. An IDS can respond to suspect behavior by sending alerts to system administrators, dropping packets, shutting down services, or running scripts; the last three are active responses, and a product that takes them inline on the traffic path is usually sold as an intrusion prevention system (IPS). There are many commercial and free IDS products, all with different detection and response mechanisms.

How Does an IDS Work?

There are generally two approaches an IDS can use to decide what is suspicious. The first is called anomaly detection, statistical-based intrusion detection (SBID), or profile-based ID. In this mode the IDS builds a profile of normal behavior for each user (or host, or service) and looks for activity that deviates from it. Profiles are created manually or by software that examines historical logs and derives the profile from them.

An example of a profile would be an ordinary user named Bob. Bob logs onto the network at 9 a.m. and logs out at 5 p.m., Monday through Friday. He uses Excel and Outlook and surfs the web occasionally. In the past three months he has never logged in any differently. One evening at 4 a.m., someone logs onto the network using Bob's credentials and attempts to install root.exe on the webserver. Every part of that (the hour, the target, the action) falls outside Bob's profile, and an anomaly-based IDS should raise alerts immediately. Because the decision does not depend on a catalogue of known attacks, anomaly-based systems can detect suspect activity the first time it is attempted; the price is that legitimate changes in behavior (Bob working late, or taking on a new role) also deviate from the profile and generate false positives.
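The profile-based check described above, as an added example that is not code from the original article. The record format, the users, the week of constructed history, the scored events and the `slack` threshold are all assumptions made for illustration; a real product would profile many more attributes than login time.

```python
"""Anomaly (profile-based) detection over constructed login records.

Added example for this page; it is not code from the original article. The
record format, the users, the history and the `slack` threshold are all
assumptions made for illustration.
"""
from datetime import datetime

# Constructed history: one week of Bob's logins, Mon 29 Feb to Fri 4 Mar 2016,
# always between 08:00 and 09:59. Format: "<ISO timestamp> <user> <event>".
HISTORY = """\
2016-02-29T09:01:12 bob login
2016-02-29T17:03:40 bob logout
2016-03-01T08:58:03 bob login
2016-03-01T17:05:12 bob logout
2016-03-02T09:04:55 bob login
2016-03-02T16:59:30 bob logout
2016-03-03T09:00:18 bob login
2016-03-03T17:10:02 bob logout
2016-03-04T09:07:44 bob login
2016-03-04T17:02:21 bob logout
"""

# Constructed events to score: a normal Monday login, a 04:02 login with Bob's
# credentials on Tuesday, and a login by a user with no profile at all.
EVENTS = """\
2016-03-07T09:01:27 bob login
2016-03-08T04:02:09 bob login
2016-03-08T04:03:30 mallory login
"""


def parse(text):
    """Yield (timestamp, user, event) for each non-empty record."""
    for line in text.splitlines():
        if line.strip():
            ts, user, event = line.split()
            yield datetime.fromisoformat(ts), user, event


def build_profiles(history):
    """Per-user profile: weekdays seen and the earliest/latest login hour."""
    profiles = {}
    for ts, user, event in parse(history):
        if event != "login":
            continue
        p = profiles.setdefault(user, {"days": set(), "lo": 23, "hi": 0})
        p["days"].add(ts.weekday())
        p["lo"] = min(p["lo"], ts.hour)
        p["hi"] = max(p["hi"], ts.hour)
    return profiles


def is_anomalous(profile, ts, slack=1):
    """A login is normal on a weekday seen before, within `slack` hours of the
    observed login window. `slack` trades missed detections for false positives."""
    in_days = ts.weekday() in profile["days"]
    in_hours = profile["lo"] - slack <= ts.hour <= profile["hi"] + slack
    return not (in_days and in_hours)


def detect(history, events, slack=1):
    """Return (timestamp, user, reason) for every login that deviates from profile."""
    profiles = build_profiles(history)
    alerts = []
    for ts, user, event in parse(events):
        if event != "login":
            continue
        if user not in profiles:
            alerts.append((ts, user, "no profile for user"))
        elif is_anomalous(profiles[user], ts, slack):
            alerts.append((ts, user, "login outside profile"))
    return alerts


if __name__ == "__main__":
    for ts, user, reason in detect(HISTORY, EVENTS):
        print(f"ALERT {ts:%Y-%m-%d %H:%M} {user}: {reason}")
```

The 04:02 login is flagged with the default `slack` of one hour and disappears at `slack=5`; that knob is the whole false-positive trade-off in miniature. Note also that the profile is only as good as the history it was learned from: anything an intruder did during that week would have been learned as normal.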

The second method of detection is called misuse detection, rule-based intrusion detection (RBID), or signature-based detection. Here the IDS compares current network traffic to a database of known attack patterns, or "signatures." An example would be a Microsoft webserver that receives an HTTP request formatted similarly to, or exactly like, a request sent by a machine infected with the Nimda worm. When the IDS sees this request and compares it to its database, it finds a match with a known signature and takes the action configured by the IDS administrator. This could include blocking or dropping the traffic immediately and notifying the administrator for further action. A signature only matches what it was written for, so an attacker who alters the request enough to miss the pattern (encoding it differently, for instance) goes undetected until a new signature is written.
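Signature matching over web-server requests, as an added example that is not code from the original article or from any IDS vendor. The three signatures are simplified patterns modelled on the well-known Nimda probes for root.exe and cmd.exe, not a real rule set; the access-log lines are constructed. The example also shows why the request is normalised (percent-decoded) before matching: a double-encoded path that a raw-string match would miss is caught after decoding.

```python
"""Signature (misuse) detection over constructed web-server access-log lines.

Added example for this page; not code from the original article or from any
IDS vendor. The three signatures are simplified patterns modelled on the
well-known Nimda probes for root.exe and cmd.exe; a real rule set is larger
and more precise. The log lines are constructed.
"""
import re
from urllib.parse import unquote

# Constructed access log in Common Log Format. Lines 2 and 3 are the kind of
# request an infected host sends; the 404s say the probe found nothing.
ACCESS_LOG = """\
10.0.0.5 - - [18/Sep/2001:10:03:21 +0000] "GET /index.html HTTP/1.0" 200 1234
10.0.0.9 - - [18/Sep/2001:10:03:22 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 312
10.0.0.9 - - [18/Sep/2001:10:03:23 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312
10.0.0.7 - - [18/Sep/2001:10:03:25 +0000] "GET /images/logo.gif HTTP/1.0" 200 5120
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) \d+')

# Signature database: (name, pattern applied to the normalised request path).
SIGNATURES = [
    ("IIS root.exe access", re.compile(r"/root\.exe")),
    ("IIS cmd.exe access", re.compile(r"/cmd\.exe")),
    ("directory traversal", re.compile(r"\.\./|\.\.\\")),
]


def normalise(path, rounds=3):
    """Percent-decode until stable (bounded) and lower-case, so that a
    double-encoded "..%255c.." is seen as "..\\.." before matching. Encoding
    tricks like this are a classic way of evading a signature that matches
    only the raw request."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.lower()


def match_signatures(path):
    """Return the names of every signature that matches the request path."""
    norm = normalise(path)
    return [name for name, pat in SIGNATURES if pat.search(norm)]


def scan(log_text):
    """Return one alert per log line that matches at least one signature."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, when, method, path, status = m.groups()
        hits = match_signatures(path)
        if hits:
            alerts.append({"src": src, "when": when, "method": method,
                           "path": path, "status": int(status), "sigs": hits})
    return alerts


if __name__ == "__main__":
    for a in scan(ACCESS_LOG):
        # The status code is the only hint the sensor has about success; a 404
        # suggests the probe failed, a 200 would need host-side investigation.
        print(f"{a['src']} {a['method']} {a['path']} -> {a['status']}: {', '.join(a['sigs'])}")
```

Two of the four lines produce alerts; the benign requests match nothing. The status code carried in each alert is as close as a traffic-only sensor gets to knowing whether the probe worked, which is the limitation the next section raises for network-based systems.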

What Types of IDSs Are There?

IDSs can be deployed as (a) network-based devices or (b) host-based applications. A network-based IDS (NIDS) sniffs network packets looking for malformed data, unusual patterns, or suspicious connection requests. NIDS sensors on different segments can report to a centralized monitoring station for easier reporting and configuration. NIDSs are usually rule-based; some products can also generate rules from observed traffic patterns. While good at detecting known attacks, a NIDS has difficulty determining whether an attack succeeded, because it sees only the traffic and not its effect on the target host.

A host-based IDS (HIDS) monitors application and/or operating system files and logs looking for evidence of suspicious activity. These systems may use either detection approach and can be configured to monitor system files, user activity, log files, or file access. Several products take snapshots of important system files (typically a cryptographic hash of each) and periodically re-check the files against the snapshot. An example would be a HIDS that watches the Netstat.exe command, which displays current connections. An intruder who has gained access to the host would try to install a Trojaned Netstat that hides the intruder's connection to your server. You, as an unsuspecting administrator running Netstat, would never see that connection, but the HIDS would notice that Netstat.exe no longer matches its snapshot and alert (and, if configured to block writes to watched files, could stop the replacement).
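The snapshot-and-recheck idea above, as an added example that is not code from the original article or from any HIDS product. The two "binaries" are stand-in files constructed in a temporary directory; on a real host the watched list would name system executables and the baseline would be kept somewhere the intruder cannot rewrite it.

```python
"""Host-based file-integrity monitoring, the kind of check that catches a
Trojaned Netstat. Added example for this page, not code from the original
article or any HIDS product. The watched files are constructed in a
temporary directory; on a real host the list would name system binaries
and the baseline would be stored off-host or read-only.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths):
    """Baseline: {path: digest} for every watched file that exists."""
    return {str(p): sha256_of(p) for p in paths if os.path.isfile(p)}


def check(baseline, current):
    """Compare two snapshots. Returns {path: 'modified' | 'missing' | 'new'};
    an empty dict means every watched file is as it was."""
    findings = {}
    for path, digest in baseline.items():
        if path not in current:
            findings[path] = "missing"
        elif current[path] != digest:
            findings[path] = "modified"
    for path in current:
        if path not in baseline:
            findings[path] = "new"
    return findings


def demo():
    """Take a baseline of two constructed 'binaries', replace one with a
    Trojaned copy, and re-check. Returns the findings."""
    with tempfile.TemporaryDirectory() as d:
        netstat = Path(d) / "netstat.exe"
        ping = Path(d) / "ping.exe"
        netstat.write_bytes(b"constructed stand-in for the real netstat.exe")
        ping.write_bytes(b"constructed stand-in for the real ping.exe")
        watched = [netstat, ping]
        baseline = snapshot(watched)

        # An intruder swaps in a copy that hides their connection.
        netstat.write_bytes(b"constructed stand-in for a trojaned netstat.exe")

        return check(baseline, snapshot(watched))


if __name__ == "__main__":
    for path, what in demo().items():
        print(f"ALERT {what}: {path}")
```

Only netstat.exe is reported, as modified. Two caveats a practitioner should keep in mind: the check is only as trustworthy as the baseline and the checker itself (an intruder with write access to both can simply update the stored hash), and a periodic re-check detects the swap after the fact rather than preventing it.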

Hybrid systems using NIDS and HIDS are beginning to be used; these hybrids address some of the shortcomings of each system.

Conclusion

The technology of intrusion detection is fairly recent. While not intended to replace a firewall or virus protection, an IDS provides a look inside your network or PC and attempts to detect and defeat potentially destructive behavior.

Additional Considerations

  • A NIDS can't inspect the contents of encrypted traffic (it still sees addresses, ports, and volumes); a HIDS sees the data after the host has decrypted it.
  • One NIDS can cover a whole subnet, and is operating system independent.
  • Profile-based methods need time to assemble the profiles, and that form of detection is ineffective in the meantime. Worse, if an intruder is already active while the baseline is being learned, the intrusion becomes part of "normal."
  • IDSs can be costly—although one of the top-rated systems, Snort, is open source.
  • Configuration and monitoring can be time-consuming. Clearing false positives is a major undertaking.
  • IDS signatures must be kept up to date. New attacks won't be matched until a signature exists for them, either one published by the vendor that you download, or a local rule you write yourself.
  • There can be latency issues: by the time the IDS figures out that an attack is going on, damage may have already been done.

References and Resources

Intrusion Detection Systems: http://www.informit.com/articles/article.asp?p=25334&redir=1

SANS InfoSec Reading Room - Intrusion Detection: http://www.sans.org/rr/catindex.php?cat_id=30

Snort - The Open-Source Network Intrusion Detection System: http://www.snort.org

Cisco Intrusion Detection Products: http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/index.shtml

The ABCs of IDSs (Intrusion Detection Systems): http://messageq.ebizq.net/security/meinel_2.html

Licenses and Attributions

Intrusion Detection Systems (IDS) by Marr Madden is available under a Creative Commons Attribution 3.0 United States license. © 2016, OCLC. UMGC has modified this work and it is available under the original license.