INTRUSION DETECTION SYSTEMS

What is a Intrusion Detection System?

An intrusion detection system (IDS) is a device or software application that
monitors a network for malicious activity or policy violations. Any malicious
activity or violation is typically reported or collected centrally using a security
information and event management system. Some IDS’s are capable of responding
to detected intrusion upon discovery. These are classified as intrusion prevention
systems (IPS).

IDS Detection Types

There is a wide array of IDS, ranging from antivirus software to tiered monitoring
systems that follow the traffic of an entire network. The most common
classifications are:
• Network intrusion detection systems (NIDS): A system that analyzes
incoming network traffic.
• Host-based intrusion detection systems (HIDS): A system that monitors
important operating system files.

There is also subset of IDS types. The most common variants are based on signature
detection and anomaly detection.
• Signature-based: Signature-based IDS detects possible threats by looking for
specific patterns, such as byte sequences in network traffic, or known
malicious instruction sequences used by malware. This terminology
originates from antivirus software, which refers to these detected patterns as
signatures. Although signature-based IDS can easily detect known attacks, it
is impossible to detect new attacks, for which no pattern is available.
• Anomaly-based: a newer technology designed to detect and adapt to
unknown attacks, primarily due to the explosion of malware. This detection
method uses machine learning to create a defined model of trustworthy
activity, and then compare new behavior against this trust model. While this
approach enables the detection of previously unknown attacks, it can suffer
from false positives: previously unknown legitimate activity can accidentally
be classified as malicious.

IDS Usage in Networks

When placed at a strategic point or points within a network to monitor traffic to and
from all devices on the network, an IDS will perform an analysis of passing traffic,
and match the traffic that is passed on the subnets to the library of known attacks.
Once an attack is identified, or abnormal behavior is sensed, the alert can be sent to
the administrator.
Evasion Techniques
Being aware of the techniques available to cyber criminals who are trying to breach
a secure network can help IT departments understand how IDS systems can be
tricked into not missing actionable threats:
• Fragmentation: Sending fragmented packets allow the attacker to stay under
the radar, bypassing the detection system's ability to detect the attack
signature.
 • Avoiding defaults: A port utilized by a protocol does not always provide an
indication to the protocol that’s being transported. If an attacker had
reconfigured it to use a different port, the IDS may not be able to detect the
presence of a trojan.
• Coordinated, low-bandwidth attacks: coordinating a scan among numerous
attackers, or even allocating various ports or hosts to different attackers.
This makes it difficult for the IDS to correlate the captured packets and
deduce that a network scan is in progress.
• Address spoofing/proxying: attackers can obscure the source of the attack by
using poorly secured or incorrectly configured proxy servers to bounce an
attack. If the source is spoofed and bounced by a server, it makes it very
difficult to detect.
• Pattern change evasion: IDS rely on pattern matching to detect attacks. By
making slight adjust to the attack architecture, detection can be avoided.

Why Intrusion Detection Systems are Important

Modern networked business environments require a high level of security to ensure

safe and trusted communication of information between various organizations. An
intrusion detection system acts as an adaptable safeguard technology for system
security after traditional technologies fail. Cyber attacks will only become more
sophisticated, so it is important that protection technologies adapt along with their
threats.

What is an Intrusion Prevention System?

An intrusion prevention system (IPS) is an automated network security device
used to monitor and respond to potential threats. Like an intrusion detection
system (IDS), an IPS determines possible threats by examining network traffic.
Because an exploit may be carried out very quickly after an attacker gains access,
intrusion prevention systems administer an automated response to a threat, based
on rules established by the network administrator.
The main functions of an IPS are to identify suspicious activity, log relevant
information, attempt to block the activity, and finally to report it.
IPS’s include firewalls, anti-virus software, and anti-spoofing software. In addition,
organizations will use an IPS for other purposes, such as identifying problems with
security policies, documenting existing threats and deterring individuals from
violating security policies. IPS have become an important component of all major
security infrastructures in modern organizations.

How An IPS Works

An intrusion prevention system works by actively scanning forwarded network
traffic for malicious activities and known attack patterns. The IPS engine analyzes
network traffic and continuously compares the bitstream with its internal signature
database for known attack patterns. An IPS might drop a packet determined to be
malicious, and follow up this action by blocking all future traffic from the attacker’s
IP address or port. Legitimate traffic can continue without any perceived disruption
in service.
Intrusion prevention systems can also perform more complicated observation and
analysis, such as watching and reacting to suspicious traffic patterns or packets.
Detection mechanisms can include:
• Address matching
• HTTP string and substring matching
• Generic pattern matching
• TCP connection analysis
• Packet anomaly detection
• Traffic anomaly detection
• TCP/UDP port matching

An IPS will typically record information related to observed events, notify security
administrators, and produce reports. To help secure a network, an IPS can
automatically receive prevention and security updates in order to continuously
monitor and block emerging Internet threats.
Intrusion Countermeasures
Many IPS can also respond to a detected threat by actively preventing it from
succeeding. They use several response techniques, which involve:
• Changing the security environment – for example, by configuring a firewall to
increase protections against previously unknown vulnerabilities.
• Changing the attack's content – for example, by replacing otherwise
malicious parts of an email, like false links, with warnings about the deleted
content.
• Sending automated alarms to system administrators, notifying them of
possible security breaches.
• Dropping detected malicious packets.
• Resetting a connection.
• Blocking traffic from the offending IP address.

IPS Classifications
Intrusion prevention systems can be organized into four major types:
• Network-based intrusion prevention system (NIPS): Analyzes protocol
activity across the entire network, looking for any untrustworthy traffic.
• Wireless intrusion prevention system (WIPS): Analyzes network protocol
activity across the entire wireless network, looking for any untrustworthy
traffic.
• Host-based intrusion prevention system (HIPS): A secondary software
package that follows a single host for malicious activity, and analyzes events
occurring within said host.
• Network behavior analysis (NBA): Examines network traffic to identify
threats that generate strange traffic flows. The most common threats being
distributed denial of service attacks, various forms of malware, and policy
abuses. pattern matching to detect attacks. By making slight adjust to the
attack architecture, detection can be avoided.

IPS Detection Methods

The majority of intrusion prevention systems use one of three detection methods:
signature-based, statistical anomaly-based, and stateful protocol analysis.
• Signature-based detection: Signature-based IDS monitors packets in the
network and compares with predetermined attack patterns, known as
“signatures”.
 • Statistical anomaly-based detection: An anomaly-based IDS will monitor
network traffic and compare it to expected traffic patterns. The baseline will
identify what is "normal" for that network – what sort of packets generally
through the network and what protocols are used. It may however, raise a
false positive alarm for legitimate use of bandwidth if the baselines are not
intelligently configured.
• Stateful protocol analysis detection: This method identifies protocol
deviations by comparing observed events with pre-determined activity
profiles of normal activity.

Why Intrusion Prevention Systems are Important

Modern networked business environments require a high level of security to ensure
safe and trusted communication of information between various organizations. An
intrusion prevention system acts as an adaptable safeguard technology for system
security after traditional technologies. The ability to prevent intrusions through an
automated action, without requiring IT intervention means lower costs and greater
performance flexibility. Cyber attacks will only become more sophisticated, so it is
important that protection technologies adapt along with their threats.