Intrusion Detection Systems

From Techotopia
Jump to: navigation, search
PreviousTable of ContentsNext
Network Security TopologiesSecurity Baselines and Operating System, Network and Application Hardening

Purchase and download the full PDF and ePub versions of this Security+ eBook for only $8.99

Buy eBook

The purpose of intrusion detections systems (IDSs) is to monitor networks or systems with the express purpose of identifying and responding to suspicious activity. In this chapter we will learn about the concepts and basics of intrusion detection systems.

An Overview of Intrusion Detection Systems

Intrusion detection systems are typically grouped into one of two categories:

  • Host-based IDS - A host-based IDS monitors the activity on individual systems with a view to identifying unauthorized or suspicious activity taking place on the operating system.
  • Network-based IDS - A network-based IDS is solely concerned with the activity taking place on a network (or more specifically, the segment of a network on which it is operating).

An IDS also falls into either Knowledge-based or Behavior-based categories:

  • Knowledge-based - Includes a database of signatures known to be associated with malicious or unauthorized activity. A knowledge-based IDS compares activity data against the signature database and responds when a match is identified.
  • Behavior-based - Monitors for deviations from the normal operation of systems or networks based on knowledge gathered over time of the normal usage patterns of users and systems.

IDS Architecture

Regardless of the type of IDS there are a few common components that typically constitute an IDS:

  • Traffic Collector - The component is responsible for gathering activity and event data for analysis. On a host-based IDS this will typically include metrics such as inbound and outbound traffic and activity recorded by the operating system in log and audit files. A network-based IDS will pull data off a segment of a network for analysis.
  • Analysis Engine - The analysis engine is responsible for analyzing the data gathered by the traffic collector. In case of a knowledge-based IDS the data will compared against a signature database. A behavior-based IDS, on the other hand, will compare it against baseline behavior information gathered over time to see if the current behavior deviates from the norm.
  • Signature Database - Used in knowledge-based systems, the signature database contains a collection of signatures known to be associated with suspicious and malicious activities. It could be said that a knowledge based IDS is only as good as its database.
  • Management and Reporting Interface - A management interface providing a mechanism by which system administrators may manage the system and receive alerts when intrusions are detected.

Host-based Intrusion Detections Systems (HIDS)

A host-based IDS runs directly on a server or desktop system and uses the resources of that system to examine log and audit files together with network traffic entering and leaving the system. In addition some host-based systems are able to monitor the log files for specific services such as web or ftp servers. These systems either work in real-time or in a batch mode where logs are checked at pre-defined intervals.

A host based IDS might, for example, look for anomalies such multiple failed login attempts, logins occurring at unusual times and access to system files not usually accessed by users.

Host-based intrution detection systems have a number of strengths and weaknesses.

Strengths of Host-based Intrusion Detection Systems

  • Fewer False Positives - A false positive is legitimate and authorized activity on a system which is incorrectly identified by an IDS as being suspicious or malicious. By running directly on the host and analyzing log files in context with overall system activity the number of false positives is reduced.
  • Narrow Operating System Focus - Host based systems are usually developed for specific operating systems, avoiding the pitfalls of a more general, cross-platform approach to intrusion detection.
  • Decrypted Data Monitoring - Because malicious network traffic is more often than not encrypted it is often missed by network-based IDSs. Because host-based systems examine data after it has been decrypted by the operating system and network stack it is better placed to identify malicious activity.
  • Non-Network Based Attacks - While many attacks are initiated via the network it is also common for attacks to be performed directly at the system by disgruntled or dishonest employees. The advantage of a host-based IDS over a network-based IDS is that is capable of identifying suspicious activity taking place at the physical machine (i.e. the keyboard and mouse attached to the computer).

Weaknesses of Host-based Intrusion Detection Systems

  • Use of Local System Resources - Host-based IDSs use CPU and memory resources of the systems they are designed to protect. Whilst not a serious issue for typical users this can have a significant impact on system where high performance or real-time demands are made on the system.
  • Scalability - Whilst host-based intrusion detection systems work well for deployment on smaller numbers of systems the tracking, monitoring and maintaining of hundreds or thousands of systems can quickly become a cumbersome overhead in terms of costs and resources.
  • Local IDS Logging Vulnerable - Because host-based systems often log locally on the systems they are protecting they are vulnerable to having those log files compromised to remove any record of malicious activity.
  • IDS Tunnel Vision - When we talk about tunnel vision we are talking about an IDS version of the human malady where it is only possible to see a small area in front. In many ways a host-based IDSs focus solely on host based activities has a tendency to blind the systems to the larger picture in terms of traffic on the surrounding network and connected hosts.

Network-based Intrusion Detection Systems (NIDS)

Network-based intrusion detection systems (NIDS) monitor traffic passing through a network and compare that traffic with a database of so called signatures known to be associated with malicious activity. A number of different signature types are used by the typical NIDS:

  • Header Signatures - Scans the header portion of network packets to identify suspicious or inappropriate information.
  • Port Signatures - Monitors the destination port of network packets to identify packets destined for ports not serviced by the servers on the network, or targeting ports known to be used by common attacks.
  • String signatures - Identifies strings contained in the payload of network packets to identify strings known to be present in malicious code.

A network based IDS will typically only pick up packets traveling in the network segment to which it is attached. In general NIDS are generally placed between an internal network and the firewall, ensuring that all inbound and outbound traffic is monitored. In addition, if the network-based IDS software is installed on a computer it is vital that the computer be equipped with a network interface card (NIC) which supports promiscuous mode so that it is able to capture all network packets, not just those destined for its own IP address.

As with host-based intrusion detection systems, network-based systems have inherent strengths and weaknesses.

Strengths of Network-based Intrusion Detection Systems

  • Pre-host Detection - There is a view in the IT security community that if an attack has reached the point that it has been detected by a host-based defense layer then the outer layers of security have failed to do their job. The advantage of the network-based IDS is that it is designed specifically to prevent an attack before it reaches any systems on the internal network.
  • Reduced Cost of Ownership - Unlike host-based intrusion detection systems which have to be installed on every host to be protected, a single network based IDS can protect and entire network resulting in reduced deployment and maintenance overheads.
  • Real-time Detection - Network-based systems track and analyze traffic in real-time enabling attacks to be stopped while they are still in progress.
  • Cross-platform Protection - Because network-based intrusion detection systems focus solely on network traffic they are are completely operating system agnostic. The typical NIDS neither knows, nor cares what operating systems the computers on a network are running. All it cares about is the network traffic passing between them.
  • Big Picture View - The typical NIDS (assuming it has been carefully placed in a network) has a "big picture" view of what is happening on a network and as such can see patterns to identify, for example, how widespread an attack is on a network.

Weaknesses of Network-based Intrusion Detection Systems

  • Unable to Monitor Encrypted Traffic - Unfortunately much traffic these days is encrypted and, as such, is impervious to analysis by a network-based IDS.
  • Potential Blind Spots - An IDS can only detect attacks that pass through the segment of network to which it is attached. If the suspicious traffic is traveling on a different section of the network it will not be detected by the NIDS.
  • Unaware if Host Based Activity - Because network based detection focuses solely on network traffic such systems have no knowledge of malicious activities that may be taking place on a host on the network (unless that host generates suspicious network traffic that is visible to the IDS).
  • Matching the Bandwidth Curve - With the increasing deployments of fiber and Gigabit Ethernet it is becoming increasingly challenging for network-based intrusion detection systems to keep up with the speed of data traveling across networks.

Responding to Incidents

When an IDS alerts an administrator to an attack it is important that the administrator have guidelines to follow in response to the notification. A number of response options are available:

  • Deflection - When an attack is identified the administrator may choose to deflect the attacker to a secured host or network segment that will lead the attacker to believe they have succeeded (typically pre-configured environments known as honeypots and honeynets respectively).
  • Detection - The process of detection involves the application of forensics in an attempt uncover the identity and location of the attacker for subsequent investigation by law enforcements agencies.
  • Countermeasures - Automated countermeasures can be implemented through the deployment of Intrusion Countermeasure Equipment (ICE). Such systems will lock down a network or increase security levels in the event of an attack. Such systems should be used with care as false positives may result in unnecessary interruptions of service.

Purchase and download the full PDF and ePub versions of this Security+ eBook for only $8.99

Buy eBook

PreviousTable of ContentsNext
Network Security TopologiesSecurity Baselines and Operating System, Network and Application Hardening