IDS: IDS stands for Intrusion Detection System. There are primarily two types of IDSs. These are Network based IDS (NIDS), and Host based IDS (HIDS). If the IDS monitors network wide communication, it is called Network based IDS, and if the IDS monitors security on a per host basis, it is called Host based IDS. Network based IDS collects widespread intrusions effectively.
IDS Tools that identify attacks using defined rules or logic and are considered passive. An IDS can be network based or host based. An IDS monitors network traffic, but it does not take any specific action and is therefore considered passive.
Usually, several services are installed by default when an Operating System is installed. Nonessential services are the services that are not used. It is important that non-essential services are either disabled or removed; otherwise, hackers may use these services to get back-door entry into the computer system. These attacks usually do not draw the attention of system admins because they are not monitored actively. IDS (short for Intrusion Detection Systems) can detect such type of attacks.
A few techniques used by IDS (Intrusion Detection Systems) include the following:
1. Anomaly detection
2. Signature detection
3. Target monitoring, and
4. Stealth probes
Anomaly detection: This method establishes a baseline of normal usage patterns, and anything that widely deviates from the baseline is investigated for possible intrusion. An example of this would be if a user logs on and off of a machine 10 times a day instead of the normal once or twice a day.
Signature detection: This uses specifically known patterns of unauthorized behavior to predict and detect subsequent similar attempts. These specific patterns are called signatures.
Target monitoring systems do not actively search for anomalies or misuse, but instead look for the modification of specified files.
IDS (Intrusion Detection Systems, like NIDS, HIDS) use signature matching for detecting abnormal activities in a host or network.
An active IDS responds to an intrusion by taking pre-configured steps to prevent the intruder doing any further damage. Such steps may include preventing the IP address from accessing the network or disabling the intruded port, etc.
There are several key terms that one needs to be familiar with IDS
Alert: An alert is a message from the analyzer indicating that an event of interest has occurred. Alerts occur when activities of a predefined type exceed a threshold. value set by the operator.
Analyzer: The analyzer processes the data collected by the sensor. Analyzer monitors the events and determines any unusual activities. They can also use a rule-based process and send alerts when a rule is met or not met.
Data Source: Data source is the raw information available to the analyzer. Data source is used by an analyzer to analyze any suspicious activity.
Event: An event is an occurrence in a data source that indicates that a suspicious activity has occurred. Analyzer processes any such events and may generate an alert.
Manager: The manager is the interface that an operator uses to manage the IDS. An operator uses IDS manager to configure the IDS.
Notification: Notification is the process by which the IDS manager makes the operator aware of an alert.
Operator: The operator is the human interface responsible for configuring and managing the IDS.
Sensor: A sensor is the IDS component that collects data from the data source and passes it on to the analyzer.
The first thing to be done when an intrusion is detected is to contain the damage. For example, if the intrusion is in the form of an unauthorized user, ensure that the user cannot access any network resource.
There are primarily three types of Intrusion Detection Schemes.
1. Behaviour based
2. Signature based, and
3. Anomaly based.
Signature based IDS: It is also called Misuse-Detection IDS is based on detecting known patterns (signatures) of data. SD-IDS uses huge data (signatures) to detect any intrusions or intrusion attempts.
Anomaly based IDS: This looks for any anomalous activity. This type of detection is normally based on artificial intelligence.
Web Application Firewall: A web application firewall (WAF) is server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. By customizing the rules to your application, many attacks can be identified and blocked.
Unified Threat Management (UTM): UTM involves an approach to information security whereby a single hardware- or software-installation provides multiple security functions. UTM is a single solution that combines multiple security controls. The overall goal of UTMs is to provide better security, while also simplifying management requirements. In many cases, a UTM device will reduce the workload of administrators without sacrificing security.