Intrusion detection system (IDS) overview

  • Detects intrusions in real time and alerts
  • Can filter the traffic and alert the security personnel
    • Also known as intrusion detection and prevention systems (IDPS) or intrusion prevention systems (IPS)
  • Inspects both incoming (inbound) and outgoing (outbound) traffic
  • Can be software or hardware
  • Usually placed near the firewall
    • Inside or outside depending on which traffic is being monitored
    • 💡 Good to deploy in both places (before and after the DMZ) for layered defense

Intrusion types

  • Filesystem intrusion
    • Unexpected creation/deletion/modification of files or file attributes (e.g. permissions)
  • Network intrusion
    • Increase in bandwidth consumption
    • Unexpected incoming connections, e.g. attempted logins
    • Sudden increase in log volume, which can be caused by DoS/DDoS
  • System intrusion
    • Missing or modified log, system or configuration files
    • Degradation in system performance
    • Unfamiliar processes, system reboots, crashes

IDS types

Network-based vs Host-based IDS

  • Comparison

    |                     | NIDS                                          | HIDS                                                 |
    | Strength            | Sensing attacks from outside                  | Sensing attacks from inside that NIDS cannot examine |
    | Packet headers      | Examines                                      | Does not understand                                  |
    | Host                | Independent                                   | Dependent                                            |
    | Bandwidth           | In need of                                    | Does not require                                     |
    | Performance         | Slows down networks where it's installed      | Slows down hosts where it's installed                |
    | Attack types        | Senses network attacks as payload is analyzed | Senses local attacks before they hit the network     |
    | False positive rate | High                                          | Low                                                  |
  • See also WIDS (Wireless Intrusion Detection System)

Network-based intrusion detection systems (NIDSs)

  • Also known as network-based IDS
  • Inspects each incoming packet for anomalies and suspicious patterns.
  • Can detect DoS attacks, port scans, or break-in attempts.
Network tap
  • Typically a hardware device that provides a way to access the data flowing across a computer network.
  • Provides the IDS with visibility into the traffic flowing over the network
  • E.g. a hub connected on the segment or a network appliance created specifically for the task
Snort
  • The most widely deployed open-source NIDS
  • Rule-based IPS to detect and stop packets
  • Can block traffic matching expressions such as
    • /(\%27)|(\')|(\-\-)|(\%23)|(#)/ix
    • /((\%27)|(\'))union/ix
Snort configurations
  • Alerts are defined in the Snort configuration file
    • Configuration file is at /etc/snort (Linux) or C:\Snort\etc (Windows)
  • Can be configured to run as:
    • packet sniffer
      • E.g. snort -vde
    • packet logger
      • E.g. ./snort -dev -l ./log
    • Network intrusion detection system
      • Does not drop packets
      • Evaluates packets against all alert rules, logging the matches.
      • E.g. ./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf
    • Network intrusion prevention system
Snort rules
  • All rules are checked for each packet
  • If multiple matches are found:
    • Alerts on the most specific rule and ignores the more generic ones.
  • 📝 Syntax
    • Action protocol address port -> address port (option:value;option:value)
    • E.g. alert tcp 10.0.0.1 25 -> 10.0.0.2 25 (msg:"Sample Alert"; sid:1000;)
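A small parser and matcher for the rule syntax above, added here as an example (it is not Snort's own code and does not reproduce Snort's real event ordering); the "most specific rule wins" selection implements the behaviour the notes describe by counting non-`any` header fields, and the rules and packets are constructed for the example.

```python
import re
from dataclasses import dataclass

# Rules in the header/option syntax shown above; constructed for this example, not a real ruleset.
RULES = """
alert tcp any any -> any any (msg:"Any TCP"; sid:1000001;)
alert tcp any any -> 10.0.0.2 25 (msg:"TCP to mail host"; sid:1000002;)
alert tcp 10.0.0.1 25 -> 10.0.0.2 25 (msg:"Sample Alert"; sid:1000;)
"""

# action protocol address port -> address port (option:value;option:value)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
FIELDS = ("src", "sport", "dst", "dport")

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    options: dict

    def matches(self, pkt: dict) -> bool:
        """Protocol must be equal; each address/port field must be equal or the wildcard 'any'."""
        if self.proto != pkt["proto"]:
            return False
        return all(getattr(self, f) in ("any", str(pkt[f])) for f in FIELDS)

    def specificity(self) -> int:
        """Count of concrete (non-'any') header fields; more means more specific."""
        return sum(getattr(self, f) != "any" for f in FIELDS)

def parse_rules(text: str) -> list:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line}")
        # options are 'key:value;' pairs; quotes around msg are stripped
        opts = {k.strip(): v.strip().strip('"')
                for k, v in (o.split(":", 1) for o in m.group("opts").split(";") if ":" in o)}
        rules.append(Rule(*(m.group(g) for g in ("action", "proto", "src", "sport", "dst", "dport")), opts))
    return rules

def best_match(rules: list, pkt: dict):
    """Most specific matching rule wins (the 'most unique rule' behaviour above); None if nothing matches."""
    hits = [r for r in rules if r.matches(pkt)]
    return max(hits, key=Rule.specificity) if hits else None
```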

Host-based intrusion detection systems (HIDSs)

  • Also known as host-based IDS
  • 📝 Analyzes behavior and events on a particular host, e.g. a desktop PC or a server.
  • Can detect both anomalies and unauthorized changes in the filesystem.
  • Log file monitoring (LFM): Monitoring log files for malicious events.
  • File integrity checking
    • Checking for modified files, e.g. with ossec-hids
    • Compares the current hash value of the file against its known-good hash value.
  • E.g. Windows Defender, Norton Internet Security

Active vs passive IDS

Active IDS

  • Also known as Intrusion Detection and Prevention System (IDPS) or Intrusion Prevention System (IPS)
  • Configured to automatically block suspected attacks without any intervention required by an operator

Passive IDS

  • Configured to only monitor and analyze network traffic activity and alert
  • Does not perform any protective or corrective functions on its own

Signature-based vs Anomaly-based IDS

  • 💡 Recent systems use both (hybrid approach) to cover each other's weaknesses

Signature recognition

  • Also known as misuse detection, signature based IDS or signature-based IDS
  • 📝 Compares incoming and outgoing traffic to the signatures of already known attacks
  • Based on a database of previous attack signatures and known system vulnerabilities.
  • A signature is recorded evidence of an intrusion or attack
  • 📝 Pros
    • Few false positives
    • No need for a training phase; works out of the box
  • 📝 Cons
    • Vulnerable to novel attacks; easy to fool
    • Highly dependent on the latest updates; constant maintenance
    • Distributing signature updates consumes bandwidth

Anomaly detection

  • Also known as not-use detection, behavior based IDS or behavior-based IDS.
  • 📝 Analyzes characteristics of the system's users and components and looks for deviations.
  • Learns the pattern of normal system activity to identify active intrusion attempts.
  • Deviations from this baseline or pattern cause an alarm to be triggered.
  • Can use artificial intelligence or can be based on heuristics or rules
  • 📝 Pros
    • More suitable for blocking future unknown attacks
    • Less dependent on the latest updates and constant maintenance
  • 📝 Cons
    • Higher false positive alarm rates
    • Challenging to construct a thorough model of normal behavior on a typical network.
Protocol anomaly detection
  • Identifies anomalies specific to a protocol
  • Uses a model of the different ways vendors implement the TCP/IP protocols.

IDS alerts

  • 📝 IDS alert types
    • True positive: Attack + Alert
    • False positive: No attack + Alert
    • True negative: No attack + No alert
    • False negative: Attack + No alert
    • 💡 False negatives are considered far worse than false positives
  • 📝 IDS alert thresholding
    • Also known as alert throttling or event filtering.
    • Reducing the volume of repeated alerts
    • E.g. ignore further alerts after n occurrences within X minutes
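Alert thresholding of the kind just described, as an added example not taken from any IDS product: the first n alerts for a given rule and source within a sliding X-minute window pass, the rest are counted and suppressed until older alerts age out. The alert line format, the (sid, src) key and the sample lines are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed alert log lines: "<ISO timestamp> sid=<rule id> src=<source ip>"
ALERTS = """\
2024-05-01T10:00:00 sid=1000 src=10.0.0.1
2024-05-01T10:00:05 sid=1000 src=10.0.0.1
2024-05-01T10:00:10 sid=1000 src=10.0.0.1
2024-05-01T10:00:15 sid=1000 src=10.0.0.1
2024-05-01T10:00:20 sid=1000 src=10.0.0.9
2024-05-01T10:02:00 sid=1000 src=10.0.0.1
2024-05-01T10:06:00 sid=1000 src=10.0.0.1
"""

class AlertThrottle:
    """Pass at most `limit` alerts per key within a sliding window of `minutes`;
    further alerts for that key are suppressed until older ones leave the window."""
    def __init__(self, limit: int, minutes: int):
        self.limit = limit
        self.window = timedelta(minutes=minutes)
        self.recent = defaultdict(deque)    # key -> timestamps of alerts that were passed
        self.suppressed = defaultdict(int)  # key -> number of alerts dropped

    def allow(self, key, ts: datetime) -> bool:
        q = self.recent[key]
        while q and ts - q[0] >= self.window:  # evict passed alerts older than the window
            q.popleft()
        if len(q) < self.limit:
            q.append(ts)
            return True
        self.suppressed[key] += 1
        return False

def parse_alert(line: str):
    """Split one constructed alert line into (timestamp, (sid, src))."""
    ts_text, sid, src = line.split()
    return datetime.fromisoformat(ts_text), (sid.split("=")[1], src.split("=")[1])

def throttle_log(text: str, limit: int = 3, minutes: int = 5) -> tuple:
    """Return (alert lines that passed, suppressed counts per key) for an alert log."""
    t = AlertThrottle(limit, minutes)
    passed = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, key = parse_alert(line)
        if t.allow(key, ts):
            passed.append(line)
    return passed, dict(t.suppressed)
```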

Firewall vs IPS vs IDS

|                                          | Firewall                                                                                                                                 | IPS                                                                                                                  |
| Abbreviation for                         | -                                                                                                                                        | Intrusion Prevention System                                                                                          |
| Description                              | Filters incoming and outgoing network traffic based on predetermined rules                                                               | Inspects traffic, detects and classifies it, then proactively stops malicious traffic                                |
| Working principle                        | Filters traffic based on IP address and port numbers (layer 3), state of the connection (layer 4), or contents of the packet (layer 7)   | Inspects real-time traffic, looks for traffic patterns or attack signatures, and prevents the attacks on detection   |
| Configuration mode                       | Layer 2 to 7                                                                                                                             | Layer 3 and 4                                                                                                        |
| Usual placement                          | First line of defense                                                                                                                    | After the firewall                                                                                                   |
| Action on unauthorized traffic detection | Block the traffic                                                                                                                        | Block the traffic                                                                                                    |