Intrusion Detection and Prevention

Intrusion detection system (IDS)

It is a device or software application to monitor network or system activities for malicious activities or policy violations and produces reports to a management station. They identify possible incidents, log information about them, and report attempts. They can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve stopping the attack itself, changing the security environment (e.g. reconfiguring a firewall), or changing the attack’s content. There are three types of IDS as

Network intrusion detection system (NIDS) – It identifies intrusions by examining network traffic and monitors multiple hosts by gaining access to network traffic by connecting to a network hub or switch configured for port mirroring, or network tap. Sensors are located in demilitarized zone (DMZ) or at network borders, to capture all network traffic and analyze the contents for malicious traffic like Snort.

Host-based intrusion detection system (HIDS) – It is an agent on a host to identify intrusions by analyzing system calls, application logs, file-system modifications, host activities and state. Usually it is a software agent like Tripwire and OSSEC.

Stack-based intrusion detection system (SIDS) – It is an advanced form of HIDS, in which packets are examined as they go through the TCP/IP stack and, therefore, it is not necessary for them to work with network interface in promiscuous mode but are operating system dependent.

Intrusion prevention systems (IPS)

It is also called intrusion detection and prevention systems (IDPS) and are network security appliances to monitor network and system activities for malicious activity. It’s main functions are to identify malicious activity, log information about it, attempt to block it and report the activity.

They are advanced IDS as, they both monitor and blocks malicious activity. They are placed in-line and actively prevent/block detected intrusions. IPS can also send an alarm, drop the malicious packets, reset the connection or block the traffic from malicious source. It can also correct Cyclic Redundancy Check (CRC) errors, unfragment packet streams, prevent TCP sequencing issues, and clean up unwanted transport and network layer options. It is classified as

Network-based intrusion prevention system (NIPS)- monitors the entire network for suspicious traffic by analyzing protocol activity.
Network behavior analysis (NBA)- examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware, and policy violations.
Host-based intrusion prevention system (HIPS)- an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host.

Different methods of detection are used by IPS for malicious activity as

Signature-Based Detection – It uses signatures or attack patterns which are pre-configured and pre-determined in IPS. It detects by monitoring the network traffic for match to these signatures. When match is found, IPS takes specified action. Signatures can be based on exploits being protected against or vulnerabilities in a program for exploit of said vulnerability.

Statistical anomaly-based detection – It baselines performance of average network traffic conditions to create a baseline. The system samples network traffic intermittently and compares sample to the set baseline by using statistical analysis. If activity is outside baseline, IPS takes specified action.

Stateful Protocol Analysis Detection – It identify deviations of protocol states by comparing observed events with predetermined profiles of generally accepted definitions of benign activity.