2. Contents
i. Introduction
ii. Process Model
iii. Terminology
iv. Detection Methodologies
v. Basic components and the Architecture
vi. Types of IDS
vii. Efficiency Metrics
viii. References
3. Introduction
An Intrusion Detection System (IDS) is a device or software
application that monitors network or system activities for
malicious activity or policy violations and reports what it
finds to a management station.
5. Terminology
• Alert/Alarm: A signal suggesting that a system has
been or is being attacked.
• True Positive: A legitimate attack which triggers an
IDS to produce an alarm.
• False Positive: An event signaling an IDS to
produce an alarm when no attack has taken place.
• False Negative: A failure of an IDS to detect an
actual attack.
• True Negative: When no attack has taken place and
no alarm is raised.
6. Detection Methodologies
IDSs generally use two primary classes of methodologies
to detect an intrusion:
1. Signature-based Detection
2. Behavior-based Detection
7. Signature-based ID
o A signature is a pattern that corresponds to a
known threat. Signature-based detection is the
process of comparing signatures against observed
events to identify possible incidents.
o Also known as Misuse Intrusion Detection and
knowledge-based Intrusion Detection.
8. Behavior-based ID
o Behavior-based intrusion-detection techniques
assume that an intrusion can be detected by
observing a deviation from the normal or expected
behavior of the system or the users.
o Also called Anomaly-based Intrusion Detection.
9. Components of a typical IDS
Components: Sensors, Analyzers, Database Server
and User Interface.
• Sensor or Agent: sensors are responsible for collecting
data; they continuously monitor activity. The term “sensor”
is typically used for IDSs that monitor networks and for
network behavior analysis technologies. The term “agent” is
used for host-based IDSs.
• Analyzers: an analyzer receives information from the sensors
and analyses it to determine whether an intrusion has occurred.
10. IDS components (contd.)
• Database Server: A database server is a
repository for event information recorded by sensors,
agents, and/or Analyzers.
• User Interface/Console: A console is a program
that provides an interface for the IDS’s users and
administrators. Console software is typically installed
onto standard desktop or laptop computers.
13. Types of IDS
• Host Intrusion Detection System (HIDS), which
monitors the characteristics of a single host and the
events occurring within that host for suspicious
activity.
• Network Intrusion Detection System (NIDS), which
identifies intrusions by examining network traffic and
monitors multiple hosts.
14. Efficiency of IDS
Accuracy: Accuracy deals with the proper detection of attacks
and the absence of false alarms. Inaccuracy occurs when an
intrusion-detection system flags a legitimate action in the
environment as anomalous or intrusive.
Performance: The performance of an intrusion-detection system
is the rate at which audit events are processed. If the performance
of the intrusion-detection system is poor, then real-time detection
is not possible.
Completeness: Completeness is the property of an intrusion-detection
system to detect all attacks. Incompleteness occurs
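Added example, not part of the slides: a toy Python detector that runs the two methodologies from slides 7 and 8 (a signature matcher and a per-source rate baseline) over a constructed request log, then tallies the slide-5 terminology (TP/FP/FN/TN) to compute the accuracy and completeness of slide 14. The events, the baseline counts, the two signatures and the 3-sigma threshold are all constructed for illustration.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed sample events: (source_ip, request_path, ground_truth). The label is
# used only to score the detectors; a real IDS never sees it.
EVENTS = (
    [("10.0.0.5", p, "benign") for p in ("/index.html", "/about", "/static/../css/site.css")]
    + [("10.0.0.6", "/login?user=admin' OR '1'='1", "attack")]      # single injection attempt
    + [("198.51.100.9", f"/admin{i}", "attack") for i in range(10)]  # noisy scanner
)

# Constructed baseline: requests per source observed during a known-good window.
BASELINE = {"10.0.0.5": 4, "10.0.0.6": 5, "10.0.0.7": 6, "10.0.0.8": 5}

# Signature-based (misuse) detection: compare each event against known patterns.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}

def signature_alerts(events):
    """One boolean per event: True when any signature matches the request path."""
    return [any(s.search(path) for s in SIGNATURES.values()) for _, path, _ in events]

def anomaly_alerts(events, baseline=BASELINE, k=3.0):
    """Behavior-based detection: alert on sources whose request count in this
    window exceeds the baseline mean by more than k standard deviations."""
    mu, sigma = mean(baseline.values()), pstdev(baseline.values())
    observed = Counter(ip for ip, _, _ in events)
    return [observed[ip] > mu + k * sigma for ip, _, _ in events]

def combined_alerts(events):
    """Run both methodologies and alert if either one fires."""
    return [a or b for a, b in zip(signature_alerts(events), anomaly_alerts(events))]

def score(alerts, events):
    """Tally TP/FP/FN/TN and derive accuracy and completeness (fraction of
    real attacks detected) from them."""
    counts = Counter()
    for raised, (_, _, label) in zip(alerts, events):
        attack = label == "attack"
        counts["TP" if raised and attack else "FP" if raised
               else "FN" if attack else "TN"] += 1
    tp, fp, fn, tn = (counts[key] for key in ("TP", "FP", "FN", "TN"))
    return {"TP": tp, "FP": fp, "FN": fn, "TN": tn,
            "accuracy": (tp + tn) / len(events),
            "completeness": tp / (tp + fn) if tp + fn else 1.0}

if __name__ == "__main__":
    for name, detector in (("signature", signature_alerts), ("anomaly", anomaly_alerts),
                           ("combined", combined_alerts)):
        print(name, score(detector(EVENTS), EVENTS))
```

The signature detector catches the injection but misses the scanner (ten false negatives), while the rate baseline catches the scanner but misses the single injection; combining them is what closes the completeness gap.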