2. What is IDS
An intrusion detection system (IDS) is a
device or software application that monitors
network and/or system activities for
malicious activities or policy violations and
produces reports to a Management Station.
Intrusion prevention is the process of
performing intrusion detection and
attempting to stop detected possible
incidents.
Intrusion detection and prevention systems
(IDPS) are primarily focused on identifying
possible incidents, logging information about
them, attempting to stop them, and
reporting them to security administrators.
3. What is IDS
In addition, organizations use IDPSs for other
purposes, such as identifying problems with
security policies, documenting existing
threats, and deterring individuals from
violating security policies.
IDPSs have become a necessary addition to
the security infrastructure of nearly every
organization.
IDPSs typically record information related to
observed events, notify security administrators of
important observed events, and produce reports.
4. What is IDS
Many IDPSs can also respond to a detected
threat by attempting to prevent it from
succeeding.
They use several response techniques, which
involve the IDPS stopping the attack itself,
changing the security environment (e.g.,
reconfiguring a firewall), or changing the
attack’s content.
5. IDS Terminology
Alert/Alarm: A signal suggesting that a system has
been or is being attacked.
True Positive: A legitimate attack which triggers an
IDS to produce an alarm.
False Positive: An event signaling an IDS to produce
an alarm when no attack has taken place.
6. IDS Terminology
False Negative: A failure of an IDS to detect an
actual attack.
True Negative: When no attack has taken place
and no alarm is raised.
Noise: Data or interference that can trigger a
false positive.
Site policy: Guidelines within an organization
that control the rules and configurations of an
IDS.
7. IDS Terminology
Site policy awareness: The ability an IDS has to
dynamically change its rules and configurations in
response to changing environmental activity.
Confidence value: A value an organization places
on an IDS based on past performance and analysis
to help determine its ability to effectively
identify an attack.
8. IDS Terminology
Masquerader: A user who is not authorized to use a
system but tries to access its information as if they
were an authorized user. They are generally outside users.
Misfeasor: They are commonly internal users and can
be of two types:
An authorized user with limited permissions who exceeds them.
A user with full permissions who misuses those powers.
Clandestine user: A user who obtains supervisory
(administrative) control of a system and uses those
privileges to avoid being detected.
9. Types of intrusion detection systems-NIDS
It is an independent platform that identifies intrusions by
examining network traffic and monitors multiple hosts.
Network intrusion detection systems gain access to
network traffic by connecting to a network hub or to a
network switch configured for port mirroring.
In a NIDS, sensors are located at choke points in the
network to be monitored, often in or at network borders.
Sensors capture all network traffic and analyze the
content of individual packets for malicious traffic.
An example of a NIDS is Snort.
10. Types of intrusion detection systems-HIDS
It consists of an agent on a host that identifies
intrusions by analyzing system calls, application logs,
and file-system modifications (binaries, password files,
capability databases, access control lists, etc.).
In a HIDS, sensors usually consist of a software agent.
An example of a HIDS is OSSEC.
Intrusion detection systems can also be system-
specific using custom tools and honeypots.
11. Types of intrusion detection systems-PIDS
Detects and pinpoints the location of intrusion
attempts on perimeter fences of critical
infrastructures. Using either electronics or more
advanced fibre optic cable technology fitted to
the perimeter fence, the PIDS detects
disturbances on the fence. This signal is
monitored, and if the system deems a disturbance
to be an intrusion attempt, an alarm is triggered.
12. Types of intrusion detection systems-VMIDS
It detects intrusions using virtual machine
monitoring.
By using this approach, the intrusion detection
system is deployed through the virtual machine monitor.
It is the most recent type and is still under
development. No separate intrusion detection
system is needed on each guest; through the monitor
we can observe the overall activity of the machines.
13. Passive and/or reactive systems
In a passive system, the intrusion detection system (IDS)
sensor detects a potential security breach, logs the
information and signals an alert on the console and/or
to the owner.
In a reactive system, also known as an intrusion
prevention system (IPS), the IPS auto-responds to the
suspicious activity by resetting the connection or by
reprogramming the firewall to block network traffic from
the suspected malicious source.
14. Comparison with firewalls
An IDS differs from a firewall in that a firewall looks
outwardly for intrusions in order to stop them from happening.
Firewalls limit access between networks to
prevent intrusion and do not signal an attack from
inside the network.
An IDS evaluates a suspected intrusion once it has
taken place and signals an alarm. An IDS also
watches for attacks that originate from within a
system.
15. Comparison with firewalls
This is traditionally achieved by examining
network communications, identifying heuristics
and patterns (often known as signatures) of
common computer attacks, and taking action to
alert operators.
16. Anomaly-based intrusion detection system
A system for detecting computer intrusions and
misuse by monitoring system activity and
classifying it as either normal or anomalous.
The classification is based on rules, rather than
patterns or signatures, and will detect any type of
misuse that falls outside normal system operation.
This is as opposed to signature-based systems,
which can only detect attacks for which a
signature has previously been created.
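The contrast between the two approaches, and the alert terminology from the earlier slides, is easier to see on data. The following is an added example, not part of the original slides: a signature-based detector and a simple anomaly-based (volume-profile) detector run over constructed web-request records, scored as true/false positives and negatives. The log records, the signature patterns and the "three times the learned maximum" threshold are all assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample request records (not from the slides).
# Each tuple is (client_ip, request_path, is_attack); is_attack is the
# ground truth used only to score the detectors.
BASELINE = [("10.0.0.%d" % h, "/page%d" % i, False) for h in (5, 6, 7) for i in range(4)]
EVENTS = BASELINE + [
    ("10.0.0.8", "/login?user=admin'%20OR%201=1--", True),   # matches an SQL-injection signature
    ("10.0.0.9", "/files/../../etc/passwd", True),            # matches a path-traversal signature
    ("10.0.0.6", "/union-station-timetable", False),          # benign, but looks like "union"
] + [("10.0.0.42", "/p%d" % i, True) for i in range(40)]      # one host probing 40 paths

# Assumed signatures. The "union" rule is deliberately loose to show a false positive.
SIGNATURES = {
    "sqli": re.compile(r"'(?:%20|\s)*or(?:%20|\s)+1=1", re.I),
    "traversal": re.compile(r"\.\./"),
    "union": re.compile(r"\bunion\b", re.I),
}

def signature_alerts(events):
    """Signature-based: alert on every request whose path matches a known pattern."""
    return {i for i, (_, path, _) in enumerate(events)
            if any(rx.search(path) for rx in SIGNATURES.values())}

def learn_profile(baseline):
    """Anomaly-based, training step: the highest per-host request count seen in a clean window."""
    return max(Counter(ip for ip, _, _ in baseline).values())

def anomaly_alerts(events, normal_max, factor=3):
    """Anomaly-based, detection step: alert on all requests from hosts whose volume
    exceeds factor x the learned normal. No attack pattern is needed, so the probing
    host is caught even though none of its paths match a signature."""
    counts = Counter(ip for ip, _, _ in events)
    noisy = {ip for ip, n in counts.items() if n > factor * normal_max}
    return {i for i, (ip, _, _) in enumerate(events) if ip in noisy}

def score(events, alerts):
    """Confusion counts in the slides' terminology."""
    tp = sum(1 for i, (_, _, atk) in enumerate(events) if atk and i in alerts)
    fp = sum(1 for i, (_, _, atk) in enumerate(events) if not atk and i in alerts)
    fn = sum(1 for i, (_, _, atk) in enumerate(events) if atk and i not in alerts)
    return {"true_positive": tp, "false_positive": fp,
            "false_negative": fn, "true_negative": len(events) - tp - fp - fn}

if __name__ == "__main__":
    print("signature:", score(EVENTS, signature_alerts(EVENTS)))
    print("anomaly:  ", score(EVENTS, anomaly_alerts(EVENTS, learn_profile(BASELINE))))
    print("combined: ", score(EVENTS, signature_alerts(EVENTS) | anomaly_alerts(EVENTS, learn_profile(BASELINE))))
```

The signature detector misses the 40 probing requests (false negatives) and raises one alarm on the benign "union" path (a false positive caused by noise), while the anomaly detector catches the probing host but not the two single-request attacks; in practice the two are combined.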
17. Protocol-based intrusion detection system
Typically installed on a web server, and is used in
the monitoring and analysis of the protocol in use
by the computing system.
A PIDS will monitor the dynamic behavior and
state of the protocol. It typically consists of a
system or agent that sits at the front end of a
server, monitoring and analyzing the
communication between a connected device and
the system it is protecting.