Protecting your Network through Intrusion Detection System

Basically, an IDS is a system used to detect attempts to connect to your computer or network in a way that compromises the security of endpoint devices or the network. A metric monitoring system is used to monitor network resources and activities from internal or external sources such that it . An intrusion detection system actively monitors all inbound and outbound traffic to detect anomalies that fall outside the normal operating pattern. Network traffic is checked against a series of signatures, and if inbound or outbound traffic matches one of these patterns, an alarm is raised.

 

An intrusion detection system can be implemented in software or in hardware.
There are a few different types of IDS: network-based (NIDS), host-based (HIDS), and stack-based (SIDS) intrusion detection systems. A NIDS gathers and reassembles all network packets from the network. Examples of NIDS include Cisco Secure IDS or NetRanger, Hogwash, Dragon, E-Trust IDS, etc. With HIDS, the IDS resides on a host, so every host has its own IDS. A HIDS only examines traffic within a particular host, gathering information from the host’s system calls, application logs, database, and operating system audit trails. With SIDS, packets are examined as they go through the TCP/IP stack, so the IDS does not need to work with the network interface in promiscuous mode.
Once the IDS is set up, it monitors for abnormal patterns of system usage in order to detect any computer misuse or abuse. Examples of such anomalous patterns include:
• Attempted break-in: Someone attempting to break into a system might generate an abnormally high rate of password failures with respect to a single account or the system as a whole.
• Masquerading or successful break-in: Someone logging into a system through an unauthorized account and password might have a different login time, location, or connection type from that of the account’s legitimate user. In addition, the penetrator’s behavior may differ considerably from that of the legitimate user. In particular, the penetrator might spend most of his time browsing through directories and executing system status commands, whereas the legitimate user might concentrate on editing or compiling and linking programs. Many break-ins have been discovered by security officers or other users on the system who have noticed the alleged user behaving strangely.
• Penetration by legitimate user: A user attempting to penetrate the security mechanisms in the operating system might execute different programs or trigger more protection violations from attempts to access unauthorized files or programs. If his attempt is successful, he will have access to commands and files not normally permitted to him.
• Leakage by legitimate user: A user trying to leak sensitive documents might log into the system at unusual times or route data to remote printers not normally used.
• Inference by legitimate user: A user attempting to obtain unauthorized data from a database through aggregation and inference might retrieve more records than usual.
• Trojan horse: The behavior of a Trojan horse planted in or substituted for a program may differ from the legitimate program in terms of its CPU time or I/O activity.
• Virus: A virus planted in a system might cause an increase in the frequency of executable files rewritten, storage used by executable files, or a particular program being executed as the virus spreads.
• Denial-of-Service: An intruder who is able to monopolize a resource (e.g., network) might have abnormally high activity with respect to the resource, while activity for all other users is abnormally low.

The next step is to analyze this information. There are two ways to do it: misuse analysis and anomaly analysis. Misuse analysis is similar to the way antivirus works, relying on a huge database of known attacks. The IDS compares the data it has collected with that database. If there is a match, the IDS assumes an attack has occurred. The anomaly method assumes that attacks or threats differ from the normal usage or behavior of a host, network or network connection. Compared to misuse analysis, the anomaly method gives more false alarms.
After the IDS has gathered and analyzed the data and detected an intrusion, it responds in one of two ways: the first is passive and the second is reactive. In a passive reaction, once an intrusion is detected the IDS logs the information about the intrusion and then raises an alert. A passive IDS relies on humans to take action when an intrusion occurs.
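
The two analysis methods and the passive response described above can be sketched in a few lines of Python. This is an added example, not code from any IDS product; the signatures, the baseline counts, the account names and the events are all constructed for illustration.

```python
import re
import statistics
from collections import Counter

# Misuse analysis: a small "database" of known-attack signatures (constructed).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-tautology": re.compile(r"(?i)'\s*or\s+1=1"),
}

# Anomaly analysis: password failures per account observed in past
# monitoring windows under normal use (constructed baseline).
BASELINE_FAILURES = [0, 1, 0, 2, 1, 0, 1, 1]

def misuse_alerts(events):
    """Return (account, signature) for every event matching a known pattern."""
    return [(who, name) for who, text in events
            for name, rx in SIGNATURES.items() if rx.search(text)]

def anomaly_alerts(events, baseline=BASELINE_FAILURES, k=3.0):
    """Return (account, count) where failures exceed mean + k * stdev."""
    limit = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    fails = Counter(who for who, text in events if text == "password failure")
    return sorted((who, n) for who, n in fails.items() if n > limit)

def passive_response(events):
    """Passive IDS: only record alerts for a human; take no blocking action."""
    alerts = [f"MISUSE {who} matched {sig}" for who, sig in misuse_alerts(events)]
    alerts += [f"ANOMALY {who} had {n} password failures"
               for who, n in anomaly_alerts(events)]
    return alerts

# Constructed events for one monitoring window: (account, event text).
EVENTS = (
    [("alice", "login ok"), ("bob", "password failure")]
    + [("root", "password failure")] * 5       # attempted break-in pattern
    + [("dave", "password failure")] * 3       # may just be a forgotten password
    + [("carol", "GET /reports/../../etc/passwd")]
)

if __name__ == "__main__":
    for line in passive_response(EVENTS):
        print(line)
```

The alert for "dave" shows why the anomaly method produces more false alarms: three mistyped passwords exceed the baseline limit even though no known attack signature is involved.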

Finally, an Intrusion Detection System (IDS) is used to detect intrusions and then alert the system administrator, who is responsible for analyzing, detecting and removing the intrusions before the system gets corrupted. An intrusion detection system is one of the lines of defense in protecting your network from being compromised by hackers who can do substantial damage to the company's digital assets.

Is your network secure?
Amvean provides a suite of network security services, including vulnerability scanning, to determine if your network is secure. Please get in touch with us for a free network security analysis to determine if your network is secure.

For more details about how Amvean can help you with your storage strategy, please contact us at info@amvean.com or 212.810.2074.