What is an Intrusion Detection System (IDS)?

An Intrusion Detection System (IDS) is software that monitors network or host traffic looking for anomalies, intrusive activity or misuse. It can be a dedicated network device or run on individual hosts. An IDS can respond to suspect behavior by sending alerts to system administrators, dropping packets, shutting down services or running scripts. There are many IDS vendors and freeware products, all with different detection and response mechanisms.
How does an IDS work?

There are generally two approaches an IDS can use to determine suspicious behavior. The first is called anomaly detection, statistically based intrusion detection (SBID) or profile-based ID. When operating in this mode, the IDS looks for activity that deviates from a profile of a user's normal behavior. Profiles are created manually or by software that examines logs and builds the user profiles from them. An example of a profile would be a common user named Bob. Bob logs onto the network at 9:00 am and logs out at 5:00 pm, Monday through Friday. He uses Excel, Outlook and surfs the web occasionally. In the past 3 months he has never logged in any differently. One night at 4:00 am, someone logs onto the network using Bob's credentials and attempts to install root.exe on the webserver. This should make an IDS shake, quiver and spout alerts like no tomorrow. Anomaly-based systems should be able to detect suspect activity the first time it is attempted.
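The Bob scenario above, worked through as profile-based detection. This is an added example, not code from the original article: the logon records, the user name and the two-dimension alert threshold are all constructed for illustration.

```python
from datetime import datetime

# Constructed sample of logon records (timestamp, user, program) standing in
# for the logs an anomaly-based IDS would build its profiles from.
SAMPLE_LOG = [
    ("2003-03-03 09:02", "bob", "excel.exe"),
    ("2003-03-03 17:01", "bob", "outlook.exe"),
    ("2003-03-04 08:58", "bob", "iexplore.exe"),
    ("2003-03-05 09:05", "bob", "outlook.exe"),
    ("2003-03-06 09:00", "bob", "excel.exe"),
    ("2003-03-07 09:01", "bob", "outlook.exe"),
]

def build_profile(records, user):
    """Summarise a user's normal hours, weekdays and programs from past logs."""
    hours, days, programs = set(), set(), set()
    for ts, who, prog in records:
        if who != user:
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        hours.add(when.hour)
        days.add(when.weekday())      # 0 = Monday ... 6 = Sunday
        programs.add(prog)
    return {"hours": hours, "days": days, "programs": programs}

def score_event(profile, ts, prog):
    """Return the list of ways a new event deviates from the profile."""
    when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
    reasons = []
    if when.hour not in profile["hours"]:
        reasons.append(f"unusual hour {when.hour:02d}:00")
    if when.weekday() not in profile["days"]:
        reasons.append("unusual weekday")
    if prog not in profile["programs"]:
        reasons.append(f"never-seen program {prog}")
    return reasons

def is_anomalous(profile, ts, prog, threshold=2):
    """Alert only when an event deviates on at least `threshold` dimensions,
    so a single odd lunchtime logon does not page the administrator."""
    return len(score_event(profile, ts, prog)) >= threshold
```

The 4:00 am Saturday logon that installs root.exe deviates on all three dimensions; a lone 12:30 Excel session deviates on one and stays below the threshold.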
The second method of detection is called misuse detection, rule-based intrusion detection (RBID), or signature-based detection. For this method the IDS compares current network traffic to a database of known attack styles or “signatures”. An example of this might be a Microsoft webserver that receives an HTTP request that is formatted similarly to or exactly like a request from a machine that is infected with the Nimda virus. When the IDS sees this “signature” and compares it to its database, it would find a match with a known signature and take the appropriate action as determined by the IDS administrator. This could include blocking or dropping the traffic immediately and notifying the administrator of the detection for further action.
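Signature matching with a per-signature action, as an added example that is not part of the original article. The three signatures, their actions and the request lines are constructed for illustration and are not a vendor ruleset or real Nimda traffic.

```python
import re

# Constructed signature database: (name, pattern applied to the HTTP request
# line, action the administrator configured for a match).
SIGNATURES = [
    ("dir-traversal", re.compile(r"(\.\./|\.\.\\|%2e%2e%2f)", re.I), "drop"),
    ("cmd-exe-request", re.compile(r"/cmd\.exe(\?|\s|$)", re.I), "drop"),
    ("shell-metachar-in-query", re.compile(r"\?[^ ]*[;|`]"), "alert"),
]
# Higher number wins when several signatures match one request.
SEVERITY = {"pass": 0, "alert": 1, "drop": 2}

# Constructed request lines as a NIDS would see them on the wire.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /scripts/../../cmd.exe HTTP/1.0",
    "GET /search.asp?q=foo;bar HTTP/1.1",
]

def match_signatures(request_line):
    """Return (name, action) for every signature the request line matches."""
    return [(n, a) for n, p, a in SIGNATURES if p.search(request_line)]

def decide(request_line):
    """Pick the most severe action among matching signatures ('pass' if none)."""
    hits = match_signatures(request_line)
    action = max((a for _, a in hits), key=SEVERITY.get, default="pass")
    return action, [n for n, _ in hits]

def scan(requests):
    """Return only the requests that triggered a signature, with the verdict."""
    return {r: decide(r) for r in requests if decide(r)[0] != "pass"}
```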
What types of IDS are there?

IDSs can be deployed as (a) network-based devices or (b) host-based applications. A network-based IDS (NIDS) sniffs network packets looking for malformed data, unusual patterns or connection requests. NIDSs deployed on different segments can be configured to report to a centralized monitor station for easy reporting and configuration. NIDSs are usually rule-based; these rules can, in some cases, be created by the application based on traffic patterns. While good at detecting known attacks, a NIDS finds it difficult to determine whether an attack was successful.
A host-based IDS (HIDS) monitors application and/or operating system files and logs looking for evidence of suspicious activity. These systems are typically statistically based and can be configured to monitor system files, user activity, log files or file access. Several products take snapshots of important system files and monitor their integrity. An example would be an IDS that monitors the Netstat.exe command, which displays current connections. A hacker would try to install a trojaned Netstat to hide her PC's connection to your server. You, as an unsuspecting user running Netstat, would never see the connection to her PC, but the IDS would have denied the hacker's attempt to change the file.
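The snapshot-and-verify mechanism the Netstat example relies on, as an added example rather than code from the article or any HIDS product. The monitored file is a constructed stand-in written to a temporary directory; the digest algorithm and the "missing"/"modified" findings are this example's own choices.

```python
import hashlib
import os
import tempfile

def file_digest(path):
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(paths):
    """Baseline: path -> digest for every monitored file that currently exists."""
    return {p: file_digest(p) for p in paths if os.path.isfile(p)}

def verify(baseline):
    """Compare the baseline against the filesystem now and report drift."""
    findings = {"modified": [], "missing": []}
    for path, old in baseline.items():
        if not os.path.isfile(path):
            findings["missing"].append(path)
        elif file_digest(path) != old:
            findings["modified"].append(path)
    return findings

def demo():
    """Constructed scenario: baseline a fake netstat.exe, then overwrite it the
    way a trojaned replacement would, and return what verify() reports."""
    with tempfile.TemporaryDirectory() as d:
        netstat = os.path.join(d, "netstat.exe")
        with open(netstat, "wb") as f:
            f.write(b"original netstat binary (constructed)")
        baseline = snapshot([netstat])
        assert verify(baseline) == {"modified": [], "missing": []}
        with open(netstat, "wb") as f:          # simulated tampering
            f.write(b"trojaned netstat binary (constructed)")
        return verify(baseline)
```

A real HIDS keeps the baseline somewhere the monitored host cannot rewrite it; a baseline stored next to the files it protects can be replaced along with them.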
Hybrid systems utilizing NIDS and HIDS are beginning to be used; these hybrids address some of the shortcomings of each system.

Conclusion

The technology of intrusion detection is fairly recent. While not intended to replace a firewall or virus protection, an IDS provides a look inside your network or PC and attempts to detect and defeat potentially destructive behavior.
Additional considerations:

- A network IDS can't examine encrypted traffic, while a HIDS can.
- One NIDS can cover a whole subnet, and is operating system independent.
- Using profile-based methods requires time to assemble the profiles, leaving you unprotected in the meanwhile.
- IDSs can be costly, although one of the top-rated systems, Snort, is open source.
- Configuration and monitoring can be time consuming.
- Clearing false positives is a major undertaking.
- IDS signatures must be kept up to date. New attacks won't be registered in your database until the vendor enters them and you download the current version.
- There can be latency issues: by the time the IDS figures out that an attack is going on, damage may have already been done.

References and Resources

Intrusion Detection Systems
Protecting your computer network against attack is vital, especially in the highly connected network environment that we live in. One way to monitor your network for intrusive activity is through the installation of an Intrusion Detection System (IDS), which is discussed in this article by Earl Carter.
http://www.informit.com/articles/article.asp?p=25334&redir=1

SANS InfoSec Reading Room - Intrusion Detection
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large.
http://www.sans.org/rr/catindex.php?cat_id=30

Snort - The Open Source Network Intrusion Detection System
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.

Cisco Intrusion Detection Products
Providing complete intrusion protection, Cisco IDS delivers a comprehensive, pervasive security solution for combating unauthorized intrusions, malicious Internet worms, along with bandwidth and e-Business application attacks.
http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/index.shtml

The ABCs of IDSs (Intrusion Detection Systems)
You have the world's best firewall, your Windows computers update their antivirus software regularly and your Information Security staffers enforce your policies with an iron fist. Does this mean you're safe?
Intrusion Detection Systems (IDS)
An Intrusion Detection System (IDS) monitors network or host traffic by looking for anomalies, intrusive activity, or misuse. This article describes how host- and network-based IDSs work and provides links to other resources.