An Intrusion Detection System or IDS is a software tool used to detect unauthorised access to a computer system or network. This may take the form of attacks by skilled malicious hackers, or Script kiddies using automated tools.

An IDS is required to detect all types of malicious network traffic and computer usage. This includes network attacks against vulnerable services, data driven attacks on applications, host based attacks such as privilege escalation, unauthorised logins and access to sensitive files, and malware (viruses, trojan horses, and worms)

An IDS is composed of several components, Sensors which generate security events, a Console to monitor events and alerts and control the sensors, and a central Engine that records events logged by the sensors in a database and uses a system of rules to generate alerts from security events received. There are several ways to categorise an IDS depending on the type and location of the sensors and the methodology used by the engine to generate alerts. In many simple IDS implementations all three components are combined in a single device or appliance.

Misuse Detection vs. Anomaly Detection

A misuse detection system, also known as a Signature-Based Intrusion Detection System identifies intrusions by watching for patterns of traffic or application data presumed to be malicious. These type of systems are presumed to be able to detect only 'known' attacks. However, depending on their rule set, signature-based IDSs can sometimes detect new attacks which share characteristics with old attacks, e.g., accessing 'cmd.exe' via a HTTP GET request.

The IDS analyzes the information it gathers and compares it to large databases of attack signatures. Essentially, the IDS looks for a specific attack that has already been documented. Like a virus detection system, misuse detection software is only as good as the database of attack signatures that it uses to compare packets against.

An Anomaly-Based Intrusion Detection System identifies intrusions by notifying operators of traffic or application content presumed to be different from 'normal' activity on the network or host. Anomaly-based IDSs typically achieve this with self-learning .

In anomaly detection, the system administrator defines the baseline, or normal, state of the network's traffic load, breakdown, protocol, and typical packet size. The anomaly detector monitors network segments to compare their state to the normal baseline and look for anomalies.

Network-based vs. Host-based Systems

In a network-based system, or NIDS, the sensors are located at choke points in the network to be monitored, often in the DMZ or at network borders. The sensor captures all network traffic flows and analyzes the content of individual packets for malicious traffic. In a host-based system, the sensor usually consists of a software agent which monitors all activity of the host on which it is installed. Hybrids of these two types of system also exist.

• A Network Intrusion Detection System is an independent platform which identifies intrusions by examining network traffic and monitors multiple hosts. Network Intrusion Detection Systems gain access to network traffic by connecting to a hub, network switch configured for port mirroring, or network tap . An example of a NIDS is Snort.

• A Host-based Intrusion Detection System consists of an agent on a host which identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability/acl databases) and other host activities and state.

• A Hybrid Intrusion Detection System combines both approaches. Host agent data is combined with network information to form a comprehensive view of the network. An example of a Hybrid IDS is Prelude.

Passive System vs. Reactive System

In a passive system, the IDS sensor detects a potential security breach, logs the information and signals an alert on the console. In a reactive system, the IDS responds to the suspicious activity by logging off a user or by reprogramming the firewall to block network traffic from the suspected malicious source, either autonomously or at the command of an operator.

Though they both relate to network security, an IDS differs from a firewall in that a firewall looks out for intrusions in order to stop them from happening. The firewall limits the access between networks in order to prevent intrusion and does not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system

This is traditionally achieved by examining network communications, identifying heuristics and patterns (often known as signatures) of common computer attacks, and taking action to alert operators. A system which terminates connections is called an intrusion-prevention system, and is another form of an application layer firewall.

See also

• Intrusion prevention system
• Security Information Management

External Links

• Prelude Hybrid IDS
• Snort Network IDS
• ISS RealSecure Network IDS
• ISS Proventia Intrusion Prevention
• GFI LANguard Security Event Log Monitor performs event log based intrusion detection and network-wide event log management.
• How to perform network-wide security event log monitoring White paper on intrusion detection and the essential auditing of security event logs (PDF).