Network Security Library
Javascript Feeds    RSS Feed    Security Dashboard    SearchSecurity.com
About | Contact | Advertise | Site Map
Print Printer Friendly      PDF PDF Version
intrusion detection E-mail      Save Save This

Introduction to Network Security - Intrusion Detection


{LANG_NAVORIGIN} Security Basics Intrusion Detection
Mitchell Rowton 02/12/2005



Overview of Intrusion Detection System (IDS)

An Intrusion Detection System is designed to detect unscrupulous activities that compromise the confidentiality, integrity, or availability of network or computer systems.

This paper first discusses the two different types of IDSs, network based and host based. It then covers the two methods used to detect intrusions, signature based and behavior based. This is a basic paper that will only touch on a broad overview of IDS technologies; it is only intended for the security engineer needing a high level overview of intrusion detection.


Network Intrusion Detection Systems

A network IDS (NIDS) monitors all traffic on the network segment that it is placed on. This is generally accomplished by placing the network interface card in promiscuous mode to capture all network traffic that crosses its network segment. Network traffic on other segments can't be monitored unless the traffic is directed to the NIDS promiscuous interface.

Network Intrusion Detection involves looking at the packets on the network as they pass by the NIDS. The NIDS can only see the packets that are carried on the network segment it’s attached to. Packets are considered to be of interest if they match a signature or certain behavior.


Host Based Intrusion Detection Systems

A Host IDS (HIDS) uses a piece or pieces of software on the system to be monitored. The loaded software uses log files and/or the system's auditing agents as sources of data. In contrast, a NIDS monitors the traffic on its network segment as a data source.

Host based intrusion detection involves not only looking at the network traffic in and out of a single computer, but also checking the integrity of your system files and watching for suspicious processes. To get complete coverage at your network with HIDS, you must load the software on every computer. Host based Intrusion Detection is much more effective in detecting insider attacks than is NIDS.

The below diagram shows a HIDS.

image


Signature based IDS

Almost all IDSs are signature based, also known as knowledge based. Signature based IDSs monitor network traffic and analyze this traffic against specific predefined attacks. When an attack is detected an alarm is generated. This means that any traffic that doesn’t specifically match a signature is considered safe.

Signature based IDSs obviously require that the signature base be updated regularly to detect new exploits. If legitimate network traffic triggers an alarm this is called a false positive. The amount of false positives generated by signature based IDSs can be significantly less than behavior based IDSs.


Behavior based IDS

Behavior-based intrusion detection techniques assume that an intrusion can be detected by observing a deviation from normal or expected behavior of the system or the users. The model of normal or valid behavior is extracted from reference information collected by various means. The intrusion detection system later compares this model with the current activity. When a deviation is observed, an alarm is generated. In other words, anything that does not correspond to a previously learned behavior is considered intrusive.

Advantages of behavior-based approaches are that they can detect attempts to exploit new and unforeseen vulnerabilities. They can even contribute to the automatic discovery of these new attacks. They are less dependent on operating system-specific mechanisms. They also help detect 'internal abuse' types of attacks that do not actually involve exploiting any security vulnerability. In short, this is the paranoid approach: Everything which has not been seen previously is dangerous.

The high false alarm rate is the primary drawback of behavior-based techniques because the entire scope of the behavior of an information system may not be covered during the learning phase. Also, behavior can change over time, introducing the need for periodic online retraining of the behavior profile, resulting either in unavailability of the intrusion detection system or in additional false alarms. The information system can undergo attacks at the same time the intrusion detection system is learning the behavior. As a result, the behavior profile contains intrusive behavior, which is not detected as anomalous.













E-Mail Link

Your IP address will be sent with this e-mail
From e-mail to e-mail



Stats
11125 Views
4.4/5 Rating
15 Votes
Papers
Newest
Highest Rated
Most Viewed
Reference

Services
Javascript Feeds
RSS (New Papers)
Security Dashboard

Our Stuff
About SecurityDocs
Advertise
Contact

Valid HTML 4.01!
Valid CSS!


Unless otherwise noted, all paper copyrights are owned by the author. The rest copyright 2003-2005 TechTarget

Privacy : Contact