
MODULE - 2

PART – 6: INTRUSION DETECTION SYSTEM


Intrusion Detection System
• An Intrusion Detection System (IDS) is a device or software application that
monitors a network/system for suspicious activities and known threats. Any
suspicious activity or threat is typically reported or collected centrally using a
Security Information and Event Management (SIEM).
• IDS can be broken into two broad categories: network-based and host-based.

Network Intrusion Detection System (NIDS)


• A Network Intrusion Detection System (NIDS) is generally deployed or placed at
strategic points throughout the network, intended to cover those places where
traffic is most likely to be vulnerable to attack.
• Generally, it’s applied to entire subnets, and it attempts to match any traffic
passing by to a library of known attacks. It passively looks at network traffic
coming through the points on the network on which it’s deployed.
• Network-based intrusion detection system software analyzes a large amount of
network traffic, which means it sometimes has low specificity.
• This means sometimes they might miss an attack or might not detect something
happening in encrypted traffic. In some cases, they might need more manual
involvement from an administrator to ensure they’re configured correctly.
Example of NIDS: Snort.

Host Intrusion Detection System (HIDS)


• The Host Intrusion Detection System (HIDS) runs on all the devices in the network
with access to the internet and other parts of the enterprise network.
• HIDS have some advantages over NIDS, due to their ability to look more closely at
internal traffic, as well as working as a second line of defense against malicious
packets a NIDS has failed to detect.
• It looks at the entire system’s file set and compares it to its previous “snapshots”
of the file set. It then looks at whether there are significant differences outside
normal business use and alerts the administrator as to whether there are any
missing or significantly altered files or settings.
• There are also two main approaches to detecting intrusion: signature-based IDS
and anomaly-based IDS.
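The HIDS file-set comparison described above, as an added example (not code from the original slides): a snapshot maps each file to its SHA-256 digest, and comparing two snapshots reports files that went missing, were added, or were altered. The directory and file contents are constructed inline so it runs offline.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_snapshots(previous, current):
    """Files missing, added, or altered since the previous snapshot."""
    common = previous.keys() & current.keys()
    return {
        "missing": sorted(previous.keys() - current.keys()),
        "added": sorted(current.keys() - previous.keys()),
        "altered": sorted(p for p in common if previous[p] != current[p]),
    }


def write(root, rel, data):
    """Helper: create or overwrite a file below root."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: take a baseline, change the file set, compare."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        write(root, "etc/app.conf", b"debug=false\n")
        baseline = snapshot(root)
        # Changes outside normal use: one setting edited, one file removed, one new file.
        write(root, "etc/app.conf", b"debug=true\n")
        os.remove(os.path.join(root, "etc/hosts"))
        write(root, "etc/extra.conf", b"listen=0.0.0.0\n")
        return compare_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

A real HIDS stores the baseline off-host (or signs it) so that an intruder who alters files cannot also rewrite the snapshot.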
Signature-Based IDS
• This type of IDS searches for a “signature”: a pattern or known identity of an
intrusion or of a specific intrusion event. Most IDS are of this type.
• It needs regular updates of the signatures currently in circulation to keep its
database of intrusions current. A signature-based IDS is therefore only as good
as how up to date its database is at a given moment.
[Figure: NIDS vs HIDS]
• Attackers can get around signature-based IDS by frequently changing small things
about how the attack takes place, so the databases cannot keep pace.
• In addition, it means a completely new attack type may not be picked up at all by
signature-based IDS because the signature doesn’t exist in the database.
Signature-based IDSes are prone to false negatives.

[Figure: Signature-based IDS]


Anomaly-Based IDS
• Anomaly-based IDS was introduced to detect unknown malware attacks, since new
malware is developed rapidly.
• An anomaly-based IDS uses machine learning to build a model of trusted activity;
incoming activity is compared with that model and declared suspicious if it does
not fit the model.
• Machine-learning-based methods generalize better than signature-based IDS
because the models can be trained for the specific applications and hardware
configurations in use.
• However, previously unknown but legitimate behavior can be accidentally flagged
as well, and depending on the response this can cause problems.
Anomaly-based IDSes are prone to false positives.
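The two detection approaches side by side, as an added example (not code from the original slides), covering the signature-based bullets above and the anomaly-based ones: a signature matcher over an exact pattern and a trusted-activity model built from a training window, run over constructed connection records. The signature database, host names, ports and the “KNOWNBAD” payload strings are all constructed for the illustration.

```python
import re

# Constructed connection records: (source host, destination port, payload).
# Events 0-4 are the training window; 5 and 6 are the same known-bad tool
# in two slightly different versions; 7 is a new but legitimate backup job.
EVENTS = [
    ("ws1", 443, "GET /index.html"),
    ("ws1", 443, "GET /app.js"),
    ("ws2", 443, "POST /login"),
    ("ws2", 53, "query example.com"),
    ("ws3", 443, "GET /index.html"),
    ("ws3", 4444, "KNOWNBAD-v1-checkin"),
    ("ws3", 4444, "KNOWNBAD-v2-checkin"),
    ("ws1", 8443, "POST /backup"),
]
MALICIOUS = {5, 6}  # ground truth for the constructed data

# Signature database (constructed): exact patterns of known intrusions.
SIGNATURES = {"knownbad-v1": re.compile(r"KNOWNBAD-v1-checkin")}


def signature_detect(events):
    """Indices of events whose payload matches any signature in the database."""
    return [i for i, (_, _, payload) in enumerate(events)
            if any(sig.search(payload) for sig in SIGNATURES.values())]


def build_baseline(training_events):
    """Trusted-activity model: the (host, port) pairs seen during training."""
    return {(host, port) for host, port, _ in training_events}


def anomaly_detect(baseline, events):
    """Indices of events whose (host, port) pair is absent from the model."""
    return [i for i, (host, port, _) in enumerate(events)
            if (host, port) not in baseline]


def evaluate(events=EVENTS, train_n=5, malicious=MALICIOUS):
    """Return (signature false negatives, anomaly false positives)."""
    sig_hits = set(signature_detect(events))
    anomaly_hits = set(anomaly_detect(build_baseline(events[:train_n]), events))
    return sorted(malicious - sig_hits), sorted(anomaly_hits - malicious)


if __name__ == "__main__":
    print(evaluate())  # ([6], [7])
```

The v2 variant is the signature matcher's false negative and the backup job is the anomaly model's false positive, which is why deployments usually pair both methods and tune the baseline as legitimate activity changes.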

[Figure: Anomaly-based IDS]


Intrusion Prevention System
• An Intrusion Prevention System (IPS) is a network security/threat prevention
technology that identifies malicious activity, collects information about this
activity, reports it and attempts to block or stop it.
• IPSes have two predominant methods of detecting malicious activity: signature-
based detection and anomaly-based detection.
• There are a number of different threats that an IPS is designed to prevent,
including:
a. Denial of Service (DoS) attack
b. Distributed Denial of Service (DDoS) attack
c. Various types of exploits
d. Worms
e. Viruses
Intrusion Prevention System
• IPS false positives are more serious than IDS false positives because legitimate
traffic is stopped from entering the network in case of IPS. This could impact any
part of the organization.
• The IPS performs real-time packet inspection, deeply inspecting every packet that
travels across the network. If any malicious or suspicious packets are detected,
the IPS will carry out one of the following actions:
a. Terminate the TCP session that has been exploited and block the offending
source IP address or user account from accessing any application, target
hosts or other network resources.
b. Reprogram or reconfigure the firewall to prevent a similar attack occurring in
the future.
c. Remove or replace any malicious content that remains on the network
following an attack.
[Figure: IDS/IPS deployment in the network]
How is IPS different from Firewall?
• Generally, a firewall is supposed to be configured to block all traffic, and then you
set it up to allow specific types through.
• The IDS and IPS work in the opposite direction, by allowing all traffic and then
flagging or blocking specific traffic only. As a result, you should use a firewall in
combination with an IDS or IPS, not one or the other.
• Set up your firewall to let only specific kinds of traffic through, and then use the
IDS to detect anomalies or problems in the traffic you permit. The combination of
these tools provides a comprehensive security boundary for your network.
THANK YOU
