Intrusion detection and prevention are two broad terms describing
application security practices used to mitigate attacks and block new threats.
An IDS (Intrusion Detection System) is either a hardware device or a
software application that uses known intrusion signatures to detect and analyze
both inbound and outbound network traffic for abnormal activities.
This is done through:
- System file comparisons against malware signatures.
- Scanning processes that detect signs of harmful patterns.
- Monitoring user behavior to detect malicious intent.
- Monitoring system settings and configurations.
Despite its benefits, including in-depth network traffic analysis and
attack detection, an IDS has inherent drawbacks. Because it uses previously
known intrusion signatures to locate attacks, newly discovered (i.e., zero-day)
threats can remain undetected.
An IDS only detects ongoing attacks, not incoming assaults. To block
these, an intrusion prevention system is required.
An IPS (Intrusion Prevention System) complements an IDS
configuration by proactively inspecting a system’s incoming traffic to weed out
malicious requests. A typical IPS configuration uses web application firewalls
and traffic filtering solutions to secure applications.
An IPS prevents attacks by dropping malicious packets, blocking offending
IPs and alerting security personnel to potential threats. Such a system usually
uses a preexisting database for signature recognition and can be programmed to
recognize attacks based on traffic and behavioral anomalies.
While effective at blocking known attack vectors, IPS systems come with
limitations. These are commonly caused by an overreliance on predefined rules,
which makes them susceptible to false positives.
Different types of intrusion detection systems:
1. Network-based intrusion detection system (NIDS)
2. Host-based intrusion detection system (HIDS)
Different types of intrusion prevention systems:
1. Network-based intrusion prevention system (NIPS)
2. Host-based intrusion prevention system (HIPS)
Network-Based Intrusion Detection System (NIDS)
A Network Based Intrusion Detection System (NIDS), or
Network Based IDS, is security hardware that is placed strategically to monitor
critical network traffic. Traditional Network Based IDS analyzes passing
network traffic and matches that traffic to a library of known attacks in its
system.
Network intrusion detection is an advanced and expensive proposition if it
is to work properly and effectively within a company’s environment. It is often
used in data centers by cloud hosting providers to provide a higher level of
cyber security assurance on their critical networks.
There are two main intrusion detection methods for identifying malicious
attacks or intrusions.
1. Signature-based Intrusion Detection Method
The signature-based intrusion detection method examines network traffic
to detect attack patterns. A signature-based IDS detects attacks on the basis
of specific patterns, such as the number of bytes or the number of 1s or 0s in
the network traffic, and on the basis of already known malicious instruction
sequences used by malware. The patterns the IDS looks for are known as
signatures.
A signature-based IDS can easily detect attacks whose pattern (signature)
already exists in the system, but it is quite difficult for it to detect new
malware attacks, as their pattern (signature) is not yet known.
2. Anomaly-based Intrusion Detection Method
Organizations use the anomaly-based intrusion detection method to
identify new and unknown suspicious attacks and policy breaches that the
signature-based detection method cannot identify easily.
An anomaly-based IDS uses machine learning to create a model of trustworthy
activity; incoming activity is compared with that model and declared suspicious
if it does not fit the model.
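The two methods side by side, as an added example that is not part of the original article: a toy signature matcher over payload bytes next to a statistical bytes-per-flow baseline. The signature byte patterns, the baseline numbers and the flow records are all constructed for illustration and are not real signatures.

```python
# Added example (not from the original article): signature-based and
# anomaly-based detection run over constructed flow records.
import statistics

# Constructed placeholder byte sequences standing in for real signatures.
SIGNATURES = {
    "constructed-sig-1": b"\x90\x90\x90\x90\xcc",
    "constructed-sig-2": b"GET /cgi-bin/placeholder",
}

def signature_matches(payload: bytes) -> list[str]:
    """Return the names of every known signature found in the payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern in payload]

class AnomalyDetector:
    """Baseline bytes-per-flow from trusted traffic; flag statistical outliers."""
    def __init__(self, baseline_bytes: list[int], z_threshold: float = 3.0):
        self.mean = statistics.mean(baseline_bytes)
        # Population stdev over the training window; guard against a flat baseline.
        self.stdev = statistics.pstdev(baseline_bytes) or 1.0
        self.z_threshold = z_threshold

    def is_anomalous(self, flow_bytes: int) -> bool:
        return abs(flow_bytes - self.mean) / self.stdev > self.z_threshold

def analyze(flows, detector):
    """Run both methods over (flow_id, payload, byte_count) records.
    Returns {flow_id: [reasons]} for every flow that raised an alert."""
    alerts = {}
    for flow_id, payload, byte_count in flows:
        reasons = [f"signature:{s}" for s in signature_matches(payload)]
        if detector.is_anomalous(byte_count):
            reasons.append("anomaly:bytes-per-flow")
        if reasons:
            alerts[flow_id] = reasons
    return alerts

def demo():
    # Constructed trusted baseline: normal flows of roughly 1 KiB each.
    baseline = [980, 1010, 1025, 990, 1005, 1015, 995, 1000]
    detector = AnomalyDetector(baseline)
    flows = [
        ("f1", b"GET /index.html", 1002),               # benign
        ("f2", b"GET /cgi-bin/placeholder?x=1", 1010),  # known signature, normal size
        ("f3", b"POST /upload", 250_000),               # unknown pattern, size outlier
    ]
    return analyze(flows, detector)
```

Flow f2 is caught only by the signature, f3 only by the anomaly baseline, which is the complementary coverage the text describes.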
Limitations of IDS
- Noise can severely limit an intrusion detection system's effectiveness. Bad
  packets generated from software bugs, corrupt DNS data, and local packets
  that escaped can create a significantly high false-alarm rate.
- Encrypted packets are not processed by most intrusion detection devices.
  Therefore, an encrypted packet can allow an intrusion to the network that
  goes undiscovered until more significant network intrusions have occurred.
- Due to the nature of NIDS systems, and the need for them to analyze
  protocols as they are captured, NIDS systems can be susceptible to the same
  protocol-based attacks to which network hosts may be vulnerable. Invalid
  data and TCP/IP stack attacks may cause a NIDS to crash.
- Intrusion detection software provides information based on the network
  address that is associated with the IP packet that is sent into the network.
  This is beneficial if the network address contained in the IP packet is
  accurate. However, the address contained in the IP packet could be faked or
  scrambled.
Network-based Intrusion Prevention System (NIPS)
A network-based intrusion prevention system (NIPS) is a system used to
monitor a network as well as protect the confidentiality, integrity, and
availability of a network. Its main functions include protecting the network
from threats, such as denial of service (DoS) and unauthorized usage.
An intrusion prevention system (IPS) sits in-line on the network and
monitors the traffic. When a suspicious event occurs, it takes action based on
certain prescribed rules. An IPS is an active and real-time device unlike an
intrusion detection system, which is not inline and is a passive device. IPSs
are considered to be the evolution of the intrusion detection system.
Most NIPSs use one of the following three detection methods:
- Signature-based detection: Signatures are predetermined and preconfigured
  attack patterns. This detection method monitors the network traffic and
  compares it with the preconfigured signatures so as to find a match. On
  successfully locating a match, the NIPS takes the next appropriate action.
  This type of detection fails to identify zero-day threats. However, it has
  proved to be very good against single-packet attacks.
- Anomaly-based detection: This method of detection creates a baseline of
  average network conditions. Once a baseline has been created, the system
  intermittently samples network traffic on the basis of statistical analysis
  and compares the sample to the created baseline. If the activity is found to
  be outside the baseline parameters, the NIPS takes the necessary action.
- Protocol state analysis detection: This type of detection method identifies
  deviations of protocol states by comparing observed events with predefined
  profiles.
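Protocol state analysis in miniature, as an added example that is not from the original article: the TCP three-way handshake is encoded as a predefined profile of allowed (state, flags) transitions, and any packet whose flags are not valid for the connection's current state is reported as a deviation. The profile is deliberately simplified (it does not model retransmissions or simultaneous open) and the packet trace is constructed, not captured.

```python
# Added example (not from the original article): a minimal protocol state
# tracker that flags events deviating from a predefined TCP handshake profile.

# Predefined profile: (current state, flags seen) -> next state.
# Any (state, flags) pair absent from the profile is a deviation.
PROFILE = {
    ("CLOSED", "SYN"): "SYN_SENT",
    ("SYN_SENT", "SYN-ACK"): "SYN_RECEIVED",
    ("SYN_RECEIVED", "ACK"): "ESTABLISHED",
    ("ESTABLISHED", "ACK"): "ESTABLISHED",
    ("ESTABLISHED", "PSH-ACK"): "ESTABLISHED",
    ("ESTABLISHED", "FIN-ACK"): "CLOSING",
    ("CLOSING", "ACK"): "CLOSED",
}

def analyze_trace(packets):
    """packets: iterable of (connection_id, flags) in arrival order.
    Returns a list of (connection_id, state, flags) for each deviation."""
    states = {}          # per-connection state; unknown connections start CLOSED
    deviations = []
    for conn, flags in packets:
        state = states.get(conn, "CLOSED")
        nxt = PROFILE.get((state, flags))
        if nxt is None:
            deviations.append((conn, state, flags))
            continue     # leave the state unchanged and keep tracking
        states[conn] = nxt
    return deviations

def demo():
    # Constructed trace: one clean handshake plus two out-of-profile sequences.
    trace = [
        ("c1", "SYN"), ("c1", "SYN-ACK"), ("c1", "ACK"), ("c1", "PSH-ACK"),
        ("c2", "PSH-ACK"),             # data on a connection with no handshake
        ("c3", "SYN"), ("c3", "ACK"),  # ACK before the SYN-ACK was ever seen
    ]
    return analyze_trace(trace)
```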
Host Intrusion Detection System (HIDS)
A host intrusion detection system (HIDS) runs on all
computers or devices in the network with direct access to both the internet and
the enterprise's internal network. A HIDS has an advantage over an NIDS in that
it may be able to detect anomalous network packets that originate from inside
the organization or malicious traffic that an NIDS has failed to detect.
A HIDS may also be able to identify malicious traffic that originates
from the host itself, such as when the host has been infected with malware and
is attempting to spread to other systems.
Protocol-based Intrusion Detection System (PIDS)
Organizations set up a Protocol-based Intrusion Detection System at the
front end of a server. It interprets the protocol exchanged between the server
and the user. A PIDS regularly monitors the HTTPS stream in front of a web
server to secure it, and can likewise monitor the related HTTP protocol.
Application Protocol-based IDS (APIDS)
An APIDS is set up within a group of servers. It interprets communication
with the applications within the servers to detect intrusions, identifying them
by monitoring and interpreting the communication on application-specific
protocols.
Host-based Intrusion Prevention System (HIPS)
A host-based intrusion prevention system (HIPS) is a system or a program
employed to protect critical computer systems containing crucial data against
viruses and other Internet malware. Starting from the network layer all the way
up to the application layer, HIPS protects from known and unknown malicious
attacks. HIPS regularly checks the characteristics of a single host and the
various events that occur within the host for suspicious activities.
HIPS can be implemented on various types of machines, including servers,
workstations, and computers.
A HIPS uses a database of monitored system objects to identify intrusions
by analyzing system calls, application logs, and file-system modifications.
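The file-system monitoring part of that description, as an added example that is not from the original article: a minimal file-integrity check that hashes every file under a directory into a trusted baseline, re-hashes later, and reports added, removed and modified files. The directory contents are constructed in a temporary folder so the example runs anywhere.

```python
# Added example (not from the original article): host-based file-integrity
# monitoring by comparing SHA-256 snapshots of a directory tree.
import hashlib
import os
import tempfile

def hash_file(path: str) -> str:
    """SHA-256 of the file contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: str) -> dict[str, str]:
    """Map of relative path (with '/' separators) -> SHA-256 for every file."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline

def diff_baseline(old: dict[str, str], new: dict[str, str]) -> dict[str, list[str]]:
    """Compare two snapshots; lists are sorted so the report is deterministic."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }

def demo() -> dict[str, list[str]]:
    # Constructed scenario: take a baseline, then tamper with the tree.
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        write("etc/app.conf", b"debug=false\n")
        write("bin/service", b"original binary\n")
        baseline = build_baseline(root)          # trusted snapshot
        write("etc/app.conf", b"debug=true\n")   # config changed
        write("bin/helper", b"new file\n")       # unexpected new file
        os.remove(os.path.join(root, "bin/service"))
        return diff_baseline(baseline, build_baseline(root))
```

A real HIDS would store the baseline somewhere the monitored host cannot silently rewrite it and would also watch permissions and ownership, not just content hashes.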
A HIPS has numerous advantages:
1. Enterprise and home users have increased protection from unknown
malicious attacks.
2. HIPS use a distinctive prevention approach that has a better chance of
stopping such attacks than traditional protective measures.
3. Another benefit of using such a system is that it removes the need to run
and manage multiple security applications to protect PCs, such as anti-virus,
anti-spyware, and firewalls.