Intrusion detection and intrusion prevention techniques

Intrusion detection and prevention are two broad terms describing application security practices used to mitigate attacks and block new threats.

An IDS( Intrusion detection system) is either a hardware device or software application that uses known intrusion signatures to detect and analyze both inbound and outbound network traffic for abnormal activities.

This is done through:

• System file comparisons against malware signatures.
• Scanning processes that detect signs of harmful patterns.
• Monitoring user behavior to detect malicious intent.
• Monitoring system settings and configurations.

Despite its benefits, including in-depth network traffic analysis and attack detection, an IDS has inherent drawbacks. Because it uses previously known intrusion signatures to locate attacks, newly discovered (i.e., zero-day) threats can remain undetected.

An IDS only detects ongoing attacks, not incoming assaults. To block these, an intrusion prevention system is required.

An IPS(Intrusion Prevention system) complements an IDS configuration by proactively inspecting a system’s incoming traffic to weed out malicious requests. A typical IPS configuration uses web application firewalls and traffic filtering solutions to secure applications.

An IPS prevents attacks by dropping malicious packets, blocking offending IPs and alerting security personnel to potential threats. Such a system usually uses a preexisting database for signature recognition and can be programmed to recognize attacks based on traffic and behavioral anomalies.

While being effective at blocking known attack vectors, some IPS systems come with limitations. These are commonly caused by an overreliance on predefined rules, making them susceptible to false positives.

Different types of intrusion detection systems: 

1. Network based intrusion detection system (NIDS) 

2. Host based intrusion detection system( HIDS)

Different types of intrusion prevention systems: 

1. Network based intrusion prevention system (NIPS) 

2. Host based intrusion prevention system( HIPS)

Ø  Network Based Intrusion Detection System

A Network Based Intrusion Detection System (NIDS), or Network Based IDS, is security hardware that is placed strategically to monitor critical network traffic. Traditional Network Based IDS analyzes passing network traffic and matches that traffic to a library of known attacks in its system.

Network Intrusion Detection Services is an advanced and expensive proposition for it to work properly and effectively within a company’s environment.  It is often used in Data Centers with Cloud Hosting providers to provide a higher level of cyber security assurance on their critical networks.

There are two main Intrusion Detection methods to identify malicious attacks or intrusion.

1. Signature-based Intrusion Detection Method

The IDS developed the Signature-based intrusion detection method to examine the network traffic and to detect attack patterns.

Signature-based IDS detects the attacks on the basis of the specific patterns such as number of bytes or number of 1’s or number of 0’s in the network traffic. It also detects on the basis of the already known malicious instruction sequence that is used by the malware. The detected patterns in the IDS are known as signatures.

Signature-based IDS can easily detect the attacks whose pattern (signature) already exists in system but it is quite difficult to detect the new malware attacks as their pattern (signature) is not known.

2. Anomaly-based Intrusion Detection Method

Organizations use the anomaly-based intrusion detection method to identify new and unknown suspicious attacks and policy breaching which the Signature-based detection method cannot identify easily.

In anomaly-based IDS there is use of machine learning to create a trustful activity model and anything coming is compared with that model and it is declared suspicious if it is not found in model.

Limitations of IDS

• Noise can severely limit an intrusion detection system's effectiveness. Bad packets generated from software bugs, corrupt DNS data, and local packets that escaped can create a significantly high false-alarm rate.
• Encrypted packets are not processed by most intrusion detection devices. Therefore, the encrypted packet can allow an intrusion to the network that is undiscovered until more significant network intrusions have occurred.
• Due to the nature of NIDS systems, and the need for them to analyse protocols as they are captured, NIDS systems can be susceptible to the same protocol-based attacks to which network hosts may be vulnerable. Invalid data and TCP/IP stack attacks may cause a NIDS to crash.
• Intrusion detection software provides information based on the network address that is associated with the IP packet that is sent into the network. This is beneficial if the network address contained in the IP packet is accurate. However, the address that is contained in the IP packet could be faked or scrambled.

Ø  Network-based Intrusion Prevention System (NIPS)

A network-based intrusion prevention system (NIPS) is a system used to monitor a network as well as protect the confidentiality, integrity, and availability of a network. Its main functions include protecting the network from threats, such as denial of service (DoS) and unauthorized usage.

An intrusion prevention system (IPS) sits in-line on the network and monitors the traffic. When a suspicious event occurs, it takes action based on certain prescribed rules. An IPS is an active and real-time device unlike an intrusion detection system, which is not inline and is a passive device. IPSs are considered to be the evolution of the intrusion detection system.

The majority of NIPSs utilize one of the three detection methods as follows:

·         Signature-based detection: Signatures are attack patterns predetermined and preconfigured. This detection method monitors the network traffic and compares it with the preconfigured signatures so as to find a match. On successfully locating a match, the NIPS takes the next appropriate action. This type of detection fails to identify zero-day error threats. However, it has proved to be very good against single packet attacks.

·         Anomaly-based detection: This method of detection creates a baseline on average network conditions. Once a baseline has been created, the system intermittently samples network traffic on the basis of statistical analysis and compares the sample to the created baseline. If the activity is found to be outside the baseline parameters, NIPS takes the necessary action.

·         Protocol state analysis detection: This type of detection method identifies deviations of protocol states by comparing observed events with predefined profiles.

 

Ø  Host intrusion detection system (HIDS)

A host intrusion detection system (HIDS) runs on all computers or devices in the network with direct access to both the internet and the enterprise's internal network. A HIDS has an advantage over an NIDS in that it may be able to detect anomalous network packets that originate from inside the organization or malicious traffic that an NIDS has failed to detect.

A HIDS may also be able to identify malicious traffic that originates from the host itself, such as when the host has been infected with malware and is attempting to spread to other systems.

Protocol-based Intrusion Detection System (PIDS)

Organizations set up a Protocol-based Intrusion Detection System at the front end of the server. It interprets the protocols between the server and the user. PIDS monitors the HTTPS server regularly to secure the web. Similarly, it allows the HTTP server which is related to the protocol.

Application Protocol-based IDS (APIDS)

APIDS is set up within a group of servers. It interprets communication with the applications within the server to detect the intrusion. It identifies the intrusions by monitoring and interpreting the communication on application-specific protocols.

Ø  Host-based intrusion prevention system (HIPS)

A host-based intrusion prevention system (HIPS) is a system or a program employed to protect critical computer systems containing crucial data against viruses and other Internet malware. Starting from the network layer all the way up to the application layer, HIPS protects from known and unknown malicious attacks. HIPS regularly checks the characteristics of a single host and the various events that occur within the host for suspicious activities.

HIPS can be implemented on various types of machines, including servers, workstations, and computers.

A HIPS uses a database of system objects monitored to identify intrusions by analyzing system calls, application logs, and file-system modifications

A HIPS has numerous advantages:

1. Enterprise and home users have increased protection from unknown malicious attacks.

2. HIPS use a peculiar prevention system that has a better chance of stopping such attacks as compared to traditional protective measures.

3. Another benefit of using such system is the need to run and manage multiple security applications to protect PCs, such as anti-virus, anti-spyware, and firewalls.