Intrusion Detection Systems
The purpose of intrusion detection systems (IDSs) is to monitor networks or systems with the express purpose of identifying and responding to suspicious activity. In this chapter we will learn about the concepts and basics of intrusion detection systems.
An Overview of Intrusion Detection Systems
Intrusion detection systems are typically grouped into one of two categories:
- Host-based IDS - A host-based IDS monitors the activity on individual systems with a view to identifying unauthorized or suspicious activity taking place on the operating system.
- Network-based IDS - A network-based IDS is solely concerned with the activity taking place on the network (or, more specifically, the segment of the network on which it is operating).
An IDS also falls into either Knowledge-based or Behavior-based categories:
- Knowledge-based - Includes a database of signatures known to be associated with malicious or unauthorized activity. A knowledge-based IDS compares activity data against the signature database and responds when a match is identified.
- Behavior-based - Monitors for deviations from the normal operation of systems or networks based on knowledge gathered over time of the normal usage patterns of users and systems.
IDS Architecture
Regardless of the type of IDS there are a few common components that typically constitute an IDS:
- Traffic Collector - This component is responsible for gathering activity and event data for analysis. On a host-based IDS this will typically include metrics such as inbound and outbound traffic and activity recorded by the operating system in log and audit files. A network-based IDS will pull data off a segment of a network for analysis.
- Analysis Engine - The analysis engine is responsible for analyzing the data gathered by the traffic collector. In the case of a knowledge-based IDS the data will be compared against a signature database. A behavior-based IDS, on the other hand, will compare it against baseline behavior information gathered over time to see whether the current behavior deviates from the norm.
- Signature Database - Used in knowledge-based systems, the signature database contains a collection of signatures known to be associated with suspicious and malicious activities. It could be said that a knowledge-based IDS is only as good as its database.
- Management and Reporting Interface - A management interface provides a mechanism by which system administrators may manage the system and receive alerts when intrusions are detected.
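The following is an added example (not code from the original chapter) that wires the four components just listed into one small pipeline and shows both analysis styles from the earlier section side by side: a knowledge-based engine that matches each record against a signature database, and a behavior-based engine that learns a baseline from traffic assumed to be normal and flags deviations from it. All component names, the flow records, the two signatures and the "distinct ports per source" baseline are assumptions made for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One record handed over by the traffic collector (constructed fields)."""
    src: str       # source address
    dst: str       # destination address
    dport: int     # destination port
    payload: str   # decoded application data, if any


@dataclass(frozen=True)
class Alert:
    engine: str    # which analysis engine raised it
    src: str       # offending source
    reason: str    # explanation handed to the reporting interface


# Traffic collector input. Both lists are constructed for this example; a real
# collector would read a network tap, a capture file or host log/audit files.
BASELINE_EVENTS = [  # traffic assumed to be normal, used to train the baseline
    Event("10.0.0.5", "10.0.0.20", 80, "GET / HTTP/1.1"),
    Event("10.0.0.5", "10.0.0.20", 443, ""),
    Event("10.0.0.7", "10.0.0.20", 80, "GET /docs HTTP/1.1"),
    Event("10.0.0.7", "10.0.0.20", 22, "SSH-2.0-OpenSSH_9.6"),
]
SAMPLE_EVENTS = [  # traffic to be analysed
    Event("10.0.0.5", "10.0.0.20", 80, "GET /index.html HTTP/1.1"),
    Event("10.0.0.5", "10.0.0.20", 80, "GET /static/logo.png HTTP/1.1"),
    Event("10.0.0.7", "10.0.0.20", 80, "GET /cgi-bin/../../etc/passwd HTTP/1.1"),
    Event("10.0.0.9", "10.0.0.20", 22, "SSH-2.0-OpenSSH_9.6"),
    Event("10.0.0.9", "10.0.0.20", 23, ""),
    Event("10.0.0.9", "10.0.0.20", 25, ""),
    Event("10.0.0.9", "10.0.0.20", 80, ""),
    Event("10.0.0.9", "10.0.0.20", 110, ""),
    Event("10.0.0.9", "10.0.0.20", 143, ""),
]


def collect(events):
    """Traffic collector: hand records to the analysis engines one at a time."""
    yield from events


# Signature database: name -> pattern known to accompany unwanted activity.
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./\.\./"),
    "sql injection probe": re.compile(r"UNION\s+SELECT", re.IGNORECASE),
}


class KnowledgeEngine:
    """Knowledge-based analysis: match every event against the signature database."""

    def __init__(self, signatures=SIGNATURES):
        self.signatures = signatures

    def analyze(self, event):
        return [Alert("knowledge", event.src, f"signature match: {name}")
                for name, pattern in self.signatures.items()
                if pattern.search(event.payload)]


class BehaviorEngine:
    """Behavior-based analysis: learn how many distinct ports a source normally
    contacts, then flag sources exceeding that baseline by more than `tolerance`."""

    def __init__(self, tolerance=3):
        self.tolerance = tolerance
        self.baseline = 0

    @staticmethod
    def _ports_per_source(events):
        ports = defaultdict(set)
        for e in events:
            ports[e.src].add(e.dport)
        return ports

    def train(self, events):
        per_src = self._ports_per_source(events)
        self.baseline = max((len(p) for p in per_src.values()), default=0)

    def analyze(self, events):
        return [Alert("behavior", src,
                      f"{len(p)} distinct ports contacted (baseline {self.baseline})")
                for src, p in self._ports_per_source(events).items()
                if len(p) > self.baseline + self.tolerance]


class Reporter:
    """Management/reporting interface: here it only prints and keeps the alerts."""

    def __init__(self):
        self.alerts = []

    def report(self, alerts):
        for alert in alerts:
            self.alerts.append(alert)
            print(f"[{alert.engine}] {alert.src}: {alert.reason}")


def run_ids(events=SAMPLE_EVENTS, training=BASELINE_EVENTS):
    reporter, knowledge, behavior = Reporter(), KnowledgeEngine(), BehaviorEngine()
    behavior.train(training)
    window = []
    for event in collect(events):
        reporter.report(knowledge.analyze(event))   # signatures apply per event
        window.append(event)
    reporter.report(behavior.analyze(window))       # deviations need the whole window
    return reporter.alerts


if __name__ == "__main__":
    run_ids()
```

Running `run_ids()` raises exactly two alerts: the knowledge engine fires on the traversal pattern in the third record, and the behavior engine fires on 10.0.0.9, which contacts six distinct ports against a learned baseline of two. The split mirrors the text: the signature engine needs no training but can only find what is already in its database, while the behavior engine needs a clean training window and a tolerance setting, which is where its false positives and negatives are tuned.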
Host-based Intrusion Detection Systems (HIDS)
A host-based IDS runs directly on a server or desktop system and uses the resources of that system to examine log and audit files together with network traffic entering and leaving the system. In addition, some host-based systems are able to monitor the log files of specific services such as web or FTP servers. These systems work either in real time or in a batch mode where logs are checked at pre-defined intervals.
A host-based IDS might, for example, look for anomalies such as multiple failed login attempts, logins occurring at unusual times and access to system files not usually accessed by users.
Host-based intrusion detection systems have a number of strengths and weaknesses.
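As an added example (not from the original chapter), the three anomalies just named can be checked by a small batch-mode analyser run over host log lines. The log lines below are constructed in a syslog-like layout, and the thresholds, the working-hours window, the sensitive-path list and the `audit ... open path=` record format are all assumptions made for this illustration rather than the output of any particular daemon.

```python
import re
from collections import Counter

# Constructed sample log lines (syslog-style layout, invented for this example).
SAMPLE_LOG = """\
Mar 10 09:02:11 web1 sshd[1201]: Failed password for alice from 203.0.113.4 port 50011 ssh2
Mar 10 09:02:15 web1 sshd[1201]: Failed password for alice from 203.0.113.4 port 50012 ssh2
Mar 10 09:02:19 web1 sshd[1201]: Failed password for alice from 203.0.113.4 port 50013 ssh2
Mar 10 09:03:02 web1 sshd[1207]: Accepted password for alice from 203.0.113.4 port 50014 ssh2
Mar 10 14:30:44 web1 sshd[1302]: Accepted publickey for bob from 198.51.100.7 port 40120 ssh2
Mar 10 03:17:09 web1 sshd[1410]: Accepted password for carol from 198.51.100.9 port 40555 ssh2
Mar 10 03:18:30 web1 audit[1411]: user=carol open path=/etc/shadow
Mar 10 14:32:00 web1 audit[1303]: user=bob open path=/home/bob/notes.txt
"""

# "Mon DD HH:MM:SS host program[pid]: message" -> (hour, program, message)
LINE_RE = re.compile(r"^\w{3} +\d+ (\d{2}):\d{2}:\d{2} \S+ (\S+?)\[\d+\]: (.*)$")
LOGIN_RE = re.compile(r"^(Failed|Accepted) \w+ for (\S+) from (\S+)")
OPEN_RE = re.compile(r"^user=(\S+) open path=(\S+)")

# Tuning knobs (assumed values): raising them trades missed events for fewer false positives.
FAILED_THRESHOLD = 3                 # failures per (user, source) before alerting
WORK_HOURS = range(8, 18)            # 08:00-17:59 is treated as a normal login time
SENSITIVE_PATHS = {"/etc/shadow", "/etc/sudoers"}
PRIVILEGED_USERS = {"root"}          # expected to touch sensitive files


def analyze_auth_log(text):
    """Return a list of (rule, detail) alerts for the three anomaly types."""
    alerts = []
    failures = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # unparseable line: skip rather than crash
        hour, program, message = int(m.group(1)), m.group(2), m.group(3)

        if program == "sshd":
            lm = LOGIN_RE.match(message)
            if not lm:
                continue
            outcome, user, src = lm.groups()
            if outcome == "Failed":
                failures[(user, src)] += 1
                if failures[(user, src)] == FAILED_THRESHOLD:   # alert once, at the threshold
                    alerts.append(("repeated-failures",
                                   f"{user} from {src}: {FAILED_THRESHOLD} failed logins"))
            elif hour not in WORK_HOURS:
                alerts.append(("unusual-hour",
                               f"{user} logged in at hour {hour:02d} from {src}"))

        elif program == "audit":
            om = OPEN_RE.match(message)
            if om:
                user, path = om.groups()
                if path in SENSITIVE_PATHS and user not in PRIVILEGED_USERS:
                    alerts.append(("sensitive-file", f"{user} opened {path}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in analyze_auth_log(SAMPLE_LOG):
        print(f"{rule}: {detail}")
```

On the sample above the analyser raises three alerts: alice's third consecutive failure, carol's login at 03:xx, and carol opening /etc/shadow; alice's later successful login during working hours and bob's ordinary file access are left alone. Note that the repeated-failure counter is keyed by both user and source, so failures from unrelated addresses do not add up, and that the alert is raised once when the threshold is reached rather than on every subsequent failure.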
Host-based IDS - Strengths
- Fewer False Positives - A false positive is legitimate and authorized activity on a system which is incorrectly identified by an IDS as being suspicious or malicious. By running directly on the host and analyzing log files in context with overall system activity the number of false positives is reduced.
- Narrow Operating System Focus - Host based systems are usually developed for specific operating systems, avoiding the pitfalls of a more general, cross-platform approach to intrusion detection.
- Decrypted Data Monitoring - Because malicious network traffic is more often than not encrypted, it is often missed by network-based IDSs. Because host-based systems examine data after it has been decrypted by the operating system and network stack, they are better placed to identify malicious activity.
- Non-Network Based Attacks - While many attacks are initiated via the network, it is also common for attacks to be performed directly at the system by disgruntled or dishonest employees. The advantage of a host-based IDS over a network-based IDS is that it is capable of identifying suspicious activity taking place at the physical machine (i.e. via the keyboard and mouse attached to the computer).
Host-based IDS - Weaknesses
- Use of Local System Resources - Host-based IDSs use the CPU and memory resources of the systems they are designed to protect. Whilst not a serious issue for typical users, this can have a significant impact on systems where high-performance or real-time demands are placed on the system.
- Scalability - Whilst host-based intrusion detection systems work well for deployment on smaller numbers of systems the tracking, monitoring and maintaining of hundreds or thousands of systems can quickly become a cumbersome overhead in terms of costs and resources.
- Local IDS Logging Vulnerable - Because host-based systems often log locally on the systems they are protecting they are vulnerable to having those log files compromised to remove any record of malicious activity.