Intrusion Detection Systems
From Techotopia
Revision as of 19:41, 26 February 2008 by Neil
The purpose of intrusion detection systems (IDSs) is to monitor networks or systems with the express purpose of identifying and responding to suspicious activity. In this chapter we will learn about the concepts and basics of intrusion detection systems.
An Overview of Intrusion Detection Systems
Intrusion detection systems are typically grouped into one of two categories:
- Host-based IDS - A host-based IDS monitors the activity on individual systems with a view to identifying unauthorized or suspicious activity taking place on the operating system.
- Network-based IDS - A network-based IDS is solely concerned with the activity taking place on the network (or, more specifically, on the segment of the network on which it is operating).
An IDS also falls into either Knowledge-based or Behavior-based categories:
- Knowledge-based - Includes a database of signatures known to be associated with malicious or unauthorized activity. A knowledge-based IDS compares activity data against the signature database and responds when a match is identified.
- Behavior-based - Monitors for deviations from the normal operation of systems or networks based on knowledge gathered over time of the normal usage patterns of users and systems.
IDS Architecture
Regardless of the type of IDS there are a few common components that typically constitute an IDS:
- Traffic Collector - This component is responsible for gathering activity and event data for analysis. On a host-based IDS this will typically include metrics such as inbound and outbound traffic and activity recorded by the operating system in log and audit files. A network-based IDS will pull data off a segment of a network for analysis.
- Analysis Engine - The analysis engine is responsible for analyzing the data gathered by the traffic collector. In the case of a knowledge-based IDS the data will be compared against a signature database. A behavior-based IDS, on the other hand, will compare it against baseline behavior information gathered over time to see if the current behavior deviates from the norm.
- Signature Database - Used in knowledge-based systems, the signature database contains a collection of signatures known to be associated with suspicious and malicious activities. It could be said that a knowledge-based IDS is only as good as its database.
- Management and Reporting Interface - A management interface provides a mechanism by which system administrators may manage the system and receive alerts when intrusions are detected.
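The four components above, and the knowledge-based versus behavior-based distinction, can be seen in a small toy IDS. This is an added example written for this chapter, not code from Techotopia or from any real IDS product; the log lines, the two signatures and the baseline counts are all constructed for illustration.

```python
import re
import statistics
from collections import Counter

# Constructed sample log lines (source IP, method, path, status) fed to the traffic collector.
SAMPLE_EVENTS = [
    "10.0.0.5 GET /index.html 200",
    "10.0.0.5 POST /login 401",
    "10.0.0.5 POST /login 200",
    "10.0.0.9 GET /files/../../secret.txt 404",
    "10.0.0.9 GET /.git/config 404",
    "10.0.0.9 POST /login 401",
    "10.0.0.9 POST /login 401",
    "10.0.0.9 POST /login 401",
    "10.0.0.9 POST /login 401",
]

# Signature database (constructed): name -> pattern the analysis engine looks for.
SIGNATURE_DB = {
    "path-traversal": re.compile(r"\.\./"),
    "git-metadata-probe": re.compile(r"/\.git/"),
}

# Constructed baseline: failed logins per source observed in earlier, normal windows.
BASELINE = [0, 1, 0, 2, 1, 0, 1, 0]

def collect(lines):
    """Traffic collector: parse raw log lines into structured events."""
    events = []
    for line in lines:
        src, method, path, status = line.split()
        events.append({"src": src, "method": method, "path": path, "status": int(status)})
    return events

def knowledge_based(events, signatures=SIGNATURE_DB):
    """Knowledge-based analysis engine: one alert per (source, matched signature)."""
    return [(ev["src"], name) for ev in events
            for name, pat in signatures.items() if pat.search(ev["path"])]

def behavior_based(events, baseline=BASELINE, k=3.0):
    """Behavior-based engine: flag sources whose failed logins exceed mean + k*stdev."""
    threshold = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    failures = Counter(ev["src"] for ev in events if ev["status"] == 401)
    return [(src, n) for src, n in failures.items() if n > threshold]

def run_ids(lines, baseline=BASELINE):
    """Management/reporting interface: collect both engines' alerts into one report."""
    events = collect(lines)
    return {"signature": knowledge_based(events), "anomaly": behavior_based(events, baseline)}
```

Note that the two engines fail differently: the signature engine misses anything not in `SIGNATURE_DB`, while the behavior engine flags the repeated failed logins only because they exceed the learned baseline, and would learn an attacker's activity as "normal" if it were present while the baseline was gathered.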