An IDS is mostly used to detect anomalies, with the aim of catching attackers before they do any real damage to the network. It can be either host-based or network-based: a host-based IDS is installed on the client computer, while a network-based IDS resides in the network itself.
Intrusion detection systems work by looking either for signatures of known attacks or for deviations from normal activity. These deviations or anomalies are pushed up the stack and examined at the protocol and application layers. They can effectively detect events such as Christmas tree scans and domain name system (DNS) poisonings.
You can implement an IDS as a software application that runs on your own hardware, or run it as a dedicated network security appliance. There are also cloud-based intrusion detection systems available to protect systems and data in cloud deployments.
What are the types of IDS?
Intrusion detection systems can be categorized into four groups, depending on the type of event they monitor and how they are deployed:
1. Network Based IDS (NIDS)
A Network Intrusion Detection System (NIDS) is generally deployed at strategic points throughout the network, intended to cover the places where traffic is most likely to be vulnerable to attack. Generally, it is applied to entire subnets, and it attempts to match any traffic passing by against a library of known attacks. It passively looks at the network traffic passing through the points on the network where it is deployed. A NIDS can be relatively easy to secure and can be made difficult for intruders to detect, which means an intruder may not realize their attack is being detected by the NIDS.
Network-based IDS software analyzes a large amount of network traffic, which means it sometimes has low specificity: it might miss an attack, or it might not detect something happening inside encrypted traffic. In some cases it needs more manual involvement from an administrator to ensure it is configured correctly.
This type of IDS monitors network traffic on a segment or device, and analyzes network and protocol activity to identify suspicious activity. It is capable of detecting numerous types of events of interest, and is generally deployed in a security topology at the boundary between two networks, where traffic is funneled through a single point. Because of this, in many cases the IDS function is integrated directly into the firewall.
2. Host Based IDS (HIDS)
Host refers to an actual device or asset. In this case, we can consider a user’s computer, or a server, as a host. Intrusion detection, in this format, monitors device characteristics and the events that happen on it in search of suspicious activity.
A Host Intrusion Detection System (HIDS) runs on all the devices in the network that have access to the internet and to other parts of the enterprise network. A HIDS has some advantages over a NIDS, due to its ability to look more closely at internal traffic, as well as working as a second line of defense against malicious packets a NIDS has failed to detect.
It looks at the entire system’s file set and compares it to its previous “snapshots” of that file set. It then checks whether there are significant differences outside normal business use and alerts the administrator if any files or settings are missing or significantly altered. It primarily uses host-based data sources such as application use, file access across the system, and kernel logs.
Usually, a host-based IDS can be installed individually on both corporate computers within the corporate network and on endpoints. Among the sources it monitors are network traffic to the device, running processes, system logs, and access to and changes in files and applications.
Modern IDS identify intrusions using one of two methods:
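The “snapshot and compare” check a HIDS performs on the file set, as an added example that is not part of the original post: a baseline of SHA-256 digests is taken over a directory tree, the tree is changed, and a second snapshot is diffed against the baseline to report missing, added and altered files. The directory contents and file names are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path):
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_snapshot(root):
    """Map every regular file under `root` (relative POSIX path) to its digest."""
    root = Path(root)
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                snapshot[p.relative_to(root).as_posix()] = hash_file(p)
    return snapshot


def compare_snapshots(baseline, current):
    """Report files missing since the baseline, newly added, or with a changed digest."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "missing": sorted(base_keys - cur_keys),
        "added": sorted(cur_keys - base_keys),
        "altered": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def demo():
    """Constructed tree: baseline it, simulate a setting change, a deletion and a new file."""
    with tempfile.TemporaryDirectory() as d:
        etc = Path(d) / "etc"
        etc.mkdir()
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        (etc / "ssh_config").write_text("PermitRootLogin no\n")
        baseline = take_snapshot(d)
        (etc / "ssh_config").write_text("PermitRootLogin yes\n")  # setting altered
        (etc / "hosts").unlink()                                  # file removed
        (etc / "motd").write_text("welcome\n")                    # file added
        return compare_snapshots(baseline, take_snapshot(d))
```

In a real deployment the baseline would be stored outside the monitored host (or signed), since an attacker who can alter files can usually alter a locally stored snapshot too.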
Knowledge/Signature Based Intrusion Detection
A knowledge-based IDS references a database of known system vulnerability profiles to identify active intrusion attempts.
This type of IDS is focused on searching for a “signature,” patterns, or a known identity, of an intrusion or specific intrusion event. Most IDS are of this type. It needs regular updates of what signatures or identities are common at the moment to ensure its database of intruders is current. This means signature-based IDS is only as good as how up to date its database is at a given moment.
Attackers can get around signature-based IDS by frequently changing small things about how the attack takes place, so the databases cannot keep pace. In addition, it means a completely new attack type may not be picked up at all by signature-based IDS because the signature doesn’t exist in the database. Furthermore, the larger the database becomes, the higher the processing load is for the system to analyze each connection and check it against the database.
In this case, it is very important that the organization has a policy of continuously updating the signature database to ensure continuity of security in the environment, since what is not known will literally not be protected against.
Behavior/Anomaly Based Intrusion Detection
A behavior-based IDS, on the other hand, analyzes traffic behavior against a baseline, or pattern, of standard system activity to identify intrusion attempts. If there are deviations from this baseline, several actions may be taken: the traffic may be blocked temporarily, an alarm may be raised to the network operations center (NOC/SOC) so the abnormality can be investigated further, and the traffic may then be permitted or permanently blocked.
In contrast to signature-based IDS, anomaly-based IDS looks for the kinds of unknown attacks that signature-based IDS finds hard to detect. Due to the rapid growth in malware and attack types, anomaly-based IDS uses machine learning approaches to compare models of trustworthy behavior with new behavior. As a result, strange or unusual-looking behavior will be flagged. However, previously unknown but legitimate behavior can be accidentally flagged as well, and depending on the response, this can cause problems.
In addition, anomaly-based IDS assumes network behavior always stays predictable and it can be simple to tell good traffic from bad. But anomaly-based IDS looks at the behavior of traffic, not the payload, and if a network is running on a non-standard configuration, the IDS can have problems figuring out which traffic to flag.
However, anomaly-based IDS is good for determining when someone is probing or sweeping a network prior to the attack taking place. Even these sweeps or probes create signals in the network the anomaly-based IDS will pick up on. This type of IDS needs to be more distributed across the network, and the machine learning processes need to be guided and trained by an administrator.
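The two detection methods side by side, as an added example that is not part of the original post: a signature rule catches a Christmas tree scan (FIN, PSH and URG set together) on a single packet, while a baseline learned from normal activity flags a host sweeping far more destination ports than any host normally touches. The connection records and the threshold rule (mean plus three standard deviations of distinct ports per source) are constructed for the demo.

```python
import statistics
from collections import defaultdict

# Constructed connection records: (src_ip, dst_ip, dst_port, tcp_flags).
# Flags: S=SYN, A=ACK, F=FIN, P=PSH, U=URG.  BASELINE is normal activity used
# to learn what "usual" looks like; LIVE is the traffic being inspected.
BASELINE = [
    ("10.0.0.5", "10.0.0.20", 80, "S"), ("10.0.0.5", "10.0.0.20", 443, "S"),
    ("10.0.0.6", "10.0.0.20", 443, "S"),
    ("10.0.0.7", "10.0.0.20", 22, "S"), ("10.0.0.7", "10.0.0.21", 80, "S"),
    ("10.0.0.7", "10.0.0.21", 443, "S"),
    ("10.0.0.8", "10.0.0.20", 80, "S"), ("10.0.0.8", "10.0.0.20", 445, "S"),
]
LIVE = [
    ("10.0.0.5", "10.0.0.20", 80, "S"), ("10.0.0.5", "10.0.0.20", 443, "S"),
    ("10.0.0.11", "10.0.0.20", 80, "FPU"),          # one Christmas tree packet
] + [("10.0.0.9", "10.0.0.20", p, "S") for p in (21, 22, 23, 25, 80, 110, 143, 443)]

# --- Signature-based: each rule is a known pattern matched per record ---
SIGNATURES = {
    "xmas-scan": lambda r: set("FPU") <= set(r[3]),  # FIN+PSH+URG never occurs legitimately
    "null-scan": lambda r: r[3] == "",               # no flags set at all
}

def signature_alerts(records):
    """(rule name, source IP) for every record matching a known signature."""
    return [(name, r[0]) for r in records for name, match in SIGNATURES.items() if match(r)]

# --- Anomaly-based: distinct destination ports per source vs. a learned baseline ---
def ports_per_source(records):
    seen = defaultdict(set)
    for src, _dst, port, _flags in records:
        seen[src].add(port)
    return {src: len(ports) for src, ports in seen.items()}

def learn_threshold(baseline_records, k=3.0):
    """Mean + k standard deviations of the baseline port counts (stdev floored at 1)."""
    counts = list(ports_per_source(baseline_records).values())
    return statistics.mean(counts) + k * max(statistics.pstdev(counts), 1.0)

def anomaly_alerts(records, threshold):
    """(source IP, distinct port count) for sources exceeding the learned threshold."""
    return [(src, n) for src, n in ports_per_source(records).items() if n > threshold]
```

Note that each method misses what the other catches here: the sweep uses ordinary SYN packets so no signature fires, and the single Christmas tree packet touches one port so the baseline check stays quiet.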
Guys, what do you think of this post on how an IDS actually works?
Kindly leave me your thoughts in the comment section.
This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so passionate about the Cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about Cybersecurity on her website and on social media platforms.
34,000+ professionals follow her on Facebook and are impressed by the quality of her posts there.
If you haven't yet come across her work of sharing quality information about Cybersecurity, you can follow her Facebook page, Cybersecurity PRISM.