Table of contents
What is an Intrusion Detection System?
An intrusion detection system (IDS) is a device or software application that monitors a network for malicious activity or policy violations. Any malicious activity or violation is typically reported or collected centrally using a security information and event management system. Some IDS’s are capable of responding to detected intrusion upon discovery. These are classified as intrusion prevention systems (IPS).
IDS Detection Types
There is a wide array of IDS, ranging from antivirus software to tiered monitoring systems that follow the traffic of an entire network. The most common classifications are:
- Network intrusion detection systems (NIDS): A system that analyzes incoming network traffic.
- Host-based intrusion detection systems (HIDS): A system that monitors important operating system files.
There is also subset of IDS types. The most common variants are based on signature detection and anomaly detection.
- Signature-based: Signature-based IDS detects possible threats by looking for specific patterns, such as byte sequences in network traffic, or known malicious instruction sequences used by malware. This terminology originates from antivirus software, which refers to these detected patterns as signatures. Although signature-based IDS can easily detect known attacks, it is impossible to detect new attacks, for which no pattern is available.
- Anomaly-based: a newer technology designed to detect and adapt to unknown attacks, primarily due to the explosion of malware. This detection method uses machine learning to create a defined model of trustworthy activity, and then compare new behavior against this trust model. While this approach enables the detection of previously unknown attacks, it can suffer from false positives: previously unknown legitimate activity can accidentally be classified as malicious.
IDS Usage in Networks
When placed at a strategic point or points within a network to monitor traffic to and from all devices on the network, an IDS will perform an analysis of passing traffic, and match the traffic that is passed on the subnets to the library of known attacks. Once an attack is identified, or abnormal behavior is sensed, the alert can be sent to the administrator.
Being aware of the techniques available to cyber criminals who are trying to breach a secure network can help IT departments understand how IDS systems can be tricked into not missing actionable threats:
- Fragmentation: Sending fragmented packets allow the attacker to stay under the radar, bypassing the detection system's ability to detect the attack signature.
- Avoiding defaults: A port utilized by a protocol does not always provide an indication to the protocol that’s being transported. If an attacker had reconfigured it to use a different port, the IDS may not be able to detect the presence of a trojan.
- Coordinated, low-bandwidth attacks: coordinating a scan among numerous attackers, or even allocating various ports or hosts to different attackers. This makes it difficult for the IDS to correlate the captured packets and deduce that a network scan is in progress.
- Address spoofing/proxying: attackers can obscure the source of the attack by using poorly secured or incorrectly configured proxy servers to bounce an attack. If the source is spoofed and bounced by a server, it makes it very difficult to detect.
- Pattern change evasion: IDS rely on pattern matching to detect attacks. By making slight adjust to the attack architecture, detection can be avoided.