What is Intrusion detection system

This article is about the computing term. For other uses, see Burglar alarm.
http://www.ids-sax2.com/articles/IntrusionDetectionSystem.htm


An Intrusion detection system (IDS) is software and/or hardware designed to detect unwanted attempts at accessing, manipulating, and/or disabling of computer systems, mainly through a network, such as the Internet. These attempts may take the form of attacks, as examples, by crackers, malware and/or disgruntled employees. An IDS cannot directly detect attacks within properly encrypted traffic.
An intrusion detection system is used to detect several types of malicious behaviors that can compromise the security and trust of a computer system. This includes network attacks against vulnerable services, data driven attacks on applications, host based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses, trojan horses, and worms).
An IDS can be composed of several components: Sensors which generate security events, a Console to monitor events and alerts and control the sensors, and a central Engine that records events logged by the sensors in a database and uses a system of rules to generate alerts from security events received. There are several ways to categorize an IDS depending on the type and location of the sensors and the methodology used by the engine to generate alerts. In many simple IDS implementations all three components are combined in a single device or appliance.


Contents
1 Types of Intrusion-Detection systems
2 Passive system vs. reactive system
3 IDS evasion techniques
4 Development


Types of Intrusion-Detection systems


In a network-based intrusion-detection system (NIDS), the sensors are located at choke points in network to be monitored, often in the demilitarized zone (DMZ) or at network borders. The sensor captures all network traffic and analyzes the content of individual packets for malicious traffic. In systems, PIDS and APIDS are used to monitor the transport and protocols illegal or inappropriate traffic or constructs of language (say SQL). In a host-based system, the sensor usually consists of a software agent, which monitors all activity of the host on which it is installed. Hybrids of these two systems also exist.
A network intrusion detection system (NIDS) is an independent platform which identifies intrusions by examining network traffic and monitors multiple hosts. Network Intrusion Detection Systems gain access to network traffic by connecting to a hub, network switch configured for port mirroring, or network tap. An example of a NIDS is Snort.
A protocol-based intrusion detection system (PIDS) consists of a system or agent that would typically sit at the front end of a server, monitoring and analyzing the communication protocol between a connected device (a user/PC or system). For a web server this would typically monitor the HTTPS protocol stream and understand the HTTP protocol relative to the web server/system it is trying to protect. Where HTTPS is in use then this system would need to reside in the "shim" or interface between where HTTPS is un-encrypted and immediately prior to it entering the Web presentation layer.
An application protocol-based intrusion detection system (APIDS) consists of a system or agent that would typically sit within a group of servers, monitoring and analyzing the communication on application specific protocols. For example; in a web server with database this would monitor the SQL protocol specific to the middleware/business-login as it transacts with the database.
A host-based intrusion detection system (HIDS) consists of an agent on a host which identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability/acl databases) and other host activities and state. An example of a HIDS is OSSEC.
A hybrid intrusion detection system combines two or more approaches. Host agent data is combined with network information to form a comprehensive view of the network. An example of a Hybrid IDS is Prelude.

Passive system vs. reactive system


In a passive system, the intrusion detection system (IDS) sensor detects a potential security breach, logs the information and signals an alert on the console and or owner. In a reactive system, also known as an intrusion prevention system (IPS), the IDS responds to the suspicious activity by resetting the connection or by reprogramming the firewall to block network traffic from the suspected malicious source. This can happen automatically or at the command of an operator.
Though they both relate to network security, an intrusion detection system (IDS) differs from a firewall in that a firewall looks outwardly for intrusions in order to stop them from happening. Firewalls limit access between networks to prevent intrusion and do not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system. This is traditionally achieved by examining network communications, identifying heuristics and patterns (often known as signatures) of common computer attacks, and taking action to alert operators. A system which terminates connections is called an intrusion prevention system, and is another form of an application layer firewall.
The term IDPS is commonly used to refer to hybrid security systems that both "detect" and "prevent".

IDS evasion techniques


Intrusion detection system evasion techniques bypass detection by creating different states on the IDS and on the targeted computer. The adversary accomplishes this by manipulating either the attack itself or the network traffic that contains the attack.

Development


A preliminary concept of an IDS began with James P. Anderson and reviews of audit trails.[1] An example of an audit trail would be a log of user access.
Fred Cohen noted in 1984 (see Intrusion Detection) that it is impossible to detect an intrusion in every case and that the resources needed to detect intrusions grows with the amount of usage.
Dorothy E. Denning, assisted by Peter Neuman, published a model of an IDS in 1986 that formed the basis for many systems today.[2] Her model used statistics for anomaly detection, and resulted in an early IDS at SRI named the Intrusion detection expert system (IDES), which ran on Sun Workstations and could consider both user and network level data.[3] IDES had a dual approach with a rule-based Expert System to detect known types of intrusions plus a statistical anomaly detection component based on profiles of users, host systems, and target systems. Lunt proposed adding an Artificial neural network as a third component. She said all three components could then report to a resolver. SRI followed IDES in 1993 with the Next-generation Intrusion Detection Expert System (NIDES).[4]
The Multics intrusion detection and alerting system (MIDAS), an expert system using P-BEST and LISP, was developed in 1988 based on the work of Denning and Neuman.[5] Haystack was also developed this year using statistics to reduce audit trails.[6]
Wisdom & sense (W&S) was a statistics-based anomaly detector developed in 1989 at the Los Alamos National Laboratory.[7] W&S created rules based on statistical analysis, and then used those rules for anomaly detection.
In 1990, the Time-based inductive machine (TIM) did anomaly detection using inductive learning of sequential user patterns in Common LISP on a VAX 3500 computer.[8] The Network Security Monitor (NSM) performed masking on access matrices for anomaly detection on a Sun-3/50 workstation.[9] The Information Security Officer's Assistant (ISOA) was a 1990 prototype that considered a variety of strategies including statistics, a profile checker, and an expert system.[10] ComputerWatch at AT&T Bell Labs used statistics and rules for audit data reduction and intrusion detection.[11]
Then, in 1991, researchers at the University of California created a prototype Distributed intrusion detection system (DIDS), which was also an expert system.[12] The Network anomaly detection and intrusion reporter (NADIR), also in 1991, was a prototype IDS developed at the Los Alamos National Laboratory's Integrated Computing Network (ICN), and was heavily influenced by the work of Denning and Lunt.[13] NADIR used a statistics-based anomaly detector and an expert system.
The Lawrence Berkeley National Laboratory announced Bro in 1998 which used its own rule language for packet analysis from libpcap data.[14] Network Flight Recorder (NFR)in 1999 also used libpcap.[15] APE was developed as a packet sniffer, also using libpcap, in November, 1998, and was renamed Snort one month later.[16]
The Audit data analysis and mining (ADAM) IDS in 2001 used tcpdump to build profiles of rules for classifications.[17]