Intrusion Detection Systems And Intrusion Prevention


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work witten by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

"Agent: A host-based intrusion detection and prevention program that monitors and analyzes activity and may also perform prevention actions

Alert: A notification of an important observed event

Anomaly-Based Detection: The process of comparing definitions of what activity is considered normal against observed events to identify significant deviations

Blacklist: A list of discrete entities, such as hosts or applications, that have been previously determined to be associated with malicious activity

Console: A program that provides user and administrator interfaces to an intrusion detection and prevention system

Database Server: A repository for event information recorded by sensors, agents, or management servers

False Negative: An instance in which an intrusion detection and prevention technology fails to identify malicious activity as being such

False Positive: An instance in which an intrusion detection and prevention technology incorrectly identifies benign activity as being malicious

Host-Based Intrusion Detection and Prevention System: A program that checks the features of each host and the actions occurring within that host to identify and prevent suspicious activity

Incident: A violation or imminent threat of violation of standard security practices, acceptable use policies, or computer security policies

Intrusion Detection: The system of detecting the actions happening in a network or a computer system and analyzing them for marks of possible incidents

Intrusion Detection and Prevention: The process of detecting the actions taking place in a computer system or network, analyzing them for marks of possible incidents, and attempting to stop detected possible incidents. See also "intrusion prevention"

Intrusion Detection System: Software that automates the intrusion detection process

Intrusion Prevention: The procedure of monitoring the events occurring in a computer system or network, analyzing them for signs of possible incidents, and attempting to stop detected possible incidents. See also "intrusion detection and prevention"

Intrusion Prevention System: Software that has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents. Also called an intrusion detection and prevention system

Management Network: A separate network strictly designed for security software management

Management Server: A centralized device that receives information from sensors or agents and manages them

Network-Based Intrusion Detection and Prevention System: An intrusion detection and prevention system that monitors network traffic for particular network segments or devices and analyzes the network and application protocol activity to identify and stop suspicious activity

Sensor: An intrusion detection and prevention system component that monitors and analyzes network activity and may also perform prevention actions

Signature: A pattern that corresponds to a known threat

Signature-Based Detection: The process of comparing signatures against observed events to identify possible incidents

Stealth Mode: Operating an intrusion detection and prevention sensor without IP addresses assigned to its monitoring network interfaces

Threshold: A value that sets the limit between normal and abnormal behavior

Whitelist: A list of discrete entities, such as hosts or applications, that are known to be benign

Wireless Intrusion Detection and Prevention System: An intrusion detection and prevention system that monitors wireless network traffic and analyzes its wireless networking protocols to identify and stop suspicious activity involving the protocols themselves"

IPS and IDS both examine traffic looking for attacks, but they differ significantly. Both detect malicious or unwanted traffic, and both do so as accurately as possible given the speed of the network. The difference lies in deployment: an IDS sits out of band, while an IPS sits in-line, so that traffic passes through it between devices. Each has its own architecture and its own way of being deployed in the network.

Moreover, IDPS technology attempts to monitor threats and stop them from progressing. The types of IDPS technology differ in the kinds of attacks they deal with and the methods they use to block them, but all of them share similar security capabilities and characteristics.

The last chapter discusses IDPS technologies. It first covers the main components of the technology and describes the architectures generally used to deploy those components. It then illustrates the security capabilities of the technologies, including the methodologies used to monitor suspicious activity. Finally, it presents the management capabilities of the technologies, with some recommendations for implementation and operation.

Previously, intrusion detection depended on manual searches for irregularities. Log files were scanned for actions that might or might not occur during regular operation of the network and its computers. Performed manually, this task was error-prone and very time-consuming. It therefore became necessary to develop automated log-file viewers that search logged events for anomalies or for the intrusion of unauthorized personnel. Since not every irregularity is an actual intrusion or attack, the whole process needed further development.

With further research, different kinds of attack patterns were derived from these irregularities. The first automated log-file viewers were therefore developed as intrusion detection software (not yet systems) by a few organizations individually, before the age of the Internet. Later, the IT security industry produced network-based intrusion detection, which could monitor network traffic and examine the TCP/IP packet stream for attack patterns.

Up to this point, intrusion detection analyzed log files long after the actual events had occurred, with the possibility of adjusting the infrastructure afterwards. Once sufficient processing speed became available, it was possible not only to search for attack patterns after the events had happened but also to monitor in real time and generate alerts when an intrusion was revealed. The IT security industry then developed this software into intrusion detection systems with many properties, such as different types of alerts, updatable attack patterns and prevention of threats in progress.

An intrusion detection system is a security system that monitors network traffic and computer systems, analyzing attacks that originate inside or outside the organization. An IDS does not detect intrusions as such; it only provides clues to intrusions, either while they are in progress or after they have occurred. It identifies security threats by indicating that they have taken place, but it does not prevent these attacks. It monitors internal attacks that the firewall did not detect and also helps with firewall audits. Furthermore, an IDS can detect threats in several different ways.

An anomaly-detection-based IDS classifies observed behavior as normal or abnormal. Abnormal behavior is rated and recorded as an attack. Anomaly detection is also referred to as profile-based detection, the profile being the keystone of what counts as normal user activity. The detection capacity of the IDS depends on the quality of the user profiles. Furthermore, several different techniques are derived from user profiles.

Rule-based approach.

This technique models normal usage behavior. The rules are created by analyzing normal traffic, which is a sophisticated task. Protocol anomaly detection, which analyzes packet flows, also falls into this category.

These systems are equipped with a large amount of data and rules for analyzing relationships. They distinguish between normal and abnormal traffic, so if abnormal behavior appears, an alarm is triggered.

This technique deals with normal traffic: activity profiles of the system and of user traffic determine whether an observed action is an attack, and any deviation from normal raises an alarm.

Anomaly detection has pros and cons. Its advantage is the ability to detect previously unknown attacks from outside or inside the system. It also makes it impossible for an attacker to know which actions will generate an alarm, so they cannot assume that a given activity will or will not be detected. The disadvantage of this approach is that many false positive alerts are triggered during some legitimate activities. Moreover, updating the profiles is laborious and takes a lot of time and effort.
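The profile-and-threshold idea described above, as an added example that is not part of the original essay: a per-user profile (mean and standard deviation of a count) is built from a constructed baseline, and a new observation is flagged as abnormal when its z-score crosses the threshold. The user names, the baseline counts and the threshold value are all assumptions chosen for the illustration.

```python
"""Anomaly-based detection with per-user activity profiles and a threshold.

Added example, not code from the essay.  The baseline below is constructed
sample data: failed logins per hour observed for each user during the
profiling period.
"""
from statistics import mean, pstdev

# Constructed baseline (assumption): failed logins per hour during profiling.
BASELINE = {
    "alice": [0, 1, 0, 2, 1, 0, 1, 0, 1, 1],
    "bob":   [3, 4, 2, 5, 3, 4, 3, 2, 4, 3],
}

# The threshold is the z-score that separates normal from abnormal behaviour.
THRESHOLD = 3.0


def build_profile(baseline):
    """Summarise each user's normal behaviour as (mean, standard deviation)."""
    profile = {}
    for user, counts in baseline.items():
        sd = pstdev(counts)
        # A perfectly constant baseline would make every deviation infinite,
        # so the standard deviation is floored at 0.5 (an assumed choice).
        profile[user] = (mean(counts), max(sd, 0.5))
    return profile


def score(profile, user, observed):
    """Return how many standard deviations `observed` lies from the user's mean.

    A user with no profile has no definition of "normal", so the deviation is
    reported as infinite and the event is always flagged.
    """
    if user not in profile:
        return float("inf")
    mu, sd = profile[user]
    return (observed - mu) / sd


def detect(profile, events, threshold=THRESHOLD):
    """events: list of (user, failed_logins_this_hour).  Returns the alerts."""
    alerts = []
    for user, observed in events:
        z = score(profile, user, observed)
        if z > threshold:
            alerts.append((user, observed, round(z, 2)))
    return alerts


if __name__ == "__main__":
    profile = build_profile(BASELINE)
    # Constructed observations.  Note that alice's 9 failures might be an
    # attack or a forgotten password after a reset: the profile cannot tell,
    # which is the false positive the text warns about.
    observed = [("alice", 9), ("bob", 5), ("alice", 2), ("carol", 1), ("bob", 12)]
    for alert in detect(profile, observed):
        print("ALERT user=%s count=%d z=%s" % alert)
```

Bob's 5 failures stay below the threshold because his profile already tolerates that level, while the same count from alice would be flagged; the quality of the profile, as the text says, is what decides the detection capacity.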

Misuse detection is also known as signature-based detection. A signature is a fingerprint, stored in a signature database, that corresponds to a known attack. The fingerprint is based on a number of rules that match certain patterns used by attackers, so the process generates an alarm when an observed event matches one, identifying an incident. It is very effective at detecting known threats but ineffective at revealing unknown attacks. Because it works by comparison, misuse detection is the simplest method: it compares current events with a set of signatures. With a database of attack signatures, false positive alerts are few. Since this technology has little understanding of the various application protocols and networks and cannot follow the state of a sophisticated communication, it cannot detect many threats that consist of multiple actions. The methodology therefore has limitations: it requires the signature database to be updated continuously to keep up with new attacks.
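Signature-based detection as just described, as an added example that is not from the essay: a small signature database of regular expressions is compared against constructed web-server log lines, a match raises an alert, and an event with no matching signature passes silently until the database is updated. The signature identifiers, patterns and log lines are all constructed for the illustration and are not a vendor rule set.

```python
"""Signature-based (misuse) detection over constructed access-log lines.

Added example, not code from the essay.  Each signature is a fingerprint of
a known attack pattern; every observed event is compared with every
signature, and anything that matches none is passed without an alert.
"""
import re

# Constructed signature database: (id, description, compiled pattern).
SIGNATURES = [
    ("SIG-1001", "SQL injection probe", re.compile(r"(?i)\bunion\s+select\b")),
    ("SIG-1002", "Directory traversal", re.compile(r"\.\./\.\./")),
    ("SIG-1003", "Shell command in query", re.compile(r"(?i)[;|]\s*(cat|ls|id)\b")),
]

# Constructed log lines: one benign request, two known attack patterns, one
# benign request that superficially resembles a signature, and one probe for
# which no signature exists yet.
LOG_LINES = [
    '10.0.0.5 - - "GET /products?id=1 HTTP/1.1" 200',
    '10.0.0.9 - - "GET /products?id=1 UNION SELECT password FROM users HTTP/1.1" 200',
    '10.0.0.9 - - "GET /files?name=../../etc/passwd HTTP/1.1" 404',
    '10.0.0.7 - - "GET /search?q=union+selection HTTP/1.1" 200',
    '10.0.0.11 - - "GET /admin/config.php HTTP/1.1" 403',
]


def scan(lines, signatures=SIGNATURES):
    """Compare every line with every signature; return (line_no, sig_id, desc)."""
    alerts = []
    for line_no, line in enumerate(lines, 1):
        for sig_id, desc, pattern in signatures:
            if pattern.search(line):
                alerts.append((line_no, sig_id, desc))
    return alerts


def add_signature(signatures, sig_id, desc, regex):
    """Return an updated database; this is how a new attack becomes detectable."""
    return signatures + [(sig_id, desc, re.compile(regex))]


if __name__ == "__main__":
    print("before update:", scan(LOG_LINES))
    # Line 5 is a false negative until an analyst adds a signature for it.
    updated = add_signature(SIGNATURES, "SIG-1004", "Admin page probe", r"/admin/")
    print("after update: ", scan(LOG_LINES, updated))
```

Line 4 is not flagged because the word boundary and whitespace in SIG-1001 do not match a search for "union+selection", which is the low false positive rate the text credits to signature databases; line 5 is missed entirely until SIG-1004 is added, which is the false negative side of the same design.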

A network-based IDS is located behind the firewall and has two interfaces, management and monitoring. Through the management interface, the IDS management control unit connects to the sensor. The monitoring interface runs in promiscuous mode and is not manageable: it cannot be reached through the network, but it observes traffic by being attached to the network signal. The sensor scans all packets passing through the network segment. This type of IDS sits in the demilitarized zone and is able to use both misuse and anomaly detection techniques. It must also keep up with high volumes of traffic, or it may fail to detect some attacks; high speed is likewise fundamental for a fast response time.

Additionally, host-based intrusion detection systems work at the level of the individual host. A HIDS is software that runs on each host being protected and monitors event files and system audit logs. When these logs change, the IDS sensor compares the new entries with attack signatures to determine whether there is a match; if so, the sensor reports to the management console. The host-based sensor does not analyze packets; it monitors the activities of the system, and if it detects an irregularity it generates an alert. Over the years HIDS has gained new features, such as examining system files at regular intervals for unexpected changes, checking port-based activity and alerting administrators if any attack is detected.

All in all, the IDS is the second line of defense after the firewall, acting as a supplement to firewall security. It detects attackers trying to break into the system through the firewall and alerts administrators to any security breach. It can protect the system from internal and external threats.

Because computer downtime leads to financial loss, damage to reputation or compromise of confidential data, demand grew not only for alerting when an attack occurs but also for preventing the attack from succeeding at all. This demand has become indispensable. In particular, with the introduction of serious attacks such as Denial of Service and Distributed Denial of Service, demand has moved strongly from intrusion detection to intrusion prevention systems. The term intrusion prevention system is quite new and was coined to address the negative image of intrusion detection systems. Such a system combines an intrusion detection system with access control devices, namely firewalls and routers. The integration is natural because both technologies share techniques: almost all commercial firewalls use stateful inspection, and commercial IDSs use recognized signatures. Both need to scan the packet before making an access decision (firewall) or generating an alert (IDS). To do this in one step, further development with adequate processing power is needed.

An IPS is a device, either software or hardware, that is able to detect not only known attacks but also unknown ones and prevent them from succeeding. It is an in-line system focused on matching and blocking harmful network traffic in real time, and it has some of the basic functions of a firewall. However, an IPS passes all traffic except that which it has a reason to block, whereas a firewall blocks all traffic except that which it has a reason to pass. The IPS is thus the next step in the development of the IDS: where IDS technology generates an alert when an attack is detected, an IPS can block the attack from progressing. Another characteristic that distinguishes them is that an IPS can respond immediately to a threat, whilst an IDS may allow the threat access before it responds.

An in-line detection system is a frontal barrier between one's own network and other networks around the world. It is placed in front of the firewall at the outer edge of the network; for more precise prevention it can also be installed inside the network. Most NIDS have two NICs, management and monitoring. The NIC responsible for detection has no IP address assigned, which makes it a stealth interface: it cannot receive packets addressed to it, nor can the NIDS reply through it. The in-line detection system functions as a combination of a layer two bridge and a firewall. All traffic goes through the in-line NIDS, which checks the packets for flaws. Thus, depending on whether a packet matches a signature, it is passed or blocked. In other words, when a packet contains legitimate data, the in-line IPS passes it through to the network; if it contains any identified vulnerability, the firewall blocks the packet or cuts the connection.
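The two default policies contrasted above (an IPS passes everything it has no reason to block, a firewall blocks everything it has no reason to pass), as an added example that is not part of the essay: the same constructed flows are run through a default-deny allow-list and a default-allow block-list, and the verdicts differ in exactly the cases the text describes. Addresses, ports, rules and payloads are constructed for the illustration.

```python
"""Default-deny (firewall) versus default-allow (in-line IPS) decisions.

Added example, not code from the essay.  A flow is what an in-line device
sees between two network segments; the rules and flows are constructed.
"""

# Constructed flows seen by an in-line device (documentation address ranges).
FLOWS = [
    {"src": "203.0.113.8", "dst": "192.0.2.10", "dport": 80,
     "payload": "GET / HTTP/1.1"},
    {"src": "203.0.113.8", "dst": "192.0.2.10", "dport": 80,
     "payload": "GET /files?name=../../etc/passwd HTTP/1.1"},
    {"src": "203.0.113.9", "dst": "192.0.2.10", "dport": 22,
     "payload": "SSH-2.0-client"},
    {"src": "198.51.100.3", "dst": "192.0.2.10", "dport": 443,
     "payload": ""},
]

# Firewall policy: explicit reasons to pass; everything else is denied.
FIREWALL_ALLOW = [
    {"dst": "192.0.2.10", "dport": 80},
    {"dst": "192.0.2.10", "dport": 443},
]

# IPS policy: explicit reasons to block (signatures); everything else passes.
IPS_BLOCK = [
    ("directory traversal", lambda flow: "../../" in flow["payload"]),
]


def firewall_decision(flow, allow_rules=FIREWALL_ALLOW):
    """Default deny: pass only a flow that matches an allow rule."""
    for rule in allow_rules:
        if all(flow.get(key) == value for key, value in rule.items()):
            return "pass"
    return "block"


def ips_decision(flow, block_rules=IPS_BLOCK):
    """Default allow: block only a flow for which a signature gives a reason."""
    for _name, matches in block_rules:
        if matches(flow):
            return "block"
    return "pass"


def decide_all(flows):
    """Return (firewall verdict, IPS verdict) for every flow."""
    return [(firewall_decision(flow), ips_decision(flow)) for flow in flows]


if __name__ == "__main__":
    for flow, (fw, ips) in zip(FLOWS, decide_all(FLOWS)):
        print("dport=%-4d firewall=%-5s ips=%-5s %s"
              % (flow["dport"], fw, ips, flow["payload"][:40]))
```

The second flow is passed by the firewall (port 80 is allowed) but blocked by the IPS, and the third is blocked by the firewall (port 22 is not allowed) but passed by the IPS, which has no signature for it; this is why the text treats the IPS as a complement to the firewall rather than a replacement.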

Layer seven switches are placed in front of the firewall. In the past, switches were layer two devices, but they now operate up to layer seven. Their task is to load-balance web-based applications: they inspect HTTP, DNS and SMTP requests to decide where to route the traffic. The companies that produce these devices have also added security features to protect their products from attacks such as DDoS and DoS. The devices are built on custom hardware to deliver high performance under heavy network traffic; for example, they can handle gigabit and multi-gigabit traffic. Layer seven switches have a similar task to an in-line IPS in that both can stop attacks, and they share the same limitation of only preventing known attacks; however, layer seven switches can stop DoS attacks that most other devices cannot, and they can mitigate DoS attacks without affecting the performance of the rest of the network. What makes layer seven switches unique is that they can be deployed in a load-balancing mode or in a hot-standby mode.

Application firewalls are installed on each server being protected. This type examines each application on the server, its API calls, the way the application interacts with the system, and its memory management. This helps protect the system from unknown threats and from poor programming. By monitoring how applications interact with the system and how users interact with the applications, an application firewall builds a behavioral profile that distinguishes legitimate use from malicious use. Once this application policy has been created, it can be set to protect the applications. Unlike the two previous IPS methodologies, when an application firewall observes events that were not previously defined, those events are blocked. One limitation is that while the profile is being built, the user must make sure that every aspect of the application is exercised so that the application firewall can create a rule for each legitimate interaction; if this is not done thoroughly, some parts of the application may not work. Another drawback is that after the application is updated it may need to be profiled again to ensure that the firewall does not block legitimate use.

Hybrid switches are a cross between layer seven switches and application firewalls. They are devices placed in front of the server, like layer seven switches, but they do not use NID-style signatures for setting rules; they use a policy comparable to that of application firewalls.

They monitor the traffic for harmful content as determined by the policy that has been created. Hybrid switches thus have a similar function to layer seven switches. However, rather than having a few signatures for threats aimed at the web server, they hold detailed information about the web server and the applications that sit on top of it, and they close requests from the user that do not match the allowed commands. In addition, hybrid switches can be combined with layer seven switches when the protected application carries a lot of traffic, to achieve high performance: the layer seven switch can be configured to forward certain requests to the hybrid switch for closer examination, which reduces the number of requests the hybrid switch has to inspect and increases performance.

Deceptive systems work a little differently from the other types of IPS. The methodology was first presented at the RAID conference in 1998. The idea is to use deceptive techniques: the system examines all network traffic to distinguish between good and harmful traffic.

In this first step it therefore functions like an application firewall in its profiling phase. Then, when it notices an attempt to contact a service, whether existing or non-existent, it sends back a reply to the attacker. The reply is marked and includes some fake data; when the attacker returns and attempts to attack the server, the IPS notices the marked data and blocks all traffic sent from that attacker. In short, intrusion prevention systems are the next step in the evolution of IDS. According to the Gartner Group, a study during 2004 argued that only IPS would survive by 2005. Market demand is shifting significantly towards IPS rather than IDS. Each type of IPS provides a different kind of protection, with its own advantages and disadvantages. Users may decide which type they need to solve their problems, and they may use more than one type: for example, they can place layer seven switches in front of the firewall to protect against DoS attacks and known attacks, and use hybrid switches or application firewalls to protect their web servers.
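The marked-reply mechanism of the deceptive system described above, as an added example that is not from the essay: a probe of a port with no real service receives a fake banner carrying a marker, and any later request that echoes a marker the sensor itself issued causes the source to be blocked. The key, the service list, the addresses and the traffic are constructed, and using an HMAC of the probing source and port as the marker is an assumed design choice, not something the text specifies.

```python
"""Deceptive-system marking: fake replies carry a marker, and traffic that
later echoes a marker is blocked.

Added example, not code from the essay.  The sensor remembers every marker it
hands out, so a returning request that reuses one is recognised regardless of
which address it comes from.  Key and traffic are constructed.
"""
import hashlib
import hmac

SECRET = b"constructed-sensor-key"   # assumption: per-sensor secret
REAL_SERVICES = {80, 443}            # assumption: ports with genuine services


class DeceptiveSensor:
    def __init__(self, key=SECRET, real_services=REAL_SERVICES):
        self.key = key
        self.real_services = set(real_services)
        self.issued = {}     # marker -> source it was handed to
        self.blocked = set() # sources whose traffic is now dropped

    def mark_for(self, src, dport):
        """A marker is a truncated HMAC so it looks like an ordinary token."""
        msg = ("%s:%d" % (src, dport)).encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:16]

    def respond(self, src, dport):
        """Real services answer normally; probes of unused ports get fake data."""
        if dport in self.real_services:
            return "real-service"
        marker = self.mark_for(src, dport)
        self.issued[marker] = src
        return "Server: fake-service session=" + marker

    def inspect(self, src, payload):
        """Block a source for good once its traffic carries an issued marker."""
        if src in self.blocked:
            return "block"
        for marker in self.issued:
            if marker in payload:
                self.blocked.add(src)
                return "block"
        return "pass"


def simulate():
    """Constructed exchange; returns the sensor's decisions in order."""
    sensor = DeceptiveSensor()
    decisions = []
    # 1. A benign client talks to a real service.
    decisions.append(sensor.inspect("10.0.0.2", "GET / HTTP/1.1"))
    # 2. A probe of a port with no service receives a marked fake banner.
    banner = sensor.respond("203.0.113.5", 8080)
    token = banner.split("session=")[1]
    # 3. The probing source comes back and reuses the fake session token.
    decisions.append(sensor.inspect("203.0.113.5", "GET /login?session=" + token))
    # 4. From now on everything from that source is dropped.
    decisions.append(sensor.inspect("203.0.113.5", "GET / HTTP/1.1"))
    # 5. Other clients are unaffected.
    decisions.append(sensor.inspect("10.0.0.2", "GET /index.html HTTP/1.1"))
    return decisions


if __name__ == "__main__":
    print(simulate())
```

Because a marker only ever appears in traffic that was built from the fake reply, a match gives the sensor high confidence with no need for a signature of the eventual attack, which is the advantage the text claims for this approach over the other IPS types.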

Intrusion detection is the technique of detecting attacks attempted against a computer system or network by analyzing events for signatures of known incidents. Intrusion prevention is the process of implementing intrusion detection and trying to block the attacks. Intrusion detection and prevention systems are fundamentally based on monitoring possible incidents, gathering data about them, attempting to prevent them and informing administrators about them. IDPSs generally log data related to the identified actions and report them to security administrators. They can also prevent an observed attack from progressing. However, IDPSs cannot produce entirely precise monitoring: they yield false negatives (failing to recognize harmful events) as well as false positives (incorrectly flagging benign activity as malicious).

There are four main types of IDPS technology, distinguished by the kinds of incidents they detect and the methods they use to stop them. First, network-based IDPS monitors network traffic for particular network segments or devices and examines application protocol activity to identify suspicious actions. Second, wireless IDPS monitors wireless network traffic and analyzes wireless networking protocol activity for suspicious events. Third, network behavior analysis examines network traffic to detect serious attacks that cause unusual traffic flows. Finally, host-based IDPS looks at the characteristics of each host and the activity taking place within it to identify suspicious activity. All of these types are described below in terms of components and architecture, security capabilities and management.

The main components of an IDPS solution are the sensor or agent, the management server, the database server and the console. A sensor examines and analyzes activity. The difference between a sensor and an agent is that sensor is the term used for IDPS products that monitor networks, namely wireless, network-based and network behavior analysis, while agent is the term applied to host-based IDPS technologies. The management server is a central system that receives data from sensors and agents and manages them. The database server records information sent by agents, sensors and management servers. The last component is the console, a program that acts as the interface between IDPS administrators and users; it is installed on a laptop or standard desktop computer. IDPS components are connected to each other either over a standard network or over a separate network dedicated to security software management, known as a management network. When a management network is used, every sensor and agent host has an additional network interface, called a management interface, connected to the management network, and sensor and agent hosts are configured so that they cannot pass traffic between their management interface and their other network interfaces. The database servers, management servers and sensors are linked only to the management network. This is an effective architecture because it separates the management network from the production networks.

Almost all IDPS technologies provide a similar set of security capabilities: information gathering, logging, detection and prevention. Information gathering capabilities include collecting data about hosts or networks from the monitored activity, identifying network characteristics and determining the applications used by hosts and their operating systems. IDPSs typically record extensive logs of information about observed events. This data can be used to investigate the validity of alerts, confirm incidents and correlate events between the IDPS and other logging sources. The information includes the time and date, the type of event and ratings such as confidence, impact, severity or priority. IDPSs also offer extensive detection capabilities. Most types use a combination of detection techniques to provide accurate detection with flexible customization and tuning; examples of detection capabilities are thresholds, blacklists and whitelists, alert settings, and code viewing and editing. Thresholds are values that set the boundary between normal and abnormal behavior. A blacklist is a list of discrete entities, such as ICMP types and codes, TCP or UDP port numbers, applications, URLs, file extensions, filenames, usernames or hosts, that have previously been identified as malicious activity, while a whitelist is a list of discrete entities that have been determined to be benign. Likewise, most IDPS technologies offer various prevention capabilities, which depend on the type of IDPS, such as customizing the prevention behavior for each type of alert; this includes specifying which prevention technique is to be used as well as enabling or disabling blocking.

Typically, most IDPS products offer comparable management capabilities for implementation, operation and maintenance. When administrators select an IDPS product, they have to plan an architecture, test the IDPS components and secure those components. Architectural considerations include the placement of the security components, the architecture of the management network, compatibility with other systems and the reliability of the solution. Before a production deployment, organizations should test the performance of the components to avoid implementation problems that could damage production. Because a new product may trigger many false positives until it is fully customized and tuned, organizations should not activate all IDPS agents and sensors at once. Software-based IDPS components should be kept up to date and secured properly. Administrators should create a distinct account for every IDPS administrator and user, restrict network access to the IDPS components, and make sure that management communications are fully protected; the encryption used for this protection should be a FIPS-approved encryption algorithm. Moreover, IDPS maintenance should be continuous: updating IDPS software and signatures, fixing any vulnerabilities in the IDPS components and assessing those vulnerabilities regularly.


