Intrusion-detection system
Encyclopedia
An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station. Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts. In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSes have become a necessary addition to the security infrastructure of nearly every organization.
IDPSes typically record information related to observed events, notify security administrators of important
observed events, and produce reports. Many IDPSes can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment (e.g., reconfiguring a firewall), or changing the attack’s content.
Network intrusion detection system
(NIDS): is an independent platform that identifies intrusions by examining network traffic and monitors multiple hosts. Network intrusion detection systems gain access to network traffic by connecting to a network hub, network switch
configured for port mirroring
, or network tap
. In a NIDS, sensors are located at choke points in the network to be monitored, often in the demilitarized zone
(DMZ) or at network borders. Sensors capture all network traffic and analyzes the content of individual packets for malicious traffic. An example of a NIDS is Snort
.
Host-based intrusion detection system
(HIDS): It consists of an agent on a host that identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability databases, Access control list
s, etc.) and other host activities and state. In a HIDS, sensors usually consist of a software agent
. Some application-based IDS are also part of this category. An example of a HIDS is OSSEC
.
Intrusion detection systems can also be system-specific using custom tools and honeypots
.
.
of bandwidth is generally used, what protocols are used, what ports and devices generally connect to each other- and alert
the administrator or user when traffic is detected which is anomalous(not normal).
Fred Cohen
noted in 1984 (see Intrusion Detection
) that it is impossible to detect an intrusion in every case and that the resources needed to detect intrusions grows with the amount of usage.
Dorothy E. Denning
, assisted by Peter G. Neumann
, published a model of an IDS in 1986 that formed the basis for many systems today. Her model used statistics for anomaly detection
, and resulted in an early IDS at SRI International
named the Intrusion Detection Expert System (IDES), which ran on Sun
workstations and could consider both user and network level data. IDES had a dual approach with a rule-based Expert System
to detect known types of intrusions plus a statistical anomaly detection component based on profiles of users, host systems, and target systems. Lunt proposed adding an Artificial neural network
as a third component. She said all three components could then report to a resolver. SRI followed IDES in 1993 with the Next-generation Intrusion Detection Expert System (NIDES).
The Multics
intrusion detection and alerting system (MIDAS), an expert system using P-BEST and Lisp, was developed in 1988 based on the work of Denning and Neumann. Haystack was also developed this year using statistics to reduce audit trails.
Wisdom & Sense (W&S) was a statistics-based anomaly detector developed in 1989 at the Los Alamos National Laboratory
. W&S created rules based on statistical analysis, and then used those rules for anomaly detection.
In 1990, the Time-based Inductive Machine (TIM) did anomaly detection using inductive learning of sequential user patterns in Common Lisp
on a VAX
3500 computer. The Network Security Monitor (NSM) performed masking on access matrices for anomaly detection on a Sun-3/50 workstation. The Information Security Officer's Assistant (ISOA) was a 1990 prototype that considered a variety of strategies including statistics, a profile checker, and an expert system. ComputerWatch at AT&T Bell Labs used statistics and rules for audit data reduction and intrusion detection.
Then, in 1991, researchers at the University of California, Davis
created a prototype Distributed Intrusion Detection System (DIDS), which was also an expert system. The Network Anomaly Detection and Intrusion Reporter (NADIR), also in 1991, was a prototype IDS developed at the Los Alamos National Laboratory
's Integrated Computing Network (ICN), and was heavily influenced by the work of Denning and Lunt. NADIR used a statistics-based anomaly detector and an expert system.
The Lawrence Berkeley National Laboratory
announced Bro
in 1998, which used its own rule language for packet analysis from libpcap data. Network Flight Recorder (NFR) in 1999 also used libpcap. APE was developed as a packet sniffer, also using libpcap, in November, 1998, and was renamed Snort
one month later, and has since become the world's largest used IDS/IPS system with over 300,000 active users.
The Audit Data Analysis and Mining (ADAM) IDS in 2001 used tcpdump
to build profiles of rules for classifications.
In 2003, Dr. Yongguang Zhang and Dr. Wenke Lee argue for the importance of IDS in networks with mobile nodes.
IDPSes typically record information related to observed events, notify security administrators of important
observed events, and produce reports. Many IDPSes can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment (e.g., reconfiguring a firewall), or changing the attack’s content.
Terminology
- Alert/Alarm: A signal suggesting that a system has been or is being attacked.
- True Positive: A legitimate attack which triggers an IDS to produce an alarm.
- False Positive: An event signaling an IDS to produce an alarm when no attack has taken place.
- False Negative: A failure of an IDS to detect an actual attack.
- True Negative: When no attack has taken place and no alarm is raised.
- Noise: Data or interference that can trigger a false positive.
- Site policy: Guidelines within an organization that control the rules and configurations of an IDS.
- Site policy awareness: An IDS's ability to dynamically change its rules and configurations in response to changing environmental activity.
- Confidence value: A value an organization places on an IDS based on past performance and analysis to help determine its ability to effectively identify an attack.
- Alarm filtering: The process of categorizing attack alerts produced from an IDS in order to distinguish false positives from actual attacks.
- Attacker or Intruder: An entity who tries to find a way to gain unauthorized access to information, inflict harm or engage in other malicious activities.
- Masquerader: A user who does not have the authority to a system, but tries to access the information as an authorized user. They are generally outside users.
- Misfeasor: They are commonly internal users and can be of two types:
- An authorized user with limited permissions.
- A user with full permissions and who misuses their powers.
- Clandestine user: A user who acts as a supervisor and tries to use his privileges so as to avoid being captured.
Types
For the purpose of dealing with IT, there are two main types of IDS:Network intrusion detection system
Network intrusion detection system
A Network Intrusion Detection System is an intrusion detection system that tries to detect malicious activity such as denial of service attacks, port scans or even attempts to crack into computers by Network Security Monitoring of network traffic.A NIDS reads all the incoming packets and tries to...
(NIDS): is an independent platform that identifies intrusions by examining network traffic and monitors multiple hosts. Network intrusion detection systems gain access to network traffic by connecting to a network hub, network switch
Network switch
A network switch or switching hub is a computer networking device that connects network segments.The term commonly refers to a multi-port network bridge that processes and routes data at the data link layer of the OSI model...
configured for port mirroring
Port mirroring
Port Mirroring is used on a network switch to send a copy of network packets seen on one switch port to a network monitoring connection on another switch port. This is commonly used for network appliances that require monitoring of network traffic, such as an intrusion-detection system...
, or network tap
Network tap
A network tap is a hardware device which provides a way to access the data flowing across a computer network. In many cases, it is desirable for a third party to monitor the traffic between two points in the network. If the network between points A and B consists of a physical cable, a "network...
. In a NIDS, sensors are located at choke points in the network to be monitored, often in the demilitarized zone
Demilitarized zone (computing)
In computer security, a DMZ is a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network, usually the Internet...
(DMZ) or at network borders. Sensors capture all network traffic and analyzes the content of individual packets for malicious traffic. An example of a NIDS is Snort
Snort (software)
Snort is a free and open source network intrusion prevention system and network intrusion detection system , created by Martin Roesch in 1998...
.
Host-based intrusion detection system
Host-based intrusion detection system
A host-based intrusion detection system is an intrusion detection system that monitors and analyzes the internals of a computing system as well as the network packets on its network interfaces...
(HIDS): It consists of an agent on a host that identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability databases, Access control list
Access control list
An access control list , with respect to a computer file system, is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject...
s, etc.) and other host activities and state. In a HIDS, sensors usually consist of a software agent
Software agent
In computer science, a software agent is a piece of software that acts for a user or other program in a relationship of agency, which derives from the Latin agere : an agreement to act on one's behalf...
. Some application-based IDS are also part of this category. An example of a HIDS is OSSEC
OSSEC
OSSEC is a free, open source host-based intrusion detection system . It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting and active response. It provides intrusion detection for most operating systems, including Linux, OpenBSD, FreeBSD,...
.
Intrusion detection systems can also be system-specific using custom tools and honeypots
Honeypot (computing)
In computer terminology, a honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems...
.
Passive and/or reactive systems
In a passive system, the intrusion detection system (IDS) sensor detects a potential security breach, logs the information and signals an alert on the console and or owner. In a reactive system, also known as an intrusion prevention system (IPS), the IPS auto-responds to the suspicious activity by resetting the connection or by reprogramming the firewall to block network traffic from the suspected malicious source. The term IDPS is commonly used where this can happen automatically or at the command of an operator; systems that both "detect" (alert) and/or "prevent."Comparison with firewalls
Though they both relate to network security, an intrusion detection system (IDS) differs from a firewall in that a firewall looks outwardly for intrusions in order to stop them from happening. Firewalls limit access between networks to prevent intrusion and do not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system. This is traditionally achieved by examining network communications, identifying heuristics and patterns (often known as signatures) of common computer attacks, and taking action to alert operators. A system that terminates connections is called an intrusion prevention system, and is another form of an application layer firewallApplication layer firewall
An application firewall is a form of firewall which controls input, output, and/or access from, to, or by an application or service. It operates by monitoring and potentially blocking the input, output, or system service calls which do not meet the configured policy of the firewall...
.
Statistical anomaly and signature based IDSes
All Intrusion Detection Systems use one of two detection techniques:Statistical anomaly-based IDS
A statistical anomaly-based IDS determines normal network activity like what sortof bandwidth is generally used, what protocols are used, what ports and devices generally connect to each other- and alert
the administrator or user when traffic is detected which is anomalous(not normal).
Signature-based IDS
Signature based IDS monitors packets in the Network and compares with pre-configured and pre-determined attack patterns known as signatures. The issue is that there will be lag between the new threat discovered and Signature being applied in IDS for detecting the threat.During this lag time your IDS will be unable to identify the threat.Limitations
- Noise can severely limit an Intrusion detection system's effectiveness. Bad packets generated from software bugs, corrupt DNS data, and local packets that escaped can create a significantly high false-alarm rate.
- It is not uncommon for the number of real attacks to be far below the false-alarm rate. Real attacks are often so far below the false-alarm rate that they are often missed and ignored.
- Many attacks are geared for specific versions of software that are usually outdated. A constantly changing library of signatures is needed to mitigate threats. Outdated signature databases can leave the IDS vulnerable to new strategies.
Evasion techniques
Intrusion detection system evasion techniques bypass detection by creating different states on the IDS and on the targeted computer. The adversary accomplishes this by manipulating either the attack itself or the network traffic that contains the attack.Development
One preliminary IDS concept consisted of a set of tools intended to help administrators review audit trails. User access logs, file access logs, and system event logs are examples of audit trails.Fred Cohen
Fred Cohen
Frederick B. Cohen is an American computer scientist and best known as the inventor of computer virus defense techniques.In 1983, while a student at the University of Southern California's School of Engineering , he wrote a program for a parasitic application that seized control of computer...
noted in 1984 (see Intrusion Detection
Intrusion detection
In Information Security, intrusion detection is the act of detecting actions that attempt to compromise the confidentiality, integrity or availability of a resource. When Intrusion detection takes a preventive measure without direct human intervention, then it becomes an Intrusion-prevention...
) that it is impossible to detect an intrusion in every case and that the resources needed to detect intrusions grows with the amount of usage.
Dorothy E. Denning
Dorothy E. Denning
Dorothy Elizabeth Denning is an American information security researcher and a graduate of the University of Michigan. She has published four books and 140 articles...
, assisted by Peter G. Neumann
Peter G. Neumann
Peter G. Neumann is a researcher who has worked on the Multics operating system in the 1960s. He edits the Computer Risks columns for ACM Software Engineering Notes and Communications of the ACM. He founded ACM SIGSOFT and is a Fellow of the ACM, IEEE and AAAS.He studied at Harvard University ,...
, published a model of an IDS in 1986 that formed the basis for many systems today. Her model used statistics for anomaly detection
Anomaly detection
Anomaly detection, also referred to as outlier detection refers to detecting patterns in a given data set that do not conform to an established normal behavior....
, and resulted in an early IDS at SRI International
SRI International
SRI International , founded as Stanford Research Institute, is one of the world's largest contract research institutes. Based in Menlo Park, California, the trustees of Stanford University established it in 1946 as a center of innovation to support economic development in the region. It was later...
named the Intrusion Detection Expert System (IDES), which ran on Sun
Sun Microsystems
Sun Microsystems, Inc. was a company that sold :computers, computer components, :computer software, and :information technology services. Sun was founded on February 24, 1982...
workstations and could consider both user and network level data. IDES had a dual approach with a rule-based Expert System
Expert system
In artificial intelligence, an expert system is a computer system that emulates the decision-making ability of a human expert. Expert systems are designed to solve complex problems by reasoning about knowledge, like an expert, and not by following the procedure of a developer as is the case in...
to detect known types of intrusions plus a statistical anomaly detection component based on profiles of users, host systems, and target systems. Lunt proposed adding an Artificial neural network
Artificial neural network
An artificial neural network , usually called neural network , is a mathematical model or computational model that is inspired by the structure and/or functional aspects of biological neural networks. A neural network consists of an interconnected group of artificial neurons, and it processes...
as a third component. She said all three components could then report to a resolver. SRI followed IDES in 1993 with the Next-generation Intrusion Detection Expert System (NIDES).
The Multics
Multics
Multics was an influential early time-sharing operating system. The project was started in 1964 in Cambridge, Massachusetts...
intrusion detection and alerting system (MIDAS), an expert system using P-BEST and Lisp, was developed in 1988 based on the work of Denning and Neumann. Haystack was also developed this year using statistics to reduce audit trails.
Wisdom & Sense (W&S) was a statistics-based anomaly detector developed in 1989 at the Los Alamos National Laboratory
Los Alamos National Laboratory
Los Alamos National Laboratory is a United States Department of Energy national laboratory, managed and operated by Los Alamos National Security , located in Los Alamos, New Mexico...
. W&S created rules based on statistical analysis, and then used those rules for anomaly detection.
In 1990, the Time-based Inductive Machine (TIM) did anomaly detection using inductive learning of sequential user patterns in Common Lisp
Common Lisp
Common Lisp, commonly abbreviated CL, is a dialect of the Lisp programming language, published in ANSI standard document ANSI INCITS 226-1994 , . From the ANSI Common Lisp standard the Common Lisp HyperSpec has been derived for use with web browsers...
on a VAX
VAX
VAX was an instruction set architecture developed by Digital Equipment Corporation in the mid-1970s. A 32-bit complex instruction set computer ISA, it was designed to extend or replace DEC's various Programmed Data Processor ISAs...
3500 computer. The Network Security Monitor (NSM) performed masking on access matrices for anomaly detection on a Sun-3/50 workstation. The Information Security Officer's Assistant (ISOA) was a 1990 prototype that considered a variety of strategies including statistics, a profile checker, and an expert system. ComputerWatch at AT&T Bell Labs used statistics and rules for audit data reduction and intrusion detection.
Then, in 1991, researchers at the University of California, Davis
University of California, Davis
The University of California, Davis is a public teaching and research university established in 1905 and located in Davis, California, USA. Spanning over , the campus is the largest within the University of California system and third largest by enrollment...
created a prototype Distributed Intrusion Detection System (DIDS), which was also an expert system. The Network Anomaly Detection and Intrusion Reporter (NADIR), also in 1991, was a prototype IDS developed at the Los Alamos National Laboratory
Los Alamos National Laboratory
Los Alamos National Laboratory is a United States Department of Energy national laboratory, managed and operated by Los Alamos National Security , located in Los Alamos, New Mexico...
's Integrated Computing Network (ICN), and was heavily influenced by the work of Denning and Lunt. NADIR used a statistics-based anomaly detector and an expert system.
The Lawrence Berkeley National Laboratory
Lawrence Berkeley National Laboratory
The Lawrence Berkeley National Laboratory , is a U.S. Department of Energy national laboratory conducting unclassified scientific research. It is located on the grounds of the University of California, Berkeley, in the Berkeley Hills above the central campus...
announced Bro
Bro (software)
Bro is an open source Unix based Network intrusion detection system . It is released under the BSD license.Bro was originally written by Vern Paxson.-External links:* *...
in 1998, which used its own rule language for packet analysis from libpcap data. Network Flight Recorder (NFR) in 1999 also used libpcap. APE was developed as a packet sniffer, also using libpcap, in November, 1998, and was renamed Snort
Snort (software)
Snort is a free and open source network intrusion prevention system and network intrusion detection system , created by Martin Roesch in 1998...
one month later, and has since become the world's largest used IDS/IPS system with over 300,000 active users.
The Audit Data Analysis and Mining (ADAM) IDS in 2001 used tcpdump
Tcpdump
tcpdump is a common packet analyzer that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached...
to build profiles of rules for classifications.
In 2003, Dr. Yongguang Zhang and Dr. Wenke Lee argue for the importance of IDS in networks with mobile nodes.
See also
- Anomaly-based intrusion detection systemAnomaly-based intrusion detection systemAn Anomaly-Based Intrusion Detection System, is a system for detecting computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous. The classification is based on heuristics or rules, rather than patterns or signatures, and will detect any type of...
- Application protocol-based intrusion detection systemApplication Protocol-based Intrusion Detection SystemAn application protocol-based intrusion detection system is an intrusion detection system that focuses its monitoring and analysis on a specific application protocol or protocols in use by the computing system.- Overview :...
(APIDS) - Artificial immune systemArtificial immune systemIn computer science, Artificial immune systems are a class of computationally intelligent systems inspired by the principles and processes of the vertebrate immune system...
- Autonomous Agents for Intrusion DetectionAAFIDAAFID stands for Autonomous Agents for Intrusion Detection, a distributed intrusion detection system. In this architecture, nodes of the ids are arranged in a hierarchical structure in a tree...
- Host-based intrusion detection systemHost-based intrusion detection systemA host-based intrusion detection system is an intrusion detection system that monitors and analyzes the internals of a computing system as well as the network packets on its network interfaces...
(HIDS) - Intrusion prevention system (IPS)
- Network intrusion detection systemNetwork intrusion detection systemA Network Intrusion Detection System is an intrusion detection system that tries to detect malicious activity such as denial of service attacks, port scans or even attempts to crack into computers by Network Security Monitoring of network traffic.A NIDS reads all the incoming packets and tries to...
(NIDS) - Protocol-based intrusion detection systemProtocol-based intrusion detection SystemA protocol-based intrusion detection system is an intrusion detection system which is typically installed on a web server, and is used in the monitoring and analysis of the protocol in use by the computing system...
(PIDS) - Security ManagementSecurity ManagementSecurity Management magazine is the monthly publication of ASIS International . The publication combines feature articles on topics such as terrorism and corporate espionage with staff-written departments covering news and trends, homeland security, IT security, and legal developments.-External...
Free Intrusion Detection Systems
- AIDE
- Bro NIDSBro (software)Bro is an open source Unix based Network intrusion detection system . It is released under the BSD license.Bro was originally written by Vern Paxson.-External links:* *...
- OSSEC HIDSOSSECOSSEC is a free, open source host-based intrusion detection system . It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting and active response. It provides intrusion detection for most operating systems, including Linux, OpenBSD, FreeBSD,...
- Prelude Hybrid IDSPrelude Hybrid IDSPrelude is an "agentless", universal, security information management system, released under the terms of the GNU General Public License....
- Samhain
- SnortSnort (software)Snort is a free and open source network intrusion prevention system and network intrusion detection system , created by Martin Roesch in 1998...
- SuricataSuricata (software)Suricata is an open source-based intrusion detection system . It was developed by the Open Information Security Foundation . A beta version was released in December 2009, with the first standard release following in July 2010.-Features:...