Intrusion detection
Encyclopedia
In Information Security
, intrusion detection is the act of detecting actions that attempt to compromise the confidentiality
, integrity
or availability
of a resource. When Intrusion detection takes a preventive measure without direct human intervention, then it becomes an Intrusion-prevention system
.
Intrusion detection can be performed manually or automatically. Manual intrusion detection might take place by examining log files or other evidence for signs of intrusions, including network traffic. A system that performs automated intrusion detection is called an Intrusion Detection System
(IDS). An IDS can be either host-based
, if it monitors system calls or logs, or network-based
if it monitors the flow of network packets. Modern IDSs are usually a combination of these two approaches. Another important distinction is between systems that identify patterns of traffic or application data presumed to be malicious (misuse detection systems), and systems that compare activities against a 'normal' baseline (anomaly detection systems
).
When a probable intrusion is discovered by an IDS, typical actions to perform would be logging relevant information to a file
or database
, generating an email
alert, or generating a message to a pager
or mobile phone.
Determining what the probable intrusion actually is and taking some form of action to stop it or prevent it from happening again are usually outside the scope of intrusion detection. However, some forms of automatic reaction can be implemented through the interaction of Intrusion Detection Systems and access control systems such as firewalls.
Some authors classify the identification of attack attempts at the source system as extrusion detection
(also known as outbound intrusion detection) techniques.
Intrusion prevention is an evolution of intrusion detection.
and NP-hard
. In layman's terms, this means that it is impossible to detect every type of an intrusion in every type of case, and that the resources needed to detect intrusions grows with the amount of network traffic.
Paul Helman, et al. in 1992 used a scale of 0 to 1 to represent normal behavior (0) to misuse (1). The purpose of an Intrusion detection system is to provide this rating for computer activities. Helman showed that problems in doing this include imperfect and incomplete information, plus the large number, estimated at 10100, of potential events. When groupings are done to reduce the number of possible events, this becomes an NP-Hard
problem to reduce singleton groups. Helman calls the above a modeling approach. An alternative is non-modeling approaches which include heuristics, clustering algorithms, and statistics.
(NIDS) is one common type of IDS that analyzes network traffic at all layers of the Open Systems Interconnection
(OSI) model and makes decisions about the purpose of the traffic, analyzing for suspicious activity. Most NIDSs are easy to deploy on a network and can often view traffic from many systems at once. A term becoming more widely used by vendors is “Wireless intrusion prevention system” (WIPS) to describe a network device that monitors and analyzes the wireless radio spectrum in a network for intrusions and performs countermeasures.
(NBAD) views traffic on network segments to determine if anomalies exist in the amount or type of traffic. Segments that usually see very little traffic or segments that see only a particular type of traffic may transform the amount or type of traffic if an unwanted event occurs. NBAD requires several sensors to create a good snapshot of a network and requires benchmarking and base-lining to determine the nominal amount of a segment’s traffic.
(HIDS) analyze network traffic and system-specific settings such as software calls, local security policy, local log audits, and more. A HIDS must be installed on each machine and requires configuration specific to that
operating system and software.
configure. However, an attacker can slightly modify an attack to render it undetectable by a signature based IDS. Still, signature-based detection, although limited in its detection capability, can be very accurate.
"Network Intrusion Detection", 3rd ed. ISBN 0-7357-1265-4
Information security
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction....
, intrusion detection is the act of detecting actions that attempt to compromise the confidentiality
Confidentiality
Confidentiality is an ethical principle associated with several professions . In ethics, and in law and alternative forms of legal resolution such as mediation, some types of communication between a person and one of these professionals are "privileged" and may not be discussed or divulged to...
, integrity
Integrity
Integrity is a concept of consistency of actions, values, methods, measures, principles, expectations, and outcomes. In ethics, integrity is regarded as the honesty and truthfulness or accuracy of one's actions...
or availability
Availability
In telecommunications and reliability theory, the term availability has the following meanings:* The degree to which a system, subsystem, or equipment is in a specified operable and committable state at the start of a mission, when the mission is called for at an unknown, i.e., a random, time...
of a resource. When Intrusion detection takes a preventive measure without direct human intervention, then it becomes an Intrusion-prevention system
Intrusion-prevention system
Intrusion Prevention Systems , also known as Intrusion Detection and Prevention Systems , are network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information...
.
Intrusion detection can be performed manually or automatically. Manual intrusion detection might take place by examining log files or other evidence for signs of intrusions, including network traffic. A system that performs automated intrusion detection is called an Intrusion Detection System
Intrusion-detection system
An intrusion detection system is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station. Some systems may attempt to stop an intrusion attempt but this is neither required nor...
(IDS). An IDS can be either host-based
Host-based intrusion detection system
A host-based intrusion detection system is an intrusion detection system that monitors and analyzes the internals of a computing system as well as the network packets on its network interfaces...
, if it monitors system calls or logs, or network-based
Network intrusion detection system
A Network Intrusion Detection System is an intrusion detection system that tries to detect malicious activity such as denial of service attacks, port scans or even attempts to crack into computers by Network Security Monitoring of network traffic.A NIDS reads all the incoming packets and tries to...
if it monitors the flow of network packets. Modern IDSs are usually a combination of these two approaches. Another important distinction is between systems that identify patterns of traffic or application data presumed to be malicious (misuse detection systems), and systems that compare activities against a 'normal' baseline (anomaly detection systems
Anomaly-based intrusion detection system
An Anomaly-Based Intrusion Detection System, is a system for detecting computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous. The classification is based on heuristics or rules, rather than patterns or signatures, and will detect any type of...
).
When a probable intrusion is discovered by an IDS, typical actions to perform would be logging relevant information to a file
Computer file
A computer file is a block of arbitrary information, or resource for storing information, which is available to a computer program and is usually based on some kind of durable storage. A file is durable in the sense that it remains available for programs to use after the current program has finished...
or database
Database
A database is an organized collection of data for one or more purposes, usually in digital form. The data are typically organized to model relevant aspects of reality , in a way that supports processes requiring this information...
, generating an email
Email
Electronic mail, commonly known as email or e-mail, is a method of exchanging digital messages from an author to one or more recipients. Modern email operates across the Internet or other computer networks. Some early email systems required that the author and the recipient both be online at the...
alert, or generating a message to a pager
Pager
A pager is a simple personal telecommunications device for short messages. A one-way numeric pager can only receive a message consisting of a few digits, typically a phone number that the user is then requested to call...
or mobile phone.
Determining what the probable intrusion actually is and taking some form of action to stop it or prevent it from happening again are usually outside the scope of intrusion detection. However, some forms of automatic reaction can be implemented through the interaction of Intrusion Detection Systems and access control systems such as firewalls.
Some authors classify the identification of attack attempts at the source system as extrusion detection
Extrusion detection
Extrusion detection or outbound intrusion detection is a branch of intrusion detection aimed at developing mechanisms to identify successful and unsuccessful attempts to use the resources of a computer system to compromise other systems...
(also known as outbound intrusion detection) techniques.
Intrusion prevention is an evolution of intrusion detection.
Theory
Fred Cohen published in 1984 that detection of computer viruses is undecidableUndecidable
Undecidable may refer to:In mathematics and logic* Undecidable problem - a decision problem which no algorithm can decide* "Undecidable" is sometimes used as a synonym of "independent", where a formula in mathematical logic is independent of a logical theory if neither that formula nor its negation...
and NP-hard
NP-hard
NP-hard , in computational complexity theory, is a class of problems that are, informally, "at least as hard as the hardest problems in NP". A problem H is NP-hard if and only if there is an NP-complete problem L that is polynomial time Turing-reducible to H...
. In layman's terms, this means that it is impossible to detect every type of an intrusion in every type of case, and that the resources needed to detect intrusions grows with the amount of network traffic.
Paul Helman, et al. in 1992 used a scale of 0 to 1 to represent normal behavior (0) to misuse (1). The purpose of an Intrusion detection system is to provide this rating for computer activities. Helman showed that problems in doing this include imperfect and incomplete information, plus the large number, estimated at 10100, of potential events. When groupings are done to reduce the number of possible events, this becomes an NP-Hard
NP-hard
NP-hard , in computational complexity theory, is a class of problems that are, informally, "at least as hard as the hardest problems in NP". A problem H is NP-hard if and only if there is an NP-complete problem L that is polynomial time Turing-reducible to H...
problem to reduce singleton groups. Helman calls the above a modeling approach. An alternative is non-modeling approaches which include heuristics, clustering algorithms, and statistics.
Technologies
Several types of IDS technologies exist due to the variance of network configurations. Each type has advantages and disadvantage in detection, configuration, and cost. Specific categories will be discussed in detail in Section 3, Technologies.Network-based
A Network intrusion detection systemNetwork intrusion detection system
A Network Intrusion Detection System is an intrusion detection system that tries to detect malicious activity such as denial of service attacks, port scans or even attempts to crack into computers by Network Security Monitoring of network traffic.A NIDS reads all the incoming packets and tries to...
(NIDS) is one common type of IDS that analyzes network traffic at all layers of the Open Systems Interconnection
Open Systems Interconnection
Open Systems Interconnection is an effort to standardize networking that was started in 1977 by the International Organization for Standardization , along with the ITU-T.-History:...
(OSI) model and makes decisions about the purpose of the traffic, analyzing for suspicious activity. Most NIDSs are easy to deploy on a network and can often view traffic from many systems at once. A term becoming more widely used by vendors is “Wireless intrusion prevention system” (WIPS) to describe a network device that monitors and analyzes the wireless radio spectrum in a network for intrusions and performs countermeasures.
Wireless
A wireless local area network (WLAN) IDS is similar to NIDS in that it can analyze network traffic. However, it will also analyze wireless-specific traffic, including scanning for external users trying to connect to access points (AP), rogue APs, users outside the physical area of the company, and WLAN IDSs built into APs. As networks increasingly support wireless technologies at various points of a topology, WLAN IDS will play larger roles in security. Many previous NIDS tools will include enhancements to support wireless traffic analysis.Network Behavior Anomaly Detection
Network Behavior Anomaly DetectionNetwork Behavior Anomaly Detection
-Network Behavior Anomaly Detection :Network behavior anomaly detection is a solution for helping protection against zero-day attacks on the network.NBAD is the continuous monitoring of a network for unusual events or trends...
(NBAD) views traffic on network segments to determine if anomalies exist in the amount or type of traffic. Segments that usually see very little traffic or segments that see only a particular type of traffic may transform the amount or type of traffic if an unwanted event occurs. NBAD requires several sensors to create a good snapshot of a network and requires benchmarking and base-lining to determine the nominal amount of a segment’s traffic.
Host-based
Host-based intrusion detection systemHost-based intrusion detection system
A host-based intrusion detection system is an intrusion detection system that monitors and analyzes the internals of a computing system as well as the network packets on its network interfaces...
(HIDS) analyze network traffic and system-specific settings such as software calls, local security policy, local log audits, and more. A HIDS must be installed on each machine and requires configuration specific to that
operating system and software.
Signature based detection
An IDS can use signature-based detection, relying on known traffic data to analyze potentially unwanted traffic. This type of detection is very fast and easy toconfigure. However, an attacker can slightly modify an attack to render it undetectable by a signature based IDS. Still, signature-based detection, although limited in its detection capability, can be very accurate.
Anomaly based detection
An IDS that looks at network traffic and detects data that is incorrect, not valid, or generally abnormal is called anomaly-based detection. This method is useful for detecting unwanted traffic that is not specifically known. For instance, an anomaly-based IDS will detect that an Internet protocol (IP) packet is malformed. It does not detect that it is malformed in a specific way, but indicates that it is anomalous.Stateful Protocol Inspection
Stateful protocol inspection is similar to anomaly based detection, but it can also analyze traffic at the network and transport layer and vendor-specific traffic at the application layer, which anomaly-based detection cannot do.Resources
For more information about intrusion detection and intrusion prevention:"Network Intrusion Detection", 3rd ed. ISBN 0-7357-1265-4