In 1980, James Anderson's paper, Computer Security Threat Monitoring and Surveillance, introduced the notion of intrusion detection. Government funding and serious corporate interest then allowed intrusion detection systems (IDS) to develop into their current state. So what exactly is an IDS? An IDS is used to detect malicious network traffic and computer usage by matching them against attack signatures. The IDS watches not only for attacks carried in incoming internet traffic but also for attacks that originate inside the system. When a potential attack is detected, the IDS logs the information and sends an alert to the console. How the alert is detected and handled depends on the type of IDS in place. In this paper we will discuss the different types of IDS and how they detect and handle alerts, the difference between a passive and a reactive system, and some general IDS evasion techniques.
First, let's go over the difference between a passive and a reactive IDS. In a passive IDS, the sensor detects a potential threat, then logs the information and sends an alert to the console. With a reactive IDS, also known as an intrusion prevention system (IPS), the threat is detected and logged, and then the system either resets the connection or reprograms the firewall to block network traffic from the suspected source; this can happen automatically or under the control of an operator. A reactive system therefore acts in response to the threat, whereas a passive system only logs it and sends an alert to the console informing the operator of the threat.
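The passive/reactive distinction above is easiest to see in code. The following is an added illustration, not code from the paper: a toy signature-based IDS that inspects constructed traffic records, logs an alert for every signature hit, and in reactive (IPS) mode additionally blocks the offending source, simulated here as a blocklist rather than a real firewall rule. The record format, the two signatures and the sample traffic are all assumptions made for the demonstration.

```python
"""Toy signature-based IDS with passive and reactive modes (added example)."""
from dataclasses import dataclass, field
import re

# Constructed signatures: a name and a regex matched against a record's
# payload summary. Real IDS rule languages are far richer than this.
SIGNATURES = {
    "ssh-brute-force": re.compile(r"ssh .*auth failure", re.I),
    "sqli-probe": re.compile(r"union\s+select", re.I),
}


@dataclass
class Record:
    src: str        # source address
    dst: str        # destination address
    direction: str  # "inbound" (from the internet) or "internal"
    payload: str    # constructed summary of what the sensor saw


@dataclass
class IDS:
    reactive: bool = False
    alerts: list = field(default_factory=list)   # the "console" log
    blocked: set = field(default_factory=set)    # simulated firewall block list

    def inspect(self, rec):
        """Match one record against the signatures.

        Passive mode only logs and alerts. Reactive mode (IPS) also blocks
        the source. Returns the signature name hit, "dropped" for traffic
        from an already-blocked source, or None when nothing matched.
        """
        if rec.src in self.blocked:
            # A reactive system drops traffic from sources it already blocked.
            return "dropped"
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec.payload):
                self.alerts.append((name, rec.src, rec.dst, rec.direction))
                if self.reactive:
                    self.blocked.add(rec.src)
                return name
        return None

    def run(self, records):
        return [self.inspect(r) for r in records]


# Constructed sample traffic; the third record is an attack that originates
# inside the network, which the IDS watches for as well.
SAMPLE = [
    Record("203.0.113.7", "10.0.0.5", "inbound", "ssh login auth failure for root"),
    Record("203.0.113.7", "10.0.0.5", "inbound", "ssh login auth failure for admin"),
    Record("10.0.0.9", "10.0.0.20", "internal", "GET /items?id=1 UNION SELECT 1,2"),
    Record("198.51.100.2", "10.0.0.5", "inbound", "GET /index.html"),
]


def demo(reactive):
    """Run the sample traffic through an IDS in the given mode."""
    ids = IDS(reactive=reactive)
    return ids.run(SAMPLE), ids


if __name__ == "__main__":
    for mode in (False, True):
        verdicts, ids = demo(mode)
        print("reactive" if mode else "passive", verdicts, sorted(ids.blocked))
```

In passive mode every matching record produces an alert and nothing else changes; in reactive mode the second SSH record is dropped before inspection because its source was blocked on the first hit, so the console sees fewer alerts but the traffic never reaches the host.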
There are many types of intrusion detection systems: network intrusion detection, host based, protocol based, application protocol based, anomaly based and hybrid. The first one we are going to discuss is the network intrusion detection system, or NIDS. With a NIDS the system attempts to detect threats and attacks, such as denial of service attacks, port scans and attempts