Top-Rated Free Essay
Preview

Intrusion Detection Systems

Best Essays
2701 Words
Grammar
Grammar
Plagiarism
Plagiarism
Writing
Writing
Score
Score
Intrusion Detection Systems
HideWikipedia is getting a new look.Help us find bugs and complete user interface translations (before 25/08/2010).
Intrusion detection system
From Wikipedia, the free encyclopediaJump to: navigation, search
An Intrusion Detection System (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station.[1] Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents.[1] Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.[1] In addition, organizations use IDPSs for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies.[1] IDPSs have become a necessary addition to the security infrastructure of nearly every organization.[1]

IDPSs typically record information related to observed events, notify security administrators of important observed events, and produce reports.[1] Many IDPSs can also respond to a detected threat by attempting to prevent it from succeeding.[1] They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment (e.g., reconfiguring a firewall), or changing the attack’s content.[1]

Contents [hide]
1 IDS Terminology
1.1 Types of intrusion detection systems
2 Passive and/or reactive systems
3 Comparison with firewalls
4 Statistical anomaly and signature based IDSes
5 Limitations
6 IDS evasion techniques
7 Development
8 See also
9 Free Intrusion Detection Systems
10 References
11 Further readings
12 External links [edit] IDS Terminology
Alert/Alarm: A signal suggesting that a system has been or is being attacked.[2]
True Positive: A legitimate attack which triggers an IDS to produce an alarm.[2]
False Positive: An event signaling an IDS to produce an alarm when no attack has taken place.[2]
False Negative: A failure of an IDS to detect an actual attack.[2]
True Negative: When no attack has taken place and no alarm is raised.
Noise: Data or interference that can trigger a false positive.[2]
Site policy: Guidelines within an organization that control the rules and configurations of an IDS.[2]
Site policy awareness: The ability an IDS has to dynamically change its rules and configurations in response to changing environmental activity.[2]
Confidence value: A value an organization places on an IDS based on past performance and analysis to help determine its ability to effectively identify an attack.[2]
Alarm filtering: The process of categorizing attack alerts produced from an IDS in order to distinguish false positives from actual attacks.[2]
Attacker or Intruder: An entity who tries to find a way to gain unauthorized access to hack information, inflict harm or engage in other malicious activities.
Masquerader: A user who does not have the authority to a system, but tries to access the information as an authorized user. They are generally outside users.
Misfeasor: They are commonly internal users and can be of two types:
1.An authorized user with limited permissions.
2.A user with full permissions and who misuse his powers.
Clandestine user: A user who acts as a supervisor and tries to use his privileges so as to avoid being captured.
[edit] Types of intrusion detection systems
For the purpose of dealing with IT, there are two main types of IDS:

Network intrusion detection system (NIDS)
It is an independent platform that identifies intrusions by examining network traffic and monitors multiple hosts. Network intrusion detection systems gain access to network traffic by connecting to a network hub, network switch configured for port mirroring, or network tap. In a NIDS, sensors are located at choke points in the network to be monitored, often in the demilitarized zone (DMZ) or at network borders. Sensors captures all network traffic and analyzes the content of individual packets for malicious traffic. An example of a NIDS is Snort.
Host-based intrusion detection system (HIDS)
It consists of an agent on a host that identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability databases, Access control lists, etc.) and other host activities and state. In a HIDS, sensors usually consist of a software agent. Some application-based IDS are also part of this category. An example of a HIDS is OSSEC.
Intrusion detection systems can also be system-specific using custom tools and honeypots. In the case of physical building security, IDS is defined as an alarm system designed to detect unauthorized entry.

[edit] Passive and/or reactive systems
In a passive system, the intrusion detection system (IDS) sensor detects a potential security breach, logs the information and signals an alert on the console and or owner. In a reactive system, also known as an intrusion prevention system (IPS), the IPS auto-responds to the suspicious activity by resetting the connection or by reprogramming the firewall to block network traffic from the suspected malicious source. The term IDPS is commonly used where this can happen automatically or at the command of an operator; systems that both "detect" (alert) and/or "prevent."

[edit] Comparison with firewalls
Though they both relate to network security, an intrusion detection system (IDS) differs from a firewall in that a firewall looks outwardly for intrusions in order to stop them from happening. Firewalls limit access between networks to prevent intrusion and do not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system. This is traditionally achieved by examining network communications, identifying heuristics and patterns (often known as signatures) of common computer attacks, and taking action to alert operators. A system that terminates connections is called an intrusion prevention system, and is another form of an application layer firewall.

[edit] Statistical anomaly and signature based IDSes
All Intrusion Detection Systems use one of two detection techniques:

Statistical anomaly-based IDS
A statistical anomaly-based IDS establishes a performance baseline based on normal network traffic evaluations. It will then sample current network traffic activity to this baseline in order to detect whether or not it is within baseline parameters. If the sampled traffic is outside baseline parameters, an alarm will be triggered.[2]
Signature-based IDS
Network traffic is examined for preconfigured and predetermined attack patterns known as signatures. Many attacks today have distinct signatures. In good security practice, a collection of these signatures must be constantly updated to mitigate emerging threats.[2]
[edit] Limitations
Noise
Noise can severely limit an Intrusion detection systems effectiveness. Bad packets generated from software bugs, corrupt DNS data, and local packets that escaped can create a significantly high false-alarm rate.[3]
Too few attacks
It is not uncommon for the number of real attacks to be far below the false-alarm rate. Real attacks are often so far below the false-alarm rate that they are often missed and ignored.[3]
Signature updates
Many attacks are geared for specific versions of software that are usually outdated. A constantly changing library of signatures is needed to mitigate threats. Outdated signature databases can leave the IDS vulnerable to new strategies.[3]
[edit] IDS evasion techniques
Intrusion detection system evasion techniques bypass detection by creating different states on the IDS and on the targeted computer. The adversary accomplishes this by manipulating either the attack itself or the network traffic that contains the attack.

[edit] Development
A preliminary concept of an IDS began with James P. Anderson and reviews of audit trails.[4] An example of an audit trail would be a log of user access.

Fred Cohen noted in 1984 (see Intrusion Detection) that it is impossible to detect an intrusion in every case and that the resources needed to detect intrusions grows with the amount of usage.

Dorothy E. Denning, assisted by Peter G. Neumann, published a model of an IDS in 1986 that formed the basis for many systems today.[5] Her model used statistics for anomaly detection, and resulted in an early IDS at SRI International named the Intrusion Detection Expert System (IDES), which ran on Sun workstations and could consider both user and network level data.[6] IDES had a dual approach with a rule-based Expert System to detect known types of intrusions plus a statistical anomaly detection component based on profiles of users, host systems, and target systems. Lunt proposed adding an Artificial neural network as a third component. She said all three components could then report to a resolver. SRI followed IDES in 1993 with the Next-generation Intrusion Detection Expert System (NIDES).[7]

The Multics intrusion detection and alerting system (MIDAS), an expert system using P-BEST and LISP, was developed in 1988 based on the work of Denning and Neumann.[8] Haystack was also developed this year using statistics to reduce audit trails.[9]

Wisdom & Sense (W&S) was a statistics-based anomaly detector developed in 1989 at the Los Alamos National Laboratory.[10] W&S created rules based on statistical analysis, and then used those rules for anomaly detection.

In 1990, the Time-based Inductive Machine (TIM) did anomaly detection using inductive learning of sequential user patterns in Common LISP on a VAX 3500 computer.[11] The Network Security Monitor (NSM) performed masking on access matrices for anomaly detection on a Sun-3/50 workstation.[12] The Information Security Officer 's Assistant (ISOA) was a 1990 prototype that considered a variety of strategies including statistics, a profile checker, and an expert system.[13] ComputerWatch at AT&T Bell Labs used statistics and rules for audit data reduction and intrusion detection.[14]

Then, in 1991, researchers at the University of California, Davis created a prototype Distributed Intrusion Detection System (DIDS), which was also an expert system.[15] The Network Anomaly Detection and Intrusion Reporter (NADIR), also in 1991, was a prototype IDS developed at the Los Alamos National Laboratory 's Integrated Computing Network (ICN), and was heavily influenced by the work of Denning and Lunt.[16] NADIR used a statistics-based anomaly detector and an expert system.

The Lawrence Berkeley National Laboratory announced Bro in 1998, which used its own rule language for packet analysis from libpcap data.[17] Network Flight Recorder (NFR) in 1999 also used libpcap.[18] APE was developed as a packet sniffer, also using libpcap, in November, 1998, and was renamed Snort one month later, and has since become the world 's largest used IDS/IPS system with over 300,000 active users.[19]

The Audit Data Analysis and Mining (ADAM) IDS in 2001 used tcpdump to build profiles of rules for classifications.[20]

In 2003 Dr. Wenke Lee argues for the importance of IDS in networks with mobile nodes.[21]

[edit] See also
Anomaly-based intrusion detection system
Application protocol-based intrusion detection system (APIDS)
Artificial immune system
Autonomous Agents for Intrusion Detection
Host-based intrusion detection system (HIDS)
Intrusion prevention system (IPS)
Network intrusion detection system (NIDS)
Protocol-based intrusion detection system (PIDS)
Security Management
[edit] Free Intrusion Detection Systems
Bro NIDS
OSSEC HIDS
Prelude Hybrid IDS
Snort
Suricata
[edit] References This article incorporates public domain material from the National Institute of Standards and Technology document "Guide to Intrusion Detection and Prevention Systems, SP800-94" by Karen Scarfone, Peter Mell (retrieved on 1 January 2010).

1.^ a b c d e f g h Scarfone, Karen; Mell, Peter (February 2007). "Guide to Intrusion Detection and Prevention Systems (IDPS)". Computer Security Resource Center (National Institute of Standards and Technology) (800-94). http://csrc.ncsl.nist.gov/publications/nistpubs/800-94/SP800-94.pdf. Retrieved 1 January 2010.
2.^ a b c d e f g h i j k Whitman, Michael E.; Mattord, Herbert J. (2008). Principles of Information Security. Course Technology. pp. 290–301. ISBN 9781423901778.
3.^ a b c Anderson, Ross (2001). Security Engineering: A Guide to Building Dependable Distributed Systems. New York: John Wiley & Sons. pp. 387–388. ISBN 9780471389224.
4.^ Anderson, James P., "Computer Security Threat Monitoring and Surveillance," Washing, PA, James P. Anderson Co., 1980.
5.^ Denning, Dorothy E., "An Intrusion Detection Model," Proceedings of the Seventh IEEE Symposium on Security and Privacy, May 1986, pages 119–131
6.^ Lunt, Teresa F., "IDES: An Intelligent System for Detecting Intruders," Proceedings of the Symposium on Computer Security; Threats, and Countermeasures; Rome, Italy, November 22–23, 1990, pages 110–121.
7.^ Lunt, Teresa F., "Detecting Intruders in Computer Systems," 1993 Conference on Auditing and Computer Technology, SRI International
8.^ Sebring, Michael M., and Whitehurst, R. Alan., "Expert Systems in Intrusion Detection: A Case Study," The 11th National Computer Security Conference, October, 1988
9.^ Smaha, Stephen E., "Haystack: An Intrusion Detection System," The Fourth Aerospace Computer Security Applications Conference, Orlando, FL, December, 1988
10.^ Vaccaro, H.S., and Liepins, G.E., "Detection of Anomalous Computer Session Activity," The 1989 IEEE Symposium on Security and Privacy, May, 1989
11.^ Teng, Henry S., Chen, Kaihu, and Lu, Stephen C-Y, "Adaptive Real-time Anomaly Detection Using Inductively Generated Sequential Patterns," 1990 IEEE Symposium on Security and Privacy
12.^ Heberlein, L. Todd, Dias, Gihan V., Levitt, Karl N., Mukherjee, Biswanath, Wood, Jeff, and Wolber, David, "A Network Security Monitor," 1990 Symposium on Research in Security and Privacy, Oakland, CA, pages 296–304
13.^ Winkeler, J.R., "A UNIX Prototype for Intrusion and Anomaly Detection in Secure Networks," The Thirteenth National Computer Security Conference, Washington, DC., pages 115–124, 1990
14.^ Dowell, Cheri, and Ramstedt, Paul, "The ComputerWatch Data Reduction Tool," Proceedings of the 13th National Computer Security Conference, Washington, D.C., 1990
15.^ Snapp, Steven R, Brentano, James, Dias, Gihan V., Goan, Terrance L., Heberlein, L. Todd, Ho, Che-Lin, Levitt, Karl N., Mukherjee, Biswanath, Smaha, Stephen E., Grance, Tim, Teal, Daniel M. and Mansur, Doug, "DIDS (Distributed Intrusion Detection System) -- Motivation, Architecture, and An Early Prototype," The 14th National Computer Security Conference, October, 1991, pages 167–176.
16.^ Jackson, Kathleen, DuBois, David H., and Stallings, Cathy A., "A Phased Approach to Network Intrusion Detection," 14th National Computing Security Conference, 1991
17.^ Paxson, Vern, "Bro: A System for Detecting Network Intruders in Real-Time," Proceedings of The 7th USENIX Security Symposium, San Antonio, TX, 1998
18.^ Amoroso, Edward, "Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Trace Back, Traps, and Response," Intrusion.Net Books, Sparta, New Jersey, 1999, ISBN 0-9666700-7-8
19.^ Kohlenberg, Toby (Ed.), Alder, Raven, Carter, Dr. Everett F. (Skip), Jr., Esler, Joel., Foster, James C., Jonkman Marty, Raffael, and Poor, Mike, "Snort IDS and IPS Toolkit," Syngress, 2007, ISBN 978-1-59749-099-3
20.^ Barbara, Daniel, Couto, Julia, Jajodia, Sushil, Popyack, Leonard, and Wu, Ningning, "ADAM: Detecting Intrusions by Data Mining," Proceedings of the IEEE Workshop on Information Assurance and Security, West Point, NY, June 5–6, 2001
21.^ Intrusion Detection Techniques for Mobile Wireless Networks, ACM WINET 2003
[edit] Further readings
Scarfone, Karen; Mell, Peter (February 2007). "Guide to Intrusion Detection and Prevention Systems (IDPS)". Computer Security Resource Center (National Institute of Standards and Technology) (800-94). http://csrc.ncsl.nist.gov/publications/nistpubs/800-94/SP800-94.pdf. Retrieved 1 January 2010.
"Intrusion Detection/Prevention Systems classification tree". IPsec.pl. http://ipsec.pl/intrusion-detection/prevention-systems-classification-tree.html. Retrieved 30 July 2010.
Bezroukov, Nikolai (11 December 2008). "Architectural Issues of Intrusion Detection Infrastructure in Large Enterprises (Revision 0.82)". Softpanorama. http://www.softpanorama.org/Articles/architectural_issues_of_intrusion_detection_infrastructure.shtml. Retrieved 30 July 2010.
[edit] External links
Intrusion Detection Systems at the Open Directory Project
Retrieved from "http://en.wikipedia.org/wiki/Intrusion_detection_system"
Categories: Intrusion detection system
Hidden categories: Wikipedia articles incorporating text from the National Institute of Standards and TechnologyPersonal tools
New featuresLog in / create accountNamespaces
ArticleDiscussionVariantsViews
ReadEditView historyActions
Search

Navigation
Main pageContentsFeatured contentCurrent eventsRandom articleInteraction
About WikipediaCommunity portalRecent changesContact WikipediaDonate to WikipediaHelpToolbox
What links hereRelated changesUpload fileSpecial pagesPermanent linkCite this page
Print/export
Create a bookDownload as PDFPrintable version
Languages
العربيةČeskyDeutschEspañolEuskaraFrançais한국어Bahasa IndonesiaItalianoNederlands日本語PolskiPortuguêsРусскийSuomiSve

nskaTürkçe中文سنڌيThis page was last modified on 5 August 2010 at 02:01.

Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. See Terms of Use for details.
Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc., a non-profit organization.

Contact us
Privacy policyAbout WikipediaDisclaimers

References: This article incorporates public domain material from the National Institute of Standards and Technology document "Guide to Intrusion Detection and Prevention Systems, SP800-94" by Karen Scarfone, Peter Mell (retrieved on 1 January 2010). 18.^ Amoroso, Edward, "Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Trace Back, Traps, and Response," Intrusion.Net Books, Sparta, New Jersey, 1999, ISBN 0-9666700-7-8 19.^ Kohlenberg, Toby (Ed.), Alder, Raven, Carter, Dr [edit] Further readings Scarfone, Karen; Mell, Peter (February 2007) "Intrusion Detection/Prevention Systems classification tree". IPsec.pl. http://ipsec.pl/intrusion-detection/prevention-systems-classification-tree.html. Retrieved 30 July 2010. Bezroukov, Nikolai (11 December 2008)

You May Also Find These Documents Helpful

  • Powerful Essays

    References: 267. Beijtlich, R. (n.d.). The Practice of Network Security Monitoring: understanding incident detection and response. [Books24x7 Version.…

    • 4846 Words
    • 17 Pages
    Powerful Essays
  • Satisfactory Essays

    c) Logical IDS: Network and workstation mechanisms that monitors network traffic and provide real-time alarms for network-based attacks Service Network.…

    • 1152 Words
    • 4 Pages
    Satisfactory Essays
  • Powerful Essays

    IS3110 U5L1

    • 912 Words
    • 4 Pages

    One of the most important first steps to risk management and implementing a security strategy is to identify all resources and hosts within the IT infrastructure. Once you identify the workstations and servers, you now must then find the threats and vulnerabilities found on these workstations and servers. Servers that support mission critical applications require security operations and management procedures to ensure C-I-A throughout. Servers that house customer privacy data or intellectual property require additional security controls to ensure the C-I-A of that data. This lab requires the students to identify threats and vulnerabilities found within the Workstation, LAN, and Systems/Applications Domains.…

    • 912 Words
    • 4 Pages
    Powerful Essays
  • Better Essays

    Implementing the installation of an IDS or IPS will allow for suspicious traffic to be flagged and reported to administrators based on one of two different factors. These factors are signature based or anomaly based depending on how they are configured.…

    • 1279 Words
    • 6 Pages
    Better Essays
  • Satisfactory Essays

    The explosive growth and popularity of the Internet have resulted in thousands of structured query able information sources. Most organizations are familiar with Penetration Testing and other ethical hacking techniques as a means to understanding the current security status of their information system assets. Consequently, much of the focus of research, discussion, and practice, has traditionally been placed upon active probing and exploitation of security vulnerabilities. Since this type of active probing involves interacting with the target, it is often easily identifiable with the analysis of firewall and intrusion detection/prevention device (IDS or IPS) log files.…

    • 501 Words
    • 2 Pages
    Satisfactory Essays
  • Good Essays

    NT2580 Project part 1

    • 562 Words
    • 3 Pages

    i. With this security plan being implemented, you can monitor inbound IP traffic anomalies and prevent malicious-intent traffic that may try to intrude and harm your system.…

    • 562 Words
    • 3 Pages
    Good Essays
  • Better Essays

    Hardware can be used to protect the network from outside threats. Intrusion detection systems (IDS) automate detection of threats and attack through traffic analysis. Cisco’s IDS “delivers a comprehensive, pervasive security solution for combating unauthorized intrusions, malicious Internet worms, along with bandwidth and e-Business application attacks” (Cisco Systems, 2007, Cisco Intrusion Detection). They take this one-step further with an intrusion prevention systems (IPS). IPS shifts the focus on the attacker, not the attack itself, by increasing the accuracy of threat prevention through global threat analysis (Cisco Systems, 2012, Intrusion Prevention System with Global Correlation). The Cisco Adaptive Security Appliances (ASA) “combines the industry 's most deployed stateful inspection firewall with…

    • 890 Words
    • 4 Pages
    Better Essays
  • Satisfactory Essays

    Intrusion detection system/intrusion prevention system (IDS/IPS) | * System/Application domain * Remote access domain * LAN-to-WAN domain | Integrity |…

    • 299 Words
    • 2 Pages
    Satisfactory Essays
  • Good Essays

    An automated response approach, in contrast, provides immediate response to detected incidents without human intervention. An automated response essentially addresses the shortcomings of a notification and manual response approach by mitigating the vulnerability between detecting and responding. Although notification and manual responses are inadequate due to its inability to address attacks in real time, there are still drawbacks for the automated response approach. The complications prevalent to the automated response approach includes false…

    • 107 Words
    • 1 Page
    Good Essays
  • Satisfactory Essays

    NT2580

    • 526 Words
    • 5 Pages

    NT2580 Introduction to Information Security Unit 2 Application of Security Countermeasures to Mitigate Malicious Attacks © ITT Educational Services, Inc. All rights reserved. Learning Objective Describe how malicious attacks, threats, and vulnerabilities impact an IT infrastructure. NT2580…

    • 526 Words
    • 5 Pages
    Satisfactory Essays
  • Better Essays

    * IDS and IPS monitoring of incoming and outgoing network traffic, including anti-virus, anti-spyware and signature and anomaly-based traffic monitors.…

    • 932 Words
    • 4 Pages
    Better Essays
  • Good Essays

    A person who is a good leader is like someone who would do anything for their people. he knows what his goal is but it seems impossible. Crazy Horse, a indian who know what the right thing to do is, he was famous for leading the battle of little bighorn. After reading online sources, it is clear that Crazy horse is a brave and fearless indian leader based on the information I read.…

    • 319 Words
    • 2 Pages
    Good Essays
  • Good Essays

    World War II In the 1930s, Japan, Germany and Italy wanted to extend their powers and began invading other countries. Even though the U.S. was in the “Isolationist” mode, President Franklin D. Roosevelt still extended his helping hands to Germany’s opponents. For example, he signed the Lend-Lease Act of 1941 which ended oil sales to Japan. America announced war on the Axis powers by declaring war on Japan first and then on Germany.…

    • 455 Words
    • 2 Pages
    Good Essays
  • Good Essays

    The DHS set up the National Cybersecurity Protection System (NCPS) to detect and monitor potential malicious activity across federal agencies network systems. The NCPS is not meeting the systems objective of intrusions or deviations of abnormal network behavior. This system is not addressing the common security vulnerabilities of unknown signatures across the network. The NCPS is also failing at preventing intrusions in blocked e-mail domains. The DHS plans to deliver a new Cybersecurity System in…

    • 831 Words
    • 4 Pages
    Good Essays
  • Good Essays

    Gettysburg Address Essay

    • 609 Words
    • 3 Pages

    Akers and Lincoln both Sought to memorialize the soldiers from the great Civil War. they have common ways on how they did this, and many different ways too. however they both wrote an article that we are going to be comparing. Lincoln had a dedicatory speech on the battle ground of Gettysburg, also known as the Gettysburg address. Akers wrote an article about a statue that stood for peace.…

    • 609 Words
    • 3 Pages
    Good Essays

Related Topics