Intrusion Detection System (IDS) at a Glance (PPT)


Upload: david-rom

Post on 21-Jan-2017


Page 1: Intrusion Detection System(IDS) at a Glance (PPT)

Intrusion Detection System (IDS) at a Glance

Page 2

An Intrusion Detection System (IDS) is security software designed to automatically alert or notify the administrator whenever a user tries to compromise an information system through malicious activity, or whenever a security policy is violated. It helps deal with such attacks by inspecting all of the inbound and outbound traffic on a network.

Page 3

Types of Intrusions / Attacks

Web Based Attacks

• SQL Injection, Web Shells
• LFI, RFI and XSS Attacks

Network Based Attacks

• Unauthorized Login
• Denial of Service attacks
• Scanning ports and services
• Replication of Worms, Trojan, Virus
• Spoofing Attacks (Arpspoof, DNS spoof attacks)

Zero Day Attacks

• Attacks that aren’t known.

Page 4

How is detection performed in IDS software?

Signature-based detection: This type of detection works well with threats that are already determined or known.

Anomaly-based detection: This detection works on the basis of comparison. It compares the traits of a normal action against the characteristics that mark an action as abnormal.

Page 5

Typical intrusion detection functions include:

Monitoring and analyzing both user and system activities

Analyzing system configurations and vulnerabilities

Assessing system and file integrity

Ability to recognize typical patterns of attacks

Analysis of abnormal activity patterns

Tracking user policy violations

Page 6

Major components of an IDS System

Network Intrusion Detection System (NIDS): This analyzes traffic on a whole subnet and matches the traffic passing by against a library of known attacks.

Page 7

Network Node Intrusion Detection System (NNIDS):

This is similar to NIDS, but the traffic is only monitored on a single host, not a whole subnet.

Page 8

Host Intrusion Detection System (HIDS): This takes a “picture” of an entire system’s file set and compares it to a previous picture. If there are significant differences, such as missing files, it alerts the administrator.

Page 9

PROS of an IDS System

CAN add a greater degree of integrity to the rest of your infrastructure

CAN trace user activity from point of entry to point of impact

CAN recognize and report alterations to data

CAN automate a task of monitoring the Internet searching for the latest attacks

CAN detect when your system is under attack

CAN make the security management of your system possible by non-expert staff

Page 10

CONS Related to an IDS System

CAN NOT compensate for weak identification and authentication mechanisms

CAN NOT conduct investigations of attacks without human intervention

CAN NOT compensate for weaknesses in network protocols

CAN NOT analyze all the traffic on a busy network

CAN NOT always deal with problems involving packet-level attacks

CAN NOT deal with some of the modern network hardware and features

Page 11

How to protect IDS

• Don’t run any service on your IDS sensor
• The platform on which you are running IDS should be patched with the latest release from your vendor
• Configure the IDS machine so that it doesn't respond to ping packets
• User accounts should not be created except those that are necessary