25-02-2013, 12:57 PM
Intrusion Detection System (IDS)
Abstract:
Intrusion detection is the act of detecting unwanted traffic on a network or a device.
An IDS can be a piece of installed software or a physical appliance that monitors network traffic in order to detect unwanted activity and events such as illegal and malicious traffic, traffic that violates security policy, and traffic that violates acceptable use policies. Many IDSs store detected events in a log to be reviewed at a later date, or combine events with other data to make decisions regarding policies or damage control.
Intrusion detection is just as essential to your network as a burglar alarm system is to commercial buildings or homes where valuables are kept. A good IDS will also include IPS functionality; rather than just telling you someone is breaking into your network, it will do something about it.
Progress of the work:
The IDS consists of at least the following subsystems:
1. IDS engine,
2. Monitoring subsystem,
3. Reporting subsystem,
4. Responding subsystem,
5. Storage,
6. Model base subsystem,
7. Database system, and
8. Feeders.
The IDS engine is the control unit of the intrusion detection system. Its main purpose is to manage the system, i.e., supervise all operations of the intrusion detection system. Its duty depends on the intrusion detection method used. These methods are addressed later in the full paper.
There are several ways to categorize intrusion detection systems. The first is based on the scope of the IDS's monitoring; that is, whether it is installed on and uses data from a single host computer, or is a network-based product that monitors traffic on the network as a whole, as well as analyzing data from individual computers.
1) Host-based intrusion detection:
A host-based IDS is one in which the software is installed on a single system and the data from that system is used to detect intrusions. Because the host-based IDS protects the server "at the source," it can more intensely protect that specific computer.
The host-based system usually examines log files on the computer to search for attack signatures. Important system files and executables may also be checked periodically for unexpected changes. A host-based system will also monitor ports and trigger an alert if certain ports are accessed.
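The periodic check of important files described above is usually implemented as file-integrity monitoring: hash each file once to build a baseline, re-hash on a schedule, and report anything added, removed or changed. The following is an added example written for this page, not code from the original author; the directory layout, file names and tampering scenario are constructed in a temporary directory so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical host-based integrity check (added example). A baseline maps
# each monitored file to its SHA-256 digest; a later snapshot is compared
# against it and the differences become the alert content.


def sha256_of(path):
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (as a relative path) to its digest.
    Symlinks are skipped so a link cannot stand in for the file it points at."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[str(path.relative_to(root))] = sha256_of(path)
    return baseline


def compare(baseline, current):
    """Return added, removed and changed paths between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys()
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: snapshot a fake config tree, tamper with it
    between two scheduled checks, and return what the second check finds."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")

        baseline = build_baseline(root)

        # Simulated changes a defender would want to hear about
        (root / "sshd_config").write_text("PermitRootLogin yes\n")  # modified
        (root / "hosts").unlink()                                   # removed
        (root / "ld.so.preload").write_text("/tmp/unexpected.so\n")  # added

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

In a real deployment the baseline itself must be stored somewhere the monitored host cannot silently rewrite (a read-only medium or a remote collector), otherwise an intruder who changes a file can also change its recorded digest.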
2) Network-based intrusion detection:
A network-based IDS monitors data from network traffic as well as data from one or more host computers to detect intrusions. A network-based IDS analyzes data packets sent over the network, and generally uses a "promiscuous" network adapter (one that is capable of reading all of the packets sent over the network, rather than just those packets addressed to it). The network-based IDS examines packet headers, which are generally not seen by the host-based IDS. This allows the detection of Denial of Service (DoS) and other types of attacks that may not be detected by a host-based IDS.
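To make concrete what "examining packet headers" means, here is an added example (not from the original page) that decodes the fixed IPv4 and TCP headers of a raw packet the way a network sensor would before any rule is applied. The packet bytes are constructed by a small builder function in the same block, with checksums left at zero; field names and the builder are assumptions for this example.

```python
import struct

# Hypothetical header decoder (added example): the fields a network-based
# IDS reads from each packet on a promiscuous interface. Only the fixed
# IPv4 and TCP headers are decoded; options and payload are not inspected.

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def parse_ipv4_tcp(packet):
    """Decode IPv4 + TCP headers from a raw IP packet (no Ethernet frame)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4          # IPv4 header length in bytes
    if version != 4 or ihl < 20:
        raise ValueError("not a valid IPv4 header")
    if proto != 6:
        raise ValueError(f"not TCP (protocol {proto})")
    if len(packet) < ihl + 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags, _window, _tcsum, _urg = \
        struct.unpack("!HHIIHHHH", packet[ihl:ihl + 20])
    data_offset = (off_flags >> 12) * 4  # TCP header length in bytes
    flags = off_flags & 0x1FF
    return {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "ttl": ttl,
        "sport": sport,
        "dport": dport,
        "flags": [name for bit, name in TCP_FLAG_NAMES if flags & bit],
        "payload_len": total_len - ihl - data_offset,
    }


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b""):
    """Construct a minimal IPv4+TCP packet (checksums zero) for testing."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0,
                         64, 6, 0, bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                          (5 << 12) | flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


# Constructed sample: a connection request to port 22 carrying no data
SAMPLE = build_ipv4_tcp("192.0.2.10", "192.0.2.20", 40000, 22, 0x02)

if __name__ == "__main__":
    print(parse_ipv4_tcp(SAMPLE))
```

The decoded dictionary (source, destination, ports, flags, payload length) is exactly the information a host-based IDS reading only its own log files never sees, which is why rate-based conditions such as a DoS flood are a network-sensor problem.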
How an Intrusion Detection System works:
IDSs can use different methods for detecting suspected intrusions. The two most common broad categories are pattern matching and detection of statistical anomalies.
Pattern matching:
Pattern matching is used to detect known attacks by their "signatures," or the specific actions that they perform. It is also known as signature-based IDS or misuse detection. The IDS looks for traffic and behavior that matches the patterns of known attacks. The effectiveness is dependent on the signature database, which must be kept up to date.
Pattern matching is analogous to identifying a criminal who committed a particular crime by finding his fingerprint at the scene. Fingerprint analysis is a type of pattern matching.
The biggest problem with pattern matching is that it fails to catch new attacks for which the software doesn't have a defined signature in its database.
Statistical anomalies:
Anomaly-based detection watches for deviations from normal usage patterns. This requires first establishing a baseline profile to determine what the norm is, then monitoring for actions that are outside of those normal parameters. This allows you to catch new intrusions or attacks that don't yet have a known signature.
To be effective, response must be as immediate as possible. That's why your IDS needs to include notification features and you need to set them up so that the alerts get to the proper people as quickly as possible after an intrusion is detected.
The best solution for your organization depends on your network's size, security needs, existing security infrastructure, budget and IT department structure and workload.
Components involved in detecting the intrusion:
Sensors: These are deployed in a network or on a device to collect data. They take input from various sources, including network packets, log files, and system call traces. Input is collected, organized, and then forwarded to one or more analyzers.
Analyzers: Analyzers in an IDS collect data forwarded by sensors and then determine if an intrusion has actually occurred. Output from the analyzers should include evidence supporting the intrusion report.
The analyzers may also provide recommendations and guidance on mitigation steps (actions to take before risk assessment).
User interface: The user interface of the IDS provides the end user a view and way to interact with the system. Through the interface the user can control and configure the system. Many user interfaces can generate reports as well.
Conclusion:
Government funding and corporate interest helped to develop their concept into a tangible technology that eventually found its way into the mainstream of network security. Intrusion detection has indeed come a long way, becoming a necessary means of monitoring, detecting, and responding to security threats. From theory to practice, and finally to commercially viable tools, IDS technology has gone through countless iterations and numerous owners. Nonetheless, the use of intrusion detection as a means of deterring misuse has ultimately become commonplace. Moreover, IDS has become essential.