It is not every day that we hear of cyber attacks on an important organization's database, information systems or even its entire network. However, this is becoming a common scenario. In the movies we see brilliant minds turn into villains through hacking, defeating security systems and other tricks for illegal motives. An IDS is one security measure that makes this scenario rarer, if not impossible, in real life.
For decades, network managers have been seeking effective and efficient means to protect the most vulnerable systems in the world. As early as 1987, Dorothy Denning released the seminal paper entitled “An Intrusion Detection Model.” This paper provided a methodological framework that inspired many researchers and served as the groundwork for continuing research into the most effective IDS model. It was a response to a series of attacks and intrusions motivated by financial, political and military objectives.
Intrusion detection systems (IDSs) are software and hardware systems that automate the process of monitoring the events occurring in a computer system or network and analyzing them for signs of intrusion or other security problems. Nowadays, security attacks on network systems of all kinds are on the rise, so the importance of intrusion detection systems is finally being realized. They have become one of the major requirements of organizations' security infrastructures.
Intrusion detection is the process of monitoring for signs of intrusions or attempts against the confidentiality, integrity, availability, or any other security mechanism of a computer system or network. The attackers could be any of the following: outsiders who access the system from the Internet, authorized users of the system who access components beyond their authorization, or authorized users who misuse the privileges given to them.
IDSs can be a reliable protective tool given the following strengths: they can monitor and analyze the system, each event within it, and user behavior; they test the security state of system configurations; they establish a security baseline for the system; they recognize patterns of system events that correspond to known attacks, as well as activity that varies statistically from normal access behavior; they can manage the OS audit log mechanisms and the data these generate; they alert the appropriate staff through appropriate means when attacks occur, with the aim of enforcing the encoded security policies; and they can even enable non-security experts to carry out network security tasks.
With these capabilities, the function of IDSs is three-fold. First, IDS tools aim to detect computer attacks, computer misuse and intrusions, according to policies set when the IDS is installed. Second, they alert the proper individuals or authorities in charge upon detection of an attack; some IDSs can send out notifications in the form of an email, a page, or an SNMP trap. Third, they respond to detected attacks through automatic actions such as logging off the user/attacker, permanently disabling the user account, or launching scripts.
In contrast to the scope of functionality just described, there are security measures that IDSs cannot perform: they cannot compensate for weak security mechanisms (firewalls, link encryption, access control mechanisms, and virus detection and eradication); they cannot respond immediately to attacks under heavy network traffic; they cannot detect follow-ups to existing attacks; and they cannot conduct a deep investigation of attacks automatically, without human intervention.
Types of IDSs
IDSs can be classified in different ways depending on their implementation, architecture and other criteria. However, the most commonly used classification groups them by information source. Under this scheme, the types of IDSs are network-based, host-based, and application-based IDSs.
Host Based IDSs
The very first type of IDS developed and implemented was the host-based IDS. These systems collect and analyze data from a single computer or host, such as a Web server. After gathering the needed data from a given computer, the data may be analyzed locally or sent to a remote machine for further analysis. Examples associated with host-based IDSs include Windows NT/2000 Security Event Logs, Tivoli, and UNIX Syslog.
These IDSs operate on information collected within a single computer system. Host-based IDSs have a reputation for analyzing activities and attacks with high reliability and precision. Unlike network-based IDSs, host-based IDSs can monitor and evaluate the outcome of an attack attempt and can watch the data files and system processes that are its targets. Their information sources include operating system audit trails and system logs. Operating system audit trails are generated at the kernel level of the operating system; they are more detailed and better protected than system logs. System logs can be simpler and smaller than audit trails, and hence easier to understand and more user-friendly. Moreover, their architecture is designed to support centralized IDSs.
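To make the host-based data sources just described concrete, and to show the detect, alert and respond stages from the section on IDS functions above, here is an added example that is not part of the original article. It scans a constructed UNIX syslog-style auth log for two policy rules: repeated failed logins from one source, and an authorized user invoking privilege on a sensitive file (the article's "authorized users who misuse the privileges given to them"). The log lines, rule names, threshold and response actions are all assumptions made for illustration, and the responses are only returned as text, not executed.

```python
"""Host-based IDS sketch over UNIX syslog-style auth records.

Added example, not part of the original article. It walks through the three
functions the article describes: detect (match the host's log against a
policy), alert (build an alert record) and respond (choose an automatic action).
The log lines are constructed and the policy values are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of one host's auth log (syslog format). Not real data.
SAMPLE_LOG = """\
Mar  3 10:01:02 web01 sshd[4121]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar  3 10:01:04 web01 sshd[4121]: Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2
Mar  3 10:01:06 web01 sshd[4121]: Failed password for root from 198.51.100.7 port 51024 ssh2
Mar  3 10:01:08 web01 sshd[4121]: Failed password for root from 198.51.100.7 port 51025 ssh2
Mar  3 10:01:09 web01 sshd[4121]: Failed password for root from 198.51.100.7 port 51026 ssh2
Mar  3 10:02:30 web01 sshd[4130]: Accepted publickey for deploy from 203.0.113.5 port 40000 ssh2
Mar  3 10:05:11 web01 sshd[4140]: Failed password for alice from 203.0.113.9 port 40010 ssh2
Mar  3 10:05:40 web01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
"""

# Detection patterns for the two event classes this sketch understands.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r".*COMMAND=(?P<cmd>.+)$"
)

# Assumed policy, the kind of thing set when the IDS is installed.
FAILED_LOGIN_THRESHOLD = 5              # failures from one source before alerting
SENSITIVE_FILES = ("/etc/shadow",)      # privileged reads worth an alert


@dataclass
class Alert:
    rule: str       # which policy rule fired
    host: str       # monitored host the event came from
    subject: str    # source address or user the alert is about
    detail: str     # human-readable evidence
    response: str   # automatic action chosen by respond()


def respond(rule: str, subject: str) -> str:
    """Response stage: map a rule to an automatic action (simulated, not executed)."""
    if rule == "ssh_bruteforce":
        return f"block {subject} at the host firewall"
    if rule == "sensitive_file_read":
        return f"page the on-call administrator about {subject}"
    return "log only"


def analyze(log_text: str) -> list[Alert]:
    """Detection stage: scan the log once and emit alerts per the policy above."""
    failures: dict[str, list[str]] = defaultdict(list)   # source address -> accounts tried
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            src = m["src"]
            failures[src].append(m["user"])
            # Alert exactly once, at the moment the source crosses the threshold.
            if len(failures[src]) == FAILED_LOGIN_THRESHOLD:
                users = ", ".join(sorted(set(failures[src])))
                alerts.append(Alert(
                    rule="ssh_bruteforce", host=m["host"], subject=src,
                    detail=f"{FAILED_LOGIN_THRESHOLD} failed logins at {m['ts']}; accounts tried: {users}",
                    response=respond("ssh_bruteforce", src),
                ))
            continue
        m = SUDO_RE.match(line)
        if m and any(path in m["cmd"] for path in SENSITIVE_FILES):
            # An authorized user exercising privilege on a sensitive file.
            alerts.append(Alert(
                rule="sensitive_file_read", host=m["host"], subject=m["user"],
                detail=f"sudo command: {m['cmd']}",
                response=respond("sensitive_file_read", m["user"]),
            ))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"[{a.rule}] host={a.host} subject={a.subject} :: {a.detail} -> {a.response}")
```

Running the script prints one alert for the five failures from 198.51.100.7 and one for alice's read of /etc/shadow; the single failed login from 203.0.113.9 stays below the threshold and produces nothing, which is the trade-off every threshold rule makes between noise and missed slow attacks.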
Aside from the advantage already mentioned, the ability to monitor and evaluate the success or failure of an attack, host-based IDSs have other edges over network-based IDSs. Host-based IDSs can operate efficiently in a network whose traffic is encrypted, because the data is decrypted at the destination host. They are usually unaffected by switched networks and can even detect attacks against software integrity, such as a Trojan horse.
On the other hand, host-based IDSs can be harder to manage, since all the required information must first be configured on each monitored host before the sensors can function. In the case of host-targeted and denial-of-service attacks, the intruder may be able to disable the IDS itself.
Network Based IDSs
Network-based IDSs make up the majority of commercial intrusion detection systems. These IDSs work by capturing and analyzing network packets. Attached to a network segment or switch, this type of IDS can monitor the traffic of the multiple hosts connected to that segment, and thereby protect those hosts. They often consist of single-purpose sensors or of several hosts within the network. Examples of this type of IDS include Shadow, Snort!, NFR, RealSecure and NetProwler.
RealSecure is made by Internet Security Systems. It is an IDS with a three-part architecture: network-based and host-based recognition engines, and an administrator's module. The network-based recognition engines are placed on crucial workstations to provide intrusion detection and response for the network. Each engine can detect intrusive activity, terminate intrusive connections, send alerts, record sessions, and reconfigure firewalls when needed. The host-based engine, in turn, analyzes log data for signs of intrusion or attack. It can also terminate connections and suspend suspicious users.
The roles of network-based IDSs may be summarized as follows: monitor network traffic, perform local analysis of that traffic, and report attacks to a central management console. The sensors operate in stealth mode so that an attacker has more difficulty determining their location, or even their presence.
This type of IDS is particularly suited to the following activities: detecting an unauthorized user even before an attempt to log on, and recognizing bandwidth theft or denial-of-service attacks that come from outside the network and single out certain network resources for abuse or overload.
One advantage of network-based IDSs is that even a few of them can monitor a large network, especially if the sensors are well placed. Moreover, deploying these sensors has relatively little impact on the network: they are usually passive and work without interfering with its normal operation. More importantly, they can be made very secure against all types of attack and invisible to attackers.
However, they have some disadvantages too. They usually have difficulty processing every packet in a large or busy network, and in such cases the sensors can fail to recognize attacks during heavy traffic. Some network-based IDS vendors try to address this by implementing the sensors directly in hardware to make detection faster, but this speed-up can also mean that fewer attacks are detected and that detection is less effective. Moreover, many of their advantages do not carry over to modern switch-based networks. The switches used in most networks today do not provide universal monitoring ports, which limits the monitoring range of the IDS to a single port; this is a problem, since no single port can mirror all the traffic that traverses the switch. Another major pitfall of these IDSs is their inability to analyze encrypted information. This is an increasingly serious concern as more and more organizations, and attackers too, use virtual networks.
Likewise, network-based IDSs can only identify that an attack was initiated; they cannot determine whether the detected attack was successful. Hence, upon detection of an attack, network administrators must investigate manually to determine how far it penetrated, which is laborious on their part. Lastly, network-based IDSs tend to become unstable, and can eventually crash, when confronted with fragmented packets.
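The network-based section above makes three points that a small sensor model can show directly: one passive sensor covers every host on its segment, a sensor that inspects packets one at a time misses patterns that happen to be split across packets (the fragmentation issue just mentioned), and encrypted payloads give a signature matcher nothing to work with. The following is an added example, not code from the original article or from any of the products it names. The packets, addresses, rule names and signature strings are all constructed; the TLS-framed flow is a handful of arbitrary bytes standing in for ciphertext, not a real TLS record.

```python
"""Network-based IDS sketch: one passive sensor on a shared segment.

Added example, not part of the original article. All packets, addresses and
signatures below are constructed. It shows (1) a single sensor covering several
hosts, (2) why a sensor must reassemble a flow before matching, since a signature
split across packets is missed per packet, and (3) that encrypted traffic yields
nothing to match, the limitation the article notes.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    seq: int        # byte offset of this payload within its flow (TCP-style)
    payload: bytes


# Constructed content signatures for a web segment (hypothetical rule names).
SIGNATURES = {
    "http_path_traversal": b"../../",
    "sensitive_file_request": b"/etc/passwd",
}

# Constructed capture from a segment with three servers. The second flow is
# deliberately split into three segments, delivered out of order, so that no
# single packet contains either signature. The third flow is TLS-framed opaque
# bytes standing in for ciphertext (constructed, not real TLS).
CAPTURED = [
    Packet("203.0.113.5", "10.0.0.10", 80, 0, b"GET /index.html HTTP/1.1\r\nHost: a\r\n\r\n"),
    Packet("198.51.100.7", "10.0.0.11", 80, 0, b"GET /static/../"),
    Packet("198.51.100.7", "10.0.0.11", 80, 25, b"swd HTTP/1.1\r\n\r\n"),
    Packet("198.51.100.7", "10.0.0.11", 80, 15, b"../etc/pas"),
    Packet("198.51.100.7", "10.0.0.12", 443, 0, bytes.fromhex(
        "1703030020" "8f3b7a91c4d2e0056a77b3c41f9e2d88a04c5e6f7b1d2c3e4f5a6b7c8d9eaf01")),
]


def match_signatures(data: bytes) -> list[str]:
    """Return the names of every signature whose content appears in data."""
    return [name for name, needle in SIGNATURES.items() if needle in data]


def per_packet_alerts(packets):
    """Naive sensor: inspect each packet on its own, no flow state."""
    return [(name, p.src, p.dst) for p in packets for name in match_signatures(p.payload)]


def reassemble(packets):
    """Rebuild each flow's byte stream from its segments, ordered by seq.

    Overlapping bytes are trimmed. A gap (a segment not yet seen) stops the
    stream at the gap, because later bytes cannot be placed reliably.
    """
    flows = defaultdict(list)
    for p in packets:
        flows[(p.src, p.dst, p.dport)].append(p)
    streams = {}
    for key, segs in flows.items():
        buf = bytearray()
        for s in sorted(segs, key=lambda p: p.seq):
            if s.seq > len(buf):
                break                                # gap: wait for the missing segment
            buf += s.payload[len(buf) - s.seq:]      # drop any overlap with bytes already held
        streams[key] = bytes(buf)
    return streams


def stream_alerts(packets):
    """Sensor with reassembly: match signatures against whole flows."""
    return [(name, src, dst)
            for (src, dst, dport), data in reassemble(packets).items()
            for name in match_signatures(data)]


def hosts_covered(packets):
    """Destination hosts that a single sensor on this segment observes."""
    return {p.dst for p in packets}


if __name__ == "__main__":
    print("hosts seen by one sensor:", sorted(hosts_covered(CAPTURED)))
    print("per-packet alerts:", per_packet_alerts(CAPTURED))
    print("reassembled-stream alerts:", stream_alerts(CAPTURED))
```

The per-packet pass reports nothing, while the reassembled pass raises both signatures against 10.0.0.11; the TLS flow to 10.0.0.12 is seen by the sensor but matches nothing, which is exactly the blind spot the article attributes to encrypted traffic. Holding flow state is also what makes real sensors vulnerable to the resource exhaustion and crashes under fragmentation described above, so production engines bound the buffer per flow and age flows out.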
Application Based IDSs
The last type of IDS by information source is the application-based IDS. These are a special subset of host-based IDSs that work within a software application. Among the most commonly used information sources of application-based IDSs are the application's transaction log files. To detect an attack, or an attempt by authorized users to act beyond their authorization, the IDS interfaces directly with the application and analyzes application-specific information. It is specially designed to address problems that arise in the interaction between the user, the data, and the application.
One advantage of application-based IDSs is that they can monitor all of the interactions between the user and the application, allowing them to trace unauthorized activity to individual users. They also work in encrypted environments, because they see each transaction at the application end point, where the data is in unencrypted form. Nevertheless, the disadvantages of application-based IDSs can be summarized as follows: they are more vulnerable to attack when the application logs are not well protected, and they monitor events only at the user level and so fail to detect software attacks such as a Trojan horse.