Protecting your network is comparable to protecting your
home. You first close the doors and check the windows. A boundary wall, with a
watchman at the gate, is the next step. For more safety, you would put up a
surveillance camera to watch for any suspicious activity. For your network,
server hardening, firewalls and Intrusion Detection Systems (IDS) do the same
things. Hardening closes unused ports and services; firewalls protect the
perimeter by preventing unauthorized traffic from entering your internal
network; and an IDS monitors network and host activity for signs that the first
two layers have been bypassed.
Cyber criminals conduct extensive reconnaissance before
launching an attack, and such scouting activity is an early warning signal worth
alerting on. In computer networks, attackers are usually interested in learning
the network topology and the versions of the operating systems and applications
running on each host. Attackers may use a wide variety of tools to collect this
information, and they may access your network as a normal user to conduct these
probes. By analyzing the network traffic and the activity on your systems, you
can identify such probes as early warning signals, before the actual attack
begins.
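As an added example (not from the original article), the following Python script shows how reconnaissance of the kind described above can be spotted in connection records. Per source address it counts, inside a sliding time window, how many distinct ports were probed on one host (a vertical scan) and how many hosts were probed on one port (a horizontal sweep). Only bare SYN packets are counted, because a connection whose handshake completed is ordinary traffic rather than a probe. The flow records, addresses, window length and thresholds are all constructed assumptions for the illustration.

```python
from collections import defaultdict

# Constructed flow records for the example (not from the original page).
# Columns: seconds since start, source IP, destination IP, destination port, TCP flags.
# 198.51.100.7 walks ten ports on one host and then port 22 on five more hosts;
# 10.0.0.20 is an ordinary client whose handshakes complete (SYN+ACK seen).
SAMPLE_FLOWS = """\
0   198.51.100.7  10.0.0.5   22    S
1   198.51.100.7  10.0.0.5   23    S
2   198.51.100.7  10.0.0.5   25    S
3   198.51.100.7  10.0.0.5   80    S
4   198.51.100.7  10.0.0.5   110   S
5   198.51.100.7  10.0.0.5   135   S
6   198.51.100.7  10.0.0.5   139   S
7   198.51.100.7  10.0.0.5   443   S
8   198.51.100.7  10.0.0.5   445   S
9   198.51.100.7  10.0.0.5   3389  S
10  198.51.100.7  10.0.0.6   22    S
11  198.51.100.7  10.0.0.7   22    S
12  198.51.100.7  10.0.0.8   22    S
13  198.51.100.7  10.0.0.9   22    S
14  198.51.100.7  10.0.0.10  22    S
0   10.0.0.20     10.0.0.5   443   SA
5   10.0.0.20     10.0.0.5   443   SA
30  10.0.0.20     10.0.0.5   80    SA
"""


def parse_flows(text):
    """Parse the whitespace-separated records into (time, src, dst, port, flags) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, port, flags = line.split()
        flows.append((int(t), src, dst, int(port), flags))
    return flows


def detect_scans(flows, window=10, port_threshold=8, host_threshold=5):
    """Flag sources that probe many distinct ports on one host (vertical scan)
    or one port on many hosts (horizontal sweep) within `window` seconds.
    Only bare SYNs count: a flow whose handshake completed is a normal
    connection, not a probe. Returns (kind, src, target, count) tuples."""
    by_src = defaultdict(list)
    for t, src, dst, port, flags in sorted(flows):
        if flags == "S":
            by_src[src].append((t, dst, port))

    alerts, reported = [], set()
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            # slide the window start forward so it spans at most `window` seconds
            while events[end][0] - events[start][0] > window:
                start += 1
            ports_per_host = defaultdict(set)
            hosts_per_port = defaultdict(set)
            for _, dst, port in events[start:end + 1]:
                ports_per_host[dst].add(port)
                hosts_per_port[port].add(dst)
            for dst, ports in ports_per_host.items():
                if len(ports) >= port_threshold and ("v", src, dst) not in reported:
                    reported.add(("v", src, dst))  # report each scan once
                    alerts.append(("vertical_scan", src, dst, len(ports)))
            for port, hosts in hosts_per_port.items():
                if len(hosts) >= host_threshold and ("h", src, port) not in reported:
                    reported.add(("h", src, port))
                    alerts.append(("horizontal_sweep", src, port, len(hosts)))
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

The thresholds are the tuning knobs: too low and a busy monitoring host trips the sweep rule, too high and a slow scanner that spreads its probes beyond the window never triggers it. A real sensor would also track per-source state across windows so that such slow scans accumulate.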
Role of IDS
An IDS is an additional layer of protection against intrusive
activities in networked information systems. No practical access control system
can prevent every intrusion; despite the best access control, intruders still
enter computer networks more often than anyone would like. An IDS can help track
an intruder's activity from entry to exit, guard against many known types of
attacks, detect network policy violations, and keep tabs on normal network
activity, making abnormal behavior easier to spot. A good IDS has a high
probability of detection and a low false alarm rate; both matter, because an IDS
that cries wolf is soon ignored by the people who have to act on its alerts.
The Detection Paradigms
Every IDS can be conceptually broken down into a sensor, an
analyzer, a response engine and a user interface. A sensor collects raw data
(network traffic, or host and application logs) and passes it to the analysis
engine. The analysis engine determines whether the captured data corresponds to
an attack and, if so, triggers the response engine for appropriate action. The
user interface is used to manage the IDS and review its alerts.
The types of data examined and the data generated by
different IDSs can vary significantly. The detection procedure is either based
on behavior (statistical) or on knowledge (rule-based). The vast majority of
IDSs use knowledge-based detection with defined signatures for attacks.
In rule-based detection, attempts are made to define a set of
rules that can be used to decide whether a given behavior is that of an intruder
or not. Observed events are matched against a database of known attack
signatures, so the approach is precise but blind to any attack for which no rule
has yet been written. In contrast, the statistical approach involves collecting
data on the behavior of legitimate users over a period of time. Statistical
analysis is then applied to newly observed behavior to determine whether it is
consistent with that user's profile. If a discrepancy is identified, the network
administrator is notified. This approach can catch previously unseen attacks,
at the cost of more false alarms, and its baseline must be protected: an
attacker who can slowly shift what counts as "normal" can train the system to
accept the attack.
The two approaches are commonly called misuse detection and anomaly
detection. Misuse detection is the knowledge-based method: an intruder's actions
are recognized because they match known illegal commands or attack patterns.
Anomaly detection is the statistical method: it models normal user activity, and
any irregular variation from that model raises suspicion. Anomaly detection may
rely on advanced techniques such as neural networks, machine-learning
classifiers and artificial immune systems modelled on biological immunity.
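The following Python example is added here (it is not code from the original article) to show the sensor / analyzer pipeline described above with both detection paradigms applied to the same data: a knowledge-based analyzer that matches known attack signatures against URL-decoded request paths, and a behaviour-based analyzer that scores each user's request volume against that user's own historical baseline. The access-log lines, the user names, the two signatures and the baseline counts are all constructed for the illustration; a real baseline would be learned from days or weeks of traffic.

```python
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Constructed web-server access log for the example (not from the original page).
# Columns: timestamp, authenticated user, method, request path.
SAMPLE_LOG = """\
2024-01-15T09:00:01 alice GET /reports/q4.pdf
2024-01-15T09:00:05 alice GET /reports/index
2024-01-15T09:01:10 bob GET /profile
2024-01-15T09:02:00 mallory GET /download?file=../../etc/passwd
2024-01-15T09:02:30 mallory GET /login?user=admin'%20OR%20'1'='1
2024-01-15T09:03:00 bob GET /profile/settings
"""
# bob then enumerates /users/1 .. /users/60 in the same window: no single request
# matches a signature, but the volume is far outside his usual behaviour.
SAMPLE_LOG += "".join(
    f"2024-01-15T09:04:{i % 60:02d} bob GET /users/{i}\n" for i in range(1, 61)
)

# Knowledge-based: known attack patterns, matched against the URL-decoded path.
SIGNATURES = [
    ("path_traversal", re.compile(r"\.\./")),
    ("sql_injection", re.compile(r"'\s*(or|and)\s*'?1'?\s*=\s*'?1", re.I)),
]

# Behaviour-based: each user's request counts in previous windows of the same length.
# Constructed history for the example.
BASELINE = {
    "alice": [12, 15, 10, 14, 13, 11, 12],
    "bob": [5, 6, 4, 5, 7, 5, 6],
}


def parse_log(text):
    """Sensor stage: turn raw log lines into event dicts with the path URL-decoded,
    so that encoded variants such as %2e%2e%2f cannot slip past the signatures."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, method, path = line.split(maxsplit=3)
        events.append({"ts": ts, "user": user, "method": method, "path": unquote(path)})
    return events


def signature_detect(events):
    """Rule-based analyzer: one alert for every event matching a known signature."""
    alerts = []
    for ev in events:
        for name, pattern in SIGNATURES:
            if pattern.search(ev["path"]):
                alerts.append((name, ev["user"], ev["path"]))
    return alerts


def anomaly_detect(events, baseline, z_threshold=3.0):
    """Statistical analyzer: score each user's request count in this window against
    the mean and standard deviation of that user's own history. A user without a
    baseline cannot be scored, so it is reported rather than silently passed."""
    alerts = []
    for user, n in Counter(ev["user"] for ev in events).items():
        history = baseline.get(user)
        if not history or len(history) < 2:
            alerts.append(("no_baseline", user, n, None))
            continue
        mean = statistics.mean(history)
        sd = statistics.pstdev(history) or 1.0  # avoid division by zero on a flat history
        z = (n - mean) / sd
        if z > z_threshold:  # one-sided: excess activity, not a quiet window
            alerts.append(("rate_anomaly", user, n, round(z, 1)))
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("signature:", signature_detect(events))
    print("anomaly:  ", anomaly_detect(events, BASELINE))
```

Run together, the two analyzers show the complementary blind spots discussed above: the signatures catch mallory's traversal and injection attempts but say nothing about bob's enumeration, while the baseline flags bob's sixty-odd requests and cannot judge mallory at all because she has no history.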
IDSs use various methods to raise alerts when suspicious
activity is detected, including sending alarms to a console, e-mailing the
network administrator, generating an SNMP trap or sending pager messages. Beyond
this, an IDS can also be configured to log the raw network data, kill a
suspicious TCP connection by injecting a reset, reconfigure a firewall to
dynamically block an attacker, disable a user account or take similar
pre-defined actions. Automated blocking deserves care: an attacker who spoofs
source addresses can provoke the IDS into blocking legitimate hosts, so blocks
should be time-limited, capped in number and never applied to internal or
critical addresses.
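As an added example (not from the original article), here is a small response engine in Python that applies the safeguards just mentioned before it hands a block decision to the firewall: alerts are routed by severity, addresses inside protected ranges are never blocked, every block carries an expiry, and the number of simultaneous blocks is capped so that a flood of spoofed alerts cannot fill the firewall with rules. The severity levels, protected ranges, limits and the alert format are assumptions for the illustration; pushing the resulting address list to a real firewall is left deployment-specific.

```python
import ipaddress
import time

# Never auto-block these: the internal network and, say, an upstream resolver.
# Blocking them would let an attacker who spoofs source addresses turn the IDS
# into a denial-of-service tool against our own infrastructure.
# Constructed example ranges, not from the original page.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.53/32")]


class ResponseEngine:
    def __init__(self, max_active_blocks=100, block_ttl=900, clock=time.time):
        self.max_active_blocks = max_active_blocks
        self.block_ttl = block_ttl      # seconds a block stays active
        self.clock = clock              # injectable for testing
        self.active = {}                # blocked address -> expiry timestamp
        self.history = []               # every action taken, for the operator console

    def _expire(self):
        now = self.clock()
        for ip in [ip for ip, exp in self.active.items() if exp <= now]:
            del self.active[ip]

    def handle(self, alert):
        """alert: dict with 'severity' ('low'|'medium'|'high'), 'src' and 'rule'.
        Returns the list of (action, detail) tuples taken for this alert."""
        self._expire()
        actions = [("log", alert["rule"])]          # everything is logged
        sev = alert["severity"]
        if sev in ("medium", "high"):                # a human is told
            actions.append(("notify", f"{alert['rule']} from {alert['src']}"))
        if sev == "high":                            # only high severity may block
            actions.append(self._block(alert["src"]))
        self.history.extend(actions)
        return actions

    def _block(self, src):
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in NEVER_BLOCK):
            return ("refuse_block", f"{src} is in a protected range")
        if src in self.active:                       # already blocked: refresh the timer
            self.active[src] = self.clock() + self.block_ttl
            return ("extend_block", src)
        if len(self.active) >= self.max_active_blocks:
            return ("refuse_block", "active block limit reached; escalate to operator")
        self.active[src] = self.clock() + self.block_ttl
        return ("block", src)

    def firewall_rules(self):
        """The addresses the firewall should currently drop (expired blocks removed)."""
        self._expire()
        return sorted(self.active)


if __name__ == "__main__":
    engine = ResponseEngine()
    print(engine.handle({"severity": "high", "src": "203.0.113.9", "rule": "sql_injection"}))
    print(engine.handle({"severity": "high", "src": "10.0.0.5", "rule": "port_scan"}))
    print(engine.firewall_rules())
```

The "refuse_block" outcome is deliberately an action rather than silence: an operator needs to know that the engine declined to act, especially when the cap was hit, since that is exactly what a flood of spoofed alerts looks like.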
Types of IDS
There are three principal categories of IDS available
in the market, based on the types of data they examine.
-
Application IDS: An application-based IDS examines the
behavior of an application program, generally in the form of log files. This
is very specialized software, often custom-built to understand the
application's processes.
-
Host IDS: A host IDS uses software to analyze data from a
variety of system files, including event logs, configuration files, log
files, password files and other security files. This software must be
installed on each networked computer for maximum security. It examines the
host's activity logs looking for suspicious activity. Since it operates on
logs rather than on raw traffic, attacks carried over encrypted channels can
also be detected, provided the application logs the decrypted request. Such
software can verify whether an attack was successful or not, and can also
watch very specific system activities, like log-on/log-off times.
-
Network-based IDS: These take their data from live
packets on the network in a process analogous to wiretapping. The systems'
sensors capture the data and examine it in a rule-based or statistical
approach. The sensors work in promiscuous mode and capture all the packets
visible on the segment of network where they are installed. On a switched
network a sensor only sees what the switch delivers to its port, so it is
normally fed from a mirror (SPAN) port or a network tap.
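The host IDS item above lists configuration and password files among the data a host IDS watches. The following Python example, added here and not taken from the original article, shows the classic host-IDS check on such files: record a baseline fingerprint (SHA-256 of the content, permission bits and size) of each watched file, then compare later and report exactly which attribute changed. The watched paths, the file contents and the tampering (a second UID-0 account appended to passwd, sshd_config made world-writable) are constructed in a temporary directory so the example runs anywhere; in a real deployment the baseline would be stored off-host, since an intruder with root can otherwise rewrite it.

```python
import hashlib
import os
import stat
import tempfile

# Files to watch, relative to a root directory (constructed example list).
WATCHED = ["etc/passwd", "etc/ssh/sshd_config"]


def fingerprint(path):
    """Content hash plus the metadata an attacker most often changes."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode), "size": st.st_size}


def build_baseline(root, watched=WATCHED):
    """Fingerprint every watched file; store the result somewhere the host cannot alter."""
    return {rel: fingerprint(os.path.join(root, rel)) for rel in watched}


def check(root, baseline):
    """Compare current state with the baseline. Returns (file, what changed) findings."""
    findings = []
    for rel, expected in baseline.items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            findings.append((rel, "missing"))
            continue
        actual = fingerprint(path)
        for field in ("sha256", "mode", "size"):
            if actual[field] != expected[field]:
                findings.append((rel, f"{field} changed"))
    return findings


def demo():
    """Constructed scenario: baseline two files, then simulate an intruder adding a
    UID-0 account and loosening the sshd configuration's permissions."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc/ssh"))
        passwd = os.path.join(root, "etc/passwd")
        cfg = os.path.join(root, "etc/ssh/sshd_config")
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(cfg, "w") as f:
            f.write("PermitRootLogin no\n")
        os.chmod(cfg, 0o600)

        baseline = build_baseline(root)
        clean = check(root, baseline)            # nothing changed yet

        with open(passwd, "a") as f:             # backdoor account with UID 0
            f.write("backdoor:x:0:0::/:/bin/sh\n")
        os.chmod(cfg, 0o666)                     # config now world-writable
        return {"clean": clean, "after_tamper": check(root, baseline)}


if __name__ == "__main__":
    for stage, findings in demo().items():
        print(stage, findings)
```

Because the check reads files rather than packets, it reports the intrusion whether the attacker arrived over SSH, an encrypted web session or the console, which is the strength of host-based detection noted above; its weakness is equally visible: it only reports after the change has been written.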
Typically, network-based systems are better at keeping
unwanted users out, and host-based systems excel at tracking security problems
inside the network. Attacks that live entirely in the headers and payloads of
TCP/IP packets (crafted fragments, protocol-level probes) leave little or no
trace in host logs, so a host-based IDS generally cannot detect them;
conversely, a network-based IDS cannot inspect the payload of encrypted traffic.
Moreover, a network-based IDS detects an intrusion in near real time as the
packets pass, while a host-based IDS must wait until the logs are written.
Next Page : Managing an IDS Environment