Intrusion detection basics

Intrusion-detection systems (IDS) are a critical component of any security infrastructure. These hardware and/or software devices monitor a network for potentially malicious activity and report it to administrators for further investigation. There are many intrusion-detection systems on the market, ranging from dedicated hardware designed to handle high-bandwidth connections (and costing thousands of dollars) all the way to the absolutely free software-based IDS Snort.

There's actually a relatively simple taxonomy used to classify most intrusion-detection systems. It's based upon two characteristics – the type of monitoring algorithm (signature or anomaly detection) and the monitored environment (network or host). Let's take a brief look at each.

An IDS's monitoring algorithm defines how the system determines whether activity is malicious or benign. The two most common algor...

BROWSE BY TAG Infrastructure and Network Security,   Network Security Tactics,   Intrusion Detection,   Common Vulnerabilities and Prevention Tips,   Intrusion Detection,   Network Intrusion Detection (IDS),   Network Intrusion Detection and Analysis,   Enterprise Network Security,   VIEW ALL TAGS

RELATED CONTENT Infrastructure and Network Security VPNs: IPsec vs. SSL Sensitive student data cracked at U. of Georgia Microsoft patches IE spoofing problem IE update clears up spoofing issue Geer slams Windows dominance, calls for government intervention Countdown begins for Mydoom DDoS attacks Microsoft to disable spoofing syntax in IE Mydoom variant targets security features, Microsoft IE flaw could fool users in illicit downloads Hackers scanning for ports opened by Mydoom Network Security Tactics What to do with network penetration test results How to use TrueCrypt for disk encryption Protecting enterprise networks from new mobile application downloads Maintaining security after a cloud computing implementation Preparing the network for a cloud computing implementation PuTTY configuration tips: How to connect to remote network systems A guide to internal and external network security auditing How to keep networks secure when deploying an 802.11n upgrade Screencast: Find rogue wireless access points with Vistumbler How to provide access to Web content (while ensuring network security) Intrusion Detection The best of SearchSecurity.com Crash course: Snort Q&A: Advanced intrusion defense Audio webcast: Advanced intrusion defense Presentation: Advanced intrusion defense Security Alert: Mydoom-A Intrusion defense Taking aim Comparison chart: Target-based NIDS Target-based IDS muffles the noise to take aim on the alerts that count

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

ithm types are:

• Anomaly detection first develops a baseline (which may change over time) of "normal" activity on a system or network and then uses that baseline to detect when abnormal activity takes place. The major advantage to anomaly-detection systems is that they are often capable of detecting new types of malicious activity as soon as they occur. The downside is that systems can be "trained" to accept malicious activity as part of the baseline by slowly introducing it into the monitored environment until it is accepted as normal.

• Signature detection systems, on the other hand, use a database of known attack patterns. When they detect activity matching one of those patterns, an alert is triggered. Signature-detection systems have an extremely low false alarm (or "false positive") rate but require constant updating in order to detect new types of attack.

Intrusion-detection systems may be further classified by the type of environment they monitor:

• Network-based systems monitor an entire network for malicious activity. They can detect distributed attacks, but may miss attacks on individual hosts, such as a virus infection.

• Host-based systems are responsible for monitoring individual systems (although many host-based systems provide centralized monitoring solutions). They are capable of detecting malicious code and other attacks that may only impact one system and not involve any network activity.

It's important to note that every IDS on the market doesn't necessarily fit neatly into these classifications. There are a number of hybrid systems available that combine characteristics of the two major monitoring algorithm types and/or monitor more than one type of environment. When planning an IDS architecture, you should strive to achieve a balance of algorithms and monitored environments.

About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the About.com Guide to Databases.