Problem solve Get help with specific problems with your technologies, process and projects.

The ABCs of intrusion detection

What kinds of intrusion detection systems are there?

Intrusion-detection systems (IDS) are the oldest and most prevalent technology. Intrusion-prevention systems (IPS) are newer and generating a lot of discussion. Both of these tools have sub-categories I will discuss briefly. Finally, some firewall vendors are starting to incorporate these kinds of technologies into their products. All of these products should have the ability to report to a central console in some way and many can be managed centrally as well.

Intrusion-detection systems have been around since the late '80s and early 90's, and are classically broken down into signature-based and anomaly-based. Signature-based IDS works like antivirus and looks for patterns that match known malicious events. Anomaly-based IDS looks for anomalies in the network protocol, user and traffic behavior patterns or system (kernel) calls. They are further broken into network and host-based categories. Modern network IDS (NIDS) sniff a single network segment, usually using a hybrid of signature and traffic, and/or protocol anomaly detection. Host IDS (HIDS) live on an individual host and monitor some combination of system logs, calls to the system kernel and/or changes to various important files. The key point with any flavor of IDS is that it is detection only -- the even has already happened.

Intrusion-prevention systems come in many flavors similar to IDS, specifically host (HIPS) and network (NIPS) equivalents. A NIPS is usually inline (essentially a smart bridge) so that it can prevent malicious traffic from traversing the network. A HIPS may prevent an application or thread from doing something deemed questionable or dangerous. That's the key with IPS -- they can break things if they prevent something that is not malicious.

Finally, firewalls have traditionally rarely operated at the application layer, except for application proxies that have mostly been concerned with protocol compliance. They are used to enforce traffic policy of who can talk to what, how. Firewall vendors are now starting to blend IDS signature matching and other technology into their products, which has the effect of creating a combined firewall and IPS.

All of these technologies are infamous for false positives -- alerting on benign events -- and false negatives -- missing new or previously unknown events. Anomaly detection and looking at system calls for truly malicious events are two ways of combating the latter. Tuning and "targeted" IDS are methods of reducing the former.

For more info on this topic, please visit these SearchSecurity.com resources:
  • Best Web Links: Intrusion detection
  • Guest Commentary: Intrusion detection is not dead but evolving into intrusion prevention
  • Web Security Tip: Evaluating and tuning an intrusion-detection system
  • This was last published in January 2004

    Dig Deeper on Network intrusion detection and prevention (IDS-IPS)

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.