Wednesday 24 April 2013

Intrusion detection system

Intrusion Detection System (IDS)
A computer intrusion is a sequence of events that breaches the security of a system. Such events must be detected proactively in order to guarantee the confidentiality, integrity and availability of a computer system's resources. An intrusion into an information system is malicious activity that compromises its security (e.g. integrity, confidentiality and availability) through a series of events in the information system. For example, an intrusion may compromise the integrity and confidentiality of an information system by gaining root-level access and then modifying and stealing information. Another type is the denial-of-service intrusion, which compromises the availability of an information system by flooding a server with an overwhelming number of service requests over a short period of time, making services unavailable to legitimate users. D. Yang, A. Usynin and W. Hines describe intrusion and intrusion detection as: "Any action that is not legally allowed for a user to take towards an information system is called intrusion and intrusion detection is a process of detecting and tracing inappropriate, and incorrect, or anomalous activity targeted at computing and networking resources".

Why we need Intrusion Detection System
To guarantee the integrity, confidentiality and availability of computer system resources, we need a system that supervises events, processes and actions within an information system [1]. The limitations of traditional methods, misconfigured access control policies and misconfigured firewall policies in computer systems and network security systems (the basic motivation being to prevent security failures), along with the increasing number of exploitable bugs in computer network software, have made it obvious that security-oriented monitoring systems are needed to supervise system events in the context of security violations [1].
These traditional systems do not notify the system administrator about misuse or anomalous events in the system. We therefore need a system that provides proactive decisions about misuse or anomalous events, which is why the importance of intrusion detection systems has been growing over the last two decades. Nowadays an intrusion detection system plays a vital role in an organization's computer security infrastructure.

Host-based and Network-based

Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) are either host-based (HIDS or HIPS) or network-based (NIDS or NIPS).
  • Host-based. A host-based system is installed on a single computer such as a workstation or server. Its goal is to protect local resources on the host and it can detect attacks or intrusions on this system, but it cannot detect attacks on other systems.
  • Network-based. A network-based system monitors network activity and will include multiple sensors installed on network devices such as routers and firewalls. These sensors report activity back to a central monitoring console. It can detect network-based attacks, but it cannot detect anomalies on individual systems.

Detection Methods

IDSs and IPSs primarily detect intrusions using one of two methods, knowledge-based or behavior-based (also called anomaly-based).
  • Knowledge-based. This uses a database of known attack patterns and is similar to the signature file used to detect different types of viruses. It is also called signature-based and definition-based. The key is that the intrusion is using a known method that can be recognized. It’s important to keep antivirus definitions up-to-date to detect emerging threats. Likewise, it’s important to keep a knowledge-based IDPS signature file up-to-date.
  • Anomaly-based. Anomaly-based detection starts by creating a baseline of normal behavior. This baseline can take days or even weeks to create and is often called a training period. After the baseline is created, it then monitors activity and can report when activity varies from the baseline. For example, if network bandwidth usage is typically at 50 percent utilization for a specific connection, but increases to 95 percent sustained utilization, it indicates a change from the norm or an anomaly and will raise an alert. If the environment is updated or changed, the baseline needs to be updated.
Another method is known as stateful protocol analysis (also called deep packet inspection). In this method, traffic is examined for suspicious activity based on the protocol. For example, a typical File Transfer Protocol (FTP) session follows a predictable pattern where a user authenticates and then begins issuing commands. However, if the session deviates from the pattern, perhaps with the user issuing commands without authenticating, it may indicate an attack.
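The two techniques just described, a baseline built over a training period and a stateful check of an FTP session, can be shown in a few lines. The code below is an added example and is not from the original post; the training samples, the session transcripts, the three-standard-deviation cutoff and the simplified FTP login state machine are all assumptions made for illustration.

```python
from statistics import mean, pstdev

# Constructed sample: link utilization (percent) sampled during the
# training period. Hypothetical values, chosen to sit around 50 percent.
TRAINING_UTIL = [48, 52, 50, 47, 53, 49, 51, 50, 46, 54]


def build_baseline(samples):
    """Summarise the training period as a mean and population std. deviation."""
    return {"mean": mean(samples), "stdev": pstdev(samples)}


def is_anomalous(observed, baseline, sigmas=3.0):
    """Anomaly-based check: flag an observation that lies more than
    `sigmas` standard deviations from the baseline mean. The 3-sigma
    cutoff is an assumed tuning knob, not a standard value."""
    return abs(observed - baseline["mean"]) > sigmas * baseline["stdev"]


# Commands a client may legitimately send before it has authenticated
# (assumed allow-list for this simplified model).
PRE_AUTH_OK = {"USER", "PASS", "QUIT", "FEAT", "AUTH"}


def analyse_ftp_session(commands):
    """Stateful protocol analysis: walk one session's client commands
    through a simplified FTP login state machine and return the list of
    violations, i.e. commands issued before authentication completed."""
    state = "NEED_USER"
    violations = []
    for line in commands:
        verb = line.split(" ", 1)[0].upper()
        if state == "NEED_USER":
            if verb == "USER":
                state = "NEED_PASS"
            elif verb == "PASS":
                violations.append("PASS issued before USER")
            elif verb not in PRE_AUTH_OK:
                violations.append(f"{verb} issued before USER")
        elif state == "NEED_PASS":
            if verb == "PASS":
                state = "AUTHENTICATED"
            elif verb == "USER":
                pass  # client restarted the login; stay in NEED_PASS
            elif verb not in PRE_AUTH_OK:
                violations.append(f"{verb} issued before PASS")
        # AUTHENTICATED: any command is acceptable to this simplified check
    return violations


# Constructed session transcripts (client side only).
NORMAL_SESSION = ["USER alice", "PASS hunter2", "CWD /pub", "LIST", "RETR notes.txt", "QUIT"]
SUSPICIOUS_SESSION = ["LIST", "RETR notes.txt", "QUIT"]


if __name__ == "__main__":
    base = build_baseline(TRAINING_UTIL)
    for util in (55, 95):
        print(f"utilization {util}% anomalous: {is_anomalous(util, base)}")
    print("normal session:", analyse_ftp_session(NORMAL_SESSION))
    print("suspicious session:", analyse_ftp_session(SUSPICIOUS_SESSION))
```

With the sample training data the baseline mean is 50 percent with a standard deviation of about 2.45, so 55 percent stays within the band while 95 percent is reported. The session check shows why stateful analysis catches what a signature cannot: LIST and RETR are legitimate commands, and only their position relative to the login exchange makes them suspicious. As the text notes, a change to the environment (a new link capacity, a server that allows anonymous browsing before login) means the baseline or the state machine has to be updated, or the detector will generate false alarms.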
False Alarms

Both knowledge-based and anomaly-based systems are susceptible to false alarms (also called false alerts and false positives). In other words, they may report an attack that isn’t actually an attack. The goal of security administrators is to reduce the number of false alarms to a minimum, while also ensuring that actual attacks are reported.
Thresholds are used to set the limit between normal behavior and abnormal behavior that may indicate a potential attack. As an example, consider a TCP SYN flood attack where an attacker sends a SYN packet but not the ACK packet to complete a connection. If this happened once in a ten minute period, it probably isn’t an attack. If it happened one thousand times within a minute, it very likely is an attack. An IDS would use some number between 1 and 1,000 as the threshold and when that number is reached, it raises an alert.
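A threshold-based detector for the SYN flood case above, written as an added example rather than code from the post. It counts half-open handshakes (a SYN with no completing ACK yet) per source inside a sliding window and raises an alert when the count reaches the threshold. The log format, the source addresses (taken from documentation ranges), the window length and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict, deque

# Assumed one-line-per-packet log format, e.g. "t=5.03 src=198.51.100.7 flags=S"
LOG_RE = re.compile(r"t=(?P<t>[\d.]+) src=(?P<src>\S+) flags=(?P<flags>\S+)")


def parse(line):
    """Return (time, src, flags) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return float(m["t"]), m["src"], m["flags"]


def detect_syn_flood(lines, threshold=500, window=60.0):
    """Return one alert (time, src, half_open_count) per source whose number
    of half-open handshakes inside the last `window` seconds reaches
    `threshold`. An ACK from the source retires its oldest outstanding SYN
    (a simplification: real trackers match on the full 4-tuple)."""
    half_open = defaultdict(deque)  # src -> timestamps of unanswered SYNs
    alerts, alerted = [], set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # ignore malformed lines rather than crash the sensor
        t, src, flags = rec
        q = half_open[src]
        while q and t - q[0] > window:  # expire SYNs that fell out of the window
            q.popleft()
        if flags == "S":
            q.append(t)
        elif "A" in flags and q:
            q.popleft()  # handshake completed
        if len(q) >= threshold and src not in alerted:
            alerts.append((t, src, len(q)))
            alerted.add(src)
    return alerts


def build_sample_log():
    """Constructed traffic: one lone SYN, three complete handshakes from a
    normal client, then 1,000 SYNs in 30 seconds from a single source."""
    lines = ["t=0.00 src=203.0.113.4 flags=S"]
    for k in range(3):
        lines.append(f"t={1 + k:.2f} src=192.0.2.10 flags=S")
        lines.append(f"t={1 + k + 0.01:.2f} src=192.0.2.10 flags=A")
    for i in range(1000):
        lines.append(f"t={5 + i * 0.03:.2f} src=198.51.100.7 flags=S")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    print("threshold=500:", detect_syn_flood(SAMPLE_LOG, threshold=500))
    print("threshold=1:  ", detect_syn_flood(SAMPLE_LOG, threshold=1))
```

Running it with a threshold of 500 produces a single alert for the flooding source once its 500th unanswered SYN arrives; the lone SYN and the client that completes its handshakes stay silent. Dropping the threshold to 1 makes every source alert, including the two benign ones, which is exactly the false-alarm trade-off the text describes: the administrator picks the number so that the one-in-ten-minutes case is ignored and the thousand-in-a-minute case is caught.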

Responses

When an IDS or IPS detects a potential intrusion it can respond either passively or actively.
  • Passive. A passive response will log the event and possibly provide a notification. The notification can be an email, text message, or page sent to key personnel, or perhaps a pop-up dialog box on the system.
  • Active. An active response will include the passive capability but will also take action to block the attack. It may terminate a connection or modify the access control list (ACL) on a router or firewall to block the attack.

IDS vs IPS

Active intrusion detection systems are often called intrusion prevention systems but this isn’t always the case. The distinguishing difference is that an IPS is placed inline with the traffic. In other words, all traffic to a network passes through an IPS, giving the IPS the ability to block malicious traffic before it reaches its target. In contrast, an active IDS may be able to block an attack but if it is not placed inline with the traffic, it can only block it after the attack has started.
