As the name suggests, an intrusion detection system (IDS) monitors network traffic for suspicious activities and alerts the system or network administrator if any deviation is found.
In some cases, the IDS has response logic built in and reacts to anomalous or malicious traffic by, for example, blocking the offending user or source IP address from the network. A system that sits inline and blocks traffic, rather than only alerting, is usually called an intrusion prevention system (IPS).
An IDS can be categorized into the following three types:
- Host-based intrusion detection system (HIDS): The IDS runs on the host itself and examines that host's own data (log files, system files, the registry, running processes) for traces of attack. HIDS are a cost-effective option for small to medium-sized networks, and in a multi-tiered security architecture a HIDS adds a further layer by detecting attacks that the other security tools missed. Because it works at host level, a HIDS sees resources such as memory, the registry and system files directly, which a network sensor cannot.
- Network-based intrusion detection system (NIDS): The IDS sits on the network and inspects the traffic passing a chosen point. Most NIDS are pattern (signature) based: they compare packets against rules describing known attacks and report traffic that is unauthorized or inappropriate for the given network.
- Hybrid intrusion detection system: Combines host-based and network-based detection and correlates events from both.
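To make the host-based case concrete, here is an added example (not code from the original article) of the kind of check a HIDS runs over a host's own log files: it scans sshd log lines for repeated failed logins from one source inside a time window and raises one alert per offending source. The log lines are constructed for the example, and the threshold, window size and assumed log year are arbitrary choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in syslog/sshd format (the year is not logged); not real data.
SAMPLE_LOG = """\
Mar 10 08:00:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 10 08:00:03 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Mar 10 08:00:04 host1 sshd[1202]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar 10 08:00:05 host1 sshd[1203]: Failed password for root from 203.0.113.7 port 51237 ssh2
Mar 10 08:00:06 host1 sshd[1204]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar 10 08:00:09 host1 sshd[1205]: Accepted publickey for alice from 198.51.100.5 port 40000 ssh2
Mar 10 08:15:00 host1 sshd[1300]: Failed password for bob from 198.51.100.9 port 40100 ssh2
Mar 10 08:20:00 host1 sshd[1301]: Failed password for bob from 198.51.100.9 port 40101 ssh2
"""

# Only "Failed password" lines are of interest; "invalid user" is optional in sshd's format.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_ts(ts, year=2024):
    """Syslog timestamps carry no year; the year is an assumption for the example."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Return one alert per source IP that produced >= threshold failed logins
    within any window_s-second span. A per-source sliding window (deque of
    timestamps) is kept so old failures age out instead of accumulating."""
    windows = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        src = m.group("src")
        t = parse_ts(m.group("ts"))
        q = windows[src]
        q.append(t)
        while (t - q[0]).total_seconds() > window_s:
            q.popleft()  # drop failures older than the window
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "count": len(q), "first": q[0], "last": t})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT brute force from {a['src']}: {a['count']} failures "
              f"between {a['first'].time()} and {a['last'].time()}")
```

The two failures from 198.51.100.9 are five minutes apart, so they age out of the 60-second window and never reach the threshold; only 203.0.113.7, with five failures in six seconds, is reported. Tuning these two numbers is exactly the false-alarm administration the article describes later.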
Components of Multi-tier IDS
A multi-tier IDS architecture consists of:
- Sensors: Collect data from network interfaces, log files and other information sources.
- Analyzers or Agents: Analyze the input provided by the sensors for the individual hosts they are assigned to.
- Manager: Provides the master control capability for an IDS or IPS. When an agent determines that an attack has occurred or is occurring, it forwards the related information to the manager, which correlates alerts from all agents, stores them and notifies operators (or, in an IPS, triggers a response).
Sensors can be placed in different patterns; the more common ones are:
- Outside the exterior firewall: Sensors placed outside the exterior firewall record attacks that originate from the Internet, including those the firewall then blocks.
- Inside the network protected by the firewall: Sensors placed inside mainly record attacks that originate from the internal network, together with attacks that got past the security fencing implemented by the external firewall.
- Both locations (outside and inside the firewall-protected network): Used for highly secure networks such as defence establishments and research organizations, where a high degree of security and monitoring is required; comparing the two views also shows which attacks the firewall actually stopped.
Pros & Cons of Using IDS Agents
Advantages of using IDS agents:
- Independence: Agents run independently of one another, so if some agents go down for any reason the other agents keep functioning.
- Scalability & Adaptability: Agents are highly adaptable and can be deployed for both large and small intrusion detection and intrusion prevention deployments.
- Efficiency: Because each agent is simple and deals with an independent function, agents are efficient.
Disadvantages of using IDS agents:
- False Alarms: Agents are known to raise a large number of false alarms, which causes a variety of problems in the security framework, not least that genuine alerts get lost among them.
- Dedicated Administration: Maintaining IDS agents requires continuous, dedicated administration: the agents must be tuned to the organization's requirements, configured to minimize false alarms and monitored continuously for bottlenecks.
- Resource Consumption: IDS agents consume memory and CPU on the hosts they run on, which can create performance bottlenecks and affect the reliability of both the host and the IDS.
Network-based IDS in Heavily Switched Environment
Hubs and switches connect the systems and servers in a network. A hub has no concept of a connection: it repeats every frame to every port, so in a hub environment an IDS sensor can be placed almost anywhere and still see all traffic. A switch learns which MAC address sits behind which port and forwards a unicast frame only to the destination port, so a sensor on any other port sees only broadcast and multicast traffic and frames addressed to itself; it cannot monitor the connection between the switch and a client machine.
The various options to overcome this constraint are to use either one or a combination of the following:
Spanning Ports
A spanning (mirror, or SPAN) port configures the switch to copy the frames of one or more source ports to a monitoring port, much as a hub would repeat them. You configure the switch to mirror the port the monitored machine is on to the port the IDS sensor is on; the mirror can copy transmitted frames, received frames or both.
Disadvantages include:
- Not all switches support a spanning port.
- A spanning port is not 100 percent reliable: the mirrored copy has lower priority than real forwarding, so under load the switch drops mirrored frames rather than delaying traffic, and errored frames (for example those with bad CRCs) are usually not copied at all.
- Monitoring multiple machines is limited: switches support only a small number of mirror sessions, and mirroring several busy ports to one destination port can exceed that port's capacity, so frames are silently lost.
Hubs
The next option is to place a hub between the two ends of the connection to be monitored. If you place a hub between the client machine and the switch, the hub repeats every frame to all of its ports, so an IDS sensor plugged into the hub sees all traffic passing through it.
Disadvantages include:
- Only suitable for a single machine.
- Several machines on the hub would share one collision domain, causing collisions and contention and removing the benefits of a switched network.
- Setting up a fault-tolerant hub would be costly.
Test Access Ports (TAPs)
A TAP creates a permanent access port for passive monitoring. It counts as a passive network device because it does not act on the traffic: the frames between the two devices pass through unchanged and undelayed, and the TAP sends a copy to the monitoring port by splitting the optical signal or electrically regenerating the copper signal. A TAP can be installed to monitor the traffic between any two network devices, such as switches, routers and firewalls, and unlike a spanning port it is unaffected by switch load and copies every frame, errored ones included.
Heuristics in IDS
In IDS terminology, heuristics refers to detection that does not depend on a fixed list of attack signatures: the IDS builds a model of what normal activity looks like and reports deviations from it, sometimes using machine-learning (loosely, Artificial Intelligence) techniques.
In practice, the IDS identifies anomalies by comparing current traffic with a baseline of the traffic pattern observed over a period of time, so how representative that baseline period was largely determines how many false alarms the heuristic raises.
Heuristic detection is still developing. Much of the current work concentrates on rule languages that combine pattern matching with programming constructs (state, counters, thresholds) so that malicious activity can be described, and learned, more accurately than a static pattern alone allows.
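The contrast between the pattern-based NIDS described earlier and heuristic detection, as an added example that is not part of the original article: the first function matches payloads against fixed signatures, the second learns a per-host baseline from a training period and flags hosts that deviate from it. The flow records, the two signatures, the chosen feature (distinct destination ports per source) and the threshold are all assumptions constructed for the example.

```python
import re
import statistics

# Constructed flow records as (src, dst, dport, payload excerpt); not captured traffic.
TRAINING = [
    ("10.0.0.5", "10.0.0.20", 80, "GET / HTTP/1.1"),
    ("10.0.0.5", "10.0.0.21", 443, ""),
    ("10.0.0.6", "10.0.0.20", 80, "GET / HTTP/1.1"),
    ("10.0.0.6", "10.0.0.22", 25, "EHLO mail"),
    ("10.0.0.6", "10.0.0.23", 53, ""),
    ("10.0.0.7", "10.0.0.20", 80, ""),
    ("10.0.0.7", "10.0.0.21", 443, ""),
    ("10.0.0.8", "10.0.0.20", 80, ""),
    ("10.0.0.8", "10.0.0.22", 25, ""),
    ("10.0.0.8", "10.0.0.23", 53, ""),
]

# Observation period: one host sends an injection attempt at normal volume,
# another contacts twelve ports with empty payloads (a port scan).
OBSERVED = [
    ("10.0.0.5", "10.0.0.20", 80, "GET /item?id=1 UNION SELECT user,pass FROM users HTTP/1.1"),
    ("10.0.0.5", "10.0.0.21", 443, ""),
    ("10.0.0.5", "10.0.0.23", 53, ""),
] + [("10.0.0.99", "10.0.0.20", p, "")
     for p in (21, 22, 23, 25, 80, 110, 139, 443, 445, 3306, 3389, 8080)]

# Pattern-based rules: precise for what they describe, blind to everything else.
SIGNATURES = {
    "sqli-union": re.compile(r"union\s+select", re.I),
    "path-traversal": re.compile(r"\.\./\.\./"),
}


def signature_alerts(records):
    """Signature detection: report (src, rule) for every payload matching a known-bad pattern."""
    return [(src, name)
            for src, _dst, _dport, payload in records
            for name, pat in SIGNATURES.items() if pat.search(payload)]


def distinct_targets(records):
    """Per-source feature: number of distinct (dst, dport) pairs contacted."""
    per_src = {}
    for src, dst, dport, _payload in records:
        per_src.setdefault(src, set()).add((dst, dport))
    return {src: len(targets) for src, targets in per_src.items()}


def learn_baseline(records):
    """Baseline from a training period: mean and population stdev of the feature."""
    counts = list(distinct_targets(records).values())
    return statistics.mean(counts), statistics.pstdev(counts)


def anomaly_alerts(records, baseline, k=3.0):
    """Heuristic detection: flag hosts whose feature exceeds mean + k*stdev.
    The stdev floor (assumption) keeps a flat baseline from flagging every change."""
    mean, stdev = baseline
    limit = mean + k * max(stdev, 0.5)
    return [(src, n) for src, n in sorted(distinct_targets(records).items()) if n > limit]


if __name__ == "__main__":
    base = learn_baseline(TRAINING)
    print("signature:", signature_alerts(OBSERVED))   # catches the injection, misses the scan
    print("anomaly:  ", anomaly_alerts(OBSERVED, base))  # catches the scan, misses the injection
```

Each method finds what the other misses: the SQL injection attempt is a single, normal-sized request that only a pattern recognises, while the scanner's empty payloads match no signature but its twelve distinct targets stand far outside the baseline of two or three. That complementarity is why the hybrid systems described above run both.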
StudyMumbai.com is an educational resource for students, parents, and teachers, with special focus on Mumbai. Our staff includes educators with several years of experience. Our mission is to simplify learning and to provide free education. Read more about us.