We have covered honeypots as a detection tool that runs with minimal maintenance and produces high-quality alerts, provided you choose the right honeypots and set them up correctly. Now we are going to move on to IDS, intrusion detection systems, which can require a significant amount of administration, time, tuning, man-hours and operational cost. So they are less relevant for home users and small businesses. They are ideal for enterprises with a significant budget and a security operations centre, or SOC, staffed by competent people, and enough of them.
However, even then, in my opinion many intrusion detection systems provide a poor return on security investment versus other options within the detection space, such as the honeypots and honeypot-type technologies we have already gone through, and other endpoint protection technologies.
In this article we are going to go through what intrusion detection systems are out there and how they work.
Network Intrusion Detection Systems
So first of all we have NIDS, network intrusion detection systems, which monitor, as the name suggests, network communication, often using what are called sensors. You place the sensors dotted around the network to scoop up traffic, which is then analysed. It's like having a permanent Wireshark in promiscuous mode.
So in a switched network you often put sensors on mirror (SPAN) ports, because those ports copy the traffic to the sensor so you can see all of it, and this gives you a view over the whole network. The most popular NIDS is Snort, and another popular one, which is sort of Snort on steroids, is Suricata.
Host-Based Intrusion Detection Systems
You also have HIDS, host-based intrusion detection systems, which are installed, as the name suggests, on the endpoint and analyse the activity within that particular computer system. So these give you a view over a single endpoint only. OSSEC and osquery are examples of tools that are, or can be, used as a HIDS, among other HIDS that are available.
How do intrusion detection systems detect threats?
The first type of method is signature-based: pattern matching, as you can see below, which is similar to anti-virus software, and the signatures must be continuously maintained and updated. However, you also have all the same problems we have with antivirus on a signature-based HIDS: they cannot identify new attacks and they can easily be bypassed. On the positive side, they have low false positives.
And even within signature-based detection you can define two types. You have pattern matching, which compares packets to signatures, and you also have stateful matching, which compares patterns across several activities at once.
Anomaly/Heuristic Based
Another way they work is anomaly-based, which also folds in behaviour-based or heuristic; they all sort of get folded into the same name within this arena.
These learn the normal activity in an environment and detect deviations from it. Again this is similar to AV technologies, but they can detect new attacks somewhat, and generally they require a lot of tuning.
There are three types of these. You have statistical anomaly-based versions, which create a profile of normal and compare activities to that profile. You also have protocol anomaly-based, which identifies protocols used outside their common bounds. So, for example, if someone was using DNS to tunnel traffic, it would be noticed that the traffic profile was different from regular DNS lookups.
And then you have traffic anomaly-based, which identifies unusual activity in the network traffic. So, for example, if someone starts to telnet or port scan, that would be considered an anomaly, or at least it would be if it was tuned that way. You can also have rule-based systems, which use IF-THEN rule-based programming within expert systems, and those expert systems allow for the use of artificial intelligence characteristics, machine learning and so on.
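The three detection methods above, as an added worked example that is not from the original article: a small Python pass over constructed sample events (not captured traffic) that applies a Snort-style content signature, a DNS protocol-anomaly check and a per-source port-count traffic-anomaly check. The event layout, thresholds and alert names are my assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample events, not captured traffic: (src_ip, dst_port, proto, data)
EVENTS = [
    ("10.0.0.5", 80, "http", "GET /index.html HTTP/1.1"),
    ("10.0.0.5", 80, "http", "GET /cgi-bin/../../etc/passwd HTTP/1.1"),
    ("10.0.0.5", 80, "http", "GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.1"),
    ("10.0.0.7", 53, "dns", "www.example.com"),
    ("10.0.0.7", 53, "dns", "4a6b8c0d2e4f6a8b0c2d4e6f8a0b2c4d6e8f0a1b2c3d4e5f.t.example.net"),
] + [("10.0.0.9", p, "tcp", "") for p in range(20, 36)]  # one host touching 16 ports

# Signature-based: a fixed pattern, like a Snort content rule (hypothetical rule set).
SIGNATURES = {"dir-traversal": re.compile(r"\.\./")}

def signature_alerts(events, normalise=False):
    """Pattern matching. Without decoding first, the URL-encoded variant slips
    past the signature, which is the 'easily bypassed' weakness the text describes."""
    alerts = []
    for src, _port, _proto, data in events:
        text = unquote(data) if normalise else data
        for name, pattern in SIGNATURES.items():
            if pattern.search(text):
                alerts.append((name, src))
    return alerts

def protocol_anomaly_alerts(events, max_label=30, max_labels=6):
    """Protocol anomaly: DNS names whose labels are far longer than ordinary
    lookups, the profile the text gives for DNS tunnelling."""
    alerts = []
    for src, _port, proto, data in events:
        if proto != "dns":
            continue
        labels = data.split(".")
        if max(map(len, labels)) > max_label or len(labels) > max_labels:
            alerts.append(("dns-tunnel-suspect", src))
    return alerts

def traffic_anomaly_alerts(events, port_threshold=10):
    """Traffic anomaly: one source touching many distinct ports looks like a
    port scan. The threshold is the tuning knob the text warns about."""
    ports_by_src = defaultdict(set)
    for src, port, _proto, _data in events:
        ports_by_src[src].add(port)
    return [("port-scan-suspect", src) for src, ports in ports_by_src.items()
            if len(ports) >= port_threshold]

if __name__ == "__main__":
    print(signature_alerts(EVENTS), signature_alerts(EVENTS, normalise=True))
    print(protocol_anomaly_alerts(EVENTS), traffic_anomaly_alerts(EVENTS))
```

Lowering `port_threshold` or `max_label` on real traffic is exactly where the false positives the text mentions come from, so these values would be tuned per environment.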
Application-Based Intrusion Detection Systems
You can also get application-based intrusion detection systems. These are specialised IDS products that monitor a specific application for malicious activity. Since their scope is focused on a single application, they can gather fine-grained and detailed activity. They can be used to capture very specific application attack types, but it is important to realise that these products will miss more general operating-system-based attacks, because that is not what they have been programmed to detect.
It might be important to implement this type of IDS if a critical application carries out encryption that would obfuscate its communication channels and activities from other host-based and network-based IDS, and you need to see into that encrypted traffic. You can consider a WAF, a web application firewall, as a type of application-specific IDS, or actually more an IPS, an intrusion prevention system, which brings us on to prevention.
Intrusion Prevention Systems
We were just talking about detection, but for completeness I do want to mention prevention systems as well, even though this article is about detection. So an IPS is an intrusion prevention system, a proactive technology, whereas an IDS is a detective, after-the-fact technology.
An IPS has its advantages in that it prevents, but it can also prevent activity that you require. So, for example, you would never install an IPS in a safety-critical system, or in any system where you really don't want it stopping things or generating false positives, because the IPS itself could prevent the system from working, or, through error or attack, stop the system running. So you should never install those in things like a safety-critical system, such as a SCADA system or a control system.
In the prevention space we also have wireless intrusion prevention systems, which monitor a wireless network for suspicious traffic by analysing wireless network protocols. And you also have network behaviour analysis, which examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware and policy violations.
So that is a quick roundup of intrusion detection systems and prevention systems and the methods by which they detect and prevent.