Definition
Intrusion Detection System
A passive system for the detection of harmful activities in a computer or a network. It is an observation system and, hence, does not prevent those activities.
Responsibilities
- collecting data
- detecting attacks
- triggering alarm
Intrusion and Incident Response
Intrusion Response
Measures automatically initiated by the systems are called “Intrusion Response”.
Incident Response
Definition
Technical and organisational measures taken in response to malicious activities in a computer or a network.
Types
Host-based IDS (HIDS)
HIDS are installed directly on the user’s host machine and use host sensors to detect malicious activities. For example, the following data could be observed:
- log files
- network traffic
- user input (clicks, keystrokes, …)
- kernel information
- registry
- …
Due to their nature, they can detect attacks, such as:
- permission violations
- failed logins
- Trojans
Types of HIDS:
- System Integrity Verifiers (SIV): Check the integrity of system files, permissions, registry entries, settings, …
- Log File Monitors (LFM): Monitor the log files of system services
- Deception Systems (DCS): Emulate intentional security vulnerabilities to monitor and learn the patterns of new, still unknown, malicious activities
- Honeypots: Distract attackers from attacking the “real system” to detect new attack patterns, similar to DCS
Benefits of HIDS:
- comprehensive analysis of the host device is possible
- analysis is very specific
- encryption does not affect the analysis
Drawbacks of HIDS:
- must be installed on the host machine → high uncertainty
- OS-specific and application-specific → not every application is supported by HIDS
- visible to the host machine’s users → HIDS can be affected by client-side attacks
- if system affected → HIDS affected
Network-based IDS (NIDS)
NIDS monitor the network traffic of entire networks. They are installed on intermediate devices to intercept incoming and outgoing traffic. Hence, they are capable of detecting malicious activities that affect multiple devices.
Problem: If the amount of data exceeds the bandwidth of the sensor, packets are dropped, meaning seamless monitoring is not guaranteed.
Common Network-based Attacks:
- network scans
- port scans across multiple hosts
- increasing number of TCP connection attempts
Benefits of NIDS:
- no further load for the end devices
- detection of attacks targeting multiple devices
- “invisible” for attackers → harder to attack than HIDS
- able to monitor entire networks
Drawbacks of NIDS:
- seamless monitoring not guaranteed
- limited in understanding attack patterns
- can’t intercept encrypted data
- error-prone
Analysis Procedures
Types of Analyses:
- Signature analysis: Only detects known attacks. It often compares hashes of the traffic with hashes from a database of known malicious hashes.
- Anomaly detection (heuristics): Can detect unknown attacks.
- Policy-based: policies are pre-defined per type of network device
- Honeypot-based: any access to a honeypot is always an anomaly
- Statistics: correlation, AI, machine learning, neural networks → allow the detection of time- and location-independent attacks
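The signature-versus-anomaly distinction above, applied to the network-based attacks listed under NIDS (port scans across multiple hosts), as an added example that is not part of the original notes. The connection-log format, the forbidden-port set and the thresholds are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample of connection-log lines (not from any real sensor):
# "<second> <src_ip> <dst_ip> <dst_port> <tcp_flags>"
SAMPLE_LOG = """\
1 10.0.0.5 192.168.1.10 443 S
2 10.0.0.5 192.168.1.10 443 S
3 10.0.0.9 192.168.1.10 22 S
4 10.0.0.9 192.168.1.11 22 S
5 10.0.0.9 192.168.1.12 22 S
6 10.0.0.9 192.168.1.13 22 S
7 10.0.0.9 192.168.1.14 22 S
8 10.0.0.9 192.168.1.15 22 S
9 10.0.0.7 192.168.1.10 80 S
10 10.0.0.7 192.168.1.10 23 S
"""

# Signature/policy rule: ports that, by assumption, no host on this
# network may expose. Known patterns only; nothing else will ever match.
FORBIDDEN_PORTS = {23, 445}


def parse(log_text):
    """Yield (second, src, dst, port) tuples from the constructed format."""
    for line in log_text.splitlines():
        m = re.match(r"(\d+) (\S+) (\S+) (\d+) (\S+)$", line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3), int(m.group(4))


def signature_alerts(log_text):
    """Signature analysis: fire only on connections matching the known list."""
    return [(src, dst, port) for _, src, dst, port in parse(log_text)
            if port in FORBIDDEN_PORTS]


def scan_alerts(log_text, window=10, max_hosts=3):
    """Anomaly (statistical) rule: one source contacting more than
    `max_hosts` distinct destinations within `window` seconds is reported
    as a host sweep, without any prior knowledge of the attack."""
    seen = defaultdict(list)  # src -> [(second, dst), ...]
    alerts = set()
    for second, src, dst, _ in parse(log_text):
        seen[src].append((second, dst))
        recent = {d for s, d in seen[src] if second - s < window}
        if len(recent) > max_hosts:
            alerts.add(src)
    return sorted(alerts)
```

Note that the sweep from 10.0.0.9 produces no signature alert at all (port 22 is allowed), while the telnet attempt from 10.0.0.7 is caught only by the signature rule; a sensor that dropped packets under load (the bandwidth problem noted above) could push the sweep below the anomaly threshold.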
Products
- Snort
- Samhain
- Prelude
- …