Intrusion detection system – Part I (The basics)

By | 04/10/2012

In this insecure world of internet where even the governments are struggling against intrusions then there has to be a safeguard that can help companies and individuals to strengthen the defence and retaliation capabilities of their computers. So, In this article we will discuss the basics of Intrusion detection systems or IDS.

Intrusion detection system

 

What is an intrusion?

Before Jumping on to Intrusion detection systems, lets first understand what is an intrusion? An Intrusion is a illegal access to a computer system through which a cracker can steal or compromise the information from your system. An example of larger scale computer system intrusion is where a cracker intrudes into a server of a company and steals information of thousands of credit cards and their owners. A small scale computer system intrusion is where a script kiddie intrudes into the system of a school/college rival and steals e-mail, Facebook, twitter passwords. These type of intrusions can be done through Trojans, back-doors etc.

So we see that the damage that can be caused by a computer system intrusion is limitless so this is where intrusion detection systems comes to rescue.

What is an Intrusion detection system(IDS)?

An intrusion detection system is a hardware or software that is used to detect any intrusion that takes place inside a network or a computer system. An IDS continuously monitors the network or a computer system for any suspicious or malicious activity and as soon as it detects any such kind of activity, it logs information about it, analyses it and alarms the system or network administrator.

How it works?

An intrusion detection system works by analysing both incoming and outgoing traffic for some suspicious activity. It achieves this by analysing the pattern of traffic. If the pattern is found to be suspicious then it starts analysing the traffic closely to see if its a real threat or not. As a part of analysis it can reassemble the fragmented packets into a complete packet.

There are two ways in which an intrusion detection system can analyse the traffic :

  • Profile based analysis : In this type of analysis, the IDS system first collects the pattern of inbound and outbound traffic in a normal scenario and based on this information it generates a profile. This profile acts a source of comparison for the intrusion detection system. An IDS monitors the traffic in real time by comparing it with this profile and when and deviation is detected, it starts analysing the traffic closely for a possibility of intrusion.
  • Signature based analysis : In this type of analysis, the intrusion detection system has a database of signatures against which the comparison of the live traffic patterns are done. A signature can be thought of a traffic pattern that has been already detected as an intrusion. So larger data base of these signatures are available with the IDS and act as templates when analysis of live traffic is done in this mode.

Both the type of analysis (as described above) have some weaknesses.

  • Profile based analysis is more likely to raise a false alarm as change in traffic profiles happen frequently and not every change detected can be an intrusion attempt. Also, with ever changing network topologies its hard to maintain a standard profile against which the pattern matching can be done.
  • Signature based analysis  on the other end compares with a known data base of patterns known as signatures. So this type of analysis cannot determine any new kind of intrusion pattern. Also, if a known pattern or a signature is applied step wise  by an intruder over a long period of time gaps then also this analysis is not guaranteed to produce correct results.

Types of Intrusion detection systems

If broadly classified there are two types of IDS systems :

  1. Network Intrusion detection systems(NIDS) : These type of intrusion detection systems are strategically placed in the network so that they can analyse the data flowing inbound and outbound in a network. NIDS generally work in promiscuous mode. These devices access the network entities like hubs, switches etc. to carry out their work. As soon as NIDS detects an intrusion, it raises an alarm at the central management node from where the network administrator can get the details about the intrusion and can take appropriate action.
  2. Host based Intrusion detection systems(HIDS) : These types of intrusion detection systems  are used for monitoring the inbound and outbound traffic for an individual host. A host based IDS checks for any manipulation that may occur with password files, standard binaries, access control files etc. It also analyses the system calls that are made by various software applications. A host based IDS can specifically check the presence of back-doors and Trojans and can alarm the system/network administrator about the same.

Intrusion detection systems Vs Firewalls

A firewall is different from an IDS in following ways :

  • A firewall only checks an intrusion and takes appropriate action. It generally does not raise an alarm to a system user or a network administrator about any malicious activity. On the other end an IDS is capable of generating alarms for suspicious connections or data packets.
  • A firewall generally checks the incoming traffic but rarely checks the outgoing traffic assuming that the outgoing traffic is trustworthy. On the other end an IDS checks both inbound and outbound data traffic.
  • A basic intrusion detection system can only raise alarm about an intrusion but a firewall is capable of taking action on the packets and related connections that it deems non-trustworthy.

Limitations of Intrusion detection systems

  • An IDS should be able to process millions of packets within a very short span of time. This requires very high end computer systems hardware and very optimized IDS software code.
  • As an IDS can reassemble fragmented packets to form the original packet so IDS systems may have huge memory requirements as these system process hundreds of connects and packets related to them in parallel.
  • As IDS is not magic or power from another world, it can sometimes raise false alarms.
  • A IDS in general is capable of generating alarms only. It cannot take any action on its own.

Note that now days there are Intrusion prevention systems (IPS) that hold the capability to take actions too.

Some useful links

  • SNORT         (A network based Intrusion detection system)
  • TRIPWIRE    (A host based Intrusion detection system)

One thought on “Intrusion detection system – Part I (The basics)

Leave a Reply

Your email address will not be published. Required fields are marked *