Sunday, April 6, 2008

Five major types of IDS

An Intrusion Detection System, as the name implies, detects intrusions in the network, both those originating inside the network and those coming from outside.
IDS have, these days, become a vital component of the security toolbox.

This posting will provide an overview of IDS, their types, the detection techniques they employ, and various popular IDS tools that are widely used. This report also gives an overview of the Snort IDS tool, followed by a short demo showing Snort actually catching an intrusion based on the rules set. The intent of this presentation and report is to make the audience aware of the importance of IDS and to familiarize them with the usage of the Snort IDS tool.


Introduction
An Intrusion Detection System is any hardware, software, or combination of both that monitors a system or a network of systems for malicious activity. It is mainly used for detecting break-ins or misuse of the network. In short, an IDS is the ‘burglar alarm’ of the network: much like a burglar alarm, it detects the presence of an attack on the network and raises an alert. An IDS provides three functions: monitoring, detecting and generating an alert.

IDS are often thought of as a function of the firewall, but there is a thin line of difference between them. A firewall should be regarded as a fence that protects the flow of information and prevents intrusions, whereas an IDS detects whether the network is under attack or whether the security enforced by the firewall has been breached. Together, a firewall and an IDS enhance the security of the network.

An Intrusion Detection System uses a security policy (a set of rules) to detect unusual activity. These rules are defined by the administrator based on the needs of the organization. Any activity that violates this security policy is considered a security threat and is reported to the administrator via email, pager, or SNMP trap. These policies must be updated regularly to keep up with changing threats and needs.

Of the security incidents that occur on a network, the vast majority (up to 85 percent by many estimates) come from inside the network. These attacks may be carried out by otherwise authorized users, such as disgruntled employees. The remainder come from outside, in the form of denial of service attacks or attempts to penetrate the network infrastructure. Intrusion detection systems remain the only proactive means of detecting and responding to threats that stem from both inside and outside a corporate network.

Types of IDS
There are five main types of Intrusion Detection Systems:
• Host Based
• Network Based
• Stack Based
• Signature Based
• Anomaly Based

Host Based IDS
A Host Based IDS (HIDS) is installed on a host in the network. It collects and analyzes the traffic that originates from or is destined for that host. A HIDS leverages its privileged access to monitor specific components of the host that are not readily accessible to other systems: components of the operating system such as the passwd file in UNIX or the Registry in Windows can be watched for misuse. There would be great risk in making these components available to a NIDS to monitor.

Although a HIDS is far better than a NIDS at detecting malicious activity on a particular host, it has a limited view of the overall network topology and cannot detect an attack targeted at a host in the network that does not have a HIDS installed.


Network Based IDS
Network IDSs (NIDS) are placed at key points in the network infrastructure and monitor traffic as it flows to other hosts. Unlike a HIDS, a NIDS can monitor the whole network and detect malicious activity aimed at that network. The monitoring criteria for a specific host in the network can be tightened or relaxed with relative ease.

A NIDS must be able to keep up with large volumes of network traffic to remain effective. As network traffic grows exponentially, the NIDS must capture all of it and analyze it in a timely manner.


Stack Based IDS
Stack based IDS is the latest technology; it works by integrating closely with the TCP/IP stack, allowing packets to be watched as they traverse their way up the OSI layers. Watching packets in this way allows the IDS to pull a packet from the stack before the OS or application has a chance to process it.


Signature-Based IDS
A Signature-Based IDS uses a rule set to identify intrusions by watching for patterns of events specific to known and documented attacks. It is typically connected to a large database which houses attack signatures, and it compares the information it gathers against those signatures to detect a match.

These systems are normally presumed to detect only attacks “known” to their database. Thus, if the database is not updated regularly, new attacks could slip through. They can, however, detect new attacks that share characteristics with old ones, e.g., accessing 'cmd.exe' via an HTTP GET request. But in cases of new, uncataloged attacks, this technique is pretty porous.

Also, signature based IDSs may suffer in performance when intrusion patterns match several attack signatures; in such cases there is a noticeable lag. Signature definitions stored in the database need to be specific so that variations on known attacks are not missed. This sometimes leads to the build-up of huge databases which eat up a chunk of space.
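As an added illustration (not code from the original post, and not Snort's own rule base), here is a tiny signature-matching loop in Python run over a few constructed web-server log lines. The signature names, patterns and log lines are made up for this example; it shows that a "cmd.exe via HTTP GET" signature also catches a double-encoded variant of the same request once the path is decoded, while a request for an uncataloged tool raises no alert at all.

```python
import re
from urllib.parse import unquote

# Constructed signature set for this example (not Snort's rule base):
# each entry is a signature name and a pattern applied to the decoded,
# lower-cased request path.
SIGNATURES = [
    ("WEB-IIS cmd.exe access", re.compile(r"cmd\.exe")),
    ("WEB-MISC /etc/passwd access", re.compile(r"/etc/passwd")),
]

# Pull the method and path out of an Apache-style access-log line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def normalize(path):
    """Percent-decode twice (catches double-encoding) and lower-case."""
    return unquote(unquote(path)).lower()

def match_signatures(log_line):
    """Return the names of every signature that matches one log line."""
    m = LOG_RE.search(log_line)
    if not m:
        return []
    target = normalize(m.group("path"))
    return [name for name, pattern in SIGNATURES if pattern.search(target)]

def scan(lines):
    """Return (line_index, [signature names]) for every line that alerts."""
    alerts = []
    for i, line in enumerate(lines):
        hits = match_signatures(line)
        if hits:
            alerts.append((i, hits))
    return alerts

# Constructed access-log lines: a normal request, the cmd.exe request named
# in the text, a double-encoded variant of it, and an uncataloged new attack.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Apr/2008:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [06/Apr/2008:10:01:03 +0000] "GET /scripts/cmd.exe HTTP/1.0" 404 0',
    '10.0.0.9 - - [06/Apr/2008:10:01:04 +0000] "GET /scripts/cmd%252Eexe HTTP/1.0" 404 0',
    '10.0.0.9 - - [06/Apr/2008:10:01:05 +0000] "GET /cgi-bin/newtool.cgi?run=1 HTTP/1.0" 200 33',
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG):
        print(f"ALERT on line {idx}: {', '.join(hits)}")
```

The fourth line never matches because nothing in the signature set describes it, which is exactly the gap the text calls porous.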


Anomaly Based IDS
Anomaly-Based IDS examines ongoing traffic, activity, transactions and behavior in order to identify intrusions by detecting anomalies.

It works on the notion that “attack behavior” differs enough from “normal user behavior” such that it can be detected by cataloging and identifying the differences involved.

In most anomaly-based IDSs the system administrator defines the baseline of normal behavior. This includes the state of the network's traffic load, its breakdown, the protocols in use, and typical packet sizes.

Anomaly detectors monitor network segments, compare their state to the normal baseline, and look for current behavior that deviates statistically from the norm. This capability theoretically gives anomaly-based IDSs the ability to detect new attacks that are not yet known and for which no signatures have been created.

On the other hand, anomaly-based IDSs have been known to be prone to a lot of false positives. In these cases, attacks are reported because of legitimate changes to the system on which the IDS is installed: the normal state of the system has changed, but the IDS does not perceive that change as normal.

Anomaly-based IDSs can also cause heavy processing overhead on the system they are installed on. It takes a short period of time for an anomaly-based system to build statistically significant baselines, and during this period it is relatively open to attack.
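As an added example (not from the original post), the Python below builds a baseline of mean and standard deviation for three traffic features over a constructed training period, then flags later windows whose z-score exceeds a threshold. The window values, feature names and 3-sigma threshold are assumptions for this example; the last window reproduces the false-positive case from the text, where a legitimate new backup job is flagged because the baseline was never updated.

```python
import statistics
from collections import namedtuple

# One observation interval on a network segment (all values constructed).
Window = namedtuple("Window", "label pkts_per_sec avg_pkt_size tcp_fraction")
FEATURES = ("pkts_per_sec", "avg_pkt_size", "tcp_fraction")

def build_baseline(training):
    """Mean and standard deviation of each feature over the training period."""
    baseline = {}
    for f in FEATURES:
        values = [getattr(w, f) for w in training]
        baseline[f] = (statistics.mean(values), statistics.stdev(values))
    return baseline

def deviations(window, baseline, threshold=3.0):
    """Return (feature, z-score) for each feature that deviates beyond threshold."""
    flagged = []
    for f in FEATURES:
        mean, sd = baseline[f]
        if sd == 0:
            continue  # constant during training; skip rather than divide by zero
        z = abs(getattr(window, f) - mean) / sd
        if z > threshold:
            flagged.append((f, round(z, 1)))
    return flagged

def scan(observed, baseline, threshold=3.0):
    """Return (label, flagged features) for every window that raises an alert."""
    alerts = []
    for w in observed:
        flagged = deviations(w, baseline, threshold)
        if flagged:
            alerts.append((w.label, flagged))
    return alerts

# Constructed training period: twenty windows of ordinary office traffic.
TRAINING = [Window(f"t{i}", 200 + (i % 5) * 10, 600 + (i % 3) * 20, 0.90 + (i % 2) * 0.02)
            for i in range(20)]
# Constructed windows seen after the baseline is established.
OBSERVED = [
    Window("normal", 220, 620, 0.91),
    Window("port-scan", 2400, 64, 0.99),        # flood of tiny packets
    Window("new-backup-job", 900, 1400, 0.92),  # legitimate change, still flagged
]

if __name__ == "__main__":
    for label, flagged in scan(OBSERVED, build_baseline(TRAINING)):
        print(f"ALERT {label}: {flagged}")
```

Rebuilding the baseline with a few backup-job windows included in the training set makes that alert disappear while the port scan is still flagged, which is the re-baselining step the text says most anomaly-based systems leave to the administrator.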

2 comments:

Otolaryngology and Facial Plastic Surgery said...

Anomaly detection - the anomaly detection technique is a centralized process that works on the concept of a baseline for network behaviour. IDS signatures are unaware of individual hosts.

Abhay Kumar Bhumihar said...

Thanks sir
Valuable information in easy language