Introduction to intrusion detection systems (IDS)
Last week we looked into one of the standard techniques in defending our networks and systems – firewalls – which allow us to hide sensitive systems from untrusted networks.
However, there will still be services that we need to leave accessible to the outside world, and we need to take measures to protect such services as well.
This week we are taking our defences a step further and will look into detecting cyber attacks using intrusion detection systems (IDS). We will do a simple set up of an IDS and look into detecting two common attacks on a server.
Simple firewall and antivirus packages are no longer sufficient to protect an organisation’s network from cyber attacks. We need to have a very good idea of what is happening on our networks and systems and proactively control it, i.e. we need to monitor the traffic moving across our networks, analyse it so that we can detect any anomalies or malicious activities, and respond to such events. We are now talking about defence in depth: a multi-layered approach to network security. As part of this, we deploy intrusion detection/prevention systems at critical points in our network and/or on critical systems.
IDSs can be divided into two types depending on where they operate:
Network-based IDS (NIDS) are dedicated network devices which monitor and log network traffic. This traffic is then analysed in order to detect any malicious activities.
Host-based IDS (HIDS) are software based and run on the end-points (servers and workstations). They monitor the activities on those systems (eg network connections, running processes, the file system, etc) in order to detect malicious activity.
Further, IDSs can be classified into two types depending on the method they use to analyse the collected data:
Signature-based IDS use a set of pre-defined rules describing malicious activities and will raise an alert when a particular rule is matched in the data.
Anomaly-based IDS typically deploy machine learning algorithms in order to profile what normal network traffic (or system state) looks like – they will then raise an alert when the monitored data does not match the profile of normal operations.
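To make the two analysis methods concrete, here is a small added illustration (not part of the course material or of any real IDS product) that runs both approaches over a constructed set of connection records: the signature detector matches pre-defined rules against request payloads, while the anomaly detector builds a baseline of how many distinct ports a normal host contacts and flags hosts that deviate from it. The event data, rule names and baseline figures are all made up for the example.

```python
import re
import statistics

# Constructed sample of connection records (not real traffic):
# (source IP, destination port, request payload). The last source
# touches 60 different ports, which no host in the baseline does.
SAMPLE_EVENTS = [
    ("10.0.0.5", 80, "GET /index.html HTTP/1.1"),
    ("10.0.0.5", 80, "GET /about.html HTTP/1.1"),
    ("10.0.0.7", 22, "SSH-2.0-OpenSSH_8.9"),
    ("10.0.0.9", 80, "GET /login?user=admin' OR '1'='1 HTTP/1.1"),
    *[("10.0.0.42", p, "SYN") for p in range(1, 61)],
]

# Distinct destination ports contacted per host during a "normal" period
# (constructed baseline profile used by the anomaly detector).
BASELINE_PORT_COUNTS = [1, 1, 2, 1, 1, 2, 1]

# Signature-based: a hand-written rule set describing known-bad payloads.
SIGNATURES = {
    "sql-injection-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}


def signature_alerts(events):
    """Raise an alert whenever a payload matches one of the pre-defined rules."""
    alerts = []
    for src, port, payload in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                alerts.append((name, src, port))
    return alerts


def anomaly_alerts(events, baseline_counts, k=3.0):
    """Flag sources whose distinct-port count lies more than k standard
    deviations above the baseline profile of normal hosts."""
    mean = statistics.mean(baseline_counts)
    stdev = statistics.pstdev(baseline_counts) or 1.0  # avoid division by zero
    ports_per_src = {}
    for src, port, _ in events:
        ports_per_src.setdefault(src, set()).add(port)
    return [(src, len(ports)) for src, ports in ports_per_src.items()
            if (len(ports) - mean) / stdev > k]


if __name__ == "__main__":
    print("signature alerts:", signature_alerts(SAMPLE_EVENTS))
    print("anomaly alerts:", anomaly_alerts(SAMPLE_EVENTS, BASELINE_PORT_COUNTS))
```

Note that each method catches what the other misses: the injection attempt matches a rule but looks statistically normal, whereas the host sweeping 60 ports matches no rule but stands far outside the baseline.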
Intrusion prevention systems (IPS) take the functionality of an IDS a step further by being able to take action in response to a potential attack, eg blocking traffic or a system operation if it is classified as malicious. The Snort NIDS can operate as an IPS. Some firewalls and antivirus packages now also contain basic IDS/IPS functionality.
We will look in greater detail at IDS/IPS systems, how and where to set them up and configure them, and how to act on their alerts later in this course and in other courses in the degree. In the next exercise we will have our first look at how an IDS can be used to detect some common attacks.
© Coventry University. CC BY-NC 4.0