What is an Intrusion Detection System (IDS)?
Photo by Flex Point Security
An intrusion detection system (IDS) monitors network traffic or system information for suspicious activity. Once an IDS discovers a potential intrusion, it typically sends the information to a security information event management system (SIEM) for suitable alerting, logging, etc.
Some IDSs can automatically respond to detected intrusions upon discovery. These are known as intrusion prevention systems (IPS).
Types of IDS
There are two main types of IDS:
- Network-based intrusion detection system (NIDS): analyses incoming network traffic.
- Host-based intrusion detection system (HIDS): monitors important operating system files.
There are typically two main techniques used by IDS for detecting an intrusion:
- Signature-based detection: analyses data for specific patterns, such as byte sequences in network traffic, or known malicious intrusion sequences in malware. Similarly to how antivirus detects malware using known signatures. Signature-based detection cannot detect new threats which have not been identified.
- Anomaly-based detection: uses statistical anomaly detection (i.e. machine learning) to create a baseline model of trustworthy behaviour. New activity is compared against the trust model. Whilst this technique can detect behaviour which signature-based detection cannot, is can suffer from false-positives whereby legitimate activity is classified as malicious.
Cyber attack are becoming most advanced and sophisticated. Many attackers are aware of IDS and will attempt to bypass such systems. Common evasion techniques include:
- Fragmentation: by splitting data into fragments, the IDS may be unable to detect an attack signature.
- Avoiding defaults: some attack signatures may state specific details such as a port number. But if an attack uses a different port number, then the attack may bypass detection.
- Coordinated, low-bandwidth attacks: an IDS may be configured to detect standard post scans. However, a coordinated scan from multiple attackers may -- segmenting the scan between them -- may bypass detection.
- Address spoofing/proxying: an attack coming from a spoofed source is difficult to detect and block. Since blocking the spoofed source won't actually block the attack.
- Pattern change evasion: IDS that rely on pattern-matching may be unable to detect an attack if small alterations have been made to the payload.
Popular intrusion detection systems
There are many IDS available to organisations and individuals. Here are some of the most popular open-source options:
- Fail2ban: an IPS software solution that protects servers from brute-force attacks
- Snort: an IDS and IPS offering a sniffer, packet logger, and network intrusion detection.
- OSSEC: a HIDS that performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting, and active response.
- Segan: offers high performance log and event analysis
- Suricata: a signature and network-based IDS and IPS