By Nazar Tymoshyk, SoftServe

For developers and end users of today's software, security is a matter of mounting concern, regardless of whether it is private or business data that needs protection. Many people view security exclusively in black and white: either a system has been compromised, or it is safe and sound. Digging a bit deeper, however, reveals a middle ground between these two conditions: intrusion detection.

Let's examine the crux of intrusion detection and the latest techniques emerging in the information security world.

To cut a long story short, the main task of intrusion detection is to catch the slightest signs of malicious activity and keep a record of them. Intrusion detection is not aimed at preventing suspicious traffic; rather, it monitors the protected system and logs intrusion attempts.

Intrusion Detection System vs. Intrusion Prevention System

In spite of a common misconception, IDS and IPS are not the same thing. While both stem from monitoring a protected system, their goals and the means of achieving them head in different directions.

IDS is a passive system meant to keep track of a system's traffic and log it for further reporting. By its nature, IDS is looking for a "green light" in the traffic flow: it observes and records but never intervenes. IPS works one step ahead and takes the bull by the horns by sending an alert and stopping the intrusion attempt. As opposed to IDS, it waits for the red signal and may drop the traffic if a malicious act is detected.
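To make the distinction concrete, here is an added example (not from the article) of a toy signature-based sensor run over a handful of constructed HTTP request lines, once in passive IDS mode, where every request is forwarded and matches are only logged, and once in inline IPS mode, where a match drops the request. The signature patterns, rule ids and sample traffic are all constructed for the illustration and stand in for a vendor's far larger ruleset.

```python
import re
from dataclasses import dataclass, field

# Constructed signatures for the example: (rule id, description, pattern).
# Real IDS rulesets are far larger and come from the vendor's cloud
# intelligence; these three exist only to drive the demonstration.
SIGNATURES = [
    ("1001", "directory traversal sequence in URI", re.compile(r"\.\./")),
    ("1002", "SQL comment sequence in query string", re.compile(r"--|/\*")),
    ("1003", "request for server status page", re.compile(r"^GET /server-status\b")),
]

# Constructed sample traffic, one request line per entry.
SAMPLE_TRAFFIC = [
    "GET /index.html HTTP/1.1",
    "GET /download?file=../../etc/passwd HTTP/1.1",
    "GET /search?q=shoes HTTP/1.1",
    "GET /search?q=' OR 1=1 -- HTTP/1.1",
    "GET /server-status HTTP/1.1",
]


@dataclass
class Sensor:
    """A minimal signature matcher that can run as an IDS or an IPS."""
    inline: bool                                   # False: passive IDS, True: inline IPS
    alerts: list = field(default_factory=list)     # what gets logged for the analyst
    forwarded: list = field(default_factory=list)  # what actually reaches the server

    def inspect(self, request: str) -> str:
        """Inspect one request line; return 'pass' or 'drop'."""
        hits = [(rid, desc) for rid, desc, pat in SIGNATURES if pat.search(request)]
        for rid, desc in hits:
            # Both modes record the match; for the IDS this is the whole job.
            self.alerts.append(f"[sig {rid}] {desc}: {request}")
        if hits and self.inline:
            # Only the IPS acts on the "red signal" and drops the traffic.
            return "drop"
        # The IDS forwards everything, matches included, and only reports.
        self.forwarded.append(request)
        return "pass"


def run(inline: bool, traffic=SAMPLE_TRAFFIC) -> Sensor:
    """Feed the sample traffic through a sensor in the requested mode."""
    sensor = Sensor(inline=inline)
    for request in traffic:
        sensor.inspect(request)
    return sensor


if __name__ == "__main__":
    for mode, sensor in (("IDS", run(False)), ("IPS", run(True))):
        print(f"{mode}: {len(sensor.alerts)} alerts, {len(sensor.forwarded)} forwarded")
        for line in sensor.alerts:
            print("  " + line)
```

Both modes raise the same three alerts on the sample traffic; the difference is that the IDS forwards all five requests while the IPS forwards only the two that matched nothing. That is the whole of the "green light versus red signal" distinction: same detection logic, different authority over the traffic.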

Anomaly-based IDS

Monitoring the activity of a system is mostly conducted through either anomaly-based IDS or signature-based IDS. Having proven its efficiency over time, the signature-based approach is considered the more advanced and better developed detection method, since anomaly-based IDS has a range of drawbacks:

  • It is slow and time consuming
  • It requires additional time for training
  • It creates false positives, i.e. blocks good traffic
  • Its false-negative rate has not been scientifically established
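The first three drawbacks can be seen in a few lines. The following is an added example (not from the article) of the simplest anomaly-based detector: it learns a baseline of per-minute request counts from a constructed training window and flags any minute whose count lies more than k standard deviations above the mean. The training counts, live counts and the ground-truth label are all constructed so that the example produces one false positive (a legitimate traffic burst) and one false negative (a slow scan that stays inside the learned band).

```python
import statistics

# Constructed per-minute request counts from a quiet training window.
# The detector's entire picture of "normal" comes from this data, which
# is why it needs a training period before it can be trusted at all.
TRAINING_COUNTS = [100, 104, 98, 101, 99, 103, 97, 100, 102, 99]

# Constructed live window: index 2 is a legitimate marketing burst,
# index 4 is a slow scan that keeps its rate close to the normal band.
LIVE_COUNTS = [101, 99, 180, 100, 105, 98]
ACTUALLY_MALICIOUS = {4}  # constructed ground truth for the live window


def train_baseline(counts):
    """Learn the mean and population standard deviation of the normal rate."""
    return statistics.fmean(counts), statistics.pstdev(counts)


def zscore(value, baseline):
    """Distance of a value from the baseline, in standard deviations."""
    mean, sd = baseline
    if sd == 0:
        return 0.0 if value == mean else float("inf")
    return (value - mean) / sd


def detect(counts, baseline, k=3.0):
    """Indices whose rate exceeds mean + k standard deviations."""
    return [i for i, c in enumerate(counts) if zscore(c, baseline) > k]


def evaluate(training=TRAINING_COUNTS, live=LIVE_COUNTS,
             malicious=ACTUALLY_MALICIOUS, k=3.0):
    """Compare the detector's verdicts with the constructed ground truth."""
    baseline = train_baseline(training)
    flagged = set(detect(live, baseline, k))
    return {
        "baseline": baseline,
        "flagged": sorted(flagged),
        "false_positives": sorted(flagged - malicious),
        "false_negatives": sorted(malicious - flagged),
    }


if __name__ == "__main__":
    for k in (3.0, 2.0):
        result = evaluate(k=k)
        mean, sd = result["baseline"]
        print(f"k={k}: baseline mean={mean:.1f} sd={sd:.2f} "
              f"flagged={result['flagged']} "
              f"false_positives={result['false_positives']} "
              f"false_negatives={result['false_negatives']}")
```

With k=3 the campaign burst at index 2 is flagged (a false positive that an inline deployment would block) while the scan at index 4 slips through. Lowering k to 2 catches the scan but keeps the false positive, which is the tuning trade-off behind the bullet points above: the detector is only as good as its training window and its threshold, and there is no principled way to know how many quiet attacks it has missed.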

Because anomaly-based IDS is still too raw and undeveloped, this article will not discuss it further.

Signature-based IDS

A signature-based IDS's key function is to identify all possible signs of an attack. To collect and generate signatures, most vendors use specially prepared systems, honeypots, or the heuristic methods of antivirus systems (as in the case of host-based IDS) that are able to detect suspicious activity. The retrieved data is collected into a centralized warehouse, known as cloud intelligence, for further analysis and signature creation. Given the abundance of daily attack data, these systems are based on Big Analytics.

Three Types of Intrusion Detection Systems

Today's intrusion detection systems collect data and parse it with Big Analytics to produce signatures and distribute them to each instance that requires protection. IDS may be divided into three main groups, each providing its own specific information to cloud intelligence:

  • Host-based intrusion detection systems (HIDS) that collect data via endpoint security management systems
  • Network-based intrusion detection systems (NIDS) that collect data through anomaly detection systems
  • Application-based intrusion detection systems (AIDS) that collect data by integrating a Web application firewall with dynamic application security testing systems

Host-based IDS monitors individual hosts or devices on the network. It is the oldest and probably the least harmful type of intrusion detection system. So far, any well-designed antivirus or endpoint protection product can detect unwelcome traffic and log it for further analysis.

Information collected from honeypots and AIDS is critical for network-based IDS, since the easiest way to prevent an attack is to identify it at the level of network packets.

Analysis and correlation appear to be the major challenge for NIDS, with hosts and the network being its main data providers. But the main question is: how should it arrange the retrieved data for further analysis by an intrusion detection analyst? The solution lies in a carefully thought-out design involving the interface, traffic analysis, NIDS and HIDS integration, and integration of the IDS console with the wider network architecture. This is exactly why the next couple of years will be marked by NIDS market development.

Since HIDS and NIDS are not always able to analyze data at Layer 7 of the OSI model, applications should be capable of protecting themselves independently, especially Web and mobile apps.

Application-based IDS appears to be the latest novelty in the intrusion detection field. By the principles of its operation, it may be identified with:

  • Application self-protection (with OWASP being the most well-known Web application security project)
  • Web application firewall (WAF)
  • Dynamic application security testing (DAST)

When it comes to Web applications, the majority of companies have neither the means nor the time to fix vulnerabilities. That is why the best option for handling this issue is an automated process combining WAF and DAST. Being a passive security system, a firewall by itself is not capable of recognizing bad content in the traffic. By redirecting the flow to DAST and receiving an "alert" about malicious traces, the firewall learns the corresponding rules and collects them. DAST, in its turn, produces reports on application security vulnerabilities.
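The WAF-plus-DAST loop described above amounts to virtual patching: the scanner reports where the application is weak, and the firewall turns each finding into a rule scoped to exactly that path and parameter. Here is an added example (not the article's or any vendor's code) that simulates the firewall side of that loop. The DAST report format, the per-class patterns and the request targets are constructed for the illustration; a real scanner's output and a real WAF's rule language are far richer.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed DAST report: each finding names the path and parameter the
# scanner found vulnerable and the vulnerability class.  Only the fields a
# WAF needs to scope a rule are kept here.
DAST_REPORT = [
    {"path": "/search", "param": "q", "class": "sqli"},
    {"path": "/profile", "param": "bio", "class": "xss"},
]

# Constructed per-class patterns.  Real WAF rules are more elaborate; the
# point here is that a pattern is applied only where DAST found a hole,
# which keeps the false positives of a blanket rule off the rest of the app.
CLASS_PATTERNS = {
    "sqli": re.compile(r"(?i)('|--|/\*|\bunion\b)"),
    "xss": re.compile(r"(?i)(<script|javascript:|\bon\w+\s*=)"),
}


def build_rules(report):
    """Turn each DAST finding into a virtual-patch rule scoped to path + param."""
    rules = []
    for finding in report:
        rules.append({
            "path": finding["path"],
            "param": finding["param"],
            "class": finding["class"],
            "pattern": CLASS_PATTERNS[finding["class"]],
        })
    return rules


def screen(rules, request_target):
    """Return ('allow', None) or ('block', rule name) for one request target."""
    url = urlparse(request_target)
    # parse_qs percent-decodes the values, so the rule sees what the
    # application would see rather than the encoded form on the wire.
    params = parse_qs(url.query, keep_blank_values=True)
    for rule in rules:
        if url.path != rule["path"]:
            continue  # the finding was elsewhere; this rule does not apply
        for value in params.get(rule["param"], []):
            if rule["pattern"].search(value):
                name = f"virtual-patch:{rule['class']}:{rule['path']}:{rule['param']}"
                return "block", name
    return "allow", None


if __name__ == "__main__":
    rules = build_rules(DAST_REPORT)
    # Constructed request targets exercising each rule and its scope.
    for target in ("/search?q=shoes",
                   "/search?q=%27%20OR%201%3D1%20--",
                   "/profile?bio=hello%20world",
                   "/profile?bio=%3Cscript%3Ealert(1)%3C/script%3E",
                   "/about?q=%27"):
        print(f"{target:50} -> {screen(rules, target)}")
```

The last request in the demo carries the same SQL metacharacter as the second but targets a path DAST never flagged, so it is allowed: the rule is a patch for one reported finding, not a site-wide filter. That scoping is what makes the automated loop workable for a company that cannot fix the underlying code right away, and it is also why the rules must be rebuilt whenever the scanner produces a fresh report.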

What's Ahead for IDS

This year will witness growing demand for high-quality Web application firewall systems. What's more, intrusion detection systems will receive signatures for identifying attacks on applications from honeypots connected with DAST. Anomaly-based systems will keep developing; however, their market share will remain small, as they have not yet proven their efficiency.

Nazar Tymoshyk is a highly regarded IT security and network infrastructure expert. In his role at SoftServe, Inc., Nazar specializes in many security disciplines, including computer forensics, malware analysis, intrusion detection, and mobile application security assessments. He holds a Ph.D. in Information Security from the State University, Lviv Polytechnics, is the chapter leader of OWASP in Lviv, Ukraine, and is a regular contributor to the SoftServe United blog.