
Intrusion Detection and Intrusion Prevention Systems

23/06/2012 Article

BG

In this article we define the different kinds of intrusion detection system, namely IDS, NIDS and HIDS, and then explain intrusion prevention systems (IPS).

IDS Definition

Intrusion Detection System (IDS) is the name for the overall group of technology. IDS’ are any systems that detect attacks on services based on signatures and known baselines, and send out pre-configured alerts and/or record logs. IDS’ are further split into NIDS and HIDS: Network IDS and Host IDS.

IPS’ are similar in that they also use signatures and known baselines, and they can even send out pre-configured alerts and/or record logs, but an IPS also makes changes to the services it is looking after in order to protect them better.

NIDS Definition

Network intrusion detection systems (NIDS) are devices that sit on the network layer and analyse the traffic passing across it. A NIDS is a passive device that takes advantage of a network adapter feature called “promiscuous mode”, whereby the adapter listens to all traffic presented on its cable rather than just the packets addressed to its MAC address.

Consider switches versus hubs when deploying: a basic switch should only send the traffic intended for the device connected to each port to that port, so a NIDS on an ordinary switch port sees very little. A NIDS is better placed in-line with routers (or as part of the router), on a hub, or on a reasonably advanced switch where network ports can be mirrored onto other ports. Make sure the NIDS has the capacity to handle the traffic given to it (it is probably worthwhile giving it a margin of 5% or so as well).

If it can’t handle the traffic it is likely to drop data. Should the NIDS actually be a NIPS (prevention as well as detection), it is possible to inject reset packets into the network stream and thereby close any connections that are deemed dangerous. Encryption can be a problem for accurate detection.

HIDS Definition

Host intrusion detection systems (HIDS) are essentially the same as NIDS but from a different viewpoint. Instead of viewing network traffic, a HIDS analyses the processes, logs and memory of a single system. It is not hindered as much by encryption, and certainly not in the same way as a NIDS. Negatives for HIDS are that they are invasive and have the capability to interfere with applications and processes in unexpected ways. They are also quite capable of using significant system resources, potentially becoming a denial of service vector on their own.

Analysis Engine Methods

There are two main methods of analysis: pattern (signature) matching and anomaly detection. Pattern matching methods rely on having an up-to-date signature database to test against and can only recognise known methods of attack. Not only does this mean that new and unknown methods are not caught, but also that, should the attacker alter the data streams enough, it would be possible to perform known attacks and still not get noticed, as the signatures no longer match.

The alternative is anomaly detection: a system that learns how the monitored systems behave and how the detection system itself operates, and from that creates a baseline. The current condition is compared to the baseline and flagged up as necessary. The drawback of anomaly detection is that it requires much greater management, and even when well configured it will flag more false positives than a signature-based IDS.

More specifically:

  • Stateful Matching
    • A step up from straight pattern matching. This is still signature based, but not on single packets. Instead, it takes the stream of data and matches patterns across the stream.
  • Statistical Anomaly Based
    • An anomaly detection method based on previous and predicted activity.
  • Protocol Anomaly Based
    • Something like a whitelist pattern matching function. This analyses packets and checks whether they conform (enough) to the protocol standards. Difficult to implement for custom protocols.
  • Traffic Anomaly Based
    • What it says on the tin: what usually happens when someone connects is the baseline; if the traffic differs too much, flag it.

IPS Definition

Intrusion prevention systems are where the device can alter the network’s or the devices’ stance in response to what it has identified.

For obvious reasons, we recommend proceeding with caution. Systems such as these have the ability to disrupt normal service as well as prevent successful attacks. To labour the point, even what appear to be sensible alterations, to say a firewall, can have an extensive knock-on effect. As an example, a particular company has two offices: office one has an IPS and a firewall, and the IPS decides to alter a firewall rule, which works as anticipated. Office two also has a firewall and its configuration is replicated from office one; that same firewall rule has a different effect there and prevents normal service. Risk assessments should be made and varying levels of response should be considered for each circumstance.

Configuration Considerations

  • Sensors
    • The bit that detects the attack
  • Control and Communications
    • The alert delivery methods
  • Annunciators
    • Essentially a more advanced delivery method. It makes decisions about who, what, when, where and why…
  • Staff alerting and alert order
    • As on the tin
  • Regular management
    • To keep it accurate it must be regularly maintained with new signatures, re-evaluated baselines, etc.
