IDS (Intrusion Detection System) and Its Detailed Working Function – SOC/SIEM
An intrusion detection system (IDS) is a type of security software designed to automatically alert administrators when someone or something is trying to compromise an information system, whether through malicious activity such as a DDoS attack or through security policy violations.
An intrusion detection system (IDS) is a system that monitors network traffic for suspicious activity and issues alerts when such activity is discovered. While anomaly detection and reporting is the primary function, some intrusion detection systems are capable of taking action when malicious activity or anomalous traffic is detected, including blocking traffic sent from suspicious IP addresses.
An IDS works by monitoring system activity: it examines vulnerabilities in the system, checks the integrity of files, and analyses patterns of activity against already known attacks.
An IDS can only detect an attack. It cannot prevent attacks. In contrast, an IPS prevents attacks by detecting them and stopping them before they reach the target.
An attack is an attempt to compromise confidentiality, integrity, or availability.
The two primary methods of detection are signature-based and anomaly-based. Any type of IDS (HIDS or NIDS) can detect attacks based on signatures, anomalies, or both.
The HIDS monitors the network traffic reaching its NIC, and the NIDS monitors the traffic on the network.
Host-based intrusion detection system (HIDS)
A host-based intrusion detection system (HIDS) is additional software installed on a system such as a workstation or a server.
It provides protection to the individual host and can detect potential attacks and protect critical operating system files.
The role of a host IDS is passive, only gathering, identifying, logging, and alerting. Examples of HIDS:
- OSSEC – Open Source Host-based Intrusion Detection System
- AIDE – Advanced Intrusion Detection Environment
- Prelude Hybrid IDS
The primary goal of any IDS is to monitor traffic. For a HIDS, this traffic passes through the network interface card (NIC). Many host-based IDSs have expanded to monitor application activity on the system.
It’s worth stressing that a HIDS can help detect malicious software (malware) that traditional anti-virus software might miss.
Because of this, many organizations install a HIDS on every workstation as an extra layer of protection, in addition to traditional anti-virus software. Just as the HIDS on a server is used primarily to monitor network traffic, a workstation HIDS is primarily used to monitor network traffic reaching the workstation. However, a HIDS can also monitor some applications and can protect local resources such as operating system files. In other organizations, administrators only install a HIDS when there’s a perceived need.
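The "protect critical operating system files" part of a HIDS is usually file-integrity monitoring: take a trusted snapshot of file hashes, then periodically re-hash and report anything added, removed or changed. The following Python script is an added example written for this page; it is not code from OSSEC, AIDE or Prelude. The directory layout, file contents and the three simulated changes are all constructed in a temporary directory so the demo runs offline.

```python
from __future__ import annotations

import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict[str, str]:
    """Map every file under root (by relative path) to its SHA-256.

    The first run produces the trusted snapshot; later runs are compared against it.
    """
    baseline: dict[str, str] = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify each path as added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline if p in current and baseline[p] != current[p]
        ),
    }


def demo() -> dict[str, list[str]]:
    """Snapshot constructed sample files, make three changes, and report them."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-ins for critical OS files; the contents are not real system data.
        sample_files = {
            "etc/passwd": "root:x:0:0:root:/root:/bin/bash\n",
            "etc/hosts": "127.0.0.1 localhost\n",
            "bin/ls": "placeholder-for-a-binary\n",
        }
        for rel, content in sample_files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(content)

        trusted = build_baseline(root)

        # Simulated later changes that the integrity check should surface:
        with open(os.path.join(root, "etc/passwd"), "a") as fh:   # an edited account file
            fh.write("newuser:x:1001:1001::/home/newuser:/bin/sh\n")
        os.remove(os.path.join(root, "bin/ls"))                  # a deleted binary
        with open(os.path.join(root, "etc/newjob"), "w") as fh:  # an unexpected new file
            fh.write("unexpected content\n")

        return compare(trusted, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The snapshot is only as trustworthy as the host was when it was taken, so a real deployment stores the baseline (or at least its hash) somewhere the monitored host cannot rewrite it, and refreshes it deliberately after patching rather than automatically.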
Network-based intrusion detection system (NIDS)
A network-based intrusion detection system (NIDS) monitors activity on the network. An administrator installs NIDS sensors on network devices such as routers and firewalls.
These sensors gather information and report to a central monitoring server hosting a NIDS console. A NIDS is not able to detect anomalies on individual systems or workstations unless the anomaly causes a significant difference in network traffic.
Additionally, a NIDS is unable to decrypt encrypted traffic. In other words, it can only monitor and assess threats on the network from traffic sent in plaintext or nonencrypted traffic.
Signature-based IDSs (also called definition-based) use a database of known vulnerabilities or known attack patterns. For example, tools are available for an attacker to launch a SYN flood attack on a server by simply entering the IP address of the system to attack.
The attack tool then floods the target system with synchronize (SYN) packets, but never completes the three-way Transmission Control Protocol (TCP) handshake with the final acknowledge (ACK) packet. If the attack isn’t blocked, it can consume resources on a system and ultimately cause it to crash.
However, this is a known attack with a specific pattern of successive SYN packets from one IP to another IP.
The IDS can detect these patterns when the signature database includes the attack definitions. The process is very similar to what antivirus software uses to detect malware. You need to update both IDS signatures and antivirus definitions from the vendor on a regular basis to protect against current threats.
Anomaly-based (also called heuristic-based or behavior-based) detection first identifies normal operation or normal behavior. It does this by creating a performance baseline under normal operating conditions.
The IDS provides continuous monitoring by constantly comparing current network behavior against the baseline. When the IDS detects abnormal activity (outside the normal boundaries identified by the baseline), it gives an alert indicating a potential attack.
Anomaly-based detection is similar to how heuristic-based antivirus software works. Although the internal methods are different, both examine activity and make decisions that are outside the scope of a signature or definition database.
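To make the baseline idea concrete, the following Python is an added example (not code from any IDS product or from this page's author). It learns "normal" from a constructed series of per-minute connection counts, then flags later observations that fall more than three standard deviations from the learned mean; the counts, the 3-sigma rule and the single metric are all assumptions made for the demo.

```python
from __future__ import annotations

import statistics

# Constructed per-minute outbound connection counts from a quiet period. This is
# the "normal operating conditions" sample that the baseline is learned from.
TRAINING_COUNTS = [120, 115, 130, 125, 118, 122, 127, 119, 124, 121, 126, 123]

# Constructed later observations to compare against the baseline.
CURRENT_COUNTS = [124, 131, 140, 850]


def build_baseline(samples: list[int]) -> tuple[float, float]:
    """Summarise normal behaviour as (mean, sample standard deviation)."""
    return statistics.mean(samples), statistics.stdev(samples)


def is_anomalous(value: float, baseline: tuple[float, float], k: float = 3.0) -> bool:
    """Flag a value more than k standard deviations from the learned mean."""
    mean, stdev = baseline
    if stdev == 0:
        return value != mean          # a perfectly flat baseline tolerates no deviation
    return abs(value - mean) > k * stdev


def evaluate(current: list[int], baseline: tuple[float, float], k: float = 3.0) -> list[int]:
    """Return the observations that fall outside the baseline's normal boundaries."""
    return [v for v in current if is_anomalous(v, baseline, k)]


if __name__ == "__main__":
    mean, stdev = build_baseline(TRAINING_COUNTS)
    print(f"baseline: mean={mean:.1f} stdev={stdev:.2f}")
    for v in CURRENT_COUNTS:
        status = "ALERT" if is_anomalous(v, (mean, stdev)) else "ok"
        print(f"{v:>5} {status}")
```

Two things carry over to real anomaly-based IDSs. The baseline must be built from traffic you are confident is clean, because anything present during the learning period becomes "normal" and will never be alerted on. And the boundary is a tuning decision: a tighter k catches the modest rise to 140 but raises more false positives on busy days, while a looser k only catches the obvious spike to 850.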
Physical intrusion detection system (Physical IDS)
Physical intrusion detection is the act of identifying threats to physical systems. It is most often seen as physical controls put in place to ensure confidentiality, integrity and availability (CIA). In many cases physical intrusion detection systems act as prevention systems as well. Examples of physical intrusion detection controls are:
- Security Guards
- Security Cameras
- Access Control Systems (Card, Biometric)
- Man Traps
- Motion Sensors