Intrusion Detection System and Its Detailed Working Function – SOC/SIEM

Intrusion detection system is a device or software application that monitors a network or systems for malicious activity or policy violations. Any malicious activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources, and uses alarm filtering techniques to distinguish malicious activity from false alarms.

There are a multiple ways detection is performed by an Intrusion detection system. In signature-based detection, a pattern or signature is compared to previous events to discover current threats. This is useful for finding already known threats, but does not help in finding unknown threats, variants of threats or hidden threats.

How Intrusion detection system Works

The main purpose of Intrusion detection system are they not only prevent intrusion but they also alert administrators immediately when the attack going on.

IDS having sensors to detect signatures, some advanced IDS having a behavioral activity to determine malicious behaviors. Even if the signature doesn’t match this system can notify the behavior of attack.
If the signature match it will move to next step or the connections cut down from source IP, the packet is dropped and an alarm notifies the administrator.
Once the signature is matched, then sensors pass on anomaly detection,whether the received packet or request matches or not.
If the packet passes the anomaly stage, astateful protocol analysis will be done. After that, through the switch, the packets are passed on the network. If anything mismatches again, the connections are cut down from the source IP address and the packet is dropped, also an alarm will be raised and notified to the administrator.

Ways to Detect an Intrusion

Intrusion can be identified in three ways.

Signature Detection:

It is also known as misuse detection, it tries to identify the events that indicate an abuse of the system.It is achieved by creating models of intrusions.

Incoming events are compared with the intrusion models for detection and decision.While making signature the model should detect the incoming intrusion without making any impact on regular traffic, only malicious traffic should match the model or else the false alarm will be raised.

The simplest form of signature reorganization uses simple patterns matching to compare the network packets against binary signatures of known attacks. Binary signature defined as the specific portion of the packet such as TCP
Signature recognization can find known attacks, But there is a possibility other packets that match the same signature will trigger bogus signals. Signatures need to be customized.
A signature that termed improperly may trigger bogus signals,the bandwidth of the network is consumed with the increase in the signature database.
Despite problems with signature-based intrusion detection, such systems are popular and work well when configured correctly and monitored closely.

Anomaly Detection

In this traditional method, important data is kept for checking in various network traffic model.However, in reality, there is less variation in network traffic and too many statistical variations making these models imprecise.
In this type of approach, the inability to instruct a model thoroughly on the normal network is of grave concern.

Protocol Anomaly detection

This technique based on the anomalies specific to a protocol, this model integrated with IDS recently. This identifies TCP/IP specific flaws with the network. Protocols are created with specifications, know as RFCs(RFC1192) for dictating proper use and communication.

There are new attack methods and exploits that violate protocol standards being discovered frequently.
The pace at which the malicious signature attacker is growing is incredibly fast. But the network protocol, in comparison, is well defined and changing slowly. Therefore, the signature database must be updated frequently to detect attacks.
Protocol anomaly detection systems are easier to use because they require no signature updates.
The best way to present alarms is to explain which part of the state system was compromised. For this, the IDS operators have to have a thorough knowledge of the protocol design; the best way is the documentation provided by the IDS.

Network-based Intrusion

NIDS check’s every packet entering into the network for anomalies and incorrect data. Unlike firewall that is confined to be filtering packets malicious packets, IDS inspects every packet thoroughly.

A NIDS captures and inspects all the traffic regardless of it permitted. Based on the content, either the application or IP level, an alert is generated.

Network-based intrusion systems tend to be more distributed than host-based. NIDS is designed basically to identify the anomalies in the network and the host level.

It audits information contained in data packets and logs information of malicious packets.

A threat level is assigned to each packet after the data packet received. These mechanisms typically consist of a black box that is placed on the network in the promiscuous mode, listening for patterns indicative of an intrusion.

Four Best Intrusion Detection Systems

Snort
Bro Intrusion Detection System
Cisco Intrusion Prevention System (IPS)
Juniper Networks Intrusion Detection & Prevention (IDP)

Snort

Snort is an open source network intrusion prevention and detection system (IDS/IPS) created by Martin Roesch and put out by Sourcefire (acquired by Cisco in 2013).

The best deal for the money (it’s free). It does an amazing job of combining the benefits of signature, protocol, and anomaly-based inspection. Snort is without a doubt the most widely deployed IDS/IPS technology across the globe. With millions of downloads and approximately 300,000 registered users.

Bro Intrusion Detection System

Bro is an open-source, Unix-based Network Intrusion Detection System (NIDS) that passively monitors network traffic and looks for suspicious activity.

Bro detects intrusions by first parsing network traffic to extract its application-level semantics and then executing event-oriented analyzers that compare the activity with patterns deemed troublesome.

Its analysis includes detection of specific attacks (including those defined by signatures, but also those defined in terms of events) and unusual activities (for example, certain hosts connecting to certain services, or patterns of failed connection attempts).

Cisco Intrusion Prevention System (IPS)

Besides being one of the most expensive, Cisco IPS is one of the most widely deployed intrusion prevention systems thanks to its acquisition of Surefire. The company’s Firepower network security appliances are based on Snort.

Juniper Networks Intrusion Detection & Prevention (IDP)

Juniper Networks IDP Series Intrusion Detection and Prevention Appliances with Multi-Method Detection (MMD), offers an impressive comprehensive coverage by leveraging multiple detection mechanisms.

For one example, by utilizing signatures, as well as other detection methods including protocol anomaly traffic anomaly detection, the Juniper Networks IDP Series appliances can thwart known attacks as well as possible future variations of the attack.