An IDS, or Intrusion Detection System, is often confused with a honeypot since both relate to network security. Many students think of it as another type of honeypot, which is incorrect. Although both an IDS and a honeypot keep your network secure and alert you about attacks, they function and work very differently. In this post, we will discuss IDS in brief along with its two best-known types: heuristic based and signature based IDS.
What is IDS?
An IDS, or Intrusion Detection System, is a device that monitors all incoming and outgoing activity for malicious or suspicious behavior and raises an alarm if it encounters any.
The best way to understand an IDS is to think of it as a burglar alarm, i.e. something that goes off when someone unauthorized tries to reach or manipulate data. Networks often face more threats from within than from an outside attacker, because generally you have a firewall to protect the network. But what if the attacker manages to get past the firewall? There isn't anything to protect your systems if malicious code enters from inside the network. This is why we need an IDS: it protects the data and systems in your network if such a case arises. Basically, an IDS is a device that monitors all the activity going on in your network, sets off an alarm if it encounters anything suspicious to warn the other machines, and then takes proper steps to tackle the event.
Where is IDS installed?
An IDS can be installed anywhere. If the company has its own network firewall between the LAN and the Internet, the IDS is generally installed between the firewall and the network. If there is no firewall, it can also be installed between the local network and the router that connects it to the Internet.
The IDS monitors incoming and outgoing traffic, checks data packets for viruses and malicious code and, if any is found, raises an alarm to notify all the systems and warn everyone. As soon as an attacker penetrates the network, the alarm starts telling the administrator about the intrusion. But what if the attacker not only penetrates the network but somehow manages to turn off the alarm? This problem can be solved using a stealth mode IDS, which has two network interfaces: one for monitoring the network and the other installed specifically to generate alarms. We can also install a notification alarm, where notifications are sent in various ways, such as on an audit log change.
Objectives of IDS.
An IDS is one of the most important parts of your network. Any IDS should fulfil at least these 3 goals:
- Simple: Any IDS should be simple to install, run and maintain.
- Accurate: While checking any data packet, the IDS should always be as accurate as possible.
- Fast: There is a lot of activity going on within the network and between the network and the Internet. The IDS should be fast to scan and detect any harmful packets.
How IDS works?
The working of an IDS is quite easy and simple to understand. An IDS uses four basic elements (EACS):
- EVENTS
- ANALYSIS
- COUNTER MEASURE
- STORAGE
1. Events: Whenever any suspicious activity is detected, the sensors send raw inputs to the IDS. The IDS treats this as an Event and takes the next step.
2. Analysis: Once the Event is generated, the IDS analyzes the event and checks the level of threat. The analysis report is stored in Storage for future reference.
3. Counter Measure: If the Event generated poses a high level of threat, the IDS takes proper counter-steps to tackle it.
4. Storage: The analysis of every threat is saved in Storage. There might be times when a low-level threat appears. In such cases it is analyzed and then sent to Storage; the IDS doesn't need to take counter-steps, mainly because of the innocuous nature of the threat.
Types of IDS:
There are various types of IDS, but in this post we will focus on the two most common types now in use.
- Signature based IDS: In this type, the IDS has pre-defined signatures installed in it. It checks each packet against the existing signatures and, if one matches, the packet is identified as a threat. If none matches, the IDS just checks the next packet.
Advantages: Fast and Accurate. Easy to install and monitor.
Disadvantages: Cannot detect new threats. The IDS fails if signatures are not updated from time to time.
- Heuristic based IDS: This type doesn't have any pre-defined rules or signatures. It has a model of acceptable and suspicious behavior. It checks each packet for malicious activity and, if found, stores and remembers its behavior. The next time it finds a packet matching that remembered behavior, it directly considers it a threat and takes proper steps. Hence a heuristic IDS is an intelligent, learning IDS: it learns as it keeps working. The user can also flag certain behavior as suspicious.
Advantages: Effective. Can find and tackle new threats.
Disadvantages: Slow. Has a high false positive rate; it can sometimes consider a normal data packet a threat and stop it.
A famous example of an IDS for Linux based operating systems is Snort.
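To make the EACS pipeline and the two detection styles concrete, here is a small added example (written for this post, not code from the original article or from Snort). It feeds constructed packets through an Event, Analysis, Counter measure and Storage loop twice: once with a signature analyser that knows two made-up patterns, and once with a heuristic analyser that learns from a training window which ports each source normally uses, remembers the first deviation, and treats a repeat as a threat. All addresses, ports, payloads and signature names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # source address
    dst_port: int   # destination port
    payload: bytes  # application data


# Constructed signature database for the signature-based analyser.
SIGNATURES = {
    "sig-001-shell-probe": b"/bin/sh",
    "sig-002-sqli-probe": b"' OR 1=1",
}

HIGH, LOW, NONE = 2, 1, 0  # threat levels produced by Analysis


def signature_analysis(pkt):
    """Signature based: compare the packet against every known pattern."""
    for name, pattern in SIGNATURES.items():
        if pattern in pkt.payload:
            return HIGH, name
    return NONE, "no signature match"


class HeuristicAnalysis:
    """Heuristic: no fixed rules. Learns which ports each source normally talks
    to from a training window, flags deviations, and remembers them so a
    repeat of the same behaviour is treated as a threat."""

    def __init__(self, training):
        self.model = {}
        for p in training:
            self.model.setdefault(p.src, set()).add(p.dst_port)
        self.remembered = set()  # (src, port) pairs already seen as suspicious

    def flag(self, src, port):
        """Lets the operator mark a behaviour as suspicious by hand."""
        self.remembered.add((src, port))

    def __call__(self, pkt):
        key = (pkt.src, pkt.dst_port)
        if key in self.remembered:
            return HIGH, "repeat of remembered suspicious behaviour"
        if pkt.dst_port not in self.model.get(pkt.src, set()):
            self.remembered.add(key)  # store it; the next match is a threat
            return LOW, "behaviour outside learned model"
        return NONE, "within learned model"


class IDS:
    """EACS pipeline: an Event enters, Analysis scores it, the record goes to
    Storage, and a HIGH score triggers the Counter measure (block the source).
    LOW-level events are only stored, as the post describes."""

    def __init__(self, analysis):
        self.analysis = analysis
        self.storage = []
        self.blocked = set()

    def event(self, pkt):
        level, reason = self.analysis(pkt)
        record = {"src": pkt.src, "port": pkt.dst_port,
                  "level": level, "reason": reason}
        self.storage.append(record)
        if level == HIGH:
            self.blocked.add(pkt.src)
        return record


# Constructed traffic: a normal training window, then five test packets.
TRAINING = ([Packet("10.0.0.5", 80, b"GET / HTTP/1.1")] * 5
            + [Packet("10.0.0.6", 443, b"\x16\x03\x01")] * 5)
TRAFFIC = [
    Packet("10.0.0.5", 80, b"GET /index.html HTTP/1.1"),  # normal
    Packet("10.0.0.9", 80, b"id=1' OR 1=1--"),            # matches a signature
    Packet("10.0.0.5", 22, b"NEW-TOOL probe"),            # novel, no signature
    Packet("10.0.0.5", 22, b"NEW-TOOL probe"),            # the same again
    Packet("10.0.0.6", 8443, b"admin console login"),     # legitimate but unusual
]


def run(analysis):
    """Push every test packet through the pipeline and return the IDS state."""
    ids = IDS(analysis)
    for pkt in TRAFFIC:
        ids.event(pkt)
    return ids


if __name__ == "__main__":
    for label, analysis in (("signature", signature_analysis),
                            ("heuristic", HeuristicAnalysis(TRAINING))):
        ids = run(analysis)
        print(f"{label}: blocked={sorted(ids.blocked)}")
        for rec in ids.storage:
            print("   ", rec)
```

Running it shows the trade-off the post describes: the signature analyser blocks the SQL-probe source immediately but never reacts to the novel port-22 traffic, while the heuristic analyser catches that traffic on its second appearance yet also stores a low-level record for the legitimate admin login on port 8443, which is exactly the false-positive risk listed under its disadvantages.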