In recent years, network security has been a hotly debated issue for IT managers, who increase their investments year after year in order to protect the privacy, integrity and availability of information. Much of this is driven by the malicious actions of internal and external users who seek to make the services, networks and systems of companies of every size and line of business unavailable. To address this, numerous defense strategies are implemented (firewalls, widespread use of encryption, virtual private networks, among others) aiming to maintain the security of the infrastructure and the secrecy of communications made over the internet.
Among the commonly used methods, we highlight intrusion detection through an IDS (Intrusion Detection System). With it, we can collect and use information about several types of known attacks to defend the whole infrastructure, as well as identify attacks and attack attempts, allowing not only reporting but also the continuous improvement of the security environment. In this post, you will learn the history, the concept and the main types of IDS. Follow us!
What is intrusion detection?
In the 1960s, financial systems began to introduce audit practices into their processes to inspect data and check for fraud or errors. However, some questions arose: what should be detected, how should what has been discovered be analyzed, and how can the various levels of security clearance on the same network be protected without compromising security? Between 1984 and 1986, Dorothy Denning and Peter Neumann developed a first model of IDS, a prototype named the Intrusion Detection Expert System (IDES).
The IDES model is based on the hypothesis that an intruder's behavior pattern differs enough from a legitimate user's to be detected by analyzing usage statistics. The model therefore tries to build a profile of users' behavior in relation to programs, files and devices, both in the short and the long term, and uses that profile for detection, complemented by a rule base representing known violations. By the end of the 1980s, many other systems had been developed, based on an approach combining statistical methods and expert systems.
Conceptually, an IDS is a mechanism capable of identifying or detecting the presence of intrusive activity. In a broader sense, this encompasses all the processes used to discover unauthorized use of network devices or computers. This is done through software designed specifically to detect unusual or abnormal activity.
However, we must differentiate between an IDS and an IPS (Intrusion Prevention System). The former is software that automates the process of intrusion detection; the latter is intrusion prevention software, which aims to stop possible attacks. The IDS therefore works in a reactive and informative way, while the IPS reduces the risk of an environment being compromised.
What are the types of IDS?
Intrusion detection systems can be categorized into four groups, depending on the type of event they monitor and how they are deployed:
Machine and network-based IDS
This type of IDS monitors network traffic on a segment or device and analyzes network and protocol activity to identify suspicious activity. It is capable of detecting numerous types of events of interest and is generally deployed in the security topology at the boundary between two networks, where traffic is funneled through a single point. Because of this, in many cases the IDS feature is integrated directly into the firewall.
A host is an actual device or asset; a user's computer or a server, for example. Intrusion detection in this format monitors the characteristics of the device and the events that happen on it in search of suspicious activity. Usually, a host-based IDS is installed individually, both on corporate computers within the corporate network and on endpoints. Among the main things it monitors are network traffic to the device, running processes, system logs, and access to and changes in files and applications.
Knowledge and behavior-based IDS
A knowledge-based IDS references a database of known attack and vulnerability profiles (signatures) to identify active intrusion attempts. In this case, it is very important that the organization has a policy of continuously updating the signature database to ensure continuity of security in the environment, since what is not known will literally not be protected.
A behavior-based IDS, on the other hand, analyzes traffic behavior against a baseline, a pattern of normal system activity, to identify intrusion attempts. If there are deviations from this baseline, actions may be taken: the traffic may be blocked temporarily, or an alarm may be raised to the network operations center (NOC/SNOC) so that the anomaly can be investigated further and then permitted or permanently blocked.
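The two detection approaches above can be seen side by side in the following example, added here to illustrate the post and not taken from it or from any IDS product. It runs a tiny signature database (knowledge-based) and a requests-per-source baseline (behavior-based) over constructed web-request records; the signature patterns, IP addresses, request paths and the threshold of three standard deviations are all assumptions made for the illustration.

```python
"""Toy knowledge-based and behavior-based detectors over constructed web-request logs."""
import re
import statistics
from collections import Counter

# Knowledge-based side: a tiny "signature database" of known-bad request
# patterns. Real signature sets are far larger and must be updated continuously;
# these two are illustrative only (assumed, not taken from the post).
SIGNATURES = {
    "path-traversal": re.compile(r"(\.\./)+"),
    "html-injection": re.compile(r"<script", re.IGNORECASE),
}


def match_signatures(path):
    """Return the names of all signatures the request path matches."""
    return [name for name, rx in SIGNATURES.items() if rx.search(path)]


def knowledge_based_alerts(events):
    """Flag every event whose path matches a known signature.

    events: iterable of (source_ip, request_path, http_status) tuples.
    """
    alerts = []
    for src, path, _status in events:
        for name in match_signatures(path):
            alerts.append((src, name, path))
    return alerts


# Behavior-based side: learn how many requests a source normally makes in a
# window from a training period assumed to be clean, then flag any source in a
# later window whose count exceeds mean + k * standard deviation.
def learn_baseline(training_events):
    """Return (mean, population stdev) of requests-per-source."""
    counts = Counter(src for src, _, _ in training_events)
    values = list(counts.values())
    return statistics.mean(values), statistics.pstdev(values)


def behavior_based_alerts(baseline, events, k=3.0):
    """Return (source, count, threshold) for every source above the baseline."""
    mean, stdev = baseline
    threshold = mean + k * stdev
    counts = Counter(src for src, _, _ in events)
    return [(src, n, threshold) for src, n in sorted(counts.items()) if n > threshold]


def make_events(src, n, path="/index.html", status=200):
    """Build n identical constructed request records for one source."""
    return [(src, path, status) for _ in range(n)]


# Constructed sample data (not real traffic). Training window: four sources
# making a handful of ordinary requests each.
TRAINING_EVENTS = (
    make_events("10.0.0.5", 4)
    + make_events("10.0.0.6", 5)
    + make_events("10.0.0.7", 3)
    + make_events("10.0.0.8", 4)
)

# Observation window: ordinary traffic, plus one request containing a known
# signature and one source sending a burst that matches no signature at all.
OBSERVED_EVENTS = (
    make_events("10.0.0.5", 5)
    + make_events("10.0.0.6", 4)
    + [("10.0.0.9", "/static/../../config", 404)]
    + make_events("10.0.0.42", 30, path="/search?q=x")
)


def run_detectors(training_events, observed_events):
    """Run both detectors and return their alerts side by side."""
    baseline = learn_baseline(training_events)
    return {
        "knowledge_based": knowledge_based_alerts(observed_events),
        "behavior_based": behavior_based_alerts(baseline, observed_events),
    }


if __name__ == "__main__":
    for kind, alerts in run_detectors(TRAINING_EVENTS, OBSERVED_EVENTS).items():
        print(kind)
        for alert in alerts:
            print("  ", alert)
```

On this input the signature detector reports only the single traversal-looking request from 10.0.0.9, which no rate analysis would notice, while the baseline detector reports only 10.0.0.42, whose burst matches no signature. Neither approach alone sees both, which is why the post treats them as complementary rather than competing.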
Active and passive IDS
An IDS is defined as active when it is configured to automatically block known attacks or suspicious activity without any need for human intervention. While this is potentially a very attractive model, it is important to parameterize the protected environment properly in order to minimize false positives, which would block legitimate connections and disrupt the business.
A passive IDS, on the other hand, monitors the traffic passing through it, identifies potential attacks or abnormalities and, based on this, generates alerts for administrators and security teams; however, it does not interfere with the communication at all.
It is a very interesting model in a security architecture and, although it does not act directly on prevention, it serves as an excellent thermometer of attacks and unauthorized attempts to access a company's infrastructure.
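The difference between the passive and active modes, and the false-positive safeguards an active deployment needs, can be expressed as a small response policy. The following is an added example written for this post, not code from it or from any IDS product; the alert fields, the confidence threshold, the 15-minute temporary block and the allowlisted address 10.0.0.6 are constructed assumptions.

```python
"""Toy response policy showing passive (alert-only) versus active (auto-block) IDS modes."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Mode(Enum):
    PASSIVE = "passive"  # observe and alert, never touch traffic
    ACTIVE = "active"    # alert and, when confident, block automatically


@dataclass(frozen=True)
class Alert:
    source: str
    reason: str
    confidence: float  # detector's confidence in [0, 1]; assumed field


@dataclass(frozen=True)
class Action:
    kind: str          # "alert" or "block"
    source: str
    detail: str
    expires_at: Optional[float] = None  # epoch seconds; set for temporary blocks


# Constructed allowlist of addresses whose blocking would disrupt the business
# (e.g. a partner gateway). Placeholder value, not from the post.
BUSINESS_CRITICAL = {"10.0.0.6"}


def respond(alert, mode, now, min_block_confidence=0.8, block_seconds=900):
    """Turn one alert into the actions the IDS should take in the given mode.

    Every alert is reported in both modes. In ACTIVE mode a block is added
    only when the source is not allowlisted and the detector is confident
    enough, and the block is temporary so a mistaken one expires on its own.
    """
    actions: List[Action] = [Action("alert", alert.source, alert.reason)]
    if mode is Mode.PASSIVE:
        return actions
    if alert.source in BUSINESS_CRITICAL:
        actions.append(Action("alert", alert.source,
                              "allowlisted source: auto-block suppressed, review manually"))
        return actions
    if alert.confidence < min_block_confidence:
        return actions  # low confidence: alert only, to avoid a false-positive block
    actions.append(Action("block", alert.source, alert.reason,
                          expires_at=now + block_seconds))
    return actions


# Constructed alerts, as a detector might emit them.
SAMPLE_ALERTS = [
    Alert("10.0.0.42", "request burst above baseline", 0.95),
    Alert("10.0.0.6", "request burst above baseline", 0.95),    # allowlisted
    Alert("10.0.0.9", "signature match: path-traversal", 0.6),  # low confidence
]


def run_policy(alerts, mode, now=1_700_000_000.0):
    """Return the flat list of actions for a batch of alerts."""
    actions = []
    for alert in alerts:
        actions.extend(respond(alert, mode, now))
    return actions


def blocked_sources(actions):
    """Sorted list of distinct sources that received a block action."""
    return sorted({a.source for a in actions if a.kind == "block"})


if __name__ == "__main__":
    for mode in Mode:
        print(mode.value, "blocks:", blocked_sources(run_policy(SAMPLE_ALERTS, mode)))
```

In passive mode the same three alerts produce alerts only, so the administrators see everything and nothing is interrupted. In active mode only the confident, non-allowlisted source is blocked, and only for a bounded time; the allowlisted source and the low-confidence match are escalated for human review instead, which is the parameterization the post says an active deployment must get right.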
Why is an intrusion detection system important?
Every day, new techniques to compromise computing environments are created, and it is a great challenge for the information security market to keep up with this pace, or even stay ahead of it so as not to act only reactively. For this reason, implementing a good IDS policy is fundamental in a security architecture, since this feature, if constantly updated, is able to keep the infrastructure away from opportunistic attacks, whether from the network perspective or by the compromise of a computer itself.
Combining both network-based and host-based intrusion prevention and detection systems is critical to a good security posture. None of the models presented is necessarily exclusive; on the contrary, they should be treated as complementary according to the need and criticality of protection demanded by the business.
Are you already using IDS to detect anomalous and unwanted situations in computer systems and networks? Tell us in the comments!