INTRUSION DETECTION SYSTEM (IDS)
INTRODUCTION TO IDS
Deployed as sensors
Uses signatures to detect patterns of misuse in network traffic
A system that monitors network traffic for suspicious activity and issues alerts when such activity is discovered.
Can detect atomic patterns (single-packet) or composite patterns (multi-packet)
DIFFERENT TYPES OF IDS
A network intrusion detection system (NIDS) - deployed at a strategic point or points within the network, where it can monitor inbound and outbound traffic to and from all the devices on the network.
A host intrusion detection system (HIDS) - runs on all computers or devices in the network with direct access to both the internet and the enterprise's internal network.
A signature-based intrusion detection system (SIDS) - monitors all the packets traversing the network and compares them against a database of attack signatures or attributes of known malicious threats, much like antivirus software.
An anomaly-based intrusion detection system (AIDS) - monitors network traffic and compares it against an established baseline to determine what is considered normal for the network with respect to bandwidth, protocols, ports and other devices.
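The two detection styles listed above behave differently on the same traffic, which is easier to see in code than in prose. The following is an added example, not part of the Coggle map: a toy NIDS sensor that runs a signature engine and a baseline-driven anomaly engine over the same constructed flow records. The Flow fields, the signature strings and the traffic are all made up for the example.

```python
import statistics
from dataclasses import dataclass

# Added example, not part of the original map: a toy NIDS sensor applying both
# signature-based (SIDS) and anomaly-based (AIDS) detection to the same flows.


@dataclass(frozen=True)
class Flow:
    """One connection summary as a NIDS sensor might export it (constructed fields)."""
    src: str
    dst: str
    dport: int
    payload: bytes
    bytes_out: int


# Signature database for the SIDS engine. Both patterns are constructed for
# the example, not taken from any real rule set.
SIGNATURES = {
    "dir-traversal": b"../../",
    "shell-marker": b"/bin/sh",
}


def signature_alerts(flows):
    """SIDS: alert on any flow whose payload contains a known-bad byte pattern."""
    alerts = []
    for f in flows:
        for name, pattern in SIGNATURES.items():
            if pattern in f.payload:
                alerts.append((f.src, name))
    return alerts


def build_baseline(flows):
    """AIDS: learn 'normal' outbound volume from a window of flows known to be clean."""
    values = [f.bytes_out for f in flows]
    return statistics.mean(values), statistics.pstdev(values)


def anomaly_alerts(flows, baseline, k=3.0):
    """AIDS: alert on flows whose outbound volume exceeds mean + k standard deviations."""
    mean, sd = baseline
    return [(f.src, "volume-anomaly") for f in flows if f.bytes_out > mean + k * sd]


# Constructed traffic: a clean training window, then a window to inspect.
TRAINING = [
    Flow("10.0.0.5", "203.0.113.10", 443, b"GET /index.html", 1200),
    Flow("10.0.0.6", "203.0.113.10", 443, b"GET /about.html", 1500),
    Flow("10.0.0.7", "203.0.113.11", 443, b"GET /news.html", 1100),
    Flow("10.0.0.5", "203.0.113.11", 443, b"GET /login", 1400),
    Flow("10.0.0.8", "203.0.113.12", 443, b"GET /img/logo.png", 1300),
]
LIVE = [
    # known-bad payload at a normal volume: only the signature engine sees it
    Flow("10.0.0.9", "203.0.113.10", 80, b"GET /../../etc/passwd", 900),
    # unknown bulk upload with no matching signature: only the baseline engine sees it
    Flow("10.0.0.5", "198.51.100.7", 443, b"POST /upload", 50_000_000),
    # ordinary traffic, flagged by neither
    Flow("10.0.0.6", "203.0.113.10", 443, b"GET /index.html", 1600),
]


def run_sensor(training=TRAINING, live=LIVE):
    """Return (signature alerts, anomaly alerts) for the live window."""
    baseline = build_baseline(training)
    return signature_alerts(live), anomaly_alerts(live, baseline)


if __name__ == "__main__":
    sig, ano = run_sensor()
    print("signature alerts:", sig)
    print("anomaly alerts:  ", ano)
```

Each engine catches exactly one of the two bad flows: the signature engine needs a pattern it has seen before, and the anomaly engine needs a behaviour that departs from its baseline. Real deployments run both for that reason, and the baseline must be trained on traffic that is actually clean, or the "normal" it learns will include the attacker.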
WHY USE IDS?
To detect attacks & other security violations that are not prevented by other security measures
To document the existing threat to an organization
To provide useful information about intrusions that do take place, allowing improved diagnosis, recovery, & correction of causative factors.
To act as quality control for security design & administration, especially for large & complex enterprises.
EVASION TECHNIQUES
Being aware of the techniques available to cyber criminals who are trying to breach a secure network can help IT departments understand how an IDS can be tricked into missing actionable threats:
FRAGMENTATION
- sending fragmented packets allows the attacker to stay under the radar, bypassing the detection system's ability to detect the attack signature.
AVOIDING DEFAULTS
- the port a protocol uses does not always indicate which protocol is actually being transported. If an attacker has reconfigured a trojan to use a different port, the IDS may not be able to detect its presence.
COORDINATED, LOW-BANDWIDTH ATTACKS
- coordinating a scan among numerous attackers, or even allocating various ports or hosts to different attackers. This makes it difficult for the IDS to correlate the captured packets and deduce that a network scan is in progress.
ADDRESS SPOOFING/PROXYING
- attackers can obscure the source of the attack by using poorly secured or incorrectly configured proxy servers to bounce an attack. If the source is spoofed and bounced by a server, it makes it very difficult to detect.
PATTERN CHANGE EVASION
- IDS rely on pattern matching to detect attacks. By making slight adjustments to the attack, detection can be avoided.
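Fragmentation and pattern-change evasion both defeat a detector that inspects one packet at a time and compares raw bytes; the usual countermeasure is to reassemble the stream and normalise it before matching, which is what turns an atomic (single-packet) pattern into a composite (multi-packet) one. The code below is an added example written for this page, not taken from the map or from any IDS product. The signature strings, the reassembly policy and the fragmented request are constructed for illustration.

```python
from urllib.parse import unquote

# Added example, not part of the original map: a per-fragment matcher beside a
# matcher that reassembles and normalises first. Signatures and traffic are constructed.

SIGNATURES = [b"/etc/passwd", b"cmd.exe"]


def normalize(data: bytes) -> bytes:
    """Canonicalise before matching: percent-decode, then case-fold.

    Real engines (for example Snort's HTTP preprocessor) apply many more
    transformations; these two are enough to show the principle.
    """
    return unquote(data.decode("latin-1")).lower().encode("latin-1")


def reassemble(fragments):
    """Rebuild a byte stream from (offset, data) pieces that may arrive out of
    order or overlap. Overlap policy here: the lowest-offset copy of a byte wins.
    Which copy the destination host would keep is OS-specific, so production
    engines make this policy configurable per target host.
    """
    size = max(off + len(data) for off, data in fragments)
    buf = bytearray(size)
    filled = bytearray(size)  # 1 once a byte position has been written
    for off, data in sorted(fragments):
        for i, byte in enumerate(data):
            if not filled[off + i]:
                buf[off + i] = byte
                filled[off + i] = 1
    return bytes(buf)


def match_atomic(fragments):
    """Naive detector: inspect each fragment on its own, raw bytes only."""
    return sorted({sig for _, data in fragments for sig in SIGNATURES if sig in data})


def match_composite(fragments):
    """Hardened detector: reassemble, normalise, then match across the whole stream."""
    stream = normalize(reassemble(fragments))
    return [sig for sig in SIGNATURES if sig in stream]


# Constructed request split into two fragments delivered out of order, with the
# path percent-encoded and upper-cased so no single fragment matches as-is.
FRAGMENTS = [
    (8, b"%2Fpasswd HTTP/1.0\r\n"),
    (0, b"GET /ETC"),
]

if __name__ == "__main__":
    print("atomic   :", match_atomic(FRAGMENTS))   # []
    print("composite:", match_composite(FRAGMENTS))  # [b'/etc/passwd']
```

The atomic matcher returns nothing, the composite matcher finds the signature, and the only difference is the reassemble-then-normalise step. The overlap policy in reassemble is worth attention in a real deployment: if the sensor resolves overlapping fragments differently from the host it protects, the two see different streams, so engines such as Snort let the operator set the policy per target operating system.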
WHY IS IDS IMPORTANT?
The purpose of a detection system is to ensure IT personnel are notified when an attack or network intrusion may be taking place.
Cyber attacks will only become more sophisticated, so it is important that protection technologies adapt along with their threats.
Modern networked business environments require a high level of security to ensure safe and trusted communication of information between various organizations.
IDS VS IPS
IDS
Name: intrusion detection system
Description: a system that monitors network traffic for suspicious activity and alerts users when such activity is discovered
Location: a host-based intrusion detection system is installed on the client computer. A network-based intrusion detection system resides on the network
Use: warns of suspicious activity taking place, but it doesn't prevent it
IPS
Name: intrusion prevention system
Description: a system that monitors network traffic and alerts on suspicious activity, like an IDS, but also takes preventative action against it
Location: located between a company's firewall and the rest of its network
Use: warns of suspicious activity taking place and prevents it
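The IDS/IPS difference is a deployment difference, not a detection difference: the same rules can run on a passive tap (alert only) or in the forwarding path (alert and drop). The following added example, written for this page rather than taken from the map or any product, runs one small rule engine in both modes over constructed packets and counts what each mode delivers. The rule set is deliberately broad so that a legitimate packet also matches, which shows what an over-matching rule costs once the sensor is inline.

```python
from dataclasses import dataclass

# Added example, not part of the original map: one inspection engine deployed
# passively (IDS) and inline (IPS). Rules, addresses and packets are constructed.


@dataclass(frozen=True)
class Packet:
    src: str
    payload: bytes


# Deliberately broad rules, constructed for the example.
RULES = {
    "sql-drop-table": b"DROP TABLE",
    "shell-marker": b"/bin/sh",
}


def inspect(pkt):
    """Shared detection engine: names of every rule the packet matches."""
    return [name for name, pattern in RULES.items() if pattern in pkt.payload]


def ids_passive(packets):
    """IDS on a tap or SPAN port: it sees a copy of the traffic, so every packet
    is delivered whatever it alerts on. Returns (delivered, alerts)."""
    alerts = [(p.src, r) for p in packets for r in inspect(p)]
    return list(packets), alerts


def ips_inline(packets):
    """IPS in the forwarding path between firewall and internal network: a packet
    that matches any rule is alerted on and dropped; only clean packets go through.
    Returns (delivered, alerts)."""
    delivered, alerts = [], []
    for p in packets:
        hits = inspect(p)
        if hits:
            alerts.extend((p.src, r) for r in hits)
        else:
            delivered.append(p)
    return delivered, alerts


TRAFFIC = [
    Packet("10.0.0.4", b"SELECT id FROM users WHERE id = 42"),          # ordinary query
    Packet("198.51.100.9", b"DROP TABLE users"),                         # unexpected, from outside
    Packet("10.0.0.12", b"-- migration 0007\nDROP TABLE old_sessions"),  # scheduled DBA job, same pattern
]


def compare(packets=TRAFFIC):
    """Summarise both deployments: packets delivered and alerts raised."""
    ids_delivered, ids_alerts = ids_passive(packets)
    ips_delivered, ips_alerts = ips_inline(packets)
    return {
        "ids": {"delivered": len(ids_delivered), "alerts": len(ids_alerts)},
        "ips": {"delivered": len(ips_delivered), "alerts": len(ips_alerts)},
    }


if __name__ == "__main__":
    for mode, counts in compare().items():
        print(f"{mode}: {counts}")
```

Both modes raise the same two alerts, but the IPS also drops the DBA's migration because it matches the same rule. That is the practical content of "warns but doesn't prevent" versus "prevents": an inline sensor turns every false positive into an outage, so IPS rule sets need tighter tuning and exception lists than the same rules run as an IDS.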
CAPABILITIES OF IDS
IDS monitor network traffic in order to detect when an attack is being carried out by unauthorized entities. IDS do this by providing some or all of these functions to security professionals:
monitoring the operation of routers, firewalls, key management servers and files that are needed by other security controls aimed at detecting, preventing or recovering from cyberattacks
providing administrators a way to tune, organize and understand relevant OS audit trails and other logs that are otherwise difficult to track or parse
providing a user-friendly interface so non-expert staff members can assist with managing system security
including an extensive attack signature database against which information from the system can be matched
recognizing and reporting when the IDS detects that data files have been altered
generating an alarm and notifying that security has been breached
reacting to intruders by blocking them or blocking the server
BENEFITS OF IDS
Early warning of attack
Flexible configuration options
Alerts that a network invasion may be in progress
Help identify the source of the incoming probes or attacks
Identify the attacker (proof)
Determine what has been compromised