NETWORK INTRUSION DETECTION SYSTEM

Network Intrusion Detection System

Network Intrusion Detection System

What Is Network Intrusion Detection System?

An intrusion is somebody (A.K.A. "hacker" or "cracker") attempting to break into or misuse your system. The word "misuse" is broad? and can reflect something severe as stealing confidential data to something minor such as misusing your email system for spam (though for many of us? that is a major issue!). An "Intrusion Detection System (IDS)" is a system for detecting such intrusions. For the purposes of this FAQ? IDS can be broken down into the following categories:

network intrusion detection systems (NIDS) monitors packets on the network wire and attempts to discover if a hacker/cracker is attempting to break into a system (or cause a denial of service attack). A typical example is a system that watches for large number of TCP connection requests (SYN) to many different ports on a target machine? thus discovering if someone is attempting a TCP port scan. A NIDS may run either on the target machine who watches its own traffic (usually integrated with the stack and services themselves)? or on an independent machine promiscuously watching all network traffic (hub? router? probe). Note that a "network" IDS monitors many machines? whereas the others monitor only a single machine (the one they are installed on). system integrity verifiers (SIV) monitors system files to find when a intruder changes them (thereby leaving behind a backdoor). The most famous of such systems is "Tripwire". A SIV may watch other components as well? such as the Windows registry and chron configuration? in order to find well known signatures. It may also detect when a normal user somehow acquires root/administrator level privleges. Many existing products in this area should be considered more "tools" than complete "systems": i.e. something like "Tripwire" detects changes in critical system components? but doesn't generate real-time alerts upon an intrusion.

log file monitors (LFM) monitor log files generated by network services. In a similar manner to NIDS? these systems look for patterns in the log files that suggest an intruder is attacking. A typical example would be a parser for HTTP server log files that looking for intruders who try well-known security holes? such as the "phf" attack. Example: swatch

deception systems (A.K.A. decoys? lures? fly-traps? honeypots) which contain pseudo-services whose goal is to emulate well-known holes in order to trap hackers. See The Deception ToolKit http://www.all.net/dtk/ for an example. Also? simple tricks by renaming "administrator" account on NT? then setting up a dummy account with no rights by extensive auditing can be used. There is more on "deception" later in this document.

The goal of intrusion detection is to monitor network assets to detect anomalous behavior and misuse. This concept has been around for nearly twenty years but only recently has it seen a dramatic rise in popularity and incorporation into the overall information security infrastructure. Beginning in 1980? with James Anderson's paper? Computer Security Threat Monitoring and Surveillance? the notion of intrusion detection was born. Since then? several pivotal events in IDS technology ...