GLOSSARY: IDS
An intrusion detection system (IDS) may be part of an intrusion prevention system (IPS). It is a device or software application that monitors a network or systems for malicious activity or policy violations.
Intrusion detection systems (IDS) may be a dedicated device or software. They are typically divided into two types depending on their responsibilities:
An IDS can support a network firewall. Ideally the firewall should be closed to all traffic apart from that which is known to be needed by the organisation (such as web traffic, email and FTP). An IDS can then be used to scan any traffic passing through the firewall for potential attacks using a NIDS, as well as to detect attacks coming from within – such as from a personal computer infected with malware – using a HIDS. Intrusion detection may be considered passive: it identifies that an intrusion is taking place and informs an administrator, who must take appropriate action. However, an IDS can also be reactive – as well as informing the administrator, it can actively attempt to stop the intrusion, in most cases by blocking any further data packets sent by the source IP address. Any intrusion activity or violation is typically reported either to an administrator or collected centrally by a security information and event management (SIEM) system. The SIEM system combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms. Such reactive systems are also referred to as an Intrusion Prevention or Protection System (IPS).
Weaknesses
Automated intrusion detection systems have a number of weaknesses:
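To make the passive and reactive modes and the SIEM alarm filtering described above concrete, here is a toy NIDS/HIDS pair feeding a SIEM-style filter. This is an added example, not code from the glossary or from any real product; the signatures, IP addresses and log records are constructed, and the threshold filter also shows one weakness of simple alarm filtering (a lone true positive can be discarded as noise).

```python
from collections import Counter

# Constructed network records seen at the firewall: (source_ip, port, payload)
NETWORK_EVENTS = [
    ("10.0.0.5", 80, "GET /index.html"),
    ("203.0.113.9", 22, "SSH-2.0 login failed"),
    ("203.0.113.9", 22, "SSH-2.0 login failed"),
    ("203.0.113.9", 22, "SSH-2.0 login failed"),
    ("198.51.100.7", 80, "GET /../../etc/passwd"),
    ("10.0.0.5", 25, "bulk mail to unknown mail relay"),
]
# Constructed host records from an internal PC: (host_ip, message)
HOST_EVENTS = [("10.0.0.5", "new autorun entry added")]
# Signature rules (constructed): substring in a payload or message -> alert text
SIGNATURES = {
    "login failed": "authentication failure",
    "/../": "directory traversal attempt",
    "autorun": "persistence change on host",
    "unknown mail relay": "possible spam bot",
}

def nids(events, reactive=False):
    """Scan traffic passing the firewall. Passive mode only alerts; reactive
    mode also blocks the source IP and drops its later packets (IPS behaviour)."""
    alerts, blocklist = [], set()
    for src, _port, payload in events:
        if src in blocklist:
            continue  # further packets from a blocked source are dropped
        for needle, description in SIGNATURES.items():
            if needle in payload:
                alerts.append(("nids", src, description))
                if reactive:
                    blocklist.add(src)
    return alerts, blocklist

def hids(events):
    """Host-based sensor: the same signature matching on local host records."""
    return [("hids", host, d) for host, msg in events
            for needle, d in SIGNATURES.items() if needle in msg]

def siem(alerts, threshold=3):
    """Combine sensor output; escalate a source with several alerts or flagged by
    both sensors. Single hits are treated as probable false alarms, so the lone
    traversal attempt above is NOT escalated: thresholding alone is a crude filter."""
    counts = Counter(src for _, src, _ in alerts)
    sensors = {}
    for sensor, src, _ in alerts:
        sensors.setdefault(src, set()).add(sensor)
    return sorted(src for src, n in counts.items()
                  if n >= threshold or len(sensors[src]) > 1)
```

Running `siem(nids(NETWORK_EVENTS)[0] + hids(HOST_EVENTS))` escalates the brute-forcing external host and the internal PC seen by both sensors, while reactive mode blocks a source after its first matching packet.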
Techniques
Intrusion detection typically uses one of two techniques:
Honeypots
Sometimes network administrators want to study attacks, either so the attackers' methods can be understood more fully and countermeasures prepared, or as part of an investigation that might lead to civil or criminal prosecutions. One method of safely studying an attack is to deflect attackers towards an isolated computer or network which appears to be completely legitimate, but is in fact a closely-monitored trap known as a honeypot. There, every action performed by the attacker can be recorded and analysed without risking important data. Honeypots are also used by researchers to identify new attacks that are circulating in the hacking community, as well as by anti-spam organisations which use them to identify the location and identities of spam email senders.