15

How do Intrusion Detection Systems (IDS) work? As I understand it, they monitor network traffic but what exactly do they look for? How can they tell apart regular activity from intrusions?

Tate Hansen
Olivier Lalonde

2 Answers

16

You typically have two kinds of IDS, network-based and host-based, and these can be signature or statistical response types.

Signature IDS's are simple, fast, and can be updated easily. Usually vendors supply signature files - similar to the way anti-virus vendors supply virus signatures. For this reason most IDS's use signature recognition. The downside is that they will not identify a new attack unless it has a signature which matches an existing attack.

Statistical or heuristic IDS's learn what 'good' or normal traffic looks like and alert on anything which isn't normal. This does mean they are much better at spotting new attacks, but does require learning periods when initially installed and regularly on the implementation of new servers, services and when any new traffic types or volumes are expected.

Network based IDS's are usually implemented at the perimeter of an organisation, and they have visibility of all traffic entering (and sometimes exiting) the organisation. Where traffic has indications that it may be malicious it is logged or flagged to a response system or person.

For a large organisation, the amount of different valid traffic types can be very high, and the traffic types can vary over time so the ongoing configuration and tuning of a perimeter network based IDS can take a lot of resource. For this reason, the majority of large companies outsource this to vendors who provide the service to many organisations. These vendors have better visibility of attacks happening, a scale advantage on tuning and response, and the ability to update signatures for all their clients at once.

Host based IDS's are more usually implemented in-house for specific high-value servers. The traffic types and load are usually much lower and more predictable so the resource requirement is usually lower.

Also have a look at this question - some discussion on anomaly based (statistical) IDS.

Rory Alsop
  • There is (sort of) a third kind of IDS, application-based. I don't personally have much experience with this, but see e.g. OWASP's AppSensor project. – AviD Jan 16 '11 at 00:04
  • Yeah - was wondering whether to have that in the list but erred on the side of counting it as the normal app logging and alerting. You are right though - it is still intrusion detection – Rory Alsop Jan 16 '11 at 01:18
  • Weeellll... *sort of*... – AviD Jan 16 '11 at 06:16
3

Wikipedia has a good start on an answer to this question.

An excerpt:

All Intrusion Detection Systems use one of two detection techniques:

Statistical anomaly-based IDS:

A statistical anomaly-based IDS establishes a performance baseline based on normal network traffic evaluations. It will then sample current network traffic activity to this baseline in order to detect whether or not it is within baseline parameters. If the sampled traffic is outside baseline parameters, an alarm will be triggered.

Signature-based IDS:

Network traffic is examined for preconfigured and predetermined attack patterns known as signatures. Many attacks today have distinct signatures. In good security practice, a collection of these signatures must be constantly updated to mitigate emerging threats.

DCookie
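
The two detection techniques described in the answers above, sketched side by side as an added example (not code from either answer or from any IDS product). The signature patterns, the request lines, the per-minute counts and the 3-standard-deviation threshold are all constructed assumptions.

```python
import re
import statistics

# Hypothetical signatures, constructed for illustration (not a vendor rule set).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./\.\./"),
    "sql-injection-probe": re.compile(r"(?i)union\s+select"),
}

def signature_alerts(requests):
    """Signature IDS: return (index, signature name) for every known pattern seen."""
    return [(i, name) for i, req in enumerate(requests)
            for name, pat in SIGNATURES.items() if pat.search(req)]

def learn_baseline(samples):
    """Learning period: summarise 'normal' traffic as mean and standard deviation."""
    return statistics.mean(samples), statistics.stdev(samples)

def anomaly_alerts(baseline, observed, threshold=3.0):
    """Statistical IDS: flag intervals further than `threshold` std devs from the mean."""
    mean, stdev = baseline
    return [i for i, n in enumerate(observed) if abs(n - mean) > threshold * stdev]

# Constructed sample data.
REQUESTS = [
    "GET /index.html",
    "GET /download?file=../../etc/passwd",
    "GET /search?q=1 UNION SELECT name FROM users",
    "POST /api/v2/export?fmt=raw",  # unfamiliar request: no signature exists for it
]
TRAINING_COUNTS = [100, 104, 98, 101, 97, 103, 99, 102]  # requests/minute while learning
LIVE_COUNTS = [101, 99, 340, 100]                        # requests/minute in production

if __name__ == "__main__":
    print("signature alerts:", signature_alerts(REQUESTS))
    baseline = learn_baseline(TRAINING_COUNTS)
    print("baseline (mean, stdev):", baseline)
    print("anomalous intervals:", anomaly_alerts(baseline, LIVE_COUNTS))
```

The last request passes the signature check because no pattern exists for it, while the spike to 340 requests per minute is flagged without any signature; a legitimate traffic increase would be flagged the same way until the baseline is relearned.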