Approaches to Intrusion Detection and Prevention
IDS stands for Intrusion Detection System. An IDS is a device or software application that monitors a network or systems for malicious activity or policy violations. There are six basic approaches to intrusion detection and prevention. Some of these methods are implemented inside various software packages, and others are simply strategies that an organisation can employ to decrease the likelihood of a successful intrusion.

Historically, when IDSs were first developed, hubs were used very frequently. Today, switches are used rather than hubs. With a hub, after a packet has travelled from its source network to its destination network (being routed by its destination IP address), it finally arrives at the network segment on which the target is located. On that final segment the MAC address is used to find the target. All the computers on that segment can see the packet, but because the destination MAC address does not match the MAC address of their network interface card, they ignore it. At some point, enterprising individuals realised that if they simply chose not to ignore the packets not destined for their network card, they could see all the traffic on the network segment. In other words, one could look at every packet on that segment. Thus the packet sniffer was born. After that, it was simply a matter of time before the idea came about of analysing those packets for indications of an attack, thereby giving rise to the Intrusion Detection System.

Approaches to Intrusion Detection and Prevention :

1. Pre-emptive Blocking :
It is also called banishment vigilance. It seeks to prevent intrusions before they occur. This is done by observing any danger signs of imminent threats and then blocking the user or IP address from which these signs originate. Example – This technique includes attempts to detect early foot-printing of an imminent intrusion and then blocking the IP address or user that is the source of the foot-printing activity.
If an admin finds that a particular IP address is the source of frequent port scans and other scans of their system, they will block that IP address at the firewall. This kind of intrusion detection and avoidance can be quite complicated and could potentially block a legitimate user by mistake. The complexity arises from distinguishing legitimate traffic from traffic indicative of an impending attack. This can lead to the problem of false positives, in which the system mistakenly identifies legitimate traffic as some form of attack.
- A software system will simply alert the administrator that suspicious activity has taken place. The human admin then makes the decision whether or not to block the traffic.
- If the software automatically blocks any addresses it deems suspicious, you run the risk of blocking out legitimate users.
- It should also be noted that nothing prevents the offending user from moving to a different machine to continue the attack.
- This sort of approach should only be one part of an overall intrusion-detection strategy and not the entire strategy.
2. Anomaly Detection :
- It involves actual software that works to detect intrusion attempts and then notify the administrator.
- The general process is simple: the system looks for any abnormal behaviour. Any activity that does not match the pattern of normal user access is noted and logged. The software compares observed activity against expected normal usage profiles.
- Profiles are usually developed for a specific user, a group of users, or applications. Any activity that does not match the definition of normal behaviour is considered an anomaly and is logged.
- Sometimes this is referred to as “traceback” detection or the “traceback” process: we are able to establish from where a packet was delivered.
The specific ways in which an anomaly is detected include: threshold monitoring, resource profiling, user/group work profiling, and executable profiling. These are explained below.

3. Threshold Monitoring :
Threshold monitoring pre-sets acceptable behaviour levels and observes whether these levels are exceeded. This could include something as simple as a finite number of failed login attempts or something as complex as monitoring the time a user is connected and the amount of data the user downloads. Threshold monitoring provides a definition of acceptable behaviour. Characterizing intrusive behaviour only by threshold limits can be somewhat challenging: it is often quite difficult to establish proper threshold values or the proper time frames at which to check those values. This can result in a high rate of false positives, in which the system misidentifies normal usage as a probable attack.

4. Resource Profiling :
It measures the system-wide use of resources and develops a historic usage profile. Abnormal readings can be indicative of illicit activity underway. It might be difficult to interpret the meaning of changes in overall system usage; an increase in usage might simply indicate something benign, like an increased workload, rather than an attempt to breach security.

5. User/Group Work Profiling :
Here, the IDS maintains individual work profiles for users and groups, and these users and groups are expected to obey their profiles. As a user changes his/her activities, the expected work profile is updated to reflect those changes. Some systems attempt to monitor the interaction of short-term versus long-term profiles: short-term profiles capture recently changing work patterns, whereas long-term profiles provide a view of usage over an extended period of time. However, it can be difficult to profile an irregular or dynamic user base. Profiles that are defined too broadly allow any activity to pass review, whereas profiles that are defined too narrowly may inhibit user work.

6. Executable Profiling :
Executable profiling seeks to measure and monitor how programs use system resources, paying particular attention to those whose activity cannot always be traced to a specific originating user. Example – system services usually cannot be traced to the specific user who launched them. Viruses, Trojan horses, worms, trapdoors and other software attacks are addressed by profiling how system objects such as files and printers are normally used, not only by the user but also by other system subjects acting on behalf of users. Viruses inherit all of the privileges of the user executing the software, because the software is not limited, as the principle of least privilege would require, to only those privileges needed to execute properly. This openness in the architecture permits viruses to covertly change and infect totally unrelated parts of the system. Executable profiling enables the IDS to identify activity that might indicate an attack. Once a potential danger is identified, the method of notifying the administrator, such as by network message or email, is specific to the individual IDS.
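Threshold monitoring as described in section 3, as an added example that is not part of the original article: a sliding-window failed-login counter run over constructed sshd-style log lines (the log format, user names and addresses are all assumed). Running it with two different (threshold, time frame) settings shows the false-positive problem the text describes: a strict short window flags only the password-guessing source, while a looser long window also flags a legitimate user who mistyped a password three times in ten minutes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in an sshd-like format (not from any real system).
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd: Failed password for alice from 10.0.0.5
2024-05-01T10:00:09 sshd: Failed password for alice from 10.0.0.5
2024-05-01T10:00:20 sshd: Accepted password for alice from 10.0.0.5
2024-05-01T10:01:00 sshd: Failed password for root from 203.0.113.9
2024-05-01T10:01:02 sshd: Failed password for admin from 203.0.113.9
2024-05-01T10:01:04 sshd: Failed password for test from 203.0.113.9
2024-05-01T10:01:06 sshd: Failed password for oracle from 203.0.113.9
2024-05-01T10:01:08 sshd: Failed password for guest from 203.0.113.9
2024-05-01T10:07:30 sshd: Failed password for bob from 10.0.0.7
2024-05-01T10:09:45 sshd: Failed password for bob from 10.0.0.7
2024-05-01T10:12:10 sshd: Failed password for bob from 10.0.0.7
2024-05-01T10:12:40 sshd: Accepted password for bob from 10.0.0.7
"""

LINE_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def parse(log_text):
    """Yield (timestamp, outcome, user, source) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def threshold_alerts(log_text, max_failures, window_seconds):
    """Return the set of sources whose failed logins exceed max_failures
    within any sliding window of window_seconds. The threshold value and
    the time frame are the two knobs the text says are hard to choose."""
    recent = defaultdict(deque)  # source -> timestamps of recent failures
    alerted = set()
    for ts, outcome, _user, src in parse(log_text):
        if outcome != "Failed":
            continue
        q = recent[src]
        q.append(ts)
        # Drop failures that have fallen out of the sliding window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_failures:
            alerted.add(src)
    return alerted
```

With max_failures=3 over a 60 s window only 203.0.113.9 is flagged; with max_failures=2 over 600 s the legitimate user at 10.0.0.7 is flagged as well, which is the false positive a badly chosen threshold or time frame produces.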