Basic Intrusion Detection System

Consider this quote by Admiral Grace Hopper:

“Life was simpler before World War II. After that we had systems.”

So what does this actually mean? The invention of computer systems brought a growing need for networking, and networking brought the idea of data sharing. Today, in an era of globalization, with the growth of information technology, ease of access, and readily available hacking tools, comes the need to secure important data. Firewalls may provide this protection, but they do not alert the administrator to attacks. That is where a different kind of system is needed: a detection system.

An Intrusion Detection System is the solution to this problem. It is similar to a burglar alarm in a home or an organization: it detects the presence of unwanted intervention and alerts the system administrator.

It is software designed to automatically warn administrators when someone tries to breach the system through malicious activity.

Before going further into Intrusion Detection Systems, let us briefly recall what firewalls are.

Firewalls are software programs or hardware devices used to prevent malicious attacks on a system or network. They act as filters that block information which could pose a threat to the system or the network. They may inspect only a few fields of an incoming packet, or the whole packet.

Classification of Intrusion Detection System:

Based on the type of systems the IDS protects:

  • Network Intrusion Detection System: This system monitors the traffic on individual networks or subnets by continuously analyzing it and comparing it with the known attacks in its library. If an attack is detected, an alert is sent to the system administrator. It is placed mostly at strategic points in the network so that it can watch the traffic travelling to and from the different devices on the network, typically along the network boundary or between the network and the servers. An advantage of this system is that it can be deployed easily and at low cost, without having to be installed on each system.
[Figure: Network Intrusion Detection System]
  • Host Intrusion Detection System: Such a system runs on an individual host, where the host's network connection (incoming and outgoing packets) is constantly monitored and the system files are audited; in case of any discrepancy, the system administrator is alerted. This system monitors the operating system of the computer on which the IDS is installed. Its advantage is that it can accurately monitor the whole system and does not require the installation of any additional hardware.
[Figure: Host Intrusion Detection System]

Based on the method of working:

  • Signature-based Intrusion Detection System: This system works on the principle of matching. The data is analyzed and compared with the signatures of known attacks; in case of a match, an alert is issued. Its advantages are higher accuracy and standard alarms that are readily understood by the user.
[Figure: Signature-based Intrusion Detection System]
  • Anomaly-based Intrusion Detection System: It is built around a statistical model of normal network traffic, covering the bandwidth used, the protocols carried, the ports, and the devices that are part of the network. It regularly monitors the network traffic and compares it with the statistical model; in case of any anomaly or discrepancy, the administrator is alerted. Its advantage is that it can detect new and previously unknown attacks.
[Figure: Anomaly-based Intrusion Detection System]
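
The two detection methods above can be contrasted in a few lines of code. The following is an added example (not code from the original article or from any IDS product): a signature matcher that searches payloads for known patterns, next to a simple anomaly model that learns a baseline of flow sizes and destination ports from normal traffic and flags deviations. The flow records, the signature names and the z-score threshold are all constructed assumptions for the demonstration.

```python
import math
import re

# Constructed sample flow records: (src_host, dst_port, bytes, payload_snippet).
# This list plays the role of the "known good" traffic the anomaly model learns from.
NORMAL_TRAFFIC = [
    ("10.0.0.5", 443, 1200, "GET /index.html"),
    ("10.0.0.5", 443, 1350, "GET /about.html"),
    ("10.0.0.6", 443, 1100, "GET /index.html"),
    ("10.0.0.6", 80, 900, "GET /img/logo.png"),
    ("10.0.0.7", 443, 1250, "POST /login"),
    ("10.0.0.7", 53, 120, "dns query example.com"),
    ("10.0.0.5", 53, 110, "dns query example.org"),
    ("10.0.0.6", 443, 1300, "GET /news.html"),
]

# Constructed observations to classify: one normal flow, one that carries a
# known attack pattern, and one that is unusual in size and destination port.
OBSERVED = [
    ("10.0.0.5", 443, 1280, "GET /index.html"),
    ("10.0.0.9", 80, 950, "GET /?id=1 UNION SELECT password FROM users"),
    ("10.0.0.6", 4444, 98000, "binary blob"),
]

# Hypothetical signature database: name -> regular expression over the payload.
SIGNATURES = {
    "SQLI-UNION": re.compile(r"union\s+select", re.IGNORECASE),
    "PATH-TRAVERSAL": re.compile(r"\.\./"),
}


def signature_alerts(record):
    """Signature-based detection: names of every signature matching the payload."""
    _, _, _, payload = record
    return [name for name, pattern in SIGNATURES.items() if pattern.search(payload)]


class AnomalyModel:
    """Anomaly-based detection: a statistical baseline of normal traffic."""

    def __init__(self, records, threshold=3.0):
        sizes = [r[2] for r in records]
        self.mean = sum(sizes) / len(sizes)
        variance = sum((s - self.mean) ** 2 for s in sizes) / len(sizes)
        self.std = math.sqrt(variance) or 1.0          # avoid division by zero
        self.known_ports = {r[1] for r in records}      # ports seen in the baseline
        self.threshold = threshold                      # z-score cut-off (assumption)

    def zscore(self, size):
        return (size - self.mean) / self.std

    def anomalies(self, record):
        """Reasons why this record deviates from the baseline (empty if none)."""
        _, port, size, _ = record
        reasons = []
        if port not in self.known_ports:
            reasons.append(f"unseen destination port {port}")
        z = self.zscore(size)
        if abs(z) > self.threshold:
            reasons.append(f"flow size z-score {z:.1f} exceeds {self.threshold}")
        return reasons


def classify(records, model):
    """Run both detectors over each record and collect their verdicts."""
    return [
        {"src": r[0], "signature": signature_alerts(r), "anomaly": model.anomalies(r)}
        for r in records
    ]


if __name__ == "__main__":
    model = AnomalyModel(NORMAL_TRAFFIC)
    for verdict in classify(OBSERVED, model):
        print(verdict)
```

The second observation is caught only by the signature matcher (its size and port look normal), while the third is caught only by the anomaly model (no signature knows it, but its port was never seen and its size is hundreds of standard deviations above the mean). That is exactly the complementary strength and weakness of the two methods described above.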

Based on their Functioning:

  • Passive Intrusion Detection System: It simply detects the malicious activity and issues an alert to the system or network administrator (this is what we have been describing so far). The required action is then taken by the administrator.
[Figure: Passive Intrusion Detection System]
  • Reactive Intrusion Detection System: It not only detects the threat but also responds to it, by resetting the suspicious connection or blocking the network traffic from the suspicious source. It is also known as an Intrusion Prevention System.

Typical Features of an Intrusion Detection System:

  • It monitors and analyzes the user and system activities.
  • It performs auditing of the system files and other configurations and the operating system.
  • It assesses the integrity of system and data files.
  • It conducts an analysis of patterns based on known attacks.
  • It detects errors in system configuration.
  • It detects and cautions if the system is in danger.
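
The file-auditing and integrity-checking features listed above are what a host-based IDS does on the machine it protects. The following is an added example (not code from the original article or from any IDS product) of that check: it records a baseline of SHA-256 digests and permission bits for every file under a directory, then audits the directory again and reports files that were modified, deleted or added. The directory tree, file contents and the "tampering" are constructed inside a temporary directory so the example runs offline.

```python
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each file (path relative to root, '/' separated) to its digest and mode bits."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": hash_file(full),
                "mode": os.stat(full).st_mode & 0o777,
            }
    return baseline


def audit(root, baseline):
    """Compare the current state of root with the baseline; return sorted findings."""
    current = build_baseline(root)
    findings = []
    for rel, entry in baseline.items():
        if rel not in current:
            findings.append(("deleted", rel))
        elif current[rel]["sha256"] != entry["sha256"]:
            findings.append(("modified", rel))
        elif current[rel]["mode"] != entry["mode"]:
            findings.append(("permissions", rel))
    for rel in current:
        if rel not in baseline:
            findings.append(("added", rel))
    return sorted(findings)


def write(root, rel, text):
    """Helper for the constructed scenario: create a text file below root."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)


def demo():
    """Constructed scenario: take a baseline, tamper with the tree, audit it."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/bash\n")
        write(root, "etc/hosts", "127.0.0.1 localhost\n")
        write(root, "bin/ls", "original binary contents")
        baseline = build_baseline(root)

        # Simulated changes an administrator would want to hear about.
        write(root, "etc/passwd",
              "root:x:0:0:root:/root:/bin/bash\nnewuser:x:1001:1001::/home/newuser:/bin/sh\n")
        os.remove(os.path.join(root, "bin", "ls"))
        write(root, "etc/cron.d/newjob", "* * * * * root /usr/local/bin/report\n")

        return audit(root, baseline)


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:10s} {path}")
```

In a real deployment the baseline itself must be stored somewhere the monitored host cannot silently rewrite (a read-only medium or a separate management host), otherwise an intruder who can change the files can also change the record of what they should look like.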

Free Intrusion Detection Software

Snort Intrusion Detection System

One of the most widely used intrusion detection software packages is Snort. It is a network intrusion detection system developed by Sourcefire. It performs real-time traffic analysis, protocol analysis, pattern matching, and detection of various kinds of attacks.

[Figure: Snort Intrusion Detection System]

A Snort-based Intrusion Detection System consists of the following components:

[Figure: Components of a Snort IDS]
  • A Packet Decoder: It takes packets from different networks and prepares them for preprocessing or any further action; it basically decodes the incoming network packets.
  • A Preprocessor: It prepares and modifies the data packets; it also performs defragmentation of data packets and decodes the TCP streams.
  • A Detection Engine: It inspects packets on the basis of Snort rules. If a packet matches a rule, the appropriate action is taken; otherwise it is dropped.
  • Logging and Alerting System: The detected packet is either logged to system files or, in case of a threat, an alert is raised.
  • Output Modules: They control the type of output from the logging and alerting system.
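
The pipeline of decoder, preprocessor, detection engine and alerting can be modelled end to end. The following is an added example, not Snort's own code: it parses a small subset of the real Snort rule syntax (`action proto src sport -> dst dport (options)` with `msg`, `content`, `nocase` and `sid`), decodes constructed packets, reassembles TCP segments per flow in the preprocessor, matches the streams against the rules, and emits alert tuples. The rules, the addresses (from the documentation ranges) and the packets are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Subset of the Snort rule header grammar: action, protocol, source, source port,
# direction, destination, destination port, then the option list in parentheses.
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)$"
)

# Constructed rules in Snort syntax (hypothetical sids and messages).
RULES = [
    'alert tcp any any -> any 80 (msg:"Suspicious admin path"; content:"/admin/backup.php"; nocase; sid:1000001;)',
    'alert tcp any any -> any 21 (msg:"FTP anonymous login"; content:"USER anonymous"; sid:1000002;)',
]

# Constructed raw packets: (proto, src, sport, dst, dport, tcp_seq, payload).
# The first flow is split into two segments that arrive out of order, so the
# matching string only exists after stream reassembly.
RAW_PACKETS = [
    ("tcp", "192.0.2.10", 51000, "198.51.100.20", 80, 2, b"kup.php HTTP/1.1\r\n"),
    ("tcp", "192.0.2.10", 51000, "198.51.100.20", 80, 1, b"GET /ADMIN/bac"),
    ("tcp", "192.0.2.11", 51001, "198.51.100.20", 80, 1, b"GET /index.html HTTP/1.1\r\n"),
    ("tcp", "192.0.2.12", 51002, "198.51.100.21", 21, 1, b"USER anonymous\r\n"),
]


def parse_rule(text):
    """Turn one rule line into a dict with header fields and an options dict."""
    match = RULE_RE.match(text.strip())
    if not match:
        raise ValueError(f"unsupported rule syntax: {text}")
    rule = match.groupdict()
    options = {}
    for option in filter(None, (o.strip() for o in rule.pop("opts").split(";"))):
        key, _, value = option.partition(":")
        options[key.strip()] = value.strip().strip('"')   # flag options get ""
    rule["opts"] = options
    return rule


def decode(raw):
    """Packet decoder: structured fields from a raw (constructed) packet tuple."""
    proto, src, sport, dst, dport, seq, payload = raw
    return {"proto": proto, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "seq": seq, "payload": payload}


def preprocess(packets):
    """Preprocessor: reassemble segments of each flow, ordered by sequence number."""
    flows = defaultdict(list)
    for packet in packets:
        key = (packet["proto"], packet["src"], packet["sport"], packet["dst"], packet["dport"])
        flows[key].append(packet)
    streams = []
    for (proto, src, sport, dst, dport), segments in flows.items():
        segments.sort(key=lambda p: p["seq"])
        streams.append({"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport,
                        "payload": b"".join(s["payload"] for s in segments)})
    return streams


def header_matches(rule, stream):
    """Rule header check: protocol, addresses and ports, with 'any' as wildcard."""
    def addr_ok(spec, value):
        return spec == "any" or spec == value

    def port_ok(spec, value):
        return spec == "any" or int(spec) == value

    return (rule["proto"] == stream["proto"]
            and addr_ok(rule["src"], stream["src"]) and port_ok(rule["sport"], stream["sport"])
            and addr_ok(rule["dst"], stream["dst"]) and port_ok(rule["dport"], stream["dport"]))


def content_matches(rule, stream):
    """Rule option check: 'content' substring, case-insensitive when 'nocase' is set."""
    content = rule["opts"].get("content")
    if content is None:
        return True
    haystack, needle = stream["payload"], content.encode()
    if "nocase" in rule["opts"]:
        haystack, needle = haystack.lower(), needle.lower()
    return needle in haystack


def detect(rules, streams):
    """Detection engine + alerting: (sid, msg, source) for every matching alert rule."""
    alerts = []
    for stream in streams:
        for rule in rules:
            if rule["action"] == "alert" and header_matches(rule, stream) and content_matches(rule, stream):
                alerts.append((int(rule["opts"]["sid"]), rule["opts"]["msg"], stream["src"]))
    return alerts


def run(rule_texts=RULES, raw_packets=RAW_PACKETS):
    """Whole pipeline: decode -> preprocess -> detect."""
    rules = [parse_rule(r) for r in rule_texts]
    return detect(rules, preprocess([decode(p) for p in raw_packets]))


if __name__ == "__main__":
    for sid, msg, src in run():
        print(f"[{sid}] {msg} from {src}")
```

Running `detect` over the decoded packets without the preprocessing step finds only the FTP rule, because the string `/admin/backup.php` never appears inside a single segment. That is why the preprocessor's stream reassembly sits in front of the detection engine: without it, a match split across packets is missed.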

Advantages of Intrusion Detection Systems

  • The network or computer is constantly monitored for any invasion or attack.
  • The system can be modified and customized to the needs of specific clients, and can help against external as well as internal threats to the system and network.
  • It effectively prevents any damage to the network.
  • It provides a user-friendly interface which allows easy security management.
  • Any alterations to files and directories on the system can be easily detected and reported.

The only disadvantage of an Intrusion Detection System is that it cannot detect the source of the attack, and in case of an attack it just locks the whole network. If you have any further queries on this concept or on electrical and electronic projects, leave a comment below.