Basic Intrusion Detection System

Look at this quote by Admiral Grace Hopper

“Life was simpler before world war II. After that we had systems”

So, what does this actually mean? With the invention of systems (computer systems) came a growing need for networking, and with networking came the idea of data sharing. Today, in this era of globalization, with the development of information technology and the easy availability of hacking tools, comes the need to secure important data. Firewalls may provide this, but they never alert the administrator to an attack. That is where a different kind of system is needed: a detection system.

An Intrusion Detection System is the solution to the above problem. It is similar to a burglar alarm in a home or an organization: it detects the presence of any unwanted intrusion and alerts the system administrator.

It is a type of software designed to automatically caution administrators when anyone is trying to breach the system through malicious activity.

Before getting to know the Intrusion Detection System, let us briefly recall firewalls.

Firewalls are software programs or hardware devices used to prevent malicious attacks on a system or network. They act as filters that block any information which could threaten the system or the network. They may inspect only a few fields of an incoming packet or the whole packet.

Classification of Intrusion Detection System:

Based on the type of systems the IDS protects:

  • Network Intrusion Detection System: This system monitors the traffic on individual networks or subnets by continuously analyzing it and comparing it with the known attacks in its library. If an attack is detected, an alert is sent to the system administrator. It is mostly placed at important points in the network so that it can keep an eye on the traffic traveling to and from the different devices on the network, typically along the network boundary or between the network and the server. An advantage of this system is that it can be deployed easily and at low cost, without having to be installed on each system.
Network Intrusion Detection System
  • Host Intrusion Detection System: Such a system works on an individual host, where the host's network connection, i.e. its incoming and outgoing packets, is constantly monitored and its system files are audited; in case of any discrepancy, the system administrator is alerted. This system monitors the operating system of the computer, and the IDS is installed on the computer itself. An advantage of this system is that it can accurately monitor the whole system and does not require the installation of any other hardware.
Host Intrusion Detection System

Based on the method of working:

  • Signature based Intrusion Detection System: This system works on the principle of matching. The data is analyzed and compared with the signatures of known attacks; in case of a match, an alert is issued. An advantage of this system is its higher accuracy and standard alarms that are understood by the user.
Signature based Intrusion Detection System
  • Anomaly based Intrusion Detection System: It builds a statistical model of normal network traffic, covering the bandwidth used, the protocols defined for the traffic, and the ports and devices which are part of the network. It regularly monitors the network traffic and compares it with the statistical model; in case of any anomaly or discrepancy, the administrator is alerted. An advantage of this system is that it can detect new and unique attacks.
Anomaly based Intrusion Detection System

Based on their Functioning:

  • Passive Intrusion Detection System: It simply detects the malicious activity and issues an alert to the system or network administrator (this is what we have been seeing so far!). The required action is then taken by the administrator.
Passive Intrusion Detection System
  • Reactive Intrusion Detection System: It not only detects the threat but also performs a specific action, such as resetting the suspicious connection or blocking the network traffic from the suspicious source. It is also known as an Intrusion Prevention System.

Typical Features of an Intrusion Detection System:

  • It monitors and analyzes user and system activities.
  • It audits the system files, other configuration files and the operating system.
  • It assesses the integrity of system and data files.
  • It analyzes patterns based on known attacks.
  • It detects errors in the system configuration.
  • It detects and cautions when the system is in danger.

Free Intrusion Detection Software

Snort Intrusion Detection System

One of the most widely used Intrusion Detection Software packages is Snort. It is a network Intrusion Detection Software developed by Sourcefire. It performs real-time traffic analysis and protocol analysis, pattern matching and detection of various kinds of attacks.


A Snort based Intrusion Detection System consists of the following components:

Components of Snort IDS by Intrusion Detection System with Snort
  • A Packet Decoder: It takes packets from different network interfaces and prepares them for preprocessing or any further action. It basically decodes the incoming network packets.
  • A Preprocessor: It prepares and normalizes the data packets; it also performs defragmentation of data packets and reassembles TCP streams.
  • A Detection Engine: It inspects packets on the basis of Snort rules. If a packet matches a rule, the appropriate action is taken; otherwise it is dropped.
  • Logging and Alerting System: The detected packet is either logged to system files or, in case of a threat, an alert is raised.
  • Output Modules: They control the type of output produced by the logging and alerting system.
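The following is an added example, not code from the original article or from Snort itself: a toy IDS that walks the component chain just listed (decoder, preprocessor, detection engine, alerting) and whose detection engine runs both a signature rule and an anomaly baseline, with a flag that turns passive alerting into the reactive blocking described earlier. The record format, the rule name, the port baseline and the sample traffic are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst_port: int
    payload: bytes

# Packet decoder: constructed "src|dst_port|payload" records stand in for raw frames.
def decode(raw: str) -> Packet:
    src, port, payload = raw.split("|", 2)
    return Packet(src, int(port), payload.encode())

# Preprocessor: normalize the payload so case-variant payloads still hit the signatures.
def preprocess(pkt: Packet) -> Packet:
    return Packet(pkt.src, pkt.dst_port, pkt.payload.lower())

# Signature-based detection: a hypothetical rule in the spirit of a Snort "content" match.
SIGNATURES = {"WEB-SQLI-UNION": (80, b"union select")}

def signature_alerts(pkt: Packet) -> list:
    return [name for name, (port, content) in SIGNATURES.items()
            if pkt.dst_port == port and content in pkt.payload]

# Anomaly-based detection: "normal" means one source talks to at most BASELINE_PORTS
# distinct ports; the first packet beyond that baseline raises an alert.
BASELINE_PORTS = 3

def anomaly_alerts(pkt: Packet, ports_seen: dict) -> list:
    seen = ports_seen.setdefault(pkt.src, set())
    seen.add(pkt.dst_port)
    return ["ANOMALY-PORT-SWEEP"] if len(seen) == BASELINE_PORTS + 1 else []

# Detection engine + alerting: returns (src, rule) alerts; with reactive=True it also
# returns the sources a reactive IDS (an IPS) would block instead of only alerting.
def run_ids(raw_records, reactive=False):
    ports_seen, alerts = {}, []
    for raw in raw_records:
        pkt = preprocess(decode(raw))
        for hit in signature_alerts(pkt) + anomaly_alerts(pkt, ports_seen):
            alerts.append((pkt.src, hit))
    blocked = {src for src, _ in alerts} if reactive else set()
    return alerts, blocked

# Constructed sample traffic: a web request carrying a SQL-injection signature,
# a benign request, and one host sweeping five ports.
SAMPLE = ["10.0.0.5|80|GET /?id=1 Union Select 1,2", "10.0.0.7|80|GET /index.html"]
SAMPLE += [f"10.0.0.9|{p}|" for p in (22, 23, 25, 80, 443)]
```

Running `run_ids(SAMPLE)` yields one signature alert for 10.0.0.5 and one anomaly alert for 10.0.0.9 on its fourth distinct port; the benign request from 10.0.0.7 produces nothing.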

Advantages of Intrusion Detection Systems

  • The network or computer is constantly monitored for any invasion or attack.
  • The system can be modified and changed according to the needs of a specific client, and can help against external as well as internal threats to the system and network.
  • It effectively prevents any damage to the network.
  • It provides a user-friendly interface which allows easy management of security systems.
  • Any alterations to files and directories on the system can be easily detected and reported.

The only disadvantage of an Intrusion Detection System is that it cannot detect the source of the attack, and in case of an attack it just locks the whole network. If you have any further queries on this concept or on electrical and electronic projects, leave a comment below.
