Intrusion detection
by ac3 - Security Lab - Wednesday, 11 June 2003.
A computer system should provide confidentiality, integrity and assurance against intrusion attempts. However, due to increased connectivity on the Internet, more and more systems are subject to attack by intruders. Intrusion Detection Systems (IDS) are used by organizations to extend their security infrastructure by detecting and responding to unauthorized access of resources in real time. This paper discusses what is an intrusion detection system, the models and the main techniques.

What is an IDS?

ID stands for Intrusion Detection, which is the art of detecting inappropriate, incorrect, or anomalous activity. An Intrusion Detection System (IDS) analyze a system for filesystem changes or traffic on the network, this system, learns what normal traffic looks like, then notes changes to the norm that would suggest an intrusion or otherwise suspicious traffic. So an IDS protect a system from attack, misuse, and compromise. It can also monitor network activity, audit network and system configurations for vulnerabilities, analyze data integrity, and more. Depending on the detection methods someone choose to deploy.

IDS Types

There are basically 3 main types of IDS being used today: Network based (a packet monitor), Host based (looking for instance at system logs for evidence of malicious or suspicious application activity in real time), and Application Based IDS (monitor only specific applications).

Host-Based IDS (HIDS)

Host-based systems were the first type of IDS to be developed and implemented. These systems collect and analyze data that originate on a computer that hosts a service, such as a Web server. Once this data is aggregated for a given computer, it can either be analyzed locally or sent to a separate/central analysis machine. One example of a host-based system is programs that operate on a system and receive application or operating system audit logs. These programs are highly effective for detecting insider abuses. On the down side, host-based systems can get unwieldy. With several thousand possible endpoints on a large network, collecting and aggregating separate specific computer information for each individual machine may prove inefficient and ineffective.

Possible host-based IDS implementations include Windows NT/2000 Security Event Logs, RDMS audit sources, Enterprise Management systems audit data (such as Tivoli), and UNIX Syslog in their raw forms or in their secure forms such as Solaris' BSM; host-based commercial products include RealSecure, ITA, Squire, and Entercept, etc.

Network-Based IDS (NIDS)

Spotlight

The evolution of backup and disaster recovery

Posted on 25 July 2014.  |  Amanda Strassle, IT Senior Director of Data Center Service Delivery at Seagate Technology, talks about enterprise backup issues, illustrates how the cloud shaping an IT department's approach to backup and disaster recovery, and more.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Mon, Jul 28th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //