A computer system should provide confidentiality, integrity and assurance against intrusion attempts. However, due to increased connectivity on the Internet, more and more systems are subject to attack by intruders. Intrusion Detection Systems (IDS) are used by organizations to extend their security infrastructure by detecting and responding to unauthorized access of resources in real time. This paper discusses what is an intrusion detection system, the models and the main techniques.

What is an IDS?

ID stands for Intrusion Detection, which is the art of detecting inappropriate, incorrect, or anomalous activity. An Intrusion Detection System (IDS) analyze a system for filesystem changes or traffic on the network, this system, learns what normal traffic looks like, then notes changes to the norm that would suggest an intrusion or otherwise suspicious traffic. So an IDS protect a system from attack, misuse, and compromise. It can also monitor network activity, audit network and system configurations for vulnerabilities, analyze data integrity, and more. Depending on the detection methods someone choose to deploy.

IDS Types

There are basically 3 main types of IDS being used today: Network based (a packet monitor), Host based (looking for instance at system logs for evidence of malicious or suspicious application activity in real time), and Application Based IDS (monitor only specific applications).


Host-Based IDS (HIDS)

Host-based systems were the first type of IDS to be developed and implemented. These systems collect and analyze data that originate on a computer that hosts a service, such as a Web server. Once this data is aggregated for a given computer, it can either be analyzed locally or sent to a separate/central analysis machine. One example of a host-based system is programs that operate on a system and receive application or operating system audit logs. These programs are highly effective for detecting insider abuses. On the down side, host-based systems can get unwieldy. With several thousand possible endpoints on a large network, collecting and aggregating separate specific computer information for each individual machine may prove inefficient and ineffective.

Possible host-based IDS implementations include Windows NT/2000 Security Event Logs, RDMS audit sources, Enterprise Management systems audit data (such as Tivoli), and UNIX Syslog in their raw forms or in their secure forms such as Solaris' BSM; host-based commercial products include RealSecure, ITA, Squire, and Entercept, etc.

Network-Based IDS (NIDS)