IDS - what is it? How does this system work? Intrusion detection systems are software or hardware for detecting attacks and malicious activity. They help networks and computer systems mount a proper response to them. To do this, an IDS collects information from multiple system or network sources and then analyzes it for signs of attacks. This article will attempt to answer the question: "IDS - what is it and what is it for?"
What are intrusion detection systems (IDS) for?
Information systems and networks are constantly subjected to cyber attacks. Firewalls and antivirus software alone are clearly not enough to repel all of these attacks, since they can only protect the "front door" of computer systems and networks. Various teenagers who imagine themselves to be hackers are constantly scouring the Internet for cracks in security systems.
Thanks to the World Wide Web, they have at their disposal a great deal of completely free malicious software: all sorts of slammers, blindpers and similar malicious programs. Competing companies use the services of professional crackers to neutralize each other. So intrusion detection systems are a must, and, not surprisingly, they are used more and more every day.
IDS Elements
IDS elements include:
- a detector subsystem, whose purpose is to collect events from the network or computer system;
- an analysis subsystem that detects cyber attacks and suspicious activity;
- storage for accumulating information about events, as well as the results of analyzing cyber attacks and unauthorized actions;
- a management console with which you can set IDS parameters, monitor the status of the network (or computer system), and access information about attacks and illegal actions detected by the analysis subsystem.
By the way, many may ask: "How does IDS translate?" From the English, it comes out roughly as "a system that catches uninvited guests red-handed."
The main tasks that intrusion detection systems solve
An intrusion detection system has two main tasks: analyzing information sources and responding adequately based on the results of that analysis. To perform these tasks, an IDS does the following:
- monitors and analyzes user activity;
- audits the configuration of the system and its weaknesses;
- checks the integrity of the most important system files, as well as data files;
- conducts a statistical analysis of system states, based on a comparison with those states that occurred during already known attacks;
- audits the operating system.
What an intrusion detection system can provide and what it cannot do
With its help, you can achieve the following:
- improve the integrity settings of the network infrastructure;
- trace a user's activity from the moment of entering the system until the moment of harming it or performing any unauthorized actions;
- recognize and notify about data changes or deletions;
- automate Internet monitoring tasks in order to search for the latest attacks;
- identify errors in the system configuration;
- detect the beginning of an attack and notify about it.
IDS cannot do this:
- make up for flaws in network protocols;
- compensate for weak identification and authentication mechanisms in the networks or computer systems that it monitors;
- and it should also be noted that an IDS does not always cope with packet-level attacks.
IPS (intrusion prevention system) - the continuation of IDS
IPS stands for Intrusion Prevention System. These are extended, more functional versions of IDS. In contrast to conventional IDS, IPS are reactive. This means that they can not only detect, record and notify about an attack, but also perform protective functions, such as dropping connections and blocking incoming traffic packets. Another hallmark of IPS is that they operate in real time (inline with the traffic) and can automatically block attacks.
IDS subtypes by monitoring method
NIDS (network intrusion detection system)
NIDS (i.e., IDS that monitor the entire network) analyze the traffic of an entire subnet and are managed centrally. By correctly positioning several NIDS, a fairly large network can be monitored.
They work in promiscuous mode (that is, they check all incoming packets rather than a selection of them), comparing subnet traffic with the known attacks in their library. When an attack is identified or unauthorized activity is detected, an alarm is sent to the administrator. However, it should be mentioned that in a large network with high traffic, NIDS sometimes cannot cope with checking every packet. Therefore, it is likely that during "rush hour" they will not be able to recognize an attack.
Network-based IDS are easy to integrate into new network topologies, since, being passive, they do not have a significant effect on how the network functions. They only record and notify, in contrast to the reactive IPS discussed above. However, it should also be said that network-based IDS cannot analyze encrypted information. This is a significant drawback: with the increasingly widespread adoption of virtual private networks (VPNs), encrypted traffic is increasingly used by cybercriminals for attacks.
Also, NIDS cannot determine what happened as a result of an attack, whether it caused harm or not. All they can do is record its beginning. Therefore, the administrator is forced to re-examine each attack independently to find out whether the attackers achieved their goal. Another major issue is that NIDS have difficulty handling attacks that use fragmented packets. These are especially dangerous because they can interfere with the normal operation of the NIDS itself; what that can mean for the entire network or computer system needs no explanation.
HIDS (host intrusion detection system)
HIDS (host-based IDS) serve only a specific computer. This, of course, provides much higher efficiency. A HIDS analyzes two types of information: system logs and the results of an operating system audit. It takes a snapshot of the system files and compares it with an earlier snapshot. If files critical to the system have been modified or deleted, an alarm is sent to the administrator.
A significant advantage of HIDS is the ability to do their work even when network traffic is encrypted. This is possible because host-based information sources can be created before the data is encrypted, or after it is decrypted on the destination host.
The disadvantages of this system include the possibility of blocking or even disabling it with certain types of DoS attacks. The problem is that the sensors and some of the HIDS analysis tools are located on the host being attacked, so they are attacked too. The fact that HIDS consume the resources of the hosts they monitor is also hard to call a plus, since this naturally reduces their performance.
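The snapshot-and-compare check described above, as an added example that is not part of the original article: it hashes every file under a directory, stores the result as a baseline, and later classifies files as modified, deleted or added. The sample "etc" tree and the changes made to it are constructed in a temporary directory; the file names and the `demo()` helper are this example's own.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: str) -> dict:
    """Map every file under root (as a relative POSIX path) to its content hash."""
    root_path = Path(root)
    return {p.relative_to(root_path).as_posix(): hash_file(p)
            for p in sorted(root_path.rglob("*")) if p.is_file()}


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify what changed between an earlier snapshot and a later one."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "deleted": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small 'etc' tree, change it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp, "etc")
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = snapshot(tmp)
        # Changes made after the baseline was taken (simulated for the example).
        (etc / "passwd").write_text("root:x:0:0::/root:/bin/sh\n# edited\n")
        (etc / "hosts").unlink()
        (etc / "unexpected.conf").write_text("new file\n")
        return diff_snapshots(baseline, snapshot(tmp))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A real HIDS keeps the baseline off the monitored host (or signs it), since an attacker who can alter the files can otherwise alter the baseline too.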
IDS subtypes by attack detection method
The anomaly method, the signature analysis method and the policy method are the subtypes of attack detection methods that IDS use.
Signature Analysis Method
In this case, data packets are checked for attack signatures. An attack signature is the correspondence of an event to one of the patterns describing a known attack. This method is quite effective, because false alarms are quite rare when it is used.
Anomaly Method
With its help, illegal actions are detected on the network and on hosts. Based on the history of normal operation of the host and the network, special profiles are created containing this data. Then special detectors come into play, analyzing events with various algorithms and comparing them with the "norm" recorded in the profiles. Not having to accumulate a huge number of attack signatures is a definite plus of this method. However, a considerable number of false alarms during atypical but perfectly legitimate events on the network is its undoubted minus.
Policy Method
Another attack detection method is the policy method. Its essence is the creation of network security rules, which, for example, may specify how networks are allowed to interact and which protocols may be used for this. This method is promising, but the difficulty lies in the rather complicated process of building the policy base.
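The three detection methods (signature, anomaly and policy), as an added example that is not part of the original article and not the code of any real IDS: each method is one small function run over the same constructed event list. The addresses, the signature library, the baseline profile and the policy rule are all made up for this example.

```python
import statistics
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample events: (source, destination, protocol/port, payload).
EVENTS = [
    ("10.0.1.5", "10.0.2.10", "tcp/443", "GET /index.html"),
    ("10.0.1.5", "10.0.2.10", "tcp/443", "GET /login"),
    ("10.0.1.7", "10.0.2.10", "tcp/443", "GET /../../secret.txt"),  # matches a signature
    ("10.0.1.9", "10.0.2.11", "tcp/23", "login"),                    # protocol not in policy
] + [("10.0.1.8", "10.0.2.10", "tcp/443", f"GET /page{i}") for i in range(40)]  # burst

# Signature library: pattern name -> substring that identifies a known attack.
SIGNATURES = {"path traversal": "../", "sql injection probe": "' OR 1=1"}

# Constructed profile of "normal" events per host, gathered from past quiet periods.
BASELINE_EVENTS_PER_HOST = [3, 4, 5, 2, 4, 3]

# Policy base: (source network, destination network) -> protocols allowed between them.
POLICY = {("10.0.1.0/24", "10.0.2.0/24"): {"tcp/443", "tcp/22"}}


def signature_alerts(events):
    """Signature method: flag events whose payload contains a known attack pattern."""
    return [(src, name) for src, _, _, payload in events
            for name, pattern in SIGNATURES.items() if pattern in payload]


def anomaly_alerts(events, baseline=BASELINE_EVENTS_PER_HOST, z=3.0):
    """Anomaly method: flag hosts whose event count exceeds the profile mean by z sigmas."""
    threshold = statistics.mean(baseline) + z * statistics.pstdev(baseline)
    counts = Counter(src for src, _, _, _ in events)
    return sorted(src for src, n in counts.items() if n > threshold)


def policy_alerts(events):
    """Policy method: flag traffic between two networks that uses a protocol not allowed."""
    alerts = []
    for src, dst, proto, _ in events:
        for (src_net, dst_net), allowed in POLICY.items():
            if (ip_address(src) in ip_network(src_net)
                    and ip_address(dst) in ip_network(dst_net)
                    and proto not in allowed):
                alerts.append((src, dst, proto))
    return alerts


if __name__ == "__main__":
    print("signature:", signature_alerts(EVENTS))
    print("anomaly:", anomaly_alerts(EVENTS))
    print("policy:", policy_alerts(EVENTS))
```

Note how each method misses what the others catch: the burst from 10.0.1.8 matches no signature and breaks no policy rule, while the telnet session is perfectly "normal" in volume.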
ID Systems provides reliable protection for your networks and computer systems
Today, the ID Systems group of companies is one of the market leaders in creating security systems for computer networks. It will provide you with reliable protection against cyber villains. With ID Systems security systems, you need not worry about the data that is important to you. Thanks to this, you can enjoy life more, because you will have less anxiety in your soul.
ID Systems - Employee Reviews
A great team, and most importantly, of course, the right attitude of the company's management toward its employees. Everyone (even fledgling newcomers) has the opportunity for professional growth. True, for this, of course, you need to prove yourself, and then everything will work out.
The team has a healthy atmosphere. Beginners will always be taught everything and shown everything. No unhealthy competition is felt. Employees who have been with the company for many years are happy to share all the technical details. They kindly, without a trace of condescension, answer even the most stupid questions from inexperienced workers. In general, working with ID Systems brings some pleasant emotions.
The attitude of management is pleasantly pleasing. It is also encouraging that here, obviously, they know how to work with personnel, because the team they have put together is truly highly professional. The opinion of employees is almost unanimous: they feel at home at work.