What is an Intrusion Detection System?
An intrusion detection system (IDS) is a type of network security tool that can either be a software or hardware device. These systems are often included as a component in a next-generation firewall (NGFW) or a unified threat management (UTM) solution. Intrusion detection systems monitor network traffic for suspicious and malicious activity based on rules and signatures. If such activity is detected, the intrusion detection system will generate an alert. These are most commonly reported and collected centrally through a separate yet interconnected security information and event management (SIEM) system.
A SIEM system correlates information from multiple sources to differentiate between genuine malicious threats and false alarms. A security operations center (SOC) analyst or an incident responder will investigate the issue and decide on an appropriate course of action.
How does an intrusion detection system work?
As mentioned, IDS detects threats and malicious activity based on signatures and rules. Any traffic that matches known malicious signatures or violates preconfigured rules is flagged. Newer generations of IDS may incorporate anomaly-based detection. Anomaly-based detection compares network traffic with a baseline standard of network activity to detect deviations that may indicate a threat.
While this method is sound in theory, anomaly-based detection using IDS can erroneously flag something benign as a threat. These false-positives cause alert fatigue and make it difficult for SOC analysts and incident responders to effectively and timeously respond to genuine threats. Modern anomaly-based solutions like NDR use artificial intelligence and machine learning technology to greatly enhance the accuracy of threat detection.
Types of intrusion detection systems
Intrusion detection systems vary in function based on the systems or environments they are designed for. In this article, we’ll focus on the two most common classifications:
Network intrusion detection system (NIDS):
A network intrusion detection system is designed to detect malicious and threatening traffic on a network. This kind of intrusion detection system is passive. This means it does not interfere with the traffic that it is monitoring.
Network intrusion detection systems are set up at specific points within networks where they examine activity from all devices active on the network. They observe regular traffic and are able to detect unusual behavior.
Host-based intrusion detection system (HIDS):
A host-based intrusion detection system is designed to monitor important operating system files. It protects systems from both internal and external threats. A host-based intrusion detection system has less visibility than other types and operates solely within the limits of its host machine.
However, while its visibility may not necessarily be far-reaching, this kind of intrusion detection system has deep and extended visibility within the internals of its host computer.
Since network intrusion detection systems and host-based intrusion detection systems perform different functions and boast different levels of visibility, they are best used in tandem. When they operate in isolation, they are not able to provide complete protection against all types of threats. However, when used together as a unified threat management solution, systems are provided comprehensive and multi-layered protection.
Evasion techniques
The first step to detecting malicious activity is understanding the ways in which cyber criminals may attempt to gain access to restricted networks. There are five techniques commonly used:
Fragmentation:
To evade detection, attackers may segment traffic into smaller, inconspicuous packets and reassemble them once inside the network. This allows them to disguise their attack signature and bypass the intrusion detection system. A good intrusion detection system together with solutions like next-generation firewalls can effectively protect against fragmentation.
Avoiding default ports:
Hackers may choose to reconfigure a protocol to use a different port. If successful, this can allow a trojan to bypass an intrusion detection system undetected.
Coordinated, low-bandwidth attacks:
Rather than conducting a single scan, attackers may coordinate a malicious scan executed by several individuals. In fact, they may choose to allocate different ports or hosts to different hackers to make the intrusion more difficult to detect.
IP spoofing/proxying:
Attackers may make the detection of malicious activity difficult by utilizing poorly secured or incorrectly configured proxy servers. This will obscure the source of the hacking and allow the source to be spoofed and bounced by a server. Following this, tracking the culprit becomes increasingly complex.
Pattern change evasion:
Most commonly, an intrusion detection system will make use of patterns to pick up unusual activity. Thus, if hackers can slightly adjust attacking architecture, they are more likely to remain undetected.
Why intrusion detection systems are important
As technology continues to advance and cyber attacks intensify, the need for high levels of cybersecurity is ever important. An intrusion detection system can provide adaptable safeguard technology to protect systems when other forms of traditional technology may fail.
For any questions related to intrusion detection systems or securing your organization’s digital presence, do not hesitate to get in touch with a specialist from Sangfor. We can offer bespoke advice when it comes to cyber security solutions and more for your business.