Intrusion Detection and Prevention
What is an Intrusion Detection System?
An intrusion detection system (IDS) is software (or a dedicated appliance) that monitors a network
or host for malicious activity or policy violations and raises an alert as soon as it observes one.
Each detected activity or violation is typically recorded centrally in a SIEM system or reported to an
administrator. An IDS monitors a network or system for malicious activity and helps protect it from
unauthorized access, including access by insiders. For an IDS built on machine learning, the learning
task is to build a predictive model (a classifier) that distinguishes 'bad connections'
(intrusions/attacks) from 'good' (normal) connections.
Working of Intrusion Detection System (IDS)
• An IDS monitors the traffic on a computer network (or the activity on a host) to detect
suspicious activity.
• It analyzes the data flowing through the network, looking for patterns and signs of abnormal
behavior.
• The IDS compares the observed activity to a set of predefined rules and patterns to identify
anything that might indicate an attack or intrusion.
• If the IDS finds something that matches one of these rules or patterns, it sends an alert to the
system administrator.
• The system administrator can then investigate the alert and take action to prevent damage or
further intrusion.
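To make the loop above concrete, here is a minimal signature-matching IDS in Python. It is an added example, not code from the original article or from any particular IDS product: the `Packet` and `Rule` formats, the rule identifiers and the sample packets are all constructed for illustration (real systems parse captured packets and load rules in their own formats, such as Snort's).

```python
"""Minimal signature-based IDS loop: packets -> rule match -> alerts.

Added example (not code from the original article). Packet and rule formats
are assumptions made for illustration; the sample packets are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp" or "udp"
    dport: int
    payload: bytes = b""


@dataclass
class Rule:
    sid: int                   # rule identifier (Snort-style SID; assumption)
    msg: str
    proto: str
    dport: Optional[int] = None      # None = any destination port
    content: Optional[bytes] = None  # byte pattern that must appear in payload
    nocase: bool = False

    def matches(self, pkt: Packet) -> bool:
        """Header fields first (cheap), then the payload content check."""
        if self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.content is not None:
            hay, needle = pkt.payload, self.content
            if self.nocase:
                hay, needle = hay.lower(), needle.lower()
            if needle not in hay:
                return False
        return True


RULES = [
    Rule(1000001, "HTTP directory traversal attempt", "tcp", 80, b"../.."),
    Rule(1000002, "SQL injection probe", "tcp", 80, b"' or 1=1", nocase=True),
    Rule(1000003, "Telnet login attempt", "tcp", 23),
]


def inspect(packets, rules=RULES):
    """Compare every packet against every rule; return one alert per match."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule.matches(pkt):
                alerts.append({"sid": rule.sid, "msg": rule.msg, "src": pkt.src,
                               "dst": pkt.dst, "dport": pkt.dport})
    return alerts


# Constructed sample traffic (not captured from a real network).
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.10", "tcp", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("10.0.0.7", "10.0.0.10", "tcp", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("10.0.0.7", "10.0.0.10", "tcp", 80, b"GET /login?u=admin' OR 1=1-- HTTP/1.1\r\n"),
    Packet("10.0.0.9", "10.0.0.11", "tcp", 23, b""),
    Packet("10.0.0.9", "10.0.0.11", "udp", 53, b"\x12\x34\x01\x00"),
]

if __name__ == "__main__":
    for a in inspect(SAMPLE):
        print(f"[{a['sid']}] {a['msg']}: {a['src']} -> {a['dst']}:{a['dport']}")
```

Three of the five constructed packets produce alerts; the plain page request and the DNS query do not. Note that the second rule only fires because `nocase` normalizes case; without that, `' OR 1=1` would slip past a lowercase signature, which is a first taste of the evasion problem discussed later.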
Classification of Intrusion Detection System (IDS)
Intrusion detection systems are classified into 5 types:
1. Network Intrusion Detection System (NIDS): A network intrusion detection system (NIDS) is
placed at a planned point within the network (typically fed by a mirror/SPAN port or a network tap)
so that it can examine traffic from all devices on that segment. It observes the traffic passing over
the entire subnet and matches it against a collection of known attack patterns. Once an attack is
identified or abnormal behavior is observed, an alert is sent to the administrator. A typical
deployment is on the subnet where the firewalls are located, in order to see whether someone is
trying to get past the firewall.
2. Host Intrusion Detection System (HIDS): A host intrusion detection system (HIDS) runs on an
individual host or device on the network. It monitors the packets entering and leaving that device
only, together with local logs and system files, and alerts the administrator if suspicious or
malicious activity is detected. A common technique is file-integrity monitoring: the HIDS takes a
snapshot (usually cryptographic hashes) of critical system files and compares it with the previous
snapshot; if monitored files have been edited or deleted, an alert is sent to the administrator to
investigate. HIDS is well suited to mission-critical machines whose configuration is not expected to
change.
3. Protocol-based Intrusion Detection System (PIDS): A protocol-based intrusion detection system
(PIDS) is a system or agent that sits at the front end of a server and monitors and interprets the
protocol between a user or device and the server. The typical case is protecting a web server by
inspecting the HTTP stream. Because HTTPS is encrypted on the wire, a PIDS cannot read it from a
passive network tap; it has to sit where TLS is terminated, between the decryption point and the web
server's presentation layer, so that it sees the plaintext HTTP requests.
4. Application Protocol-based Intrusion Detection System (APIDS): An application protocol-based
intrusion detection system (APIDS) is a system or agent that generally resides within a group of
servers and identifies intrusions by monitoring and interpreting application-specific protocols. For
example, it might monitor the SQL protocol between the web application's middleware and the database,
looking for queries that do not fit the application's normal behavior.
5. Hybrid Intrusion Detection System: A hybrid intrusion detection system combines two or more of
the above approaches. Host agent or system data is combined with network information to build a
more complete view of the network and its systems. Because it correlates both views, a hybrid IDS can
be more effective than any single approach on its own. Prelude is an example of a hybrid IDS. (The
abbreviation HIDS is normally reserved for host IDS, so hybrid IDS is best written out in full.)
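The file-integrity check described for HIDS above, as an added Python example that is not from the original article or from any HIDS product. It hashes every file under a directory, keeps the digests as a baseline, and reports files that were added, modified or deleted. The directory tree and the tampering are constructed inside a temporary directory so the script runs anywhere; a real HIDS would keep the baseline somewhere an attacker on the host cannot rewrite it.

```python
"""File-integrity check in the style of a host IDS: snapshot, re-snapshot, diff.

Added example, not code from the original article. The "system files" are
constructed in a temporary directory; a real HIDS would persist the baseline
in a protected location (or off-host) and sign it.
"""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests


def diff_snapshots(old, new):
    """Return what changed between two snapshots, sorted for stable output."""
    return {
        "added": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Build a baseline, tamper with the tree, and report the differences."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed "system files" (not real system content).
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(root, "etc", "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")

        baseline = snapshot(root)

        # Simulated tampering: add a uid-0 account, delete hosts, drop a new file.
        with open(os.path.join(root, "etc", "passwd"), "a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")
        os.remove(os.path.join(root, "etc", "hosts"))
        with open(os.path.join(root, "etc", "ld.so.preload"), "w") as f:
            f.write("/tmp/evil.so\n")

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"ALERT {kind}: {p}")
```

Hashing rather than comparing timestamps matters: an attacker who can edit a file can usually also restore its mtime, but cannot make a different file hash to the same SHA-256 digest.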
Intrusion Detection System Evasion Techniques
• Fragmentation: The attacker splits a packet (or a request) into smaller pieces, called fragments,
so that no single fragment contains the whole attack signature. An IDS that inspects each fragment
on its own, or that reassembles overlapping fragments differently from the target host, misses the
pattern. The countermeasure is to reassemble fragments the same way the destination does before
matching.
• Packet Encoding: Encoding the payload, for example with Base64, hexadecimal or URL (percent)
encoding, can hide malicious content from a signature-based IDS that does not decode the traffic
before matching. Protocol-aware IDS normalize the data (decoding it, possibly more than once for
double-encoded input) before applying signatures.
• Traffic Obfuscation: By making the message harder to interpret (case changes, padding, or an
alternative syntax with the same effect), obfuscation can be used to hide an attack and avoid
detection.
• Encryption: Encryption provides data integrity, confidentiality and privacy. Unfortunately, the
same property that protects legitimate users also lets malware authors hide attack traffic from a
network IDS that cannot see the plaintext; detection then has to move to the endpoint or to a point
where the traffic is decrypted.
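The first two evasions above, fragmentation and hexadecimal (percent) encoding, together with the IDS-side countermeasures, as an added Python example (not code from the original article). The fragment format, the signature and the sample requests are constructed for illustration; the point is that a naive per-fragment match misses the attack while reassembly plus decoding catches it.

```python
"""Two IDS evasions and their countermeasures (added example, not from the
original article). Fragment and signature formats are assumptions; the
sample traffic is constructed."""
from urllib.parse import unquote

SIGNATURE = b"../.."          # directory-traversal pattern we want to detect


def naive_match(fragments, sig=SIGNATURE):
    """Inspect each fragment in isolation (what a non-reassembling IDS does)."""
    return any(sig in frag["data"] for frag in fragments)


def reassemble(fragments):
    """Rebuild the payload from (offset, data) fragments in offset order.

    Gaps and overlaps are refused rather than guessed: an IDS that guesses
    differently from the target host is exactly what overlap attacks exploit.
    """
    buf = bytearray()
    for frag in sorted(fragments, key=lambda f: f["offset"]):
        if frag["offset"] != len(buf):
            raise ValueError(f"unexpected offset {frag['offset']} at {len(buf)}")
        buf.extend(frag["data"])
    return bytes(buf)


def normalize(payload):
    """Undo hexadecimal (percent) encoding the way an HTTP-aware IDS would."""
    text = payload.decode("latin-1")
    # Decode repeatedly (bounded) to defeat double encoding: %252e -> %2e -> .
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text.encode("latin-1")


def match(fragments, sig=SIGNATURE):
    """Reassemble, normalize, then match: the IDS side of the arms race."""
    return sig in normalize(reassemble(fragments))


# Constructed traffic. Evasion 1: the signature straddles a fragment boundary.
FRAGMENTED = [
    {"offset": 0, "data": b"GET /.."},
    {"offset": 7, "data": b"/../etc/passwd HTTP/1.1\r\n"},
]
# Evasion 2: the dots are hex-encoded, and the first pair doubly so.
ENCODED = [
    {"offset": 0, "data": b"GET /%252e%252e/%2e%2e/etc/passwd HTTP/1.1\r\n"},
]
BENIGN = [{"offset": 0, "data": b"GET /index.html HTTP/1.1\r\n"}]

if __name__ == "__main__":
    for name, frags in [("fragmented", FRAGMENTED), ("encoded", ENCODED), ("benign", BENIGN)]:
        print(f"{name:10s} naive={naive_match(frags)!s:5s} "
              f"reassembled+normalized={match(frags)}")
```

The decode loop is bounded on purpose: an unbounded "decode until stable" loop is itself a denial-of-service target, and three rounds already covers the double-encoding trick while keeping the cost per request fixed.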
Benefits of IDS
• Detects malicious activity: An IDS can detect suspicious activity and alert the system
administrator before significant damage is done.
• Helps with network troubleshooting: the traffic data an IDS collects also exposes misconfigured
or unusually noisy hosts, which can be addressed to improve network performance.
• Compliance requirements: An IDS can help in meeting compliance requirements by monitoring
network activity and generating reports.
• Provides insights: An IDS generates valuable insight into network traffic, which can be used to
identify weaknesses and improve network security.
Detection Method of IDS
• Signature-based Method: A signature-based IDS detects attacks by matching traffic against
specific, known patterns: particular byte sequences in a payload, a known header combination, or
an instruction sequence used by a known piece of malware. These stored patterns are called
signatures. A signature-based IDS reliably detects attacks whose signature already exists in its
database, but it cannot detect new attacks whose pattern is not yet known, and its signature set
has to be kept up to date.
• Anomaly-based Method: The anomaly-based method was introduced to detect unknown attacks,
since new malware appears faster than signatures can be written. An anomaly-based IDS first builds
a model of trusted (normal) activity, using statistical profiles or machine learning, and then
compares incoming activity with that model; anything that does not fit is flagged as suspicious.
Because the model can be trained on the specific applications and hardware in use, this method
generalizes better than signatures, at the cost of more false positives: legitimate but unusual
behavior (a new backup job, a software rollout) also looks anomalous until the model is retrained.
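A small anomaly-based detector, added here as an example (not from the original article): it learns a per-feature mean and standard deviation from a set of constructed normal flows and flags flows that fall far from that baseline. The features (client bytes, server bytes, duration), the threshold and the flow records are assumptions; production systems learn far richer models, but the false-positive caveat above is already visible, since a legitimate large upload would score the same as exfiltration.

```python
"""Anomaly-based detection with a statistical baseline (added example; not
code from the original article). Features, threshold and flow records are
assumptions constructed for illustration; in practice the baseline would be
learned from weeks of traffic, per service and per host."""
import math
import statistics

# Constructed "normal" flows observed during the training period:
# (bytes sent by client, bytes received by client, duration in seconds).
TRAINING = [
    (520, 48_000, 0.9), (610, 52_000, 1.1), (480, 45_000, 0.8),
    (700, 61_000, 1.4), (550, 50_000, 1.0), (590, 47_500, 0.95),
    (640, 55_000, 1.2), (500, 49_000, 0.85), (620, 53_500, 1.15),
    (570, 51_000, 1.05),
]


class Baseline:
    """Per-feature mean and standard deviation learned from normal traffic."""

    def __init__(self, flows):
        cols = list(zip(*flows))
        self.mean = [statistics.fmean(c) for c in cols]
        # Floor the std so a constant feature cannot cause division by zero.
        self.std = [max(statistics.pstdev(c), 1e-9) for c in cols]

    def score(self, flow):
        """Distance from normal: root of the summed squared z-scores."""
        z = [(x - m) / s for x, m, s in zip(flow, self.mean, self.std)]
        return math.sqrt(sum(v * v for v in z))


def classify(baseline, flow, threshold=6.0):
    """'anomalous' if the flow is far from everything seen in training."""
    s = baseline.score(flow)
    return ("anomalous" if s > threshold else "normal", round(s, 2))


# Constructed test flows. None carries a known signature; only their shape
# (size, duration) distinguishes them from the training data.
TESTS = {
    "ordinary browsing":    (560, 50_500, 1.0),
    "bulk upload (exfil?)": (250_000_000, 2_000, 900.0),
    "slow beacon":          (120, 90, 0.05),
}

if __name__ == "__main__":
    b = Baseline(TRAINING)
    for name, flow in TESTS.items():
        verdict, s = classify(b, flow)
        print(f"{name:22s} score={s:12.2f} -> {verdict}")
```

The threshold is the tuning knob: lower it and the beacon is caught sooner but ordinary outliers start paging the on-call engineer; raise it and only gross deviations like the bulk upload are reported. Nothing in the model says whether that upload is exfiltration or an off-site backup, which is why anomaly alerts need context a signature alert does not.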
Comparison of IDS with Firewalls
IDS and firewalls are both network security controls, but they do different jobs. A firewall
enforces a policy on traffic crossing a boundary: it restricts access between networks in order to
stop intrusions before they happen. A traditional firewall does not inspect the traffic it allows for
attacks, and an attack that originates inside the network and never crosses the firewall is not
noticed at all. An IDS, by contrast, reports a suspected intrusion once it has happened (or while it is
in progress) and raises an alarm; on its own it does not block anything.
Intrusion Prevention System (IPS)
An intrusion prevention system (IPS) is also known as an intrusion detection and prevention
system (IDPS). It is a network security application that monitors network or system activity for
malicious behavior. Its major functions are to identify malicious activity, collect information about
it, report it, and attempt to block or stop it.
Intrusion prevention systems are considered an extension of intrusion detection systems, because
both monitor network traffic and system activity for malicious behavior. The practical difference is
placement: an IDS typically watches a copy of the traffic out of band, whereas an IPS sits inline in
the traffic path so that it can act on what it sees (and so that its own failure or latency affects the
traffic, which is why IPS deployments need a fail-open or fail-closed decision).
An IPS typically records information about observed events, notifies security administrators of
important ones, and produces reports. Many IPS can also respond to a detected threat by attempting
to prevent it from succeeding. They use several response techniques: stopping the attack itself
(dropping the offending packets or resetting the connection), changing the security environment
(for example reconfiguring a firewall to block the source address), or changing the attack's content
(stripping the malicious part of a request before forwarding it).
Why Do You Need an IPS?
An IPS is an important part of network security. Some of the reasons:
• Protection Against Known and Unknown Threats: An IPS blocks known threats by signature and,
where it includes anomaly-based detection, can also detect and block some threats that have not
been seen before.
• Real-Time Protection: Because it sits inline, an IPS can detect and block malicious traffic in
real time, so an attack it recognizes can be stopped before it does damage.
• Compliance Requirements: Many industry regulations require intrusion prevention or equivalent
monitoring controls to protect sensitive information and prevent data breaches.
• Cost-Effective: An IPS is usually cheap compared with the cost of dealing with the aftermath of a
security breach.
• Increased Network Visibility: An IPS provides visibility into what is happening on the network,
which helps in identifying potential security risks.
Classification of Intrusion Prevention System (IPS):
Intrusion prevention systems are classified into 4 types:
1. Network-based intrusion prevention system (NIPS):
It monitors the entire network for suspicious traffic by analyzing protocol activity.
2. Wireless intrusion prevention system (WIPS):
It monitors a wireless network for suspicious traffic by analyzing wireless networking protocols.
3. Network behavior analysis (NBA):
It examines network traffic to identify threats that generate unusual traffic flows, such as
distributed denial-of-service (DDoS) attacks, certain forms of malware, and policy violations.
4. Host-based intrusion prevention system (HIPS):
It is a software package installed on a single host that monitors that host for suspicious activity
by analyzing the events occurring within it.
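An inline IPS decision loop, added as an example (not from the original article or from any product), showing two of the response techniques described earlier: dropping a packet that matches a signature, and blocking a source whose traffic shape is abnormal, which is the network behavior analysis case (a per-source SYN-rate threshold stands in for SYN-flood detection). The packet format, the thresholds and the packet stream are constructed assumptions.

```python
"""Inline IPS decision loop (added example; not code from the original
article). Signature-based drop plus behaviour-based source blocking.
Packet format, thresholds and the sample stream are assumptions."""
from collections import defaultdict, deque

SIGNATURES = {
    2000001: ("Directory traversal", b"../.."),
}
SYN_LIMIT = 5          # SYNs per source per window before we block (assumption)
WINDOW = 1.0           # sliding window in seconds


class InlineIPS:
    def __init__(self, syn_limit=SYN_LIMIT, window=WINDOW):
        self.syn_limit, self.window = syn_limit, window
        self.syn_times = defaultdict(deque)   # src -> timestamps of recent SYNs
        self.blocked = set()                  # sources already blocked
        self.log = []                         # what an IDS would emit as alerts

    def _log(self, action, reason, pkt):
        self.log.append({"ts": pkt["ts"], "action": action, "reason": reason,
                         "src": pkt["src"], "dst": pkt["dst"]})

    def handle(self, pkt):
        """Return 'pass' or 'drop'. An IDS would only log; an IPS also decides."""
        if pkt["src"] in self.blocked:
            self._log("drop", "source blocked", pkt)
            return "drop"

        # Signature-based response: stop the attack packet itself.
        for sid, (msg, pattern) in SIGNATURES.items():
            if pattern in pkt.get("payload", b""):
                self._log("drop", f"sid {sid}: {msg}", pkt)
                return "drop"

        # Behaviour-based response: SYN rate per source over a sliding window.
        if pkt.get("syn"):
            q = self.syn_times[pkt["src"]]
            q.append(pkt["ts"])
            while q and pkt["ts"] - q[0] > self.window:
                q.popleft()
            if len(q) > self.syn_limit:
                self.blocked.add(pkt["src"])   # "changing the security environment"
                self._log("block", f"{len(q)} SYNs in {self.window}s", pkt)
                return "drop"

        self._log("pass", "", pkt)
        return "pass"


def run(stream):
    """Feed a packet stream through a fresh IPS; return (decisions, ips)."""
    ips = InlineIPS()
    return [ips.handle(p) for p in stream], ips


# Constructed packet stream: one normal client, one traversal attempt,
# one source sending 7 SYNs in 0.3 s, then that source trying again later.
STREAM = [
    {"ts": 0.00, "src": "10.0.0.5", "dst": "10.0.0.10", "syn": True},
    {"ts": 0.10, "src": "10.0.0.5", "dst": "10.0.0.10", "payload": b"GET / HTTP/1.1\r\n"},
    {"ts": 0.20, "src": "10.0.0.7", "dst": "10.0.0.10",
     "payload": b"GET /../../etc/passwd HTTP/1.1\r\n"},
] + [
    {"ts": 0.30 + i * 0.05, "src": "10.0.0.9", "dst": "10.0.0.10", "syn": True}
    for i in range(7)
] + [
    {"ts": 5.00, "src": "10.0.0.9", "dst": "10.0.0.10", "payload": b"hello"},
]

if __name__ == "__main__":
    decisions, ips = run(STREAM)
    for entry, d in zip(ips.log, decisions):
        print(f"{entry['ts']:5.2f} {entry['src']:10s} {d:4s} {entry['reason']}")
```

The block set never expires in this toy, which is the kind of detail that matters inline: a source blocked on a rate threshold should age out, otherwise a spoofed burst of SYNs from a victim's address turns the IPS into a denial-of-service tool against that victim.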