Valuable property needs to be protected from the prospect of theft and
destruction. Some homes are equipped with alarm systems that can deter
burglars, notify authorities when a break-in has occurred, and even warn
owners when their home is on fire. Such measures are necessary to ensure
the integrity of homes and the safety of homeowners.
The same assurance of integrity and safety should also be applied to
computer systems and data. The Internet has facilitated the flow of
information, from personal to financial. At the same time, it has fostered
just as many dangers. Malicious users and crackers seek vulnerable targets
such as unpatched systems, systems infected with trojans, and networks
running insecure services. Alarms are needed to notify administrators and
security team members that a breach has taken place so that they can
respond in real-time to the threat. Intrusion detection
systems have been designed as such a warning system.
An intrusion detection system (IDS) is an active process or device
that analyzes system and network activity for unauthorized entry and/or
malicious activity. The way that an IDS detects anomalies can vary widely;
however, the ultimate aim of any IDS is to catch perpetrators in the act
before they do real damage to resources.
An IDS protects a system from attack, misuse, and compromise. It can
also monitor network activity, audit network and system configurations for
vulnerabilities, analyze data integrity, and more. Depending on the
detection methods you choose to deploy, there are several direct and
incidental benefits to using an IDS.
Understanding what an IDS is, and the functions it provides, is
key in determining what type is appropriate to include in a computer
security policy. This section discusses the concepts behind IDSes, the
functionalities of each type of IDS, and the emergence of hybrid IDSes
that employ several detection techniques and tools in one package.
Some IDSes are knowledge-based, which
preemptively alert security administrators before an intrusion occurs
using a database of common attacks. Alternatively, there are
behavioral-based IDSes that track all resource
usage for anomalies, which is usually a positive sign of malicious
activity. Some IDSes are standalone services that work in the
background and passively listen for activity, logging any suspicious
packets from the outside. Others combine standard system tools,
modified configurations, and verbose logging, with administrator
intuition and experience to create a powerful intrusion detection
kit. Evaluating the many intrusion detection techniques can assist in
finding one that is right for your organization.
The most common types of IDSes referred to in the security field are
known as host-based and
network-based IDSes. A host-based IDS is the
most comprehensive of the two, which involves implementing a detection
system on each individual host. Regardless of which network
environment the host resides on, it is still protected. A
network-based IDS funnels packets through a single device before being
sent to specific hosts. Network-based IDSes are often regarded as less
comprehensive since many hosts in a mobile environment make it
unavailable for reliable network packet screening and protection.