When we speak about network security, we often hear terms like Intrusion Detection System and Intrusion Prevention System. In this report, let us gain some understanding of these concepts. Intrusion detection refers to the process of monitoring computer and network activities and analyzing them for signs of intrusion in your system. The aim of looking for unauthorized intrusions is to alert IT professionals and system administrators within your organization to potential system or network security threats and weaknesses. Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs) are an essential element of IT systems defence, and without these techniques our data and our networks are much more vulnerable to malicious behaviours.
Generally, Intrusion Detection Systems (IDSs) try to identify attacks as they occur. Such technologies are critical to network security, but have limitations. IDSs can monitor and analyze traffic that passes through open ports, but do not stop attacks. An IPS can proactively stop attacks.
On the other hand, Intrusion Prevention Systems (IPSs), which can be considered a more advanced generation and evolution of Intrusion Detection Systems, are now making their mark on the IT industry by accomplishing a higher standard of network defence. An IPS is a powerful security system and is proving to make a significant impact in information systems. These more advanced systems not only detect attacks, but also try to block them.
The similarity between IPSs and IDSs is that both systems aim to distinguish malicious activity from normal activity. An IPS, like an IDS, has a set of signatures or predefined conditions that, when met, cause a response. An IPS also processes traffic in a similar way to an IDS. However, the response itself varies, and that is what mostly differentiates an IPS from an IDS. With the creation of sophisticated attacks and the discovery of new vulnerabilities, new methods are needed to protect valuable data and network resources. Therefore, Intrusion Prevention Systems use new practical approaches to prevent intrusions before any damage is done.
2. Intrusion Detection Systems
An intrusion detection system (IDS) is software and/or hardware designed to detect unwanted attempts at accessing, manipulating, and/or disabling computer systems, mainly through a network, such as the Internet. These attempts may take the form of attacks by, for example, crackers, malware and/or disgruntled employees. An IDS cannot directly detect attacks within properly encrypted traffic.
An intrusion detection system is used to detect several types of malicious behaviours that can compromise the security and trust of a computer system. This includes network attacks against vulnerable services, data driven attacks on applications, host based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses, Trojan horses, and worms).
An IDS can be composed of several components: Sensors which generate security events, a Console to monitor events and alerts and control the sensors, and a central Engine that records events logged by the sensors in a database and uses a system of rules to cause alerts from security events received. There are several ways to categorize an IDS depending on the type and location of the sensors and the methodology used by the engine to generate alerts. In many simple IDS implementations all three components are combined in a single device or appliance.
An intrusion detection system (IDS) is designed to monitor all inbound and outbound network activity and identify any suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system. An IDS is considered to be a passive-monitoring system, since the main function of an IDS product is to warn you of suspicious activity taking place, not to prevent it. An IDS essentially reviews your network traffic and data and will identify probes, attacks, exploits and other vulnerabilities. IDSs can respond to the suspicious event in one of several ways, which include displaying an alert, logging the event or even paging an administrator. In some cases the IDS may be prompted to reconfigure the network to reduce the effects of the suspicious intrusion.
An IDS specifically looks for suspicious activity and events that might be the result of a virus, worm or hacker. This is done by looking for known intrusion signatures or attack signatures that characterize different worms or viruses and by tracking general variances which differ from regular system activity. The IDS is able to provide notification of only known attacks.
Intrusion detection systems do not detect intrusions at all. They only identify evidence of intrusion, either while in progress or after the fact. An IDS identifies security threats by detecting scans, probes and attacks but does not block these patterns; instead it merely reports that they took place. However, IDS logged data is invaluable as evidence for forensics and incident handling.
Intrusion Detection Systems are designed to alert a user to possibly malicious activity. The main idea of an intrusion detection system is that a human must be present in the system to verify when activity is really unauthorized.
Types of Intrusion Detection Systems
There are two main categories of IDS based on the IDS alarm triggering mechanism, that is, the action that causes the IDS to generate an alarm. They are anomaly detection-based IDSs and misuse detection-based IDSs.
Anomaly detection-based IDSs: report deviations from "normal" or expected behaviour. Behaviour other than "normal" is considered an attack and is flagged and recorded. It compares observed activity against expected normal usage profiles (for users, groups of users, applications, etc). Audit event records which fall outside the definition of normal behaviour are considered anomalies.
Misuse detection-based IDSs: look for attack signatures in the audit data which announce known misuse. They are based on a set of rules that match typical patterns of exploits used by attackers. Snort is such a system and actually the most widely deployed intrusion detection technology worldwide. Another system is called Bro, which is a stand-alone system for detecting intruders in real-time by passively monitoring a network link over which the intruder's traffic transits.
Misuse Detection vs. Anomaly Detection
In misuse detection, the IDS analyzes the information it gathers and compares it to large databases of attack signatures. Essentially, the IDS looks for a specific attack that has already been documented. Like a virus detection system, detection software is only as good as the database of intrusion signatures that it uses to compare packets against. In anomaly detection, the system administrator defines the baseline, or normal, state of the network's traffic load, breakdown, protocol, and typical packet size. The anomaly detector monitors network segments to compare their state to the normal baseline and look for anomalies.
The advantage of anomaly detection is that it can detect previously unknown attacks and insider attacks, without the need for signatures. On the other hand, the large number of false positives is the most important shortcoming of such systems. Furthermore, besides being complicated and hard to understand, building and updating profiles also requires a lot of work.
Misuse detection is considered more accurate, since there is a known database of exploits and so there are few false positives. However, this database has to be updated continuously to keep up with new attacks. Furthermore, misuse detection systems are unable to detect any future (unknown) intrusions. IDS products available in the market today mostly use misuse detection.
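The trade-off described above can be seen on a handful of events. The following is an added example, not part of the original essay: the signature strings, packet sizes and event labels are all constructed, and the anomaly baseline uses only "typical packet size" with an assumed threshold of three standard deviations.

```python
from statistics import mean, pstdev

# Constructed signature database (known-bad substrings), not a real ruleset.
SIGNATURES = {"SIG-TRAVERSAL": "../../", "SIG-CMD": "cmd.exe"}

def misuse_detect(event):
    """Misuse detection: return IDs of signatures found in the payload."""
    return [sid for sid, pat in SIGNATURES.items() if pat in event["payload"]]

class AnomalyDetector:
    """Anomaly detection: learn a packet-size baseline, flag large deviations."""
    def __init__(self, threshold=3.0):      # threshold is an assumption
        self.threshold = threshold
        self.mu = self.sigma = None

    def train(self, events):
        sizes = [e["size"] for e in events]
        self.mu = mean(sizes)
        self.sigma = pstdev(sizes) or 1.0   # avoid division by zero

    def is_anomalous(self, event):
        return abs(event["size"] - self.mu) / self.sigma > self.threshold

# Constructed training period: normal traffic only.
TRAINING = [{"payload": "GET /index.html", "size": s, "malicious": False}
            for s in (480, 510, 495, 505, 500, 490, 520, 500)]

# Constructed live traffic with ground-truth labels.
LIVE = [
    # Known attack, normal size: signature hit, no anomaly.
    {"payload": "GET /../../etc/passwd", "size": 505, "malicious": True},
    # Unknown attack, no signature exists yet, unusual size.
    {"payload": "POST /api/import <constructed unknown payload>",
     "size": 9000, "malicious": True},
    # Legitimate but unusual: a large upload by an authorized user.
    {"payload": "POST /upload report.pdf", "size": 8000, "malicious": False},
    # Ordinary request.
    {"payload": "GET /index.html", "size": 498, "malicious": False},
]

def evaluate(flag, events):
    """Count true positives, false positives and false negatives."""
    tally = {"tp": 0, "fp": 0, "fn": 0}
    for e in events:
        flagged = bool(flag(e))
        if flagged and e["malicious"]:
            tally["tp"] += 1
        elif flagged:
            tally["fp"] += 1
        elif e["malicious"]:
            tally["fn"] += 1
    return tally

def run_demo():
    detector = AnomalyDetector()
    detector.train(TRAINING)
    return {"misuse": evaluate(misuse_detect, LIVE),
            "anomaly": evaluate(detector.is_anomalous, LIVE)}

if __name__ == "__main__":
    print(run_demo())
```

Misuse detection raises no false alarm but misses the unknown attack; the anomaly detector catches the unknown attack but also flags the legitimate upload and misses the known attack that looks normal in size.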
Classification of Intrusion Detection Systems
The other way to classify IDS is by monitoring location. Intrusion detection systems are network or host based solutions.
Network based IDS (NIDS): sits behind the firewall, on the demilitarized zone (DMZ) or the private network, and sniffs packets in promiscuous mode, invisible to the attacker. It monitors and analyzes packets and can use anomaly or misuse detection techniques. While the firewall screens out unwanted traffic, the NIDS will alert to what is "leaking" through the firewall. A NIDS needs to keep up with the high volume of traffic or else it could miss attacks. High speed is also essential for low latency. Thus, it is usually available as a dedicated hardware appliance.
Host based IDS (HIDS): software is run on each host. The software monitors and detects user and operating system activity and logs. Attacks on a given host are detected using misuse detection. HIDS have a closer and deeper look at the activity of attack tools on the host and should be employed on Web, DNS servers and target hosts.
Network-based vs. Host-based IDS
Network-based IDS systems (NIDS) are often standalone hardware appliances that include network intrusion detection capabilities. They usually consist of hardware sensors located at various points along the network, or software installed on computers connected to your network, which analyzes data packets entering and leaving the network. Host-based IDS systems (HIDS) do not offer true real-time detection, but if configured correctly are close to true real-time.
Host-based IDS systems consist of software agents installed on individual computers within the system. A HIDS analyzes the traffic to and from the specific computer on which the intrusion detection software is installed. HIDS systems often provide features you can't get with a NIDS. For example, a HIDS is able to monitor activities that only an administrator should be able to implement. It is also able to monitor changes to key system files and any attempt to overwrite these files. Attempts to install Trojans or backdoors can also be monitored and stopped by a HIDS. These specific intrusion events are not always seen by a NIDS.
While it depends on the size of your network and the number of individual computers which require an intrusion detection system, a NIDS is usually a cheaper solution to implement and requires less administration and training, but it is not as flexible as a HIDS. Both systems will require Internet access (bandwidth) to ensure the system is kept up-to-date with the latest virus and worm signatures.
3. Intrusion Prevention System
An Intrusion Prevention System is any hardware or software device which can identify both known and unknown attacks and stop them from being successful. IPSs are practical, in-line devices that, if they distinguish malicious activity, can drop attack packets or even disconnect connections before they reach the host, and block all traffic with the similar IP address. They quickly finish the intrusion and reduce the total time before the normal return of the network. By using many detection methods and utilizing its position in the line of network traffic, an IPS can identify attacks and intrusions more precisely and reliably. By relying less on signatures and more on intelligent methods of detection, the IPS generates far fewer false alarms.
An intrusion prevention system is definitely the next level of security technology, with its capability to provide security at all system levels from the operating system kernel to network data packets. It provides policies and rules for network traffic along with an IDS for alerting system or network administrators to suspicious traffic, but allows the administrator to provide the action upon being alerted. Where an IDS informs of a potential attack, an IPS makes attempts to stop it. Another huge leap over IDS is that an IPS is able to prevent not only known intrusion signatures, but also some unknown attacks, due to its database of generic attack behaviours. Thought of as a combination of IDS and an application layer firewall for protection, IPS is generally considered to be the "next generation" of IDS.
Some requirements of an IPS are the following:
Accuracy: is one of the most important requirements in an IPS. Having false positives may be extremely annoying in an IDS, but it is absolutely unacceptable in an IPS. False positives are typically generated by systems that rely on a single detection method, and by ones that cannot be configured at different levels to fit into the operational environment. If legitimate traffic is blocked, then problems arise for authorized users. This creates self-inflicted DoS attacks, Denial of Service attacks that originate from the prevention system itself. Sometimes a valid business transaction may act like an attack. In such a case, an "offending" packet may first be dropped and then the entire dataflow. If the source IP is that of a critical business partner, the partner will be prevented from accessing resources.
Performance: is also important for IPSs. The problem with inline intrusion prevention is that it tends to become a network bottleneck. All network traffic needs to flow through these devices, and if they don't operate quickly enough, they drop packets, increasing the possibility of false negatives. Thus, they have to work at wire speed.
Anticipation of Unknown Attacks and Easy Signature Update for New Attacks: An IPS must provide flexible methods to update new attack signatures, as well as capabilities to respond to entirely new classes of attacks. In addition, IPS systems should have methods that can respond to new attacks without requiring signature updates. Such methods may include inverse exclusion, where all requests, except those that are legal for a given destination, are dropped. Another method is protocol validation, where illegal request methods are dropped. Attack-independent blocking is another method where hostile attackers are identified, and all traffic from the attacker is dropped, regardless of whether the attacks are known or not.
An IPS should be reliable and highly available: Reliability refers to the ability of a system to perform its functions properly without interfering with other systems on the network. Availability is the amount of downtime of the system, due to shutdown, crashes, or maintenance. An IPS gives the network security administrator many options, since it is capable of not only detecting attacks and intrusions, but also directly affecting network traffic through limiting or blocking. It must give the administrator an easy interface for setting and changing configurations on the devices. IPSs should also cooperate with firewalls, antivirus systems, etc.
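The three signature-free methods named in the requirements above (inverse exclusion, protocol validation, attack-independent blocking) and the accuracy concern about blocking a critical business partner can be sketched as one inline decision function. This is an added example, not code from any IPS product; the addresses, the allowed-request table, the strike limit and the protected-source list are all constructed assumptions.

```python
from collections import Counter

# Protocol validation: request methods considered legal at all.
VALID_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}

# Inverse exclusion: per destination, the only requests that are legal.
# Constructed policy for a hypothetical web server at 10.0.0.10.
ALLOWED = {
    "10.0.0.10": {("GET", "/index.html"), ("GET", "/status"),
                  ("POST", "/login")},
}

# Assumption: sources that must never be blocked wholesale, to avoid the
# self-inflicted DoS against a critical partner described under Accuracy.
PROTECTED_SOURCES = {"198.51.100.7"}
STRIKE_LIMIT = 2   # assumed number of dropped requests before blocking


class InlinePolicy:
    def __init__(self):
        self.strikes = Counter()   # dropped requests per source
        self.blocked = set()       # sources under attack-independent block

    def decide(self, src, dst, method, path):
        """Return (action, reason) for one request seen in-line."""
        if src in self.blocked:
            return ("drop", "attack-independent block")
        if method not in VALID_METHODS:
            verdict = ("drop", "protocol validation")
        elif (method, path) not in ALLOWED.get(dst, set()):
            verdict = ("drop", "inverse exclusion")
        else:
            return ("pass", "legal request")
        # The offending request is dropped either way; only unprotected
        # sources escalate to a block of all their traffic.
        self.strikes[src] += 1
        if (self.strikes[src] >= STRIKE_LIMIT
                and src not in PROTECTED_SOURCES):
            self.blocked.add(src)
        return verdict


def run_demo():
    """Replay constructed requests from an unknown host and a partner."""
    policy = InlinePolicy()
    web = "10.0.0.10"
    requests = [
        ("203.0.113.5", web, "GET", "/index.html"),
        ("203.0.113.5", web, "FOO", "/index.html"),
        ("203.0.113.5", web, "GET", "/admin"),
        ("203.0.113.5", web, "GET", "/index.html"),
        ("198.51.100.7", web, "GET", "/export"),
        ("198.51.100.7", web, "GET", "/export2"),
        ("198.51.100.7", web, "POST", "/login"),
    ]
    return [policy.decide(*r) for r in requests]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The unknown host loses all access after two dropped requests, including a request that would otherwise be legal, while the protected partner has only its offending requests dropped and its legal login still passes.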
Classification of Intrusion Prevention Systems
Intrusion Prevention Systems can be divided in two main types that are similar in nature to IDS. They consist of host-based intrusion prevention systems (HIPS) products and network-based intrusion prevention systems (NIPS).
Host-based IPSs (HIPSs): Host-based intrusion prevention systems are similar to antivirus products, but actively respond to any observed intrusion activity. A HIPS usually sits between the kernel and the application utility software that issues requests to the kernel of the O.S. Actions of a HIPS include blocking the request or denying access to the kernel, for activities with high certainty as an intrusion. Collections of access control rules based on acceptable behaviour are available out-of-the-box for common applications such as Microsoft SQL Server, Instant Messenger, and IIS Server.
Network-based IPSs (NIPSs): generally consist of appliance-based systems that sit in-line and block suspicious traffic upon detecting an attack. They utilize different detection methods (signature detection, anomaly detection, and some proprietary methods) to block specific attacks. They statefully analyze packet content and block certain packets that match a signature and alert on others. NIPS protection is based on the content of packets.
Host-based vs. Network-based IPS
Host-based intrusion prevention systems are used to protect both servers and workstations through software that runs between your system's applications and OS kernel. The software is preconfigured to determine the protection rules based on intrusion and attack signatures. The HIPS will catch suspicious activity on the system and then, depending on the predefined rules, it will either block or allow the event to happen. HIPS monitors activities such as application or data requests, network connection attempts, and read or write attempts to name a few.
Network-based IPS is a solution for network-based security. A NIPS will intercept all network traffic and monitor it for suspicious activity and events, either blocking the requests or passing them along should they be deemed legitimate traffic. Network-based IPSs work in several ways. Usually package- or software-specific features determine how a specific NIPS solution works, but generally you can expect it to scan for intrusion signatures, search for protocol anomalies, detect commands not normally executed on the network and more.
One interesting aspect of NIPS is that if the system finds an offending packet of information it can rewrite the packet so the hack attempt will fail, but it means the organization can mark this event to gather evidence against the would-be intruder, without the intruder's knowledge. As with all technology, NIPS is not perfect. In some instances you may end up blocking a legitimate network request.
Problems associated with implementing NIPS exist as well. We already mentioned the possibility of blocking legitimate traffic, and you also have to take network performance into consideration. Since all data moving through the network will pass through the IPS, it could cause your network performance to drop. To combat this problem, network-based IPSs that consist of appliance or hardware and software packages are available today (at a larger cost), and they take most of the load of running a software-based NIPS off your network.
While host-based IPSs are considered to be more secure than network-based intrusion prevention systems, the cost of installing the software on each and every server and workstation within your organization may be quite high. Additionally, the HIPS on each system must be frequently updated to ensure the attack signatures are up-to-date.
4. Real World Applications
We will briefly take a look into some implementations of Intrusion Detection and Prevention Systems.
SafeCard: is a Gigabit IPS, able to cope with all levels of abstraction in communication (packets, streams, layer-7 data units etc), designed as a compound, pipelined IPS built from independent function elements.
SNORT (IDS): every captured packet goes through the following steps: header information decoding at the different layers, application of pre-processor functions like IP fragment or TCP stream reassembly, evaluation of a subset of rules according to the information from step one, and finally, if a match is found, the corresponding action is carried out. We see that SNORT does not take into account any behavioural aspects of traffic, e.g. unusual amounts of traffic. Moreover, SafeCard uses superior regular expression matching and checks packets for higher protocol specific rules if they exist.
CardGuard: is a signature detection system for intrusion detection and prevention that scans the entire payload of packets for suspicious patterns, and is implemented in software. It is non-intrusive in the sense that no cycles of the host CPUs are used for intrusion detection and the system operates at Fast Ethernet link rate. Again, TCP flows are first reconstructed before they are scanned with the Aho Corasick algorithm.
Radware: is one of the other implementations already available in the market. It provides solutions that block attacks and malicious activity before they get anywhere near applications, with advanced security intelligence based on signature vulnerability, behaviour-based traffic anomaly and protocol anomaly.
Cisco: is also in the market with true Intrusion prevention systems (IPS Sensor Software). Systems that detect and slow down the malicious code based on its behaviour, even in the form of an unknown attack, do not fit our definition of IPS. Such a system is the Virus Throttle module from HP, which mitigates harm to other systems, and other systems that focus on the harm already done to an individual machine.
AIDE: also known as "AIDE (Advanced Intrusion Detection Environment). It is a free replacement for Tripwire. Its functions are similar with the semi-free Tripwire and more. There are also other free alternative available so why bother build a new one? However, the alternatives do not accomplish the level of Tripwire and I required a program that would surpass the limitations of Tripwire."
File System Saint: also known as, "File System Saint is a lightweight host-based intrusion detection system with focus on its speed and being user friendly."
Furthermore, there are a few more open source intrusion detection systems, which include Bro NIDS, OSSEC HIDS, Prelude Hybrid IDS and Suricata (also an IPS). Among open source Intrusion Prevention Systems, there are HLBR, Lokkit (GNOME), Untangle, Vyatta and Winpooch.
If you are looking for some commercial Intrusion Detection Systems, there are examples such as Internet Security Systems (Real Secure Server Sensor), Tripwire, eEye Digital Security (Secure IIS Web Server Protection) and Touch Technology Inc (POLYCENTER Security Intrusion Detector).
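Both SNORT's TCP stream reassembly step and CardGuard's reconstruction of TCP flows before Aho-Corasick scanning exist for the same reason: a signature split across segments is invisible to per-packet matching. The following added example (not code from SNORT, CardGuard or the original essay) implements a small Aho-Corasick matcher and a simplified in-memory reassembler; the signature strings, sequence numbers and segments are constructed, and sequence numbers are assumed to start at 0 without wraparound.

```python
from collections import deque

class AhoCorasick:
    """Multi-pattern matcher: one pass over the data for all signatures."""
    def __init__(self, patterns):
        self.goto, self.fail, self.out = [{}], [0], [[]]
        for pat in patterns:
            state = 0
            for b in pat:                      # build the trie
                if b not in self.goto[state]:
                    self.goto.append({}); self.fail.append(0)
                    self.out.append([])
                    self.goto[state][b] = len(self.goto) - 1
                state = self.goto[state][b]
            self.out[state].append(pat)
        queue = deque(self.goto[0].values())   # breadth-first failure links
        while queue:
            s = queue.popleft()
            for b, t in self.goto[s].items():
                queue.append(t)
                f = self.fail[s]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[t] = self.goto[f].get(b, 0)
                self.out[t] += self.out[self.fail[t]]

    def scan(self, data):
        """Return [(start_offset, pattern), ...] for every match in data."""
        hits, state = [], 0
        for i, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            hits += [(i - len(p) + 1, p) for p in self.out[state]]
        return hits

def reassemble(segments, isn=0):
    """Order (seq, payload) segments, trim overlaps, stop at the first gap."""
    stream, nxt = bytearray(), isn
    for seq, data in sorted(segments):
        if seq > nxt:                 # missing segment: cannot scan past it
            break
        if seq + len(data) <= nxt:    # pure retransmission, nothing new
            continue
        stream += data[nxt - seq:]    # keep only bytes not yet seen
        nxt = seq + len(data)
    return bytes(stream)

# Constructed signatures and a constructed flow, delivered out of order
# with one retransmission; both signatures straddle segment boundaries.
SIGNATURES = [b"malware-beacon", b"beacon-v2"]
SEGMENTS = [
    (21, b"on-v2 HTTP/1.1\r\n"),
    (0, b"GET /a?x=malw"),
    (13, b"are-beac"),
    (0, b"GET /a?x=malw"),
]

def scan_per_packet(matcher, segments):
    return [hit for _, data in segments for hit in matcher.scan(data)]

def scan_stream(matcher, segments):
    return matcher.scan(reassemble(segments))

if __name__ == "__main__":
    ac = AhoCorasick(SIGNATURES)
    print("per packet:", scan_per_packet(ac, SEGMENTS))
    print("reassembled:", scan_stream(ac, SEGMENTS))
```

Per-packet scanning reports nothing for this flow, while scanning the reassembled stream reports both signatures at their byte offsets.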
5. Overall Comparison
What are the similarities and the differences between an IDS and an IPS? Can they be used to perform the same functions in a network? Actually, intrusion detection systems and intrusion prevention systems are quite similar in technology, but they perform slightly different functions on the network. The following table shows a comparative analysis of IDS and IPS:
IDS and IPS are not substitutes for each other but complement each other. Though it is generally believed that IPS would replace IDS in the future, IDS is a much more matured technology and cost beneficial when compared to IPS.
Both IPS and IDS tools are designed to monitor network activity for signs of misuse. Signature detection and anomaly detection are two basic strategies that they may follow to identify potentially malicious traffic:
Signature detection: Systems have databases containing patterns of known malicious activity, similar to those used by antivirus software. They watch all network traffic for any communications that match those patterns and, if they see any matches, trigger an alert.
Anomaly detection: Systems monitor the network and build models of normal behavior over a period of time known as the "training period." They then watch the network for activity that deviates from those standards. If the deviation is significant, the anomaly-detection system triggers an alert.
The difference between IPS and IDS systems comes in their handling of alerts. Pure IDS systems simply inform the administrator that suspicious activity took place. IPS systems, on the other hand, have the ability to block the suspicious traffic from entering the network. In fact, the two technologies have already converged for all intents and purposes. Most intrusion detection products have the ability to run in either IPS or IDS mode depending upon the user's configuration.
While many in the security industry believe IPS is the way of the future and that IPS will take over IDS, it is somewhat of an apples and oranges comparison. The two solutions are different in that one is a passive detection monitoring system and the other is an active prevention system. The age-old debate of why you would want to be passive when you could be active comes into play. You can also evaluate the implementation of a more mature IDS technology, versus the younger, less established IPS solutions. The drawbacks mentioned regarding IDS can largely be overcome with proper training, management, and implementation. Plus, overall an IDS solution will be cheaper to implement. Many, however, look at the added benefits of the intuitive IPS systems and, believing that IPS is the next generation of IDS, choose to use the newer IPSs as opposed to the IDSs. Adding to the muddle, of course, will be your initial decision of choosing host-based or network-based systems for either IDS or IPS security solutions.
Intrusion prevention systems can be considered an evolution of IDS technology. Their proactive capabilities help keep the networks safer from more sophisticated attacks. However, there is still much to be done. The battle against false positives is not easy; neither is it easy to handle all the traffic at wire speed and perform operations without adding latency. Zero-day attacks will always be a threat with a difficult cure to find.
It is important to remember that no single security device will stop all attacks all the time. The network security can be strengthened by implementing IDS or IPS.
Intrusion signatures: When a malicious attack is launched against a system, the attack typically leaves evidence of the intrusion in the systems logs. Each intrusion leaves a kind of footprint behind.
Denial of Service (DoS): The prevention of authorized access to, and normal functioning of, a system resource, or the delay of system operations and functions, in which a system can no longer respond to normal requests (e.g., inability to log in to an account or access a service). DoS can be caused by the destruction or modification of data, by bringing down the system, or by overloading the system's servers (flooding) to the extent that service to authorized users is delayed or prevented.
False Positives and Negatives: The term false positive refers to security systems incorrectly seeing legitimate requests as spam or security breaches. Basically, the IDS will detect something it is not supposed to. Alternatively, an IDS is prone to false negatives, where the system fails to detect something it should. Both of these problems are associated with IDS, but they are issues vendors spend a lot of time working on, and as a result, it is not believed that IDS detects a high percentage of false positives or false negatives. Still, it is a topic worth consideration when looking at different IDS solutions.