Comparison of Network Intrusion Detection Systems
Paper Type: Free Essay | Subject: Information Technology | Wordcount: 2651 words | Published: 9th Nov 2021
Introduction
A network intrusion detection system (NIDS) is a network security technology that monitors network traffic for suspicious activity and raises alerts when action is required to deal with a threat. Reported malicious activity can be collected centrally using security information and event management (SIEM) software, which gives enterprise security professionals both insight into and a record of the activity within their IT environment; it combines outputs from multiple sources and applies alarm filtering techniques to identify malicious actions.[1] There are two main types of intrusion detection system, host-based and network-based. In this essay, I will look at both techniques, identify what classifies as a NID and compare different types of NIDS.
NID Classification
As highlighted in the introduction, there are two types of intrusion detection system, host-based (HIDS) and network-based (NIDS). They differ in scope: a host-based system monitors malicious activity on a single computer, whereas a network intrusion detection system monitors traffic on the network to detect intrusions. The main difference between the two is that a NIDS monitors in real time, inspecting live data for tampering, whilst a HIDS checks logged files for malicious activity. Both kinds of system can employ either signature-based detection or anomaly-based detection.
Anomaly-based detection searches for unusual or irregular activity caused by users or processes. For instance, if the network was accessed with the same login credentials from several different cities around the globe in the same day, that could be a sign of anomalous behaviour. A HIDS using anomaly-based detection surveys log files for indications of unexpected behaviour, while a NIDS monitors for anomalies in real time.[2]
Signature-based detection monitors data for known patterns. A HIDS running signature-based detection works much like an anti-virus application, which searches files for bit patterns or keywords, by performing similar scans on log files. A signature-based NIDS works like a firewall in that it scans keywords, packet types and protocol activity entering and leaving the network, but it also runs the same scans on traffic moving within the network.[3]
Comparison of different types of NIDS
There are various types of NIDS available to protect a network from external threats. This essay has so far discussed HIDS (host-based) and NIDS (network-based intrusion detection systems), as well as signature-based and anomaly-based IDS.
HIDS and NIDS serve the same goal but function differently, and when combined they complement each other.
For example, a HIDS only examines host-based activity such as which applications are being used, which files are being accessed and the information recorded in kernel logs. A NIDS analyses network traffic for suspicious activity. A NIDS can detect an attacker before they begin an unauthorised breach of the system, whereas a HIDS cannot detect that anything is wrong until the attacker has already breached the system.
Signature-based and anomaly-based IDS contrast with each other. For example, an anomaly-based IDS monitors activity on the network and raises an alarm whenever it detects something suspicious, i.e. anything other than normal behaviour.
There are a number of flaws with anomaly-based IDS. Both Carter[4] (2002) and García-Teodoro et al.[5] (2009) list disadvantages:
- Appropriate training is required before the IDS is installed into any environment.
- It generates false positives.
- If the suspicious activity is similar to normal activity, it will not be detected.
However, signature-based IDS have flaws too. Carter (2002) highlights several disadvantages of signature-based IDS:
- It cannot detect zero-day attacks.
- It is vital that the signature database is updated daily.
- The system must be updated with each and every possible attack signature.
- If an attack in the database is slightly modified, it is harder to detect.
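As an added illustration of the two detection strategies compared above (example code written for this page, not from the essay or any cited source), the following script runs a tiny signature matcher over constructed HTTP payloads and a rule that flags the essay's "same credentials from several cities in one day" anomaly over constructed login records; it also shows the signature flaw listed above, where a slightly modified attack is missed. The signature names, log format and city threshold are assumptions.

```python
"""Signature-based vs anomaly-based detection on constructed sample data.
Added example, not from the essay; all signatures, payloads and log lines are constructed."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set

# Constructed signature database: name -> byte pattern that must occur verbatim in a payload.
SIGNATURES = {
    "web-shell-upload": b"<?php system($_GET",
    "sql-injection-probe": b"' OR 1=1--",
}

# Constructed payloads: an exact match, a slightly modified variant and benign traffic.
PAYLOADS = {
    "exact": b"GET /upload.php?c=<?php system($_GET['c']); ?>",
    "modified": b"GET /upload.php?c=<?php  system( $_GET['c']); ?>",  # extra spaces only
    "benign": b"GET /index.html HTTP/1.1",
}

# Constructed authentication log, one event per line: 'timestamp user=<name> city=<city> result=OK|FAIL'.
AUTH_LOG = [
    "2021-11-09T08:02:11 user=alice city=London result=OK",
    "2021-11-09T09:40:03 user=alice city=Singapore result=OK",
    "2021-11-09T13:15:52 user=alice city=Toronto result=OK",
    "2021-11-09T08:30:00 user=bob city=London result=OK",
    "2021-11-09T17:05:44 user=bob city=Manchester result=FAIL",
    "2021-11-10T08:01:09 user=bob city=London result=OK",
]

def signature_matches(payload: bytes) -> List[str]:
    """Return every signature whose exact pattern occurs in the payload.
    A slightly modified attack (PAYLOADS['modified']) produces no match at all."""
    return [name for name, pattern in SIGNATURES.items() if pattern in payload]

def anomalous_logins(lines: List[str], max_cities: int = 2) -> Dict[str, Set[str]]:
    """Report 'user@day' keys whose successful logins came from more than
    max_cities distinct cities on that calendar day (assumed threshold)."""
    seen = defaultdict(set)  # (user, day) -> cities the credentials were used from
    for line in lines:
        ts, *fields = line.split()
        kv = dict(field.split("=", 1) for field in fields)
        if kv.get("result") != "OK":
            continue  # failed attempts are not evidence that the credentials were used
        day = datetime.fromisoformat(ts).date().isoformat()
        seen[(kv["user"], day)].add(kv["city"])
    return {f"{user}@{day}": cities for (user, day), cities in seen.items()
            if len(cities) > max_cities}
```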
Advances and developments in NID
There have been many advances and developments in NID over the last few years, such as honeypots and machine learning.
Spitzner defines honeypots as computer systems designed to lure and deceive attackers by simulating a real network.[6] Whilst these systems appear real, they have no production value, so any interaction with them should be regarded as illicit.
There are many kinds of honeypots, from low-interaction systems to high-interaction and more complex systems designed to lure and attract advanced attackers.
For example, high-interaction honeypots provide attackers with a real operating system on which they can execute commands. The chances of collecting large amounts of information on the attacker are very high, as all actions are logged and monitored.[7]
Many researchers and organisations use research honeypots, which gather information on the attacker and the tools they used to execute the attack. They are deployed mainly for research purposes, to learn how to provide improved protection against attackers.
Another advance in network intrusion detection is machine learning. Machine learning gives computers the capability to learn and improve from events without being explicitly programmed. The main aim of machine learning is to allow computers to learn without human intervention and to act accordingly.
Unsupervised learning algorithms are used when the information provided for training is neither labelled nor classified. The task given to the machine is to group unsorted information according to patterns, similarities and differences, without any training data given beforehand.
Unsupervised learning algorithms can determine the typical pattern of the network and report any deviation from it without a labelled data set. One drawback of this approach is that it is prone to false positive alarms, but it can still detect new types of intrusion.
By switching to a supervised learning algorithm, the system can be taught the difference between a normal packet and an attack packet.[8] The supervised model can then deal with known attacks and recognise variations of them.
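As an added example (not from the essay or the cited Medium article) of the unsupervised approach just described, the script below treats the "typical pattern" of the network as the per-feature mean and standard deviation of unlabelled, constructed per-host traffic summaries, reports hosts that fall outside it, and shows the false-positive drawback: a legitimate backup server is reported alongside a port-scanning host. The hosts, counts, features and threshold are all assumptions.

```python
"""Unsupervised anomaly baseline on constructed per-host flow summaries.
Added example, not from the essay or its cited sources; hosts and counts are constructed."""
from statistics import mean, pstdev
from typing import Dict, List, Tuple

THRESHOLD = 2.0  # standard deviations from the network-wide mean (assumed)
FEATURES = ["distinct_ports", "bytes_sent"]

# Constructed one-hour summaries: host -> (distinct destination ports, bytes sent).
FLOWS = {
    "10.0.0.11": (5, 2_100_000),
    "10.0.0.12": (4, 1_800_000),
    "10.0.0.13": (6, 2_400_000),
    "10.0.0.14": (5, 1_950_000),
    "10.0.0.15": (4, 2_200_000),
    "10.0.0.16": (5, 2_050_000),
    "10.0.0.20": (950, 300_000),     # port scanner: touches many ports, sends little data
    "10.0.0.30": (3, 40_000_000),    # nightly backup server: legitimate but unusual volume
}

def zscores(hosts: Dict[str, Tuple[int, int]]) -> Dict[str, List[float]]:
    """Standardise each feature using only the unlabelled observations themselves;
    no host is marked 'normal' or 'attack' in advance."""
    columns = list(zip(*hosts.values()))
    stats = [(mean(col), pstdev(col) or 1.0) for col in columns]
    return {h: [(v - m) / s for v, (m, s) in zip(vals, stats)] for h, vals in hosts.items()}

def report_anomalies(hosts: Dict[str, Tuple[int, int]], threshold: float = THRESHOLD) -> Dict[str, List[str]]:
    """Return host -> list of features that deviate by more than `threshold` standard
    deviations. The backup server shows up here as a false positive on bytes_sent."""
    out = {}
    for host, zs in zscores(hosts).items():
        reasons = [name for name, z in zip(FEATURES, zs) if abs(z) > threshold]
        if reasons:
            out[host] = reasons
    return out
```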
Implementation of NID within an SME
With threats developing every day, businesses need to adapt to the changing landscape of network security.
For example, a business should focus on developing a strong security policy, which defines how employees use IT resources and sets acceptable-use standards for company email. If a business creates a set of clear security policies and makes the organisation aware of them, those policies form the foundation of a secure network.[9]
Another suggestion in the SANS report is to design a secure network with a firewall, packet filtering on the router and a DMZ network for servers that require access to the internet. Testing of this design must be carried out by someone other than the individual or organisation that configured the firewall and perimeter security.
Developing a computer incident response plan is key, as it helps the business understand how to respond to a security incident. The plan identifies the resources involved and the steps for resolving the incident and recovering from it. If a business relies on the internet for its day-to-day operations, it will have to take the affected resources offline, reset them and rebuild the systems before returning them to use, which resolves the issue.
Using personal firewalls on laptops is another suggestion for businesses to consider. Laptops may be used in the office and, at other times, connected to foreign networks that have significant security issues.
For example, the Blaster worm, which spread from 11th August 2003, gained access to many company networks after a laptop was infected on a foreign network and the user subsequently connected it to the corporate LAN. The worm then spread across the entire company network.[10]
The SANS report identified that laptops should have personal firewalls enabled to address these issues. It also highlighted that, for laptops containing sensitive data, encryption and authentication reduce the possibility of data being exposed if the device is lost.
Conclusion
From my findings, I believe that NIDS are essential in protecting a company's network from external and internal threats.
If a company chose not to implement a NID within the business, the consequence would be that the company ceased to exist if an attack damaged customer records or valuable data.
With a NID implemented within the company, the business can mitigate the impact of an attack by using a honeypot to capture information about the attacker and the tools they used to execute the attack. This allows the business to prepare itself against attacks and secure any assets whose loss could damage its ability to operate.
By enforcing a security policy and a fair-use policy within the company, employees are aware of the standards they must abide by while employed by the business. This also allows the company to scrutinise employees who do not follow the practices and take legal action if necessary.
A business can hire managed security service providers to assist in implementing the appropriate security measures. It is important that the business checks whether the provider has qualified staff and proven experience, as the main threat behind most attacks on small to medium businesses lies within the company.
Bibliography
[1] Pratt, M. K. (2017, November 28). CSO Online. Retrieved from https://www.csoonline.com/article/2124604/what-is-siem-software-how-it-works-and-how-to-choose-the-right-tool.html
[2] 8 Best HIDS Tools - Host-Based Intrusion Detection System. (2019, October 7). Retrieved November 27, 2019, from https://www.dnsstuff.com/host-based-intrusion-detection-systems
[3] 8 Best HIDS Tools - Host-Based Intrusion Detection System. (2019, October 7). Retrieved November 27, 2019, from https://www.dnsstuff.com/host-based-intrusion-detection-systems
[4] Carter, E. (2002, February 15). Cisco Press. Retrieved December 16, 2019, from http://www.ciscopress.com/articles/article.asp?p=25334
[5] García-Teodoro, P., Díaz-Verdejo, J., Maciá-Fernández, G., & Vázquez, E. (2009). Anomaly-based network intrusion detection: Techniques, systems and challenges. Computers & Security, 28(1-2), 18–28. Retrieved from https://pdfs.semanticscholar.org/59e7/42875c39d1e09cfe1be7501a4048efe343de.pdf
[6] Spitzner, L. (2003). Honeypots: tracking hackers. Retrieved from http://www.it-docs.net/ddata/792.pdf
[7] Sachan, A., & Panchagavi, R. (2016, June 2). Honeypots: Sweet and Sour of Network Security. Retrieved December 16, 2019, from https://bvucoepune.edu.in/wp-content/uploads/2018/BVUCOEP-DATA/Research_Publications/2015_16/71.pdf.
[8] Cuelogic Technologies. (2019, May 13). Evaluation of Machine Learning Algorithms for Intrusion Detection System. Retrieved December 16, 2019, from https://medium.com/cuelogic-technologies/evaluation-of-machine-learning-algorithms-for-intrusion-detection-system-6854645f9211.
[9] SANS Institute. (2004). Network Security: A Guide for Small and Mid-sized Businesses. Retrieved from https://www.sans.org/reading-room/whitepapers/basics/network-security-guide-small-mid-sized-businesses-1539
[10] SANS Institute. (2004). Network Security: A Guide for Small and Mid-sized Businesses. Retrieved from https://www.sans.org/reading-room/whitepapers/basics/network-security-guide-small-mid-sized-businesses-1539