Intrusion Detection Systems (IDS) allow detecting inappropriate, incorrect, or anomalous activity in computer networks. ID systems that operate on a host to detect malicious activity on that host are called host-based ID systems, and ID systems that operate on network data flows are called network-based ID systems.
Host-based IDS is typically a piece of software loaded on the system to be monitored. The IDS software uses log files and/or the system's auditing agents as sources of data. Host-based IDS involves not only looking at the communications traffic in and out of a single computer, but also checking the integrity of your system files and watching for suspicious processes. To get complete coverage at the monitored site with host-based IDS, the host-based IDS software needs to be loaded on every computer.
There are two primary classes of host-based intrusion detection software: host wrappers/personal firewalls and agent-based software. Either approach is much more effective in detecting trusted-insider attacks (so-called anomalous activity) than is network-based IDS, and both are relatively effective for detecting attacks from the outside. Host wrappers or personal firewalls can be configured to look at all network packets, connection attempts, or login attempts to the monitored machine. This function can also include dial-in attempts or other non-network related communication ports.
A network-based IDS monitors the traffic on its network segment as a data source. This is generally accomplished by placing the network interface card in promiscuous mode to capture all network traffic that crosses its network segment. Network traffic on other segments can't be monitored.
Network-based IDS involves looking at the packets on the network as they pass by some sensor. The sensor can only see the packets that happen to be carried on the network segment it is attached to. Packets are considered to be of interest if they match a signature. The three primary types of signatures are:
- String signatures: look for a text string that indicates a possible attack. To refine the string signature to reduce the number of false positives, it may be necessary to use a compound string signature.
- Port signatures: look for connection attempts to well-known, frequently attacked ports. Examples of these ports include telnet (TCP port 23), FTP (TCP port 21/20), SUNRPC (TCP/UDP port 111), and IMAP (TCP port 143).
- Header signatures: monitor for dangerous or illogical combinations in packet headers. The most famous example is Winnuke, where a packet is destined for a NetBIOS port and the Urgent pointer (Out Of Band pointer) is set. This resulted in the "blue screen of death" for Windows systems.
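To make the three signature classes concrete, here is an added example (not from the original text or any real IDS product) of a minimal sensor that runs a compound string signature, the port signatures listed above, and a Winnuke-style header signature over constructed packets. The `Packet` model, the signature names, and the choice of TCP port 139 as the NetBIOS session port are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Constructed packet model: only the fields the three signature
# classes inspect (this is not a real capture format).
@dataclass
class Packet:
    proto: str                      # "tcp" or "udp"
    dst_port: int
    payload: bytes = b""
    flags: set = field(default_factory=set)   # e.g. {"SYN"}, {"URG"}

# Port signatures: the well-known, frequently attacked ports from the text.
PORT_SIGNATURES = {
    ("tcp", 23): "telnet-connect",
    ("tcp", 21): "ftp-control-connect",
    ("tcp", 20): "ftp-data-connect",
    ("tcp", 111): "sunrpc-connect",
    ("udp", 111): "sunrpc-connect",
    ("tcp", 143): "imap-connect",
}

# Compound string signature: every substring must appear in the payload,
# which cuts false positives compared with matching a single string.
STRING_SIGNATURES = {
    "shell-reads-passwd": [b"/bin/sh", b"/etc/passwd"],
}

def match_string(pkt):
    return [name for name, parts in STRING_SIGNATURES.items()
            if all(p in pkt.payload for p in parts)]

def match_port(pkt):
    # Only a connection attempt (SYN) counts, not every packet on the port.
    name = PORT_SIGNATURES.get((pkt.proto, pkt.dst_port))
    return [name] if name and "SYN" in pkt.flags else []

def match_header(pkt):
    # Winnuke-style header check: TCP to the NetBIOS session port
    # (139, assumed here) with the URG flag set.
    if pkt.proto == "tcp" and pkt.dst_port == 139 and "URG" in pkt.flags:
        return ["winnuke-oob"]
    return []

def inspect(pkt):
    """Return the names of every signature the packet matches."""
    return match_string(pkt) + match_port(pkt) + match_header(pkt)

if __name__ == "__main__":
    for p in [Packet("tcp", 139, flags={"URG", "PSH"}),
              Packet("tcp", 23, flags={"SYN"}),
              Packet("tcp", 80, b"cmd=/bin/sh -c 'cat /etc/passwd'")]:
        print(p.proto, p.dst_port, inspect(p))
```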
Both network-based and host-based IDS have pros and cons. Very often, a combination of both technologies is used in the network for complete protection. Figuring out where to use each type and how to integrate the data is a real and growing concern.

IDS: Intrusion Detection System
Related Terms: Firewall
