
Intrusion Detection System

It is a device that monitors the network and tries to understand whether something strange is happening; an intrusion prevention system can also try to do something about the intrusion. Such systems produce responses to suspicious activity, for example by modifying firewall rules or blocking switch ports. They can be used in combination with a SIEM to perform endpoint security.

There are different types of IDS; here we consider those that try to do deep packet inspection, exploring the payload that is moving inside the network and looking, for example, for strange binary sequences, viruses, and similar. Commonly the IDS/IPS is placed after the firewall. Of course different IDS can be placed in different subnetworks, configured in different ways.

An IDS is usually out of band, so it is a passive element (it can't block the traffic); an IPS, on the other hand, is in line (it is a hop on the path) and can both detect and react based on the traffic.

Quality of IDS

The quality of an IDS depends on its accuracy of classification, so a confusion matrix is used: we have to distinguish between true positives and false positives (and likewise true and false negatives). The ideal IDS has no false positives and no false negatives; it always takes the right decision.
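The following is an added example, not part of these notes: it scores a constructed set of IDS decisions against ground-truth labels with the confusion matrix just described, derives detection rate, false positive rate, precision and accuracy from it, and then projects those rates onto a larger window with an assumed attack base rate to show why even a small false positive rate produces many false alerts when attacks are rare. The event list and the base rate are constructed values.

```python
# Added example (not from the notes): scoring an IDS's decisions with a
# confusion matrix. The event list is constructed: "truth" is the analyst's
# ground-truth label for each event, "alert" is whether the IDS fired on it.
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int
    truth: bool   # True if the event really was an intrusion
    alert: bool   # True if the IDS raised an alert


# Constructed review of 10 events
EVENTS = [
    Event(1, True, True),
    Event(2, True, True),
    Event(3, True, False),    # real attack, no alert: false negative
    Event(4, False, False),
    Event(5, False, True),    # benign traffic flagged: false positive
    Event(6, False, False),
    Event(7, False, False),
    Event(8, True, True),
    Event(9, False, False),
    Event(10, False, True),   # another false positive
]


def confusion_matrix(events):
    """Count the four outcomes of the classification."""
    return {
        "tp": sum(1 for e in events if e.truth and e.alert),
        "fn": sum(1 for e in events if e.truth and not e.alert),
        "fp": sum(1 for e in events if not e.truth and e.alert),
        "tn": sum(1 for e in events if not e.truth and not e.alert),
    }


def _ratio(num, den):
    return num / den if den else 0.0


def ids_metrics(cm):
    """Derive the usual IDS quality figures from a confusion matrix."""
    tp, fn, fp, tn = cm["tp"], cm["fn"], cm["fp"], cm["tn"]
    return {
        "detection_rate": _ratio(tp, tp + fn),        # share of real attacks caught
        "false_positive_rate": _ratio(fp, fp + tn),   # share of benign events flagged
        "precision": _ratio(tp, tp + fp),             # share of alerts worth the analyst's time
        "accuracy": _ratio(tp + tn, tp + fn + fp + tn),
    }


def expected_alerts(n_events, attack_fraction, metrics):
    """Project the measured rates onto a larger window where attacks are rare.
    attack_fraction is an assumed base rate, not a figure from the notes."""
    n_attacks = n_events * attack_fraction
    n_benign = n_events - n_attacks
    return {
        "true_alerts": n_attacks * metrics["detection_rate"],
        "false_alerts": n_benign * metrics["false_positive_rate"],
    }


if __name__ == "__main__":
    cm = confusion_matrix(EVENTS)
    m = ids_metrics(cm)
    print(cm, m)
    print(expected_alerts(100_000, 0.001, m))
```

On the constructed sample the IDS catches 3 of 4 attacks (detection rate 0.75) but flags 2 of 6 benign events; projected onto 100,000 events with one attack per thousand, that same false positive rate would yield about 75 true alerts buried under about 33,300 false ones, which is why the false positive rate, not accuracy alone, decides whether an IDS is usable.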

Other functionalities of IDPS are:

The activities done by a IDPS can be divided in different steps:

[figure: block diagram of the IDPS steps]

Feature extraction consists in extracting features from the raw network data; the features of an intrusion are not easy to identify. In general an IDPS monitors any event deemed to be a security concern. Some examples are:

Types of IDS

The host-based IDS monitors events on a single host to detect suspicious activities. It is usually deployed on critical hosts offering public services. It gives better visibility of what is happening on a single device; some software, like Tripwire, continually monitors configuration files to notice software changes. A network-based IDS analyses network and application protocol activity of different hosts. It is placed behind a firewall; it can protect many hosts and detect global patterns, it operates in promiscuous mode, and it uses a database of previous attacks. Usually IDS are out of band. In addition to the main device, extra monitoring devices can be placed inside the network: a distributed IDS. A wireless IDS tries to see network protocol activity on the radio field; it tries to detect fake radio antennas or jamming.
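As an added example of the host-based monitoring mentioned above (this is not Tripwire's code and not part of the notes), the block below snapshots the SHA-256 digest of every file under a directory and later compares the tree against that snapshot, reporting modified, deleted and added files. The directory contents and file names are constructed for the demonstration.

```python
# Added example (not from the notes and not Tripwire's code): a minimal
# host-based integrity check of the kind a tool like Tripwire performs.
# It snapshots the SHA-256 digest of every file under a directory, then
# compares a later snapshot against it and reports what changed.
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record the digest of every regular file under root: the trusted state."""
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def check_integrity(root: Path, baseline: dict) -> dict:
    """Compare the current tree against a stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "deleted": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo(root: Path) -> dict:
    """Constructed scenario: snapshot two config files, then one is edited
    and a new file appears; the check reports both."""
    etc = root / "etc"
    etc.mkdir(parents=True, exist_ok=True)
    (etc / "sshd_config").write_text("PermitRootLogin no\n")
    (etc / "hosts").write_text("127.0.0.1 localhost\n")
    baseline = build_baseline(root)   # in practice stored read-only, off the monitored host
    (etc / "sshd_config").write_text("PermitRootLogin yes\n")
    (etc / "unknown.conf").write_text("added after the snapshot\n")
    return check_integrity(root, baseline)


def run_demo() -> dict:
    """Run the scenario inside a throwaway directory."""
    with tempfile.TemporaryDirectory() as d:
        return demo(Path(d))


if __name__ == "__main__":
    print(run_demo())
```

The baseline is only as trustworthy as its storage: if an attacker who changed a file can also rewrite the digest database, the check reports nothing, so real deployments keep the baseline on read-only media or a separate host and sign it.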

A flow-based IDS tries to summarize the exchange of data between two hosts, to understand what the normal behavior is and compare it with abnormal situations, without the need of performing deep packet inspection.

Approaches

There are two IDS approaches, behavior-based and signature-based. The former computes a model of the normal data communication and compares it with the current data communication; the latter compares the traffic against a database of attack signatures. The first approach is not really precise, because the definition of normal behavior is not very precise; on the other side the signature-based approach has a reduced number of false positives, but it is very common to have false negatives (if an attack is not in the database).

Usually modern IDPS combine the two approaches.
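The following added example (not from the notes) puts the flow-based summarization and the two approaches side by side on constructed traffic. Packets are aggregated into per-host-pair flow records, as a flow exporter would do; a signature matcher then looks for known patterns in each flow's payload sample, while a behavior model trained on a window of ordinary flows flags flows whose size is far from the learned baseline. The traffic, the addresses and the signature list are all constructed for illustration.

```python
# Added example (not from the notes): the two detection approaches run side by
# side over constructed traffic. Packets are first summarized into flow records
# (what a flow-based IDS works on), then a signature matcher inspects the first
# payload bytes of each flow and a behavior model scores its size against a
# baseline learned from a training window. The signatures are illustrative only.
from statistics import mean, pstdev

# Training window: ordinary web flows to the same server (constructed records)
TRAINING_FLOWS = [
    {"src": "10.0.0.5", "dst": "10.0.1.2", "dport": 80, "bytes": b, "packets": p}
    for b, p in [(1200, 10), (1500, 12), (900, 8), (1300, 11), (1100, 9), (1400, 12)]
]

# Illustrative signature database: name -> byte pattern expected in the payload
SIGNATURES = {
    "http-path-traversal": b"../../etc/passwd",
    "constructed-binary-marker": b"\xde\xad\xbe\xef",
}


def make_packets(src, dst, dport, sizes, first_payload):
    """Constructed packets of one flow; only the first carries a payload sample."""
    return [{"src": src, "dst": dst, "dport": dport, "len": n,
             "payload": first_payload if i == 0 else b""}
            for i, n in enumerate(sizes)]


# Test window: four flows with different characteristics (constructed)
TEST_PACKETS = (
    make_packets("10.0.0.7", "10.0.1.2", 80, [600, 650], b"GET /index.html HTTP/1.1")         # ordinary
    + make_packets("10.0.0.9", "10.0.1.2", 80, [700, 600], b"GET /../../etc/passwd HTTP/1.1")  # known pattern, normal size
    + make_packets("10.0.0.11", "10.0.1.2", 80, [50000] * 5, b"POST /upload HTTP/1.1")         # huge transfer, no known pattern
    + make_packets("10.0.0.12", "10.0.1.2", 80, [30], b"GET /favicon.ico HTTP/1.1")            # tiny but benign
)


def summarize_flows(packets, sample_len=64):
    """Aggregate packets into per-(src, dst, dport) records: byte and packet
    counts plus a short payload sample. The counts alone need no DPI."""
    flows = {}
    for pkt in packets:
        key = (pkt["src"], pkt["dst"], pkt["dport"])
        f = flows.setdefault(key, {"src": pkt["src"], "dst": pkt["dst"], "dport": pkt["dport"],
                                   "bytes": 0, "packets": 0, "payload": b""})
        f["bytes"] += pkt["len"]
        f["packets"] += 1
        if len(f["payload"]) < sample_len:
            f["payload"] += pkt["payload"][: sample_len - len(f["payload"])]
    return list(flows.values())


def signature_alerts(flows):
    """Signature-based: flag a flow whose payload sample contains a known pattern."""
    return {f["src"]: name for f in flows
            for name, pattern in SIGNATURES.items() if pattern in f["payload"]}


class ByteVolumeModel:
    """Behavior-based: learn mean and spread of bytes per flow, flag outliers."""

    def __init__(self, k=3.0):
        self.k, self.mu, self.sigma = k, 0.0, 0.0

    def train(self, flows):
        sizes = [f["bytes"] for f in flows]
        self.mu, self.sigma = mean(sizes), pstdev(sizes)

    def is_anomalous(self, flow):
        return abs(flow["bytes"] - self.mu) > self.k * self.sigma


def behavior_alerts(model, flows):
    """Sources of flows the trained model considers abnormal."""
    return {f["src"] for f in flows if model.is_anomalous(f)}


def run_demo():
    model = ByteVolumeModel()
    model.train(TRAINING_FLOWS)
    flows = summarize_flows(TEST_PACKETS)
    return {"signature": signature_alerts(flows), "behavior": behavior_alerts(model, flows)}


if __name__ == "__main__":
    print(run_demo())
```

The outcome mirrors the tradeoff in the text: the signature matcher catches only the flow carrying a pattern in its database and is silent on the unusually large upload (a false negative for anything not yet in the database), while the behavior model flags that upload but also the tiny, harmless favicon fetch (a false positive, because "normal" learned from six flows is a crude model). Running both, as modern IDPS do, covers each one's blind spot.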

Learn and Classify anomalies

Anomaly detection requires some form of learning: training, usually based on data mining and observation. There is a tradeoff between the number of features and the training time. Features can fall into three classes:

Of course many more features can be considered; it is important to know which features to consider and where.

IDS detection capability: decode packets, i.e. application and protocol headers, to look at high-layer activity. Signature extraction is usually performed by using honeypots.

Architecture

It can be a distributed system: