Intrusion Detection Systems

2013-11-13 Source: Category: More sample essays

With the rapid growth of the IT world and the technological advances in computer software and hardware, the rise of new viruses and hacking techniques is inevitable. Big corporations, small businesses, and personal computers are hacked and made obsolete on a regular basis by malicious software such as Trojans, viruses, and worms. It is because of this that the Intrusion Detection System (IDS) was introduced to the IT world. Basically, an IDS is a system that identifies attempts to hack into a network or to break into a computer to misuse it. An IDS is commonly used to detect various types of malicious activity that can jeopardize the security and productivity of a computer or computer network. Attacks can come in the form of network attacks against vulnerable services, unauthorized logins, access to sensitive files, and the more common attacks such as Trojans, worms, and viruses. These attacks can severely harm a corporation or small business, which is why most upscale companies make full use of intrusion detection systems.
It is important to understand that an IDS is made up of several components: sensors, which generate security events; a console, which is used to monitor events and alerts and to control the sensors; and a central engine, which records the events logged by the sensors in a database and uses a system of rules imposed by the administrator to generate alerts from the security events received. There are various types of intrusion detection systems and several ways to categorize them. The category usually depends on the location of the sensors and the methodology the engine uses to generate alerts. In many simpler IDS, all components are combined into a single device, whereas in more complex intrusion detection systems the components are separate and run on their own hardware. They work in combination with one another when a situation calls for it.
There are several different types of intrusion detection systems, each serving a specific function. There are three main types of systems to which an IDS can be applied: network, host, and application based IDS. In a network based IDS (NIDS), the sensor captures all network traffic and analyzes the content of individual packets for malicious traffic. Protocol Intrusion Detection Systems (PIDS) and Application Protocol Intrusion Detection Systems (APIDS) both monitor the transport and protocols for illegal or inappropriate traffic. In a host based IDS, the sensor usually consists of a software agent, which monitors all activity of the host on which it is installed. In addition, there are hybrid IDS, which combine two or more of the approaches mentioned earlier: host agent data is combined with network information to form a view of the network.
There are two versions of IDS, a passive system and a reactive system. In a passive system, the IDS sensor detects a possible security breach or other malicious activity, logs the information, and signals an alert on the console and/or to the owner. In a reactive system, also known as an Intrusion Prevention System (IPS), the IPS responds to suspicious activity by reprogramming the firewall to block network traffic from the suspected source. This can happen either automatically or through configuration made by the user.
Though both relate to network security, an intrusion detection system differs from a firewall in that firewalls do not protect the computer from the inside; rather, they only protect the computer from malicious activities that may breach it from the outside. Firewalls also do not signal an attack from inside the network. The IDS evaluates any suspected intrusion once it has taken place and then signals an alarm. All intrusion detection systems use one of two detection methods: statistical anomaly based and/or signature based.
A statistical anomaly based IDS establishes a performance baseline based on evaluations of normal network traffic. It then compares samples of current network activity to this baseline to determine whether the activity is within baseline parameters. If the sampled traffic exceeds the baseline parameters, an alarm is triggered. In a signature based IDS, network traffic is examined and analyzed for preconfigured attack patterns, commonly known as signatures. Most attacks today have distinct signatures. To keep attacks at bay, the collection of these signatures must be updated constantly to mitigate emerging threats.
As with any computer software or hardware, an IDS has its limitations. Noise can severely hinder an intrusion detection system's effectiveness. Bad packets produced by software bugs, as well as local packets that escaped, can cause a significantly high false alarm rate. Too few attacks can also severely limit an IDS's effectiveness: it is not uncommon for the number of actual attacks to be far below the false alarm rate, so much so that real attacks are often mistaken for false alarms and are missed or ignored. Most attacks are targeted at specific versions of software that are usually outdated. Constantly updating the library of signatures is important to keep threats from getting into your system. Outdated signature databases may leave the IDS vulnerable to new attack strategies.
Just as some have discovered ways to prevent viruses, Trojans, worms, and hackers, others have found loopholes through which they can evade the intrusion detection system. Intrusion detection evasion techniques bypass detection by creating different states on the IDS and on the targeted computer. The hacker accomplishes this by manipulating either the attack itself or the network traffic that contains the attack.
Intrusion detection systems can come in either software or hardware.
Software such as Snort and Specter can be installed on a PC to monitor requests from other parts of the network or from outside traffic. An IDS can also be used with other network devices. Placing a decoy in the demilitarized zone (DMZ) or at the network borders deters hackers from breaking into the system. The hacker will spend time attempting to trip the decoy, which gives the other IDS programs enough data to analyze and to alert the user or administrator that someone is attempting to breach their system.
New viruses, worms, Trojans, and other malicious software are being written every day, ready to corrupt, misuse, or destroy data files and other network files of companies, small networks, and even the government's network systems. Such attacks can jeopardize a lot, such as valuable information, important documents, and money transactions. Intrusion detection systems are a great thing to have in order to protect valuable information from the eyes of ill-hearted hackers. They are also a great layer of protection for small businesses and big corporations.
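
The two detection methods described above, signature matching and a statistical baseline, sketched as an added example (not part of the original essay and not code from Snort or any other product). The signature patterns, event tuples, and traffic counts are constructed for illustration, and the mean-plus-k-standard-deviations threshold is one assumed way to define "baseline parameters".

```python
import re
import statistics

# Constructed signature set: name -> pattern. Real rule sets are far richer.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./\.\./"),
    "sql-injection": re.compile(r"(?i)union\s+select"),
}

def signature_alerts(events):
    """Signature based: flag events whose payload matches a known pattern."""
    alerts = []
    for ts, src, payload in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                alerts.append((ts, src, name))
    return alerts

def build_baseline(counts):
    """Anomaly based, step 1: learn mean and spread from normal traffic."""
    return statistics.mean(counts), statistics.pstdev(counts)

def anomaly_alerts(baseline, samples, k=3.0):
    """Step 2: flag intervals whose request count exceeds mean + k * stdev."""
    mean, stdev = baseline
    threshold = mean + k * stdev
    return [(ts, n) for ts, n in samples if n > threshold]

# Constructed sample data (not from any real network).
EVENTS = [
    (1, "10.0.0.5", "GET /index.html"),
    (2, "10.0.0.9", "GET /../../etc/passwd"),
    (3, "10.0.0.7", "GET /items?id=1 UNION SELECT name FROM users"),
    (4, "10.0.0.5", "GET /request-matching-no-signature"),
]
NORMAL_COUNTS = [98, 102, 100, 97, 103, 101, 99, 100]  # requests per minute
CURRENT = [(1, 101), (2, 104), (3, 250), (4, 99)]      # (minute, requests)

if __name__ == "__main__":
    for alert in signature_alerts(EVENTS):
        print("signature alert:", alert)
    for alert in anomaly_alerts(build_baseline(NORMAL_COUNTS), CURRENT):
        print("anomaly alert:", alert)
```

Event 4 carries no known pattern and raises no signature alert, which is the outdated-signature limitation the essay mentions. Lowering `k` to 1.0 also flags the ordinary 104-request minute, showing how a tight baseline raises the false alarm rate.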