The intrusion or the attacks to the computer systems or computer network can be detected using intrusion detection system (IDS). These systems keep monitoring the network/system for malicious activities or policy violations. As soon as the system notices some malicious activity, it either tries to stop it itself or perform other activities that are set into the system to stop intrusion. Some of the ways that IDS can employ to stop malicious activities itself by reconfiguring routers and firewalls to reject future traffic from the same address or by crafting packets on the network to reset the connection. Alternatively the system immediately reports malicious activities to the system administrator, create logs, and create reports.
There can be two types of IDS:
- Host based: These systems collects and analyze data that originates from a computer that hosts a service such as Web Service, DHCP service or DNS service.
- Network based: These systems collects and analyze data that originates from a network. Such as data packets that travel over a network.
In a good intrusion detection system both types of IDS work in conjunction with each other to protect a network. With time, the new attacks and unknown attacks keep coming up and it is not possible to keep up with them because there are so many of them. Although you cannot protect your system/network against every possible type of attack, you can protect your system from most of the threats using the intrusion detection system.
The IDS systems detect intrusions by number of ways. Some of these ways are:
- Anomaly detection: The IDS detects statistical anomalies in the system by setting the baseline for system activities such as CPU utilization, disk activity, user logins, and file activity. As soon as there is a deviation from this baseline, the system triggers an alert.
- Signature Recognition: IDS examines traffic looking for well known patterns of attack. For example, the system may check all the packets that try to access vulnerable CGI script pattern “/cgi-bin/phf on a web-server.
- Bandwidth usage: IDS keeps examining the bandwidth usage of the system. An unexpected increase in bandwidth usage can raise a suspicious event.
Some of the common and known attacks are:
- Denial of Service Attacks: In this type of attack, the attacker overloads the server with messages and the server stops responding to the messages from the genuine requesters. The attacker in this kind of attack may attack a router, firewall or a proxy server and makes it unusable.
- Ping of death: In this type of attack the hacker sends an IP fragment to a computer, which is more data than the maximum IP packet size. This causes buffer overruns in the system and the system crashes.
- IP half scan. In this type of attack the hacker repeatedly attempts to connect to a destination computer and sends no corresponding ACK packets. With this type of attack an attacker tries to determine exactly which ports are open for connections, without the destination being aware of the probing.
- Land attack: In this type of attack the hacker sends a TCP SYN packet with a spoofed source IP address and port number that matches that of the destination IP address and port. If the attack is successful, some TCP implementations can go into a loop and cause the computer to fail.
- Port scan: In this type of attack the hacker makes an attempt to count the services running on a computer by scanning each port for a response. If the attack is successful the hacker can find active ports and exploit a known vulnerability of that service.
The intrusion detection systems are mostly built-in firewalls. However, if it is not there in the firewall then you need both firewall and the IDS to protect your system. The firewall needs to be configured properly to enable the IDS, if IDS exists in the firewall you are using on your system.
Social engineering is a kind of attack in which instead of directly tempering with the software, the attacker tries to exploit the human behavior of people who can divulge important confidential information. The attacker gains confidence of the important officials and manipulates them into performing actions that compromises the network’s security. For example, a person using social engineering may try to gain confidence of a co-employee who is authorized to access the network and try to get him to reveal information. Another example can be a person calling the authorized officer with some kind of urgent problem and push them to divulge secret information and the passwords of the company.