CompTIA Certifications

CompTIA Network+ 2009 Domain 5: Network Tools

Intrusion Detection Software

Intrusion detection software is used to detect whether or not someone has gained unauthorized access to the network. It is often an automated solution, providing alerts when an intrusion is detected and frequently providing an automated way to shutdown intruders (see Intrusion Prevention Software). Intrusion detection software could run on a server or on a networking device. Today, it is often included in a security appliance which serves several security functions on your network.

Intrusion Detection Software (IDS) record observed events, notify security administrators, and produce reports.

There is terminology associated with IDS, including (source,

  • Alert/Alarm: A signal suggesting that a system has been or is being attacked.
  • True Positive: A legitimate attack which triggers an IDS to produce an alarm.
  • False Positive: An event signaling an IDS to produce an alarm when no attack has taken place.
  • False Negative: A failure of an IDS to detect an actual attack.
  • True Negative: When no attack has taken place and no alarm is raised.
  • Noise: Data or interference that can trigger a false positive.
  • Site policy: Guidelines within an organization that control the rules and configurations of an IDS.
  • Site policy awareness: The ability an IDS has to dynamically change its rules and configurations in response to changing environmental activity.
  • Confidence value: A value an organization places on an IDS based on past performance and analysis to help determine its ability to effectively identify an attack.
  • Alarm filtering: The process of categorizing attack alerts produced from an IDS in order to distinguish false positives from actual attacks.
  • Attacker or Intruder: An entity who tries to find a way to gain unauthorized access to information, inflict harm or engage in other malicious activities.
  • Masquerader: A user who does not have the authority to a system, but tries to access the information as an authorized user. They are generally outside users.
  • Misfeasor: They are commonly internal users and can be of two types:
    1. An authorized user with limited permissions.
    2. A user with full permissions and who misuses their powers.
  • Clandestine user: A user who acts as a supervisor and tries to use his privileges so as to avoid being captured.

More from

Types of intrusion detection systems

For the purpose of dealing with IT, there are two main types of IDS:

Network intrusion detection system (NIDS)
It is an independent platform that identifies intrusions by examining network traffic and monitors multiple hosts. Network intrusion detection systems gain access to network traffic by connecting to a network hub, network switch configured for port mirroring, or network tap. In a NIDS, sensors are located at choke points in the network to be monitored, often in the demilitarized zone (DMZ) or at network borders. Sensors captures all network traffic and analyzes the content of individual packets for malicious traffic. An example of a NIDS is Snort.
Host-based intrusion detection system (HIDS)
It consists of an agent on a host that identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability databases, Access control lists, etc.) and other host activities and state. In a HIDS, sensors usually consist of a software agent. Some application-based IDS are also part of this category. An example of a HIDS is OSSEC.

Intrusion detection systems can also be system-specific using custom tools and honeypots. In the case of physical building security, IDS is defined as an alarm system designed to detect unauthorized entry.

For the purpose of protecting perimeters of critical infrastructures and high risk assets, there is a primary type of IDS:

Perimeter Intrusion Detection System (PIDS)
Detects and pinpoints the location of intrusion attempts on perimeter fences of critical infrastructures. Using either electronics or more advanced fibre optic cable technology fitted to the perimeter fence, the PIDS detects disturbances on the fence, and this signal is monitored and if an intrusion is detected and deemed by the system as an intrusion attempt, an alarm is triggered.
VM based Intrusion Detection System (VMIDS)
It detects the intrusion using virtual machine monitoring. By using this we can deploy the Intrusion Detection System with Virtual Machine Monitoring. It is the most recent one its still under progressing. No need of separate intrusion detection system by using this we can monitor the overall activities.

Passive/Reactive Systems

In a passive system, the intrusion detection system (IDS) sensor detects a potential security breach, logs the information and signals an alert on the console and or owner. In a reactive system, also known as an intrusion prevention system (IPS), the IPS auto-responds to the suspicious activity by resetting the connection or by reprogramming the firewall to block network traffic from the suspected malicious source. The term IDPS is commonly used where this can happen automatically or at the command of an operator; systems that both “detect” (alert) and/or “prevent.”

Comparison with a Firewall

Though they both relate to network security, an intrusion detection system (IDS) differs from a firewall in that a firewall looks outwardly for intrusions in order to stop them from happening. Firewalls limit access between networks to prevent intrusion and do not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system. This is traditionally achieved by examining network communications, identifying heuristics and patterns (often known as signatures) of common computer attacks, and taking action to alert operators. A system that terminates connections is called an intrusion prevention system, and is another form of an application layer firewall.

Statistical Anomaly and Signature Based

All Intrusion Detection Systems use one of two detection techniques:

Statistical anomaly-based IDS
A statistical anomaly-based IDS establishes a performance baseline based on normal network traffic evaluations. It will then sample current network traffic activity to this baseline in order to detect whether or not it is within baseline parameters. If the sampled traffic is outside baseline parameters, an alarm will be triggered.
Signature-based IDS
Network traffic is examined for preconfigured and predetermined attack patterns known as signatures. Many attacks today have distinct signatures. In good security practice, a collection of these signatures must be constantly updated to mitigate emerging threats.

IDS Limitations

Noise can severely limit an Intrusion detection systems effectiveness. Bad packets generated from software bugs, corrupt DNS data, and local packets that escaped can create a significantly high false-alarm rate.
Too few attacks
It is not uncommon for the number of real attacks to be far below the false-alarm rate. Real attacks are often so far below the false-alarm rate that they are often missed and ignored.
Signature updates
Many attacks are geared for specific versions of software that are usually outdated. A constantly changing library of signatures is needed to mitigate threats. Outdated signature databases can leave the IDS vulnerable to new strategies.

On the Network+ Exam

The Network+ exam focuses on the practical application of what you use network tools for. In the case of intrusion detection systems, you should understand what you will use an IDS for, why an IDS is important on a network, and the differences between an IDS and Intrusion Prevention System.