Valuable property needs to be protected from the prospect of theft and
destruction. Modern homes are equipped with alarm systems that can deter
burglars, notify authorities when a break-in has occurred, and even warn
owners when their home is on fire. Such measures are necessary to assure
the integrity of homes and the safety of homeowners.
The same assurance of integrity and safety should also be applied to
computer systems and data. The Internet has facilitated the flow of
information, from the personal to the financial. At the same time, it has
fostered just as many dangers. Malicious users and crackers seek
vulnerable targets such as unpatched systems, systems infected with
trojans, and networks running insecure services. Alarms are needed to
notify administrators and security team members that an breach has taken
place so that they can respond in real-time to the
threat. Intrusion detection systems have been
designed as such a warning system.
Defining Intrusion Detection Systems
An intrusion detection system (IDS) is an active process or device
that analyzes system and network activity for unauthorized entry and/or
malicious activity. The way that the IDS detects anomalies can vary
widely; however, the aims are the same — catch perpetrators in the
act before they do real damage to your resources.
IDSes protect a system from attack, misuse, and compromise. It can also
monitor network activity, audit network and and system configuration for
vulnerabilities, analyze data integrity, and more. Depending on the
detection methods you choose to deploy, there are several direct and
incidental benefits to using an IDS.
IDS Types
Understanding what an IDS is and the functions it provides is key in
determining what type would be appropriate to include in your computer
security policy. This section will discuss the concepts behind IDSes,
the functionalities of each type of IDS, and the emergence of hybrid
IDSes that employ several detection techniques and tools in one package.
Some IDSes are knowledge-based, which
preemptively alert security administrators before an intrusion occurs
using a database of common attacks. Alternatively, there are
behavioral IDSes that track all resource usage
for anomalies, which is usually a positive sign of malicious activity.
Some IDSes are standalone services that work in the background and
passively listen for activity, logging any suspicious packets from the
outside. Others mix standard system tools, modified configurations, and
verbose logging with administrator intuition and experience to create a
powerful intrusion detection kit. Evaluating the many intrusion
detection techniques can assist in finding one that is right for your
organization.
