Valuable property needs to be protected from the prospect of theft and
destruction. Some homes are equipped with alarm systems that can deter
burglars, notify authorities when a break-in has occurred, and even warn
owners when their home is on fire. Such measures are necessary to ensure
the integrity of homes and the safety of homeowners.
The same assurance of integrity and safety should also be applied to
computer systems and data. The Internet has facilitated the flow of
information, from personal to financial. At the same time, it has fostered
just as many dangers. Malicious users and crackers seek vulnerable targets
such as unpatched systems, systems infected with trojans, and networks
running insecure services. Alarms are needed to notify administrators and
security team members that a breach has taken place so that they can
respond in real-time to the threat. Intrusion detection
systems have been designed as such a warning system.
9.1. Defining Intrusion Detection Systems
An intrusion detection system (IDS) is an active process or device
that analyzes system and network activity for unauthorized entry and/or
malicious activity. The way that an IDS detects anomalies can vary widely;
however, the ultimate aim of any IDS is to catch perpetrators in the act
before they do real damage to your resources.
IDSes protect a system from attack, misuse, and compromise. It can
also monitor network activity, audit network and system configurations for
vulnerabilities, analyze data integrity, and more. Depending on the
detection methods you choose to deploy, there are several direct and
incidental benefits to using an IDS.
9.1.1. IDS Types
Understanding what an IDS is and the functions it provides is key
in determining what type would be appropriate to include in your
computer security policy. This section discusses the concepts behind
IDSes, the functionalities of each type of IDS, and the emergence of
hybrid IDSes that employ several detection techniques and tools in one
package.
Some IDSes are knowledge-based, which
preemptively alert security administrators before an intrusion occurs
using a database of common attacks. Alternatively, there are
behavioral IDSes that track all resource usage
for anomalies, which is usually a positive sign of malicious activity.
Some IDSes are standalone services that work in the background and
passively listen for activity, logging any suspicious packets from the
outside. Others combine standard system tools, modified
configurations, and verbose logging, with administrator intuition and
experience to create a powerful intrusion detection kit. Evaluating
the many intrusion detection techniques can assist in finding one that
is right for your organization.
