Which is better: intrusion detection systems or intrusion prevention systems?
An intrusion prevention system (IPS) analyzes packets and, once it has identified the type of attack, can halt delivery of the packet so that it never reaches the network.
Intrusion Detection System
An intrusion detection system is a tool (software or hardware) that is used to identify security threats targeting a host or a network.
See Figure 1 for a better understanding of how an intrusion detection system operates.
Figure 1 clearly shows that an intrusion detection system is not connected inline with the network, which avoids delaying network traffic; instead it is attached to one of the switch ports so that it receives a copy of the network traffic for analysis.
In addition, if the intrusion detection system is disabled or disconnected from the network, network performance is not adversely affected, since it only receives a copy of the traffic and its deployment model is out of band (that is, network traffic does not pass through the intrusion detection system).
Because the intrusion detection system only issues a warning after a threat has been identified, it cannot prevent a network attack from occurring.
This same limitation is what creates the need for a reactive tool such as an intrusion prevention system.
Intrusion Prevention System
An intrusion prevention system (IPS) is a device installed on a host or network to detect and block security threats. As Figure 2 shows, an intrusion prevention system is integrated inline into the network, according to the topology on which the network is designed.
Deploying it directly in the traffic path ensures that all network traffic passes through the IPS device, and that any malicious code or potential attack that may pose a serious threat to the network is detected by the intrusion prevention system.
If the intrusion prevention system detects a potential threat, its sensors generate an alert and prevent the malicious data or traffic from entering or leaving the network.
The important thing to keep in mind is that an intrusion prevention system should be located behind the firewall, not in front of the firewall facing the Internet gateway.
If an intrusion prevention system is placed facing the Internet, in what is called the untrusted zone, it may generate numerous alerts, some of which may be false positives or simply unwanted traffic. As you can see in the topology of Figure 2, the intrusion prevention system is deployed inline to monitor and prevent potential attacks.
This, of course, has costs, including added latency or waiting time, reduced network performance, and traffic congestion if the intrusion prevention system itself fails.
Types of intrusion detection and intrusion prevention systems
The above systems are used in both host-based and network-based forms. A HIDS (Host-based Intrusion Detection System) or HIPS (Host-based Intrusion Prevention System) is installed directly on a client machine, such as a computer running Windows 10.
However, when either of these systems is installed on a local machine, the HIDS / HIPS can only see traffic entering or leaving that local machine.
In such a case, if a threat appears elsewhere on the network, the HIDS / HIPS cannot detect and filter the malicious traffic unless that traffic reaches the local machine.
In a network-based intrusion detection or network-based intrusion prevention system, the software is installed at a point in the network. The advantage of such a system is that it sees traffic across the network and therefore has the potential to detect (and, for an IPS, stop) threats network-wide.
Detecting malicious traffic
Now that we are somewhat familiar with how intrusion detection and prevention systems work,
it’s time to look at how these two systems distinguish malicious traffic from legitimate traffic. IDS / IPS systems use the following approaches.
Signature-based solution: The system compares network traffic against specific patterns (signatures) to determine whether the traffic is malicious.
This is the same method an antivirus program installed on a system uses to fight viruses and other malware.
Note, however, that if a system is infected by a virus whose signature is not in the antivirus database, systems based on this method will fail to detect the threat and will not generate any alert.
Signature-based detection is easy to implement, but it cannot detect any threat whose signature is not in the IDS / IPS database. Therefore, signature-based detection is not effective in protecting systems from new threats.
Policy-based solution: IDS / IPS systems are configured to identify threats based on the enterprise’s IT security policies.
For example, an organization’s policy may define that Telnet traffic should be restricted. Since Telnet uses TCP port 23, the rule must be written to match that type of traffic so that the system raises the proper alert and blocks the matching traffic correctly.
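The two approaches just described, a payload signature and a policy rule for Telnet on TCP port 23, can be expressed in one small rule engine. The following is an added example written for this article, not code from any IDS / IPS product; the packet layout, the rule names and the byte pattern EVIL_MARKER are constructed. It also shows the operational difference between the two deployment models from the earlier sections: in IDS mode the sensor only alerts on its copy of the traffic, in IPS mode the matching packet is dropped. The last sample packet carries a variant the signature database does not know, so it passes both modes untouched, which is the weakness of signature-based detection described above.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Packet:
    """Constructed, simplified view of one packet (not a real capture)."""
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    payload: bytes


@dataclass
class Rule:
    """One detection rule. Policy fields (proto/dport) and a payload
    signature can be combined; a field left unset matches anything."""
    name: str
    proto: str = "any"
    dport: int = 0            # 0 = any port
    signature: bytes = b""    # empty = no payload check


# Constructed rule set (hypothetical names, not from any vendor database):
# - a policy rule: Telnet (TCP/23) is restricted by organizational policy
# - a signature rule: a fixed byte pattern standing in for a known exploit
RULES = [
    Rule(name="policy-telnet-restricted", proto="tcp", dport=23),
    Rule(name="sig-known-exploit-marker", signature=b"EVIL_MARKER"),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field the rule sets agrees with the packet."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport and rule.dport != pkt.dport:
        return False
    if rule.signature and rule.signature not in pkt.payload:
        return False
    return True


def inspect(packets, rules, mode="ids"):
    """Run the rule set over a packet stream.

    mode="ids": the sensor sees a copy of the traffic, so it only alerts and
                every packet is still forwarded by the switch.
    mode="ips": the sensor is inline, so a matching packet is dropped.
    Returns (alerts, forwarded).
    """
    alerts: List[Tuple[str, str, List[str]]] = []
    forwarded: List[Packet] = []
    for pkt in packets:
        hits = [r.name for r in rules if matches(r, pkt)]
        if hits:
            alerts.append((pkt.src, pkt.dst, hits))
            if mode == "ips":
                continue  # blocked: never reaches the protected network
        forwarded.append(pkt)
    return alerts, forwarded


# Constructed sample traffic: a Telnet login, a normal HTTP request, a request
# carrying the known marker, and a variant the signature database does not know.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.20", "tcp", 23, b"login: admin\r\n"),
    Packet("10.0.0.6", "10.0.0.80", "tcp", 80, b"GET / HTTP/1.1\r\n"),
    Packet("10.0.0.7", "10.0.0.80", "tcp", 80, b"GET /?q=EVIL_MARKER HTTP/1.1\r\n"),
    Packet("10.0.0.8", "10.0.0.80", "tcp", 80, b"GET /?q=evil_marker HTTP/1.1\r\n"),
]


def demo(mode: str):
    """Return (names of rules that fired, number of packets forwarded)."""
    alerts, forwarded = inspect(SAMPLE, RULES, mode)
    return [hits[0] for _, _, hits in alerts], len(forwarded)


if __name__ == "__main__":
    for m in ("ids", "ips"):
        print(m, demo(m))
```

Both modes raise the same two alerts; only the IPS run reduces the forwarded count, and in neither run does the lowercase variant produce an alert.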
Anomaly-based solution (unusual behavior):
The IDS / IPS system first draws a baseline for the traffic that normally crosses a system or network. The system then uses this baseline to compare the expected conditions against conditions in which suspicious traffic is entering or leaving the network.
In such a situation, an anomaly indicates a network intrusion. For example, suppose 100 TCP SYN packets arrive from the Internet and are all destined for a single server, but something is wrong:
each sender of a TCP SYN packet is expected to complete the handshake with a TCP ACK, yet none of them does, so a SYN flood attack is highly likely. In this situation, the intrusion prevention system stops the packets from entering the network.
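The SYN flood anomaly above can be detected by counting, per source, the connections that were opened with a SYN and never completed with an ACK. The following is an added example written for this article, not code from any IDS / IPS product. It assumes a simplified handshake model (a SYN from a source opens a pending entry, the same source's ACK closes it; the server's SYN-ACK is not modelled) and a constructed trace: one client that completes three handshakes and one source that sends 100 SYNs to the same server without ever acknowledging. Once a source exceeds the half-open threshold, the tracker returns the drop verdict an inline IPS would apply.

```python
from collections import defaultdict


class HalfOpenTracker:
    """Anomaly check for SYN floods, built for this article (not a product).

    Simplification: a SYN from a source opens a pending entry keyed by
    (destination, source port); the source's ACK for that same tuple closes
    it. A source holding more pending entries than `threshold` is treated as
    flooding and every further packet from it is dropped.
    """

    def __init__(self, threshold: int):
        self.threshold = threshold
        self.pending = defaultdict(set)   # src -> {(dst, sport), ...}
        self.blocked = set()

    def observe(self, src: str, dst: str, sport: int, flags: str) -> str:
        """Return the verdict for one packet: "forward" or "drop"."""
        if src in self.blocked:
            return "drop"
        key = (dst, sport)
        if flags == "SYN":
            self.pending[src].add(key)       # handshake started
        elif flags == "ACK":
            self.pending[src].discard(key)   # handshake completed
        if len(self.pending[src]) > self.threshold:
            self.blocked.add(src)            # baseline exceeded: block the source
            return "drop"
        return "forward"


def run(trace, threshold: int = 50):
    """Feed (src, dst, sport, flags) tuples; return per-source verdict counts."""
    tracker = HalfOpenTracker(threshold)
    counts = defaultdict(lambda: {"forward": 0, "drop": 0})
    for src, dst, sport, flags in trace:
        counts[src][tracker.observe(src, dst, sport, flags)] += 1
    return {src: dict(c) for src, c in counts.items()}


def build_trace():
    """Constructed trace: a well-behaved client completing three handshakes,
    then one source sending 100 SYNs to the same server without any ACK."""
    trace = []
    for sport in (40000, 40001, 40002):
        trace.append(("10.0.0.5", "192.0.2.10", sport, "SYN"))
        trace.append(("10.0.0.5", "192.0.2.10", sport, "ACK"))
    for sport in range(50000, 50100):
        trace.append(("203.0.113.9", "192.0.2.10", sport, "SYN"))
    return trace


if __name__ == "__main__":
    print(run(build_trace()))
```

With a threshold of 50 the flooding source gets its first 50 SYNs forwarded and the remaining 50 dropped, while the well-behaved client is never touched; in a pure IDS deployment the same logic would only raise an alert at the point where the verdict flips to drop.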
It should be explained that, in order to establish a baseline representing the normal state and regular traffic of the network, methods such as neural networks and machine learning algorithms are used, since the aim is to find and define specific patterns and rules for normal behavior in a network.
Behaviors that conform to these patterns are considered normal, and behaviors that fall outside the norm, with a deviation from the baseline exceeding the predicted statistical threshold, are assumed to be abnormal.
For example, suppose an employee is predicted to log in or out of the network two to four times a day; if this employee does so twenty times a day, that is considered unusual behavior.
Overall, we have to acknowledge that it is not easy to separate normal behavior from abnormal behavior, and systems that use such a method produce false positive alarms at high rates, which makes network professionals quite reluctant to use such an approach.
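The login example above, two to four logins a day as the norm and twenty as the anomaly, is the simplest form of a statistical baseline: a mean and standard deviation over past observations and a cut-off of k standard deviations. The following is an added example written for this article, not code from any product or the machine-learning methods mentioned; the 20-day login history is constructed. It also shows the false-positive problem the paragraph ends on: a day with six logins is flagged at k = 3 but not at k = 5, so the cut-off is a trade-off between missed detections and noise.

```python
import statistics


class LoginBaseline:
    """Per-user statistical baseline of daily login counts (constructed for this article).

    The baseline is the mean and sample standard deviation of past daily
    counts; a day whose count lies more than `k` standard deviations above
    the mean is reported as abnormal. `k` is the tuning knob that trades
    missed detections for false positives.
    """

    def __init__(self, history, k: float = 3.0):
        if len(history) < 2:
            raise ValueError("need at least two days of history")
        self.mean = statistics.mean(history)
        self.stdev = statistics.stdev(history)
        self.k = k

    def zscore(self, count: int) -> float:
        """How many standard deviations `count` lies above the baseline mean.
        A flat history (stdev 0) makes any deviation infinitely surprising."""
        if self.stdev == 0:
            return 0.0 if count == self.mean else float("inf")
        return (count - self.mean) / self.stdev

    def is_abnormal(self, count: int) -> bool:
        return self.zscore(count) > self.k


# Constructed 20-day history for one employee: two to four logins a day.
HISTORY = [2, 3, 4, 3, 2, 4, 3, 3, 2, 4, 3, 2, 4, 3, 3, 2, 4, 3, 2, 3]


def classify_days(counts, k: float = 3.0):
    """Return {daily count: verdict} for the given counts against HISTORY."""
    baseline = LoginBaseline(HISTORY, k)
    return {c: ("abnormal" if baseline.is_abnormal(c) else "normal") for c in counts}


if __name__ == "__main__":
    print("k=3:", classify_days([4, 6, 20], k=3.0))
    print("k=5:", classify_days([4, 6, 20], k=5.0))
```

For this history the mean is 2.95 logins a day with a sample standard deviation of about 0.76, so twenty logins sit more than twenty standard deviations out and are flagged under any reasonable k, while six logins is a borderline day whose verdict depends entirely on the cut-off chosen.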
Trust-based approach: In the trust-based approach, the IPS correlates its threat findings with credible sources such as Cisco Talos.
Interaction of Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are both important and fundamental requirements of networks. IDS and IPS compare the data packets of a network with their database, which contains the signatures of cyberattacks, and treat any packet that matches the database as a threat.
The main difference between the two systems is that the IDS is a surveillance system,
while the IPS is a control system.
Intrusion detection systems are surveillance and diagnostic tools and, by design, do not take action, while an IPS, based on the contents of a packet, prevents it from carrying malicious traffic into the network.
In this respect,
IPS behavior is very similar to a firewall blocking traffic based on an IP address. To detect signs that attackers are using a well-known cyber threat to steal information or penetrate the network, intrusion detection systems monitor and analyze network traffic.
Intrusion detection systems compare current network activity with the threat information in their databases to find risky behavior such as security breaches, malware or port scanners.
Intrusion prevention systems, in turn, sit between the firewall and the world outside the organization’s communications network, so that they can generate an alert when a security threat is detected.
Most vendors of IDS / IPS products have been able to market more advanced intrusion prevention systems that come with firewalls and deliver both in the form of unified threat management (UTM) technology. Some systems offer the capabilities of both IDS and IPS technologies in a single package.
Differences between IDS and IPS
Both technologies, intrusion prevention and intrusion detection systems, read packets and compare their contents with the known threats registered in their databases. But as noted, an IDS is only a diagnostic and monitoring tool and does not act on its own, whereas an IPS is a control system that accepts or rejects packets based on rules.
An IDS requires a complementary or specialized system to review its results and take the next steps. The purpose of deploying an intrusion prevention system, by contrast, is to trap dangerous packets so that they never reach their intended target.
The intrusion prevention system is by far more passive than an intrusion detection system, and it is imperative that the system’s database is kept updated with new threat information.
Security teams face growing threats, such as data breaches and malware entering an organization’s communications infrastructure, while organizations are limited in their ability to deal with cyber threats.
In such circumstances, IDS / IPS systems help organizations and their teams by automating some of the processes involved in identifying and removing security threats, protecting sensitive information that might otherwise be unintentionally removed from the organization’s network, ensuring that policies are properly implemented, and organizing the response to future threats based on recently repelled ones, which significantly improves the security of a network.