Intrusion Detection System (IDS)
An Intrusion Detection System (IDS) is a system that monitors network traffic for suspicious activity and generate alerts when such activity is found. It is a software application that run on organizations’ hardware or as a network security solution, which scans a network or a system for any malicious activities or policy violations.
Classification of IDS:
1. Network Intrusion Detection System (NIDS):
These are set up at a planned point within the network to analyze traffic from all connected devices on the network. It monitors all subnet communication and compares it to a database of known threats. An alarm can be issued to the administrator whenever an attack has been detected or strange activity has been identified. An example of NIDS is installing it on the subnet where firewalls are placed to determine whether someone is attempting to crack the firewall.
2. Host Intrusion Detection System (HIDS):
These run-on independent hosts or devices on the network. A HIDS monitors the device’s incoming and outgoing packets, alerting the administrator if suspicious or malicious behavior is detected. It compares the current snapshot to the previous snapshot of existing system files. An alert is given to the administrator if the analytical system files have been modified or removed. An example of HIDS usage can be seen on mission-critical machines, which are not expected to change their layout.
3. Protocol-based Intrusion Detection System (PIDS):
It is a system or agent that is always present at the server’s front end, regulating and interpreting the protocol between the user/device and the server. It is attempting to protect the web server by checking the HTTPS protocol stream on a regular basis and accepting the related HTTP protocol. As HTTPS is un-encrypted until it reaches the web presentation layer, this system would have to stay in this interface in order to use HTTPS.
4. Application Protocol-based Intrusion Detection System (APIDS):
It is a system or agent that generally resides within a group of servers. It detects intrusions by monitoring and analyzing application-specific protocols. This would, for example, track the SQL protocol as the middleware transacts with the database in the web server.
5. Hybrid Intrusion Detection System:
It is created by combining two or more intrusion detection system techniques. In this system, the host agent or system data is combined with network information to get a complete view of the network system. While comparing to the other intrusion detection systems, the hybrid intrusion detection system finds to be more effective. Prelude is an example of Hybrid IDS.
Detection Method of IDS:
Signature-based Method:
It identifies attacks based on certain patterns in network traffic, such as the number of bytes, the number of 1s, and the number of 0s. It also identifies malware based on the previously known malicious instruction sequence. The detected patterns in the IDS are known as signatures.
This method can easily detect attacks whose pattern (signature) already exists in the system, but detecting new malware attacks are more difficult as their pattern (signature) is unknown.
Anomaly-based Method:
It identifies unknown malware attacks as new malware rises rapidly. This method uses machine learning to construct a trustworthy activity model, and anything that comes in is compared to that model, and it is considered suspicious if it is not found in the model. In comparison to signature-based IDS, machine learning-based IDS has a superior generalized property since these models can be trained according to the applications and hardware setups.
Hybrid Detection Method:
This method uses both Signature and Anomaly-based intrusion detection methods together. However, the main reason behind the development of a hybrid detection system is to identify more potential attacks with fewer errors.