
Information Security Technical Report (2005) 10, 134-139

Intrusion Detection Systems and Intrusion Prevention Systems

Andreas Fuchsberger

Information Security Group, Royal Holloway, University of London, Egham, Surrey TW20 0EX, United Kingdom

Introduction

The tremendous increase in cyber attacks, coupled with the dependence of modern organisations on the reliability and functionality of their IT infrastructure, has led to a change in mindset. As "IT downtime" rises, priorities are shifting. As recent surveys show, cyber attacks, especially those targeted at networks, are real and are no longer an unlikely incident that occurs only to the few exposed networks of organisations in the limelight. In the struggle to both implement and maintain any given IT security policy, professional IT security management can no longer ignore these issues, as attacks on networks become not only more frequent but also more devastating; in many organisations commercial success is directly tied to the safe and reliable operation of their networks.

Furthermore, the annual CSI/FBI survey shows that even though virus-based attacks are the most frequent, attacks based on unauthorized access, as well as Denial of Service attacks from both internal and external sources, are increasing drastically. Quite clearly, attacks originating from the Internet connection are becoming the major concern, while attacks via internal systems and remote dial-ins are decreasing.

This finds further explanation in research conducted by Carnegie Mellon University examining how attack sophistication has developed relative to the technical knowledge required of the intruder. The chart in Fig. 1 illustrates the trend: as intrusion tools become more powerful, the attackers themselves require less knowledge. An alarming observation is that as simple attacks become less effective, multiple attacks are being combined to achieve their objectives.

[Figure 1 (chart): attack sophistication, low to high, plotted against the years 1980 to 2000, with two curves, tool strength rising and intruder knowledge falling. Labelled points in roughly chronological order: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, burglaries, sweepers, sniffers, packet spoofing, GUI attack tools, automated probes/scans, network management diagnostics, www attacks, denial of service, "stealth"/advanced scanning techniques, distributed attack tools, staged attacks, cross-site scripting, auto-coordinated attacks.]
Figure 1 Attack sophistication vs. Intruder technical knowledge (Allen et al., 2000).

Manual operations such as password guessing or the exploitation of known vulnerabilities have been automated, with sweepers, sniffers, packet spoofing and automated probes being used as soon as they are made available to the growing hacking community. It is no longer necessary to be an IT expert. A visit to a site like astalavista.com, diabolo 666 or equivalent chat rooms will offer an abundance of highly sophisticated, prefabricated hacking tools ready for deployment, including easy-to-understand instructions and "tweaks" to optimize impact.

In order to respond to this increasing threat, the IT security industry provides a range of tools known as vulnerability assessment tools as well as Intrusion Detection Systems (IDS) and, in its latest development, Intrusion Prevention Systems (IPS). Vulnerability assessment and intrusion detection/prevention are just one aspect of IT security management. However, due to recent developments and the continuing spread of network connectivity, IT security management is faced with yet another challenge, requiring a structured approach for an adequate response.

E-mail address: a.fuchsberger@rhul.ac.uk

1363-4127/$ - see front matter © 2005 Published by Elsevier Ltd. doi:10.1016/j.istr.2005.08.001

Intrusion Detection Systems (IDS)

History and development

Before the development of modern IDS, intrusion detection consisted of a manual search for anomalies. Log files were examined for events that should or should not occur in the regular operation of computers and networks. Performed manually, this task is not only strenuous and possibly inaccurate, but also very time- and manpower-intensive. It therefore soon became necessary to develop automated log file readers, searching for logged events that indicate irregularities or even an intrusion by unauthorized personnel. However, not every irregularity constituted an actual attack or intrusion, so the whole process required more thorough investigation. With further research it became possible to derive "attack patterns" from these irregularities, and the first automated, pattern-matching log file readers were developed. It should be pointed out that this early ID software (not systems) was mostly individually developed and programmed and not widely spread, as very few organisations needed this kind of technology before the dawn of the Internet age (Allen et al., 2000).

Again from the annual CSI/FBI survey, it can easily be seen that the source of attacks has clearly shifted from internal sources to the Internet; in 2003, 70% of all attacks originated there, compared with 31% from internal systems. In consequence the emerging IT security industry introduced network-based intrusion detection, which in essence follows the same principle of pattern matching as host-based intrusion detection, but instead of reading the log files of a given host it monitors network traffic, searching for attack patterns in the TCP/IP packet stream.

Until this point, intrusion detection had been a post factum analysis of log files, allowing forensic analysis relatively long after the actual event, with possible adjustments to the infrastructure afterwards. With adequate processing speed available, it became possible not only to look for attack patterns after the event had occurred, but also to monitor in "real time" and trigger alerts when intrusions were detected.

Driven by market demand, the IT security industry now started to develop former prototype software into actual Intrusion Detection Systems, consisting of user-friendly interfaces, methods to update attack patterns, various methods of alerting and even some automatically triggered reactions or actual prevention methods able to stop attacks in progress.

Due to the financial losses from computer downtime, loss of image, or even confidential data being affected, the demand in recent years not only to be alerted in the event of an attack but also to prevent the attack altogether has become an absolute necessity. Especially with the introduction of Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, the market demand has grown stronger for Intrusion Prevention Systems (IPS) rather than mere intrusion detection.

These Intrusion Prevention Systems are presently the technological edge of IDS technology and are found both as stand-alone products and as part of modern firewall systems. Another observation is that the current trend in the IT security industry to move from software solutions to appliance-based solutions has resulted in a shift of emphasis, for example in the firewall industry, which in some instances provides IDS and IPS as part of its solutions. A 2002 Gartner Group IT security study claims that any firewall solution not incorporating at least network-based IDS would disappear from the market. This shift of emphasis from single-function solutions to multipurpose devices is not only a reaction to market demands in terms of cost of ownership, but also sufficient proof that IDS/IPS solutions have become a key factor in the IT security world.

Methods of intrusion detection

In order to discuss IDS properly it is necessary to distinguish between the different kinds of IDS.

Behaviour-based IDS

Statistical anomaly detection (or behaviour-based detection) is a methodology in which statistical techniques are used to detect penetrations and attacks. These begin by establishing a baseline of statistical behaviour: what is normal for this system? They then gather new statistical data and measure the deviation from the baseline. If a threshold is exceeded, an alarm is issued. Examples of what a behaviour-based IDS might detect:

- the number of failed login attempts at a sensitive host over a period;
- a burst of failed attempts to log in: an attack may be under way, or maybe the admin just forgot his password?

This raises the issue of false positives (an attack is flagged when none was taking place, a false alarm) and false negatives (an attack was missed because it fell within the bounds of normal behaviour). Normal behaviour may overlap with forbidden behaviour. Legitimate users may deviate from the baseline, causing false positives (e.g. a user goes on holiday, works late in the office, forgets a password, or starts to use a new application). If the baseline is adjusted dynamically and automatically, a patient attacker may be able to shift the baseline gradually over time so that his attack does not generate an alarm.

Other issues relevant to behaviour-based IDS are that they are difficult to implement, may be more resource-hungry than knowledge-based IDS and may require frequent fine-tuning by the administrator. Today there seems to be a lot of research, but no commercial products are known to be in use.

Knowledge-based IDS

Most commercial IDS look for attack signatures: specific patterns of network traffic or activity in log files that indicate suspicious behaviour. Such systems are known as knowledge-based or misuse-detection IDS. Example signatures might include:

- a number of recent failed login attempts on a sensitive host;
- a certain pattern of bits in an IP packet, indicating a buffer overflow attack;
- certain types of TCP SYN packets, indicating a SYN flood DoS attack.

When an IDS looks for attack signatures in network traffic, it is called a network-based IDS (NIDS). When an IDS looks for attack signatures in the log files of hosts, it is called a host-based IDS (HIDS). Naturally, the most effective Intrusion Detection System will make use of both kinds of information.

Host-based IDS

Derived from mere log file analysers, modern host-based Intrusion Detection Systems are designed as applications running in the background of presumed critical, sensitive hosts, such as mail servers, DNS servers, web servers, database servers, etc. Host-based IDS are found predominantly in e-commerce environments, where sensitive data are stored or availability is critical. The components are the actual host-based IDS application and an IDS management station, from which the application is administered and to which alerts are sent for further action. A host-based IDS serves to detect attack patterns that can only, or more easily, be found at host level.

Network-based IDS

A network-based IDS monitors network traffic at packet level. The components are the network-based IDS software, running on a dedicated host connected to the network traffic through a network interface, and again an IDS management station, from which the software is administered and to which alerts are sent.

In order not to become a target for attack itself, it has become standard to "conceal" the system by setting the network interface into "stealth" mode as well as "promiscuous" mode: the interface itself has no IP address, so the IDS probe cannot be addressed by other hosts, but merely copies all passing traffic into its memory. Here the packets are examined, both header and payload, for attack signatures stored in the IDS attack signature database, which is the vital part of any IDS software. If a match is found, the alert is sent to the management station via SNMP trap or similar for further action. Due to the delivery method of the alert, some IDS allow for integration with network and security management consoles such as Tivoli, HP OpenView or NetIQ. Some IDS even allow an automated response to a recognised attack, such as a connection reset to the source IP or even the automatic reconfiguration of the firewall, e.g. by blocking the affected port.

Intrusion Prevention Systems (IPS)

To many IDS users' great dismay, seeing an attack as it occurs is one thing; stopping it is another. If one assumes that the highest priority of any IT security activity in this area is to prevent an attack and the possible related disaster, IDS often deliver little to meet this demand. Until recently the most an IDS could do was to send a reset packet to possibly terminate the ongoing attack session, or possibly reconfigure a firewall by simply closing the appropriate port of the affected service. These measures were of course at least partially unsatisfactory: a reset, for example, cannot terminate an attack carried over a connectionless protocol such as UDP.

The term Intrusion Prevention System (IPS) is relatively new, often pushed by the marketing departments to move IDS manufacturers away from the negative image of Intrusion Detection Systems. They are essentially a combination of access control (firewall/router) and Intrusion Detection Systems, an alliance that comes naturally as both technologies often share underlying technology. Nearly all modern commercial firewalls use "stateful" inspection and commercial IDS use signature recognition. Both technologies need to "look deep into the packet" before making an access decision in the case of a firewall or raising an alarm in the case of an IDS. To make this possible in an efficient manner, sufficient processing power is necessary, which has become more easily available in recent years. An IPS works like an in-line network IDS, allowing instant access control policy modifications. As nearly all modern firewalls follow the principle of stateful inspection, it is a relatively small step from analysing the state of the protocol in use to analysing for attack signatures at the same level. The technologies are so close that in a 2004 study the Gartner Group claimed that by 2005 only integrated firewalls with IDS (i.e. IPS) would survive.

With the arrival of worms carrying DDoS payloads such as the recent "W32.Blaster.Worm", the market trend is clearly focussing on IPS rather than IDS. An IPS is predominantly found not only on security appliances such as certain firewalls, but also on stand-alone appliances. The idea to implement IPS here is driven by commercial as well as technical aspects. To date IPS have had the most success with "flood" (i.e. DoS) type attacks. For example, in the case of the IPS appliance "Attack Mitigator" by Toplayer, which was derived from a former layer 7 switch, it is planned to extend the IPS functionality to also incorporate IDS using the open source Snort IDS, in order to supplement the comparatively small number of attacks that can be prevented by "at least" seeing the attacks that cannot be prevented.

With the progress of technical sophistication in hacker methods, especially modern DoS or DDoS attacks, attack signatures are not easily detected. Generically one may assume that an attack signature is derived from a stream of packets with malicious content in both the packet header and the packet payload. Modern flood tools such as "trin00" and "Stacheldraht", however, in essence direct individually well-formed packets at the target (UDP, ICMP and TCP SYN floods in their case). Only the source IP addresses and the sheer number of requests give an indication that the whole process is an attack.

Definition of an IPS

An IPS can be defined as an in-line product that focuses on identifying and blocking malicious network activity in real time. In general, there are two categories:

- rate-based products; and
- content-based products (also referred to as signature- and anomaly-based).

The devices often look like firewalls and often have some basic firewall functionality. But firewalls block all traffic except that which they have a reason to pass, whereas IPS pass all traffic except that which they have a reason to block.

Rate-based IPS

Rate-based Intrusion Prevention Systems block traffic based on network load: for example, too many packets, too many connections, or too many errors. In the presence of too much of anything, a rate-based IPS kicks in and blocks, throttles or otherwise mediates the traffic. The most useful rate-based IPS combine powerful configuration options with a range of response technologies: for example, limit queries to the DNS server to 1000 per second, and/or offer other simple rules covering bandwidth and connection limiting. A rate-based Intrusion Prevention System can set a threshold for the maximum amount of traffic to be directed at a given port or service. If the threshold is exceeded, the IPS blocks all further traffic from the offending source IP only, still allowing other users (source IPs) to use that service.

Disadvantages of rate-based IPS

The biggest problem with deploying rate-based IPS products is deciding what constitutes an overload. For any rate-based IPS to work properly, the network owner needs to know not only what "normal" traffic levels are (on a host-by-host and port-by-port basis) but also other network details, such as how many connections their web servers can handle. However, most commercial products do not yet provide any help in establishing this baseline behaviour, but require the services of a "trained", product-specific systems engineer who often spends hours on site setting up the IPS. Because rate-based IPS require frequent tuning and adjustment, they will be most useful in very high-volume web, application and mail server environments.

Content-based products

Content-based Intrusion Prevention Systems block traffic based on attack signatures and protocol anomalies; they are the natural evolution of Intrusion Detection Systems and firewalls. They block the following:

- Worms (e.g. Blaster and MyDoom) that match a signature can be blocked.
- Packets that do not comply with the TCP/IP RFCs can be dropped.
- Suspicious behaviour such as port scanning triggers the IPS to block future traffic from the offending host.

The best content-based IPS offer a range of techniques for identifying malicious content and many options for how to handle the attacks, from simply dropping bad packets to dropping future packets from the same attacker, along with advanced reporting and alerting strategies. As content-based IPS offer IDS-like technology for identifying and blocking threats, they can be used deep inside the network to complement firewalls and provide security policy enforcement, and they often require less manual maintenance and fine-tuning to perform a useful function than their rate-based cousins.

Future developments

Recently the IT security market has been experiencing a definite trend towards appliance solutions, where firewall vendors as well as IDS vendors attempt to integrate various IT security solutions into one, usually proprietary, appliance running on a proprietary or specifically hardened OS. The advantage is a lower cost of ownership, as the vendor offers dedicated support with hardware replacement on the next business day. Aside from that, proprietary hardware and software is less likely to be hacked than common software such as Unix and Microsoft derivatives. This approach is interesting to the small and medium enterprise market, where the total IT budget may equal the cost of one high-end firewall application. Some of these single-appliance solutions attempt to deliver URL filtering, stateful inspection firewalling, a VPN gateway, content filtering (virus) as well as IDS and IPS functionality.

In recent years IT security management tools have arrived on the horizon with the intention of displaying the truly important, security-relevant information gathered from all relevant sources throughout the network on a single central console. In essence, the architecture consists of a central console that receives alerts from various log-parsing agents distributed throughout the network. The intriguing approach of these tools is that, aside from the classical pattern matching conducted by the various IDS, relevant log file data from routers and operating systems are parsed and examined for information the user may specifically be looking for. Thus it resembles a type of customizable host-based IDS, with the ability to create customized patterns that are not "off the rack" but instead represent the individual situation and concerns of the network. Regardless of these deficiencies, the vendors of these management tools have recognised a growing, latent need for consolidating IT security-relevant information vendor-independently.
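The rate-based and content-based behaviour described above, as an added example (not code from the article or from any product it names): a per-source rate limiter on the DNS service, a content inspector that drops a protocol anomaly (SYN and FIN set together), a payload signature and a port scanner, and an in-line loop that passes a packet only when neither engine has a reason to drop it. The packet stream, the 1000-per-second limit, the ten-port scan threshold, the addresses and the NOP-sled signature are constructed for illustration.

```python
"""Rate-based and content-based IPS decisions over a constructed packet stream.

Added example for this page, not code from the article or from any product it
names. Addresses, limits, the port-scan threshold and the NOP-sled signature are
constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float                        # arrival time in seconds
    src: str
    dst: str
    proto: str                      # "tcp" or "udp"
    dport: int
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"}
    payload: bytes = b""


class RateLimiter:
    """Rate-based engine: a source sending more than `limit` packets to `dport`
    within `window` seconds is blocked; every other source keeps using the service."""

    def __init__(self, dport, limit, window=1.0):
        self.dport, self.limit, self.window = dport, limit, window
        self.recent = defaultdict(deque)  # src -> arrival times inside the window
        self.blocked = set()

    def decide(self, p):
        if p.dport != self.dport:
            return "pass"  # not the service being metered
        if p.src in self.blocked:
            return "drop:rate-blocked"
        q = self.recent[p.src]
        q.append(p.t)
        while p.t - q[0] > self.window:
            q.popleft()
        if len(q) > self.limit:
            self.blocked.add(p.src)  # the offending source only
            return "drop:rate-exceeded"
        return "pass"


# Generic buffer-overflow heuristic: a run of x86 NOP bytes in the payload
# (constructed signature for illustration, not any product's rule).
NOP_SLED = b"\x90" * 32


class ContentInspector:
    """Content-based engine: protocol anomaly, payload signature and port-scan
    behaviour; once a source is identified as a scanner all its later traffic is dropped."""

    def __init__(self, scan_ports=10, window=5.0):
        self.scan_ports, self.window = scan_ports, window
        self.syns = defaultdict(deque)  # src -> (time, dport) of recent SYNs
        self.blocked = set()

    def decide(self, p):
        if p.src in self.blocked:
            return "drop:scanner"
        if p.proto == "tcp" and {"SYN", "FIN"} <= p.flags:
            return "drop:anomaly-syn-fin"  # never legal in RFC-compliant TCP
        if NOP_SLED in p.payload:
            return "drop:signature-nop-sled"
        if p.proto == "tcp" and "SYN" in p.flags:
            q = self.syns[p.src]
            q.append((p.t, p.dport))
            while p.t - q[0][0] > self.window:
                q.popleft()
            if len({port for _, port in q}) >= self.scan_ports:
                self.blocked.add(p.src)
                return "drop:portscan"
        return "pass"


def run_ips(packets, limiter, inspector):
    """In-line: a packet passes only if neither engine has a reason to drop it."""
    verdicts = []
    for p in packets:
        v = limiter.decide(p)
        if v == "pass":
            v = inspector.decide(p)
        verdicts.append(v)
    return verdicts


def sample_stream():
    """Constructed traffic: a legitimate DNS client, a DNS flooder, a port scanner,
    and one host sending an anomalous packet, an exploit-like payload and a normal request."""
    pk = [Packet(0.1 + i * 0.2, "10.0.0.20", "10.0.0.53", "udp", 53) for i in range(5)]
    pk += [Packet(i / 1200, "203.0.113.9", "10.0.0.53", "udp", 53) for i in range(1200)]
    pk += [Packet(2.0 + i * 0.1, "198.51.100.7", "10.0.0.80", "tcp", port, frozenset({"SYN"}))
           for i, port in enumerate(range(20, 32))]
    pk.append(Packet(3.5, "198.51.100.7", "10.0.0.80", "tcp", 80, frozenset({"SYN"})))
    pk.append(Packet(4.0, "192.0.2.5", "10.0.0.80", "tcp", 80, frozenset({"SYN", "FIN"})))
    pk.append(Packet(4.1, "192.0.2.5", "10.0.0.80", "tcp", 80, frozenset({"ACK", "PSH"}),
                     b"GET /" + NOP_SLED + b"\xcc HTTP/1.0\r\n\r\n"))
    pk.append(Packet(4.2, "192.0.2.5", "10.0.0.80", "tcp", 80, frozenset({"ACK", "PSH"}),
                     b"GET /index.html HTTP/1.0\r\n\r\n"))
    return sorted(pk, key=lambda p: p.t)


if __name__ == "__main__":
    stream = sample_stream()
    verdicts = run_ips(stream, RateLimiter(dport=53, limit=1000), ContentInspector())
    for verdict in sorted(set(verdicts)):
        print(f"{verdict:26s} {verdicts.count(verdict)}")
```

The flooder 203.0.113.9 is cut off after its 1000th query within the second, while the client 10.0.0.20, which uses the same service, is never touched: that is the per-source blocking the text describes. The scanner 198.51.100.7 passes nine probes and is then blocked for good once it has touched ten distinct ports. Both engines default to "pass", the IPS semantics the text contrasts with a firewall's default-deny, so a packet that matches nothing goes through.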

Considering the vast range of IT security issues, from classic firewalls, content filtering, virus detection, VPN gateways, vulnerability assessment and authentication to IDS, the amount of supposedly security-relevant information is enormous. Assuming the further development of combined attacks such as "W32.Blaster.Worm", which will eventually become orchestrated, the need for cooperation between vendors, manifesting itself in common APIs allowing centralized management and correlation, will become vital.

Summary

Hacking attacks, be they from inside a given network by a disgruntled employee or by a hacker via an Internet connection, are facts of the IT world. The same applies to DoS and especially DDoS attacks, which in their latest form even combine delivery methods from other known cyber attacks such as worms. The trend manifested in various surveys indicates that these attacks are more likely to increase than to diminish.

IDS/IPS are not intended to substitute or compensate for the lack of a suitable IT security management structure, nor can they compensate for the flawed integration of other IT security necessities, such as faulty key management or a lack of user awareness of IT security issues.

Intrusion Detection Systems can be seen as an additional second line of defence, complementing traditional perimeter security controls for defending a network from attack. With increased "deperimeterisation" it is becoming more difficult to apply security access controls. Intrusion Detection Systems can be used to raise the alarm for attacks within a network but provide little or no mechanism for actively acting on an attack in progress. Intrusion Prevention Systems provide a mechanism for acting on attacks under way by combining IDS and firewall technology.

Only if all IT security components are professionally maintained, frequently re-evaluated, manageable and flexible enough to be adapted to future changing needs may one assume to be on the right path, as IT security still is, and probably always will be, a route to follow rather than a destination to be reached.

References

Allen J, Christie A, Fithen W, McHugh J, Pickel J, Stoner E. State of the practice of intrusion detection technologies. Carnegie Mellon University Technical Report CMU/SEI-99-TR-028; 2000.
CSI/FBI annual computer crime and security survey. Computer Security Institute, <http://www.gocsi.com>.

Andreas Fuchsberger is a lecturer in the Information Security Group (ISG) at Royal Holloway, University of London, where he lectures in the areas of computer and network security and, from the new academic year, a new course on software security. He has over 18 years of experience in teaching and running training classes in IT security architecture, design and programming. He has published articles on programming and network security, intrusion detection/prevention and vulnerability analysis. He rejoined the ISG in 2003 after working for a number of IT security product manufacturers in Europe and the US. Andreas holds MBCS CITP and CISSP credentials. He is a Chartered Engineer (CEng) of the Engineering Council UK and a registered European Engineer (Eur.Ing).
