Session 28 IDS

The document provides an overview of Intrusion Detection Systems (IDS), detailing their purpose, types, components, and deployment strategies. It explains the differences between network-based and host-based IDS, as well as the advantages and disadvantages of using IDS in security plans. Additionally, it addresses challenges such as false positives and negatives, and emphasizes the importance of IDS in detecting unauthorized access and enhancing network security.

Uploaded by vivektamondyagu

Department of CSE-H

COURSE NAME: NETWORK & INFRASTRUCTURE SECURITY
COURSE CODE: 22CS2234F/22CSB3202

Topic: INTRUSION DETECTION SYSTEM

Session - 28

CREATED BY K. VICTOR BABU


AIM OF THE SESSION

To familiarize students with the basic concepts of intrusion detection systems

INSTRUCTIONAL OBJECTIVES

This Session is designed to:

1. Describe the intrusion detection system

LEARNING OUTCOMES

At the end of this session, you should be able to describe an intrusion detection system, its types, its components, and where it is deployed


Introduction to IDS

 Intrusion Detection Systems do exactly what the name suggests: they detect possible intrusions.

 An Intrusion Detection System (IDS) is a hardware or software product that gathers and analyzes
information from various areas within a computer or a network for the purpose of finding, and
providing real-time or near-real-time warning of, attempts to access system resources in an
unauthorized manner.

 An IDS is a passive monitoring device: it detects potential threats and generates alerts, but does
not take any corrective action on its own.

 The alerts raised by the IDS have to be attended to by an operator.

 An IDS can be connected in line with the network traffic, but it is recommended to feed it a copy
of the traffic through a SPAN (mirror) port or a network TAP, so that a failure or overload of the
sensor cannot interrupt the traffic it is watching.

 The IDS is connected behind (inside) the firewall, so that it sees only the traffic the firewall has
already allowed and is not flooded with alerts for connections the firewall blocked anyway.


Firewall, IDS and IPS deployment

The figure shows a typical deployment of the firewall, IDS and IPS: the IDS sits behind the firewall and receives a copy of the traffic from a SPAN port or TAP, while the IPS can additionally block the activity it identifies (see Comparison of IDS and IPS below).


Types of IDS
1. Network-Based IDS (NIDS) - monitors all traffic on a network segment
2. Host-Based IDS (HIDS) - monitors the traffic, logs and activity of a single host
3. Protocol-based Intrusion Detection System (PIDS):
 A system or agent that resides at the front end of a server, monitoring and interpreting
the protocol between a user/device and the server. A typical use is to protect a web server by
monitoring the HTTPS stream and inspecting the HTTP protocol it carries.
4. Application Protocol-based Intrusion Detection System (APIDS):
 A system or agent that generally resides within a group of servers. It identifies intrusions
by monitoring and interpreting the communication on application-specific protocols. For example,
it would monitor the SQL protocol between the middleware and the database behind the web server.
5. Based on the detection method, an IDS is classified as
 Heuristic / statistical (anomaly-based)
 Signature-based
 Hybrid: a combination of the above two


Composition of an IDS

 Traffic collector (or sensor / agent):
 On a host-based IDS, this could be log files, audit logs, or traffic coming to or leaving a
specific system.
 On a network-based IDS, this is typically a mechanism for copying traffic off the network
link, basically functioning as a sniffer.
 Analysis engine:
 This component examines the collected traffic or logs and compares it to the known
patterns of suspicious or malicious activity stored in the signature database (or, in an
anomaly-based IDS, to the learned baseline of normal behaviour).
 Signature / behaviour database:
 A collection of patterns and definitions of known suspicious or malicious activity and,
for anomaly detection, the baseline of normal behaviour.
 User interface and reporting:
 The interface with the human element, providing alerts when appropriate and giving
the operator a means to interact with and operate the IDS.
Anomaly Based vs. Signature Based IDS
• Signature Based
• An attack signature database is maintained
• Traffic is compared to the database
• If a match is found, an alert is sent
• Requires constant signature updates
• Will detect only known threats; an attack for which no signature exists yet is missed

• Anomaly / heuristic-based
• Detection is based on rules and algorithms that identify patterns of behavior
• Keeps track of patterns of traffic and information to obtain a baseline of normal activity
• If a deviation from the baseline is detected, the IDS assumes an attack
• Higher risk of false positives, since legitimate but unusual activity also deviates from the baseline
• Can identify zero-day attacks, because it does not depend on a signature being known in advance

• Therefore heuristic-based detection is often used in conjunction with signature-based
detection to provide a more comprehensive approach to threat detection
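The components listed under Composition of an IDS and the two detection methods compared above, put together in one small runnable pipeline. This is an added example written for this page, not code from the slides or from any IDS product: a collector parses constructed access-log lines, a signature engine matches a tiny signature database against the request path, and an anomaly engine flags any client whose request count deviates from a learned baseline. The sample log, the baseline counts, the signature names and the mean-plus-three-standard-deviations threshold are all assumptions made for the illustration.

```python
import re
import statistics
from collections import Counter
from dataclasses import dataclass

# Constructed sample input (not real traffic): one request per line,
# "client_ip method path status", as a traffic collector might hand over.
# Two hand-crafted attack requests from 203.0.113.4 and a burst of
# directory-scanning probes from 198.51.100.2 are mixed with normal browsing.
SAMPLE_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.5 GET /images/logo.png 200
10.0.0.7 GET /login 200
10.0.0.7 POST /login 302
203.0.113.4 GET /../../etc/passwd 404
203.0.113.4 GET /login?user=admin'%20OR%20'1'='1 500
198.51.100.2 GET /admin 404
198.51.100.2 GET /phpmyadmin 404
198.51.100.2 GET /wp-login.php 404
198.51.100.2 GET /.env 404
198.51.100.2 GET /backup.zip 404
198.51.100.2 GET /config.php 404
198.51.100.2 GET /.git/config 404
198.51.100.2 GET /server-status 404
"""

# Constructed historical baseline (assumption): requests per client observed
# in a normal time window, as an anomaly engine would have learned it.
BASELINE_REQUESTS_PER_CLIENT = [2, 3, 1, 2, 3, 2, 1, 2]

# Signature database: name -> pattern matched against the request path.
SIGNATURES = {
    "path_traversal": re.compile(r"\.\./"),
    "sensitive_file": re.compile(r"/etc/passwd"),
    "sql_injection": re.compile(r"'(%20|\s)+or(%20|\s)+'", re.IGNORECASE),
    "git_exposure": re.compile(r"/\.git/"),
}


@dataclass(frozen=True)
class Alert:
    engine: str      # "signature" or "anomaly"
    client: str
    reason: str
    evidence: str


def collect(log_text):
    """Traffic collector: turn raw log lines into records for the analysis engine."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, method, path, status = line.split()
        records.append({"client": client, "method": method,
                        "path": path, "status": int(status)})
    return records


def signature_engine(records):
    """Signature-based analysis: one alert per record per matching signature."""
    return [Alert("signature", rec["client"], name, rec["path"])
            for rec in records
            for name, pattern in SIGNATURES.items()
            if pattern.search(rec["path"])]


def anomaly_threshold(baseline, k=3.0):
    """Requests per client above mean + k standard deviations count as anomalous."""
    return statistics.mean(baseline) + k * statistics.stdev(baseline)


def anomaly_engine(records, baseline, k=3.0):
    """Anomaly-based analysis: flag clients whose request count exceeds the baseline."""
    threshold = anomaly_threshold(baseline, k)
    counts = Counter(rec["client"] for rec in records)
    return [Alert("anomaly", client, "request_rate_above_baseline",
                  f"{n} requests > threshold {threshold:.2f}")
            for client, n in sorted(counts.items()) if n > threshold]


def run_ids(log_text, baseline=BASELINE_REQUESTS_PER_CLIENT, k=3.0):
    """Hybrid IDS: collector, then both engines, returning the alerts to report."""
    records = collect(log_text)
    return signature_engine(records) + anomaly_engine(records, baseline, k)


def report(alerts):
    """Reporting component: one human-readable line per alert."""
    return [f"[{a.engine}] {a.client}: {a.reason} ({a.evidence})" for a in alerts]


if __name__ == "__main__":
    for line in report(run_ids(SAMPLE_LOG)):
        print(line)
```

Run stand-alone it prints one line per alert. Note what each engine catches: the signature engine names the exact attack on the requests it has patterns for, including just one of the scanner's probes, while only the anomaly engine sees the scanner as a whole; the same anomaly engine would also flag a legitimate but unusually busy client, which is the false-positive trade-off described above.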


Network-Based vs. Host-Based IDS

• Network-Based
• Monitors all traffic on a network segment from a single sensor
• One sensor covers many hosts, which makes it practical for monitoring systems that do not
warrant an agent of their own (non-critical systems)
• Sees only what crosses the wire: encrypted sessions and activity local to a host are invisible to it

• Host-Based
• IDS customized to a specific server
• Being closer to the host allows a greater chance of detection (logs, file changes, processes)
• Detects threats such as Trojans and backdoors being installed from within the network, which
a network sensor may never see


Comparison of IDS and IPS

• Passive (IDS)
• When an attack is detected, an alarm or alert is triggered
• No further action is performed by the IDS

• Reactive (IPS)
• The collector sends an alert
• Instructions are sent to the firewall and router to block the activity on the network

• In either case the response should be managed and assessed, regardless of the system being used:
an automated block triggered by a false positive denies service to legitimate users.


Challenges of IDS

False Negatives
• When an IDS fails to detect an attack.
• False negatives occur when the pattern of traffic is not identified in the signature database, such as new attack patterns.
• False negatives are deceptive because you usually have no way of knowing if and when they occurred.
• You are most likely to identify false negatives when an attack is successful and wasn't detected by the IDS.

False Positives
• Described as a false alarm.
• When an IDS mistakenly reports certain "normal" network activity as malicious.
• Administrators have to fine tune the signatures or heuristics in order to prevent this type of problem.
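An added worked example for the false-positive and false-negative discussion above, not part of the original slides: it counts the four outcomes for a constructed set of labelled events, derives the detection rate and false-positive rate from them, and then projects what fraction of alerts would be genuine when attacks are rare. The sample counts (10 attacks and 990 benign events, 9 attacks detected, 10 false alarms) are assumptions chosen for the illustration.

```python
# Constructed labelled events (not real alert data): 10 attacks of which 9 were
# alerted on, and 990 benign events of which 10 triggered a false alarm.
# Each entry is (is_attack, alerted).
SAMPLE_VERDICTS = (
    [(True, True)] * 9 + [(True, False)] * 1 +
    [(False, True)] * 10 + [(False, False)] * 980
)


def confusion(verdicts):
    """Count outcomes from (is_attack, alerted) pairs.

    tp = attack detected, fn = attack missed (false negative),
    fp = benign event alerted (false positive), tn = benign event ignored.
    """
    cm = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for is_attack, alerted in verdicts:
        if is_attack:
            cm["tp" if alerted else "fn"] += 1
        else:
            cm["fp" if alerted else "tn"] += 1
    return cm


def rates(cm):
    """Detection rate P(alert | attack) and false-positive rate P(alert | benign)."""
    detection_rate = cm["tp"] / (cm["tp"] + cm["fn"])
    false_positive_rate = cm["fp"] / (cm["fp"] + cm["tn"])
    return detection_rate, false_positive_rate


def alert_precision(prevalence, detection_rate, false_positive_rate):
    """P(attack | alert) by Bayes' rule: the share of alerts that are genuine
    when a fraction `prevalence` of all events are attacks."""
    true_alerts = prevalence * detection_rate
    false_alerts = (1.0 - prevalence) * false_positive_rate
    return true_alerts / (true_alerts + false_alerts)


if __name__ == "__main__":
    cm = confusion(SAMPLE_VERDICTS)
    d, f = rates(cm)
    print(cm, f"detection_rate={d:.3f} false_positive_rate={f:.4f}")
    for prevalence in (0.01, 0.001):
        print(f"attack prevalence {prevalence:.1%}: "
              f"{alert_precision(prevalence, d, f):.1%} of alerts are real")
```

With a 90% detection rate and a 1% false-positive rate, fewer than half of the alerts are real when 1% of events are attacks, and at one attack per thousand events fewer than one alert in ten is. This is why the signatures and heuristics have to be tuned: at realistic prevalence it is the false-positive rate, not the detection rate, that decides whether analysts can trust the alert queue, and a silent false negative is only discovered afterwards, as the slide says.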


Why are IDS important?

• The ability to know when an intruder or attacker is engaged in reconnaissance or other malicious
activity can mean the difference between being compromised and not being compromised.
• An IDS can alert the administrator to a successful compromise, allowing them the opportunity to
implement mitigating actions before further damage is caused.
• As corporations and other institutions are legally compelled to disclose data breaches and
compromises to their affected customers, a compromise can have profound effects upon a
company, in the way of bad press, loss of customer trust, and effects on its stock.


How does it fit into your security plan?

• As a network security expert you should know that you cannot rely on just one or a few tools to secure your
network. You need a defense in depth mindset and must layer your network defenses.
• Alongside inside and outside firewalls, DMZs, routers and switches, an IDS is a great addition
to your security plan.
• You can use it to identify vulnerabilities and weaknesses in your perimeter protection devices, such
as firewalls, switches and routers: traffic that reaches the IDS although the firewall rules or router access
control lists should have blocked it shows that those rules need to be verified regularly for compliance.
• You can use an IDS to detect violations of security policy, such as unauthorized Internet access, downloads of
executable files, use of file sharing programs like Kazaa, or instant messenger use.
• Logs from an IDS can become an important part of computer forensics and incident handling efforts.


Advantages & Disadvantages of IDS

Advantages
• Can detect external attackers as well as internal network-based attacks
• Scales easily to provide coverage for the entire network
• Offers centralized management for correlation of distributed attacks
• Provides defense in depth
• Gives administrators the ability to quantify attacks
• Provides an additional layer of protection; the events it generates can be fed to a SIEM in the SOC
Disadvantages
• Requires skilled staff dedicated to interpreting the data
• Requires a complex incident response process
• Cannot keep up at high network traffic rates (a sensor that drops packets also drops the attacks in them)
• Generates an enormous amount of data to be analyzed
• Cannot inspect encrypted network traffic unless the traffic is decrypted for it


SELF-ASSESSMENT QUESTIONS

1. What are the different ways to intrude?

(a) Buffer overflows
(b) Unexpected combinations and unhandled input
(c) Race conditions
(d) All of the mentioned

2. What are the different ways to classify an IDS?

(a) Zone based
(b) Host & Network based
(c) Network & Zone based
(d) Level based


TERMINAL QUESTIONS

1. Describe the intrusion detection system.
2. List out the pros and cons of IDS.
3. Explain Network-Based vs. Host-Based IDS.
4. Explain Passive vs. Reactive IDS.




THANK YOU

Team – NETWORK & INFRASTRUCTURE SECURITY


COURSE CODE:21CS3042RA
