Intrusion Detection System (IDS) and Its Detailed Working Function – SOC/SIEM

Detection Methods

An IDS can only detect an attack. It cannot prevent attacks. In contrast, an IPS prevents attacks by detecting them and stopping them before they reach the target.

An attack is an attempt to compromise confidentiality, integrity, or availability. The two primary methods of detection are signature-based and anomaly-based. Any type of IDS (HIDS or NIDS) can detect attacks based on signatures, anomalies, or both.

The HIDS monitors the network traffic reaching its NIC, and the NIDS monitors the traffic on the network.

Host Based intrusion detection system (HIDS)

A host-based intrusion detection system (HIDS) is additional software installed on a system such as a workstation or a server.

It provides protection to the individual host and can detect potential attacks and protect critical operating system files. The primary goal of any IDS is to monitor traffic.

The role of a host Intrusion Detection System is passive, only gathering, identifying, logging, and alerting. Examples of HIDS:

• OSSEC – Open Source Host-based Intrusion Detection System
• Tripwire
• AIDE – Advanced Intrusion Detection Environment
• Prelude Hybrid IDS

The primary goal of any IDS is to monitor traffic. For a HIDS, this traffic passes through the network interface card (NIC).Many host-based IDSs have expanded to monitor application activity on the system.

As one example, you can install a HIDS on different Internet-facing servers, such as web servers, mail servers, and database servers. In addition to monitoring the network traffic reaching the servers, the HIDS can also monitor the server applications.

It’s worth stressing that a HIDS can help detect malicious software (malware) that traditional anti-virus software might miss.

Because of this, many organizations install a HIDS on every workstation as an extra layer of protection, in addition to traditional anti-virus software. Just as the HIDS on a server is used primarily to monitor network traffic, a workstation HIDS is primarily used to monitor network traffic reaching the workstation.However,a HIDS can also monitor some applications and can protect local resources such as operating system files. In other organizations, administrators only install a HIDS when there’s a perceived need.

For example, if an administrator is concerned that a specific server with proprietary data is at increased risk of an attack, the administrator might choose to install a HIDS on this system as an extra layer of protection.

Each uncompleted session consumes resources on the server, and if the SYN flood attack continues, it can actually crash the server.

Some servers reserve a certain number of resources for connections, and once the attack consumes these resources, the system blocks additional connections. Instead of crashing the server, the attack prevents legitimate users from connecting to the server.

IDSs and IPSs can detect a SYN flood attack and respond to block the attack. Additionally, many firewalls include a flood guard that can detect SYN flood attacks and take steps to close the open sessions.

Network Based Intrusion Detection System (NIDS)

A network-based intrusion detection system (NIDS) monitors activity on the network. An administrator installs NIDSs sensors on network devices such as routers and firewalls.

These sensors gather information and report to a central monitoring server hosting a NIDS console.A NIDS is not able to detect anomalies on individual systems or workstations unless the anomaly causes a significant difference in network traffic.

Additionally, a NIDS is unable to decrypt encrypted traffic. In other words, it can only monitor and assess threats on the network from traffic sent in plaintext or nonencrypted traffic.

Important tools for NIDS

Examples of Network IDS:

SNORT

The decision on where you want to place the sensors depends on what you want to measure. For example, the sensor on the Internet side of the firewall will see all the traffic.

However, the sensor on the internal side of the firewall will only see traffic that passes through the firewall. In other words, the firewall will filter some attacks, and the internal sensor won’t see them.

If you want to see all attacks on your network, put a sensor on the Internet side. If you only want to see what gets through, put sensors internally only. If you want to see both, put sensors in both places.

Signature-Based Detection

Signature-based IDSs (also called definition-based) use a database of known vulnerabilities or known attack patterns. For example, tools are available for an attacker to launch a SYN flood attack on a server by simply entering the IP address of the system to attack.

The attack tool then floods the target system with synchronize (SYN) packets, but never completes the three-way Transmission Control Protocol (TCP) handshake with the final acknowledge (ACK) packet. If the attack isn’t blocked, it can consume resources on a system and ultimately cause it to crash.

If the attack isn’t blocked, it can consume resources on a system and ultimately cause it to crash.However, this is a known attack with a specific pattern of successive SYN packets from one IP to another IP.

The Intrusion Detection System can detect these patterns when the signature database includes the attack definitions. The process is very similar to what antivirus software uses to detect malware. You need to update both Intrusion Detection System signatures and antivirus definitions from the vendor on a regular basis to protect against current threats.

Anomaly-Based Detection

Anomaly-based (also called heuristic-based or behavior-based) detection first identifies normal operation or normal behavior. It does this by creating a performance baseline under normal operating conditions.

The IDS provides continuous monitoring by constantly comparing current network behavior against the baseline. When the Intrusion Detection System detects abnormal activity (outside normal boundaries as identified the baseline), it gives an alert indicating a potential attack.

Anomaly-based detection is similar to how heuristic-based antivirus software works. Although the internal methods are different, both examine activity and make decisions that are outside the scope of a signature or definition database.

This can be effective at discovering zero-day exploits. A zero-day vulnerability is usually defined as one that is unknown to the vendor. However, in some usage, administrators define a zero-

However, in some usage, administrators define a zero-day exploit as one where the vendor has not released a patch.

In other words, the vendor may know about the vulnerability but has not written, tested, and released a patch to close the vulnerability yet.In both cases, the vulnerability exists and systems are unprotected. If attackers discover the vulnerabilities, they try to exploit them. However, the attack has the potential to create abnormal traffic allowing an anomaly-based system to detect it.

Any time administrators make any significant changes to a system or network that cause the normal behavior to change, they should recreate the baseline. Otherwise, the IDS will constantly alert on what is now normal behavior.

Physical Intrusion Detection System

Physical intrusion detection is the act of identifying threats to physical systems. Physical intrusion detection is most often seen as physical controls put in place to ensure CIA. In many cases physical intrusion detection systems act as prevention systems as well. Examples of Physical intrusion detections are:

• Security Guards
• Security Cameras
• Access Control Systems (Card, Biometric)
• Firewalls
• Man Traps
• Motion Sensors

Wireless Detection

A wireless local area network (WLAN) IDS is similar to NIDS in that it can analyze network traffic. However, it will also analyze wireless-specific traffic, including scanning for external users trying to connect to access points (AP), rogue APs, users outside the physical area of the company, and WLAN IDSs built into APs.

As networks increasingly support wireless technologies at various points of a topology, WLAN IDS will play larger roles in security. Many previous NIDS tools will include enhancements to support wireless traffic analysis. Some forms of IDPS are more mature than others because they have been in use much longer. Network-based IDPS and some forms of host-based IDPS have been commercially available for over ten years.

Network behavior analysis software is a somewhat newer form of IDPS that evolved in part from products created primarily to detect DDoS attacks, and in part from products developed to monitor traffic flows on internal networks.

Wireless technologies are a relatively new type of IDPS, developed in response to the popularity of wireless local area networks (WLAN) and the growing threats against WLANs and WLAN clients.

False Positives Vs False Negatives

IDSs are susceptible to both false positives and false negatives. A false positive is an alert or alarm on an event that is non-threatening, benign, or harmless.

A false negative is when an attacker is actively attacking the network, but the system does not detect it. Neither is desirable, but it’s impossible to eliminate both. Most IDSs trigger an alert or alarm when an event exceeds a threshold. Consider the classic SYN flood attack, where the attacker withholds the third part of the TCP handshake. A host will send a SYN packet and a server will respond with a SYN/ACK packet.

Most IDSs trigger an alert or alarm when an event exceeds a threshold. Consider the classic SYN flood attack, where the attacker withholds the third part of the TCP handshake. A host will send a SYN packet and a server will respond with a SYN/ACK packet.

However, instead of completing the handshake with an ACK packet, the attacking host never sends the ACK, but continues to send more SYN packets. This leaves the server with open connections that can ultimately disrupt services.

If a system receives one SYN packet without the accompanying ACK packet, is it an attack? Probably not. This can happen during normal operations.

If a system receives over 1,000 SYN packets from a single IP address in less than 60 seconds, without the accompanying ACK packet, is it an attack? Absolutely.

With this in mind, administrators set the threshold to a number between 1 and 1,000 to indicate an attack. If administrators set it too low, they will have too many false positives and a high workload as they spend their time chasing ghosts. If they set the threshold too high, actual attacks will get

If they set the threshold too high, actual attacks will get through without administrators knowing about them.Most administrators want to know if their system is under attack. That’s the primary purpose of the IDS.

However, an IDS that constantly cries “Wolf!” will be ignored when the real wolf attacks.

It’s important to set the threshold low enough to reduce the number of false positives, but high enough to alert on any actual attacks.There is no perfect number for the threshold. Administrators adjust thresholds in different

Reporting

IDSs report on events of interest based on their settings. All events aren’t attacks or actual issues, but instead, they provide a report indicating an event might be an alert or an alarm. Administrators investigate to determine if it is valid.

Some systems consider an alarm and an alert as the same thing. Other systems use an alert for a potentially serious issue, and an alarm as a relatively minor issue. The goal in these latter systems is to encourage administrators to give a higher precedence to alarms than alerts.

The actual reporting mechanism varies from system to system and in different organizations. For example, one IDS might write the event into a log as an alarm or alert, and then send an email to an administrator account.

In a large network operations center (NOC), the IDS might send an alert to a monitor easily viewable by all personnel in the NOC.

Intrusion Detection System Responses

An IDS will respond after detecting an attack, and the response can be either passive or active.A passive response primarily consists of logging and notifying personnel, whereas an active response also changes the environment to block the attack:

Passive IDS.

A passive IDS logs the attack and may also raise an alert to notify someone. Most IDSs are passive by default. The notification can come in many forms, including an email, a text message, a pop-up window, or a notification on a central monitor.

Active IDS.

An active IDS logs and notifies personnel just as a passive IDS does, but it can also change the environment to thwart or block the attack. For example, it can modify access control lists (ACLs) on firewalls to block offending traffic, close processes on a system that were caused by the attack, or divert the attack to a safe environment, such as a honeypot or honeynet.

Sensor Placement for a Network IDS