Intrusion Detection System
1. Introduction
Intrusion detection is the act of detecting unwanted traffic on a network or a device. An Intrusion Detection System (IDS henceforth) can be a piece of installed software or a physical appliance that monitors network traffic in order to detect unwanted activity and events such as illegal and malicious traffic, traffic that violates security policy, and traffic that violates acceptable use policies. Many IDS tools will also store a detected event in a log to be reviewed at a later date, or will combine events with other data to make decisions regarding policies or damage control. [2] An Intrusion Detection System (IDS) is a device that attempts to detect intrusion into a computer or network by observation or audit. An Intrusion Prevention System (IPS) goes one step further and not only detects attacks but attempts to prevent them as well. The goal of intrusion detection is to monitor network assets to detect anomalous behavior and misuse. This concept has been around for nearly twenty years, but only recently has it seen a dramatic rise in popularity and incorporation into the overall information security infrastructure. Commercial development of intrusion detection technologies began in the early 1990s. Haystack Labs was the first commercial vendor of IDS tools, with its Stalker line of host-based products. Currently, market statistics show that IDS is among the top-selling security vendor technologies and should continue to rise. [6]
3.4 Types of Events
A NIDS can detect many types of events, from benign to malicious. Reconnaissance events alone are not dangerous, but can lead to dangerous attacks. Reconnaissance events can originate at the TCP layer, such as a port scan. Running services have open ports to allow legitimate connections. During a port scan, an attacker tries to open connections on every port of a server to determine which services are running. Reconnaissance attacks also include opening connections to known applications, such as Web servers, to gather information about the server's OS and version. NIDS can also detect attacks at the network, transport, or application layers. These attacks include malicious code that could be used for denial of service (DoS) attacks and for theft of information. Lastly, NIDS can be used to detect less dangerous but nonetheless unwanted traffic, such as unexpected services (i.e., backdoors) and policy violations. [6] [2]
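The port scan described above is the classic reconnaissance event a NIDS looks for. The following is an added example, not code from the report or from any IDS product: a minimal detector that counts how many distinct destination ports a host touched inside a sliding time window and alerts when that count reaches a threshold. The connection records are constructed for the example (the fields, the addresses and the timestamps are all assumptions standing in for what a sensor or flow log would provide). It goes slightly beyond the text in that the same counting can be keyed by the target instead of the source, which catches a scan that is spread across many source addresses.

```python
"""Added example (not from the report): a minimal sliding-window port-scan
detector over constructed connection records.

Each record is (timestamp_seconds, src, dst, dport).  The detector counts
the *distinct* destination ports seen for a key (the source address by
default) inside a time window and raises one alert per key when that count
reaches a tunable threshold.
"""
from collections import defaultdict, deque

# Constructed sample traffic (not captured data): one noisy scanner
# (10.0.0.5), one normal client (10.0.0.7) that reuses two services, and a
# distributed scan in which six sources probe one port each on 192.0.2.20.
SAMPLE_RECORDS = [
    # (ts, src, dst, dport)
    (0, "10.0.0.5", "192.0.2.10", 22),
    (1, "10.0.0.5", "192.0.2.10", 23),
    (2, "10.0.0.5", "192.0.2.10", 25),
    (3, "10.0.0.5", "192.0.2.10", 80),
    (4, "10.0.0.5", "192.0.2.10", 443),
    (5, "10.0.0.5", "192.0.2.10", 3306),
    (0, "10.0.0.7", "192.0.2.10", 80),
    (2, "10.0.0.7", "192.0.2.10", 443),
    (4, "10.0.0.7", "192.0.2.10", 80),
    (6, "10.0.0.7", "192.0.2.10", 80),
    (10, "198.51.100.1", "192.0.2.20", 21),
    (11, "198.51.100.2", "192.0.2.20", 22),
    (12, "198.51.100.3", "192.0.2.20", 23),
    (13, "198.51.100.4", "192.0.2.20", 25),
    (14, "198.51.100.5", "192.0.2.20", 80),
    (15, "198.51.100.6", "192.0.2.20", 110),
]


def detect_port_scans(records, *, group_by="src", threshold=5, window=10):
    """Return a list of (key, distinct_port_count, alert_timestamp).

    group_by:  "src" keys the count by source address (single-source scan);
               "dst" keys it by target, which also catches a scan spread
               over many sources.
    threshold: distinct ports within `window` seconds that count as a scan.
               Lower it for sensitivity, raise it to cut false positives.
    window:    sliding window length in seconds.
    """
    field = {"src": 1, "dst": 2}[group_by]
    recent = defaultdict(deque)  # key -> deque of (ts, dport) inside the window
    alerted = set()              # alert once per key, not once per packet
    alerts = []
    for rec in sorted(records, key=lambda r: r[0]):
        ts, dport, key = rec[0], rec[3], rec[field]
        q = recent[key]
        q.append((ts, dport))
        # Expire events that fell out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct_ports = {p for _, p in q}
        if len(distinct_ports) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((key, len(distinct_ports), ts))
    return alerts


if __name__ == "__main__":
    print("per-source:", detect_port_scans(SAMPLE_RECORDS))
    print("per-target:", detect_port_scans(SAMPLE_RECORDS, group_by="dst"))
```

Keyed by source, only 10.0.0.5 is reported; the six distributed probes each touch one port and stay below any sensible threshold. Keyed by target, 192.0.2.20 is reported as well. The two knobs show the tuning trade-off directly: raising `threshold` above the number of ports a scanner actually touches, or shrinking `window` so that a slowly timed scan never accumulates enough ports inside it, both silence the alert.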
4. Wireless
Because wireless technologies have become so popular, and because the nature of wireless communication blurs the borders between networks, special consideration is required. A wireless IDS is similar to a NIDS because the same types of network-based attacks can occur on wireless networks. However, because WLANs have other functionality and vulnerabilities, a WLAN IDS must monitor for network-based attacks as well as wireless-specific attacks. For WLANs, wireless sensors may be standalone devices that are used to monitor all wireless traffic without forwarding the traffic. Sensors may also be built into wireless APs to monitor traffic as it connects to the wired network. [1] The location of a WLAN sensor is important because its physical location affects what the sensor can monitor. A sensor should be able to monitor traffic from devices that can connect to the wireless network. This could involve having several sensors that extend past the normal field of operations. WLAN devices operate on one channel at a time, but can choose from several. Consequently, a WLAN sensor can listen on only one channel at a time. Sensors can listen to either one channel or to several channels by changing them periodically, as one would change channels on a television. Several sensors may be used to listen to several channels at once.
4.1 Components
A wireless IDS contains several components, such as sensors, management logging databases, and consoles, as does a NIDS. Wireless IDSs are unique in that they can be run centralized or decentralized. In centralized systems, the data is correlated at a central location and decisions and actions are made based on that data. In decentralized systems, decisions are made at the sensor.
7. IDS Management
7.1 Maintenance
IDS maintenance is required for all IDS technologies. Because threats and prevention technologies are always changing, patches, signatures, and configurations must be updated to ensure that the latest malicious traffic is being detected and prevented. Maintenance is usually performed from a console through a graphical user interface (GUI), an application, or a secure Web-based interface. From the console, administrators can monitor IDS components to ensure they are operational, verify they are working properly, and perform vulnerability assessments (VA) and updates.
7.2 Tuning
To be effective, an IDS must be tuned accurately. Tuning requires changing settings to be in compliance with the security policies and goals of the IDS administrator. Scanning techniques, thresholds, and focus can be tuned to ensure that an IDS is identifying relevant data without overloading the administrator with warnings or too many false positives. Tuning is time-consuming, but it must be performed to ensure an efficient IDS configuration. Note that tuning is specific to the IDS product.
8. IDS Challenges
It is important to remember that an IDS is only one of many tools in the security professional's arsenal against attacks and intrusions. As with any tool, all IDSs have their own limitations and challenges. Much depends on how they are deployed and used, but in general, an IDS should be integrated with other tools to comprehensively protect a system. Even more importantly, security should be planned and managed. Personnel must be trained to have healthy security habits and to be wary of social engineering. IDS technologies continue to evolve. As limitations are realized, new detection tools are being developed. Host Based Security Systems (HBSS) are also rising in popularity.
8.1 Attacks
8.1.1 Tools Used in Attacks
As the world becomes more connected to the cyber world, attackers and hackers are becoming increasingly sophisticated, especially in the use of automated tools to penetrate systems. At the same time, cybercriminals are becoming more organized and can engineer highly coordinated and intricate attacks. The following are general types of tools that attackers utilize:
Scanning Tools: These tools allow attackers to survey and analyze system characteristics. They can determine the OS used by network devices, and then identify vulnerabilities and potential network ports to use for an attack. Some tools can also perform slowly timed surveys of a target system in order not to trigger an IDS.
Remote Management Tools: Remote management tools are often used by systems administrators to manage a network by managing and controlling system devices from a remote location. However, the same tools can be used by attackers to similarly take control of target devices, sometimes covertly.
Additionally, attackers have been creating various types of malware to carry out attacks. Malware can include Trojan horses, rootkits, backdoors, spyware, keystroke loggers, and botnets.
8.1.2 Social Engineering
Despite the existence of sophisticated technical tools, social engineering remains one of the most effective methods of attack for infiltrating systems. The most carefully secured system in the world, using the latest technologies, can be broken when employees are tricked into revealing passwords and other sensitive information. Besides physically securing systems, security professionals must ensure that staff and personnel are trained to recognize social engineering techniques such as phishing attacks. Personnel should also develop safe habits such as locking computer screens when idle, being careful when discarding notes that contain sensitive information, and heeding warnings given by browsers when browsing Web sites. However, the problem is exacerbated when organizations using different networks must share potentially sensitive information. Trust between the organizations not to reveal one another's data can become a large issue.
8.2 Challenges in IDS
8.2.1 IDS Scalability in Large Networks
Many networks are large and can contain a heterogeneous collection of thousands of devices. Sub-components in a large network may communicate using different technologies and protocols. One challenge for IDS devices deployed over a large network is for IDS components to be able to communicate across sub-networks, sometimes through firewalls and gateways. On different parts of the network, network devices may use different data formats and different protocols for communication. The IDS must be able to recognize the different formats. The matter is further complicated if different trust relationships are being enforced within parts of the network. Finally, the IDS devices must be able to communicate across barriers between parts of the network. However, opening up lines of communication can create more vulnerability in network boundaries that attackers can exploit.
Another challenge in a large network is for the IDS to be able to effectively monitor traffic. NIDS components are scattered throughout a network, but if they are not placed strategically, many attacks can bypass NIDS sensors altogether by traversing alternate paths in the network. Moreover, although many IDS products on the market are updated to recognize the attack signatures of single attacks, they may fail to recognize attacks that use many attack sources.
8.2.2 Vulnerabilities in Operating Systems
Many common operating systems are simply not designed to operate securely. Thus, malware is often written to exploit discovered vulnerabilities in popular operating systems. Depending on the nature of the attack, if an operating system is compromised it can often be difficult for an IDS to recognize that the operating system is no longer legitimate. Moving forward, operating systems must be designed to better support security policies pertaining to authentication, access control, and encryption.
8.2.3 Limits in Network Intrusion Detection Systems
NIDS analyze traffic traversing network segments at the network layer. At that level, attacks can be observed that may be difficult to see when observing only at the application level. However, there may be traffic passing within the network that is not fully visible to the NIDS. This happens especially when secure encrypted tunnels and VPNs are deployed. Unless it knows how to decrypt and re-encrypt data, such traffic remains fully opaque to the NIDS. Secure sockets layer (SSL) traffic over hypertext transfer protocol secure (HTTPS) connections can be used by attackers to mask intrusions. Another limitation of NIDS manifests as bandwidth rates increase in a network. Especially when the amount of traffic also increases, it becomes a challenge for the NIDS to keep up with the rate of traffic and analyze data quickly and sufficiently. Finally, in a large network with many paths of communication, intrusions can bypass NIDS sensors.
8.2.4 Signature-Based Detection
A common strategy for an IDS in detecting intrusions is to memorize signatures of known attacks. The inherent weakness in relying on signatures is that the signature patterns must be known first. New attacks are often unrecognizable by popular IDSs. Signatures can be masked as well. The ongoing race between new attacks and detection systems has been a challenge.
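The remark that signatures can be masked is easiest to see with a small matcher. The following is an added example, not code from the report or from any IDS product: a literal regular-expression signature is applied to constructed HTTP request lines (the requests, the signature and the function names are all assumptions made for the example), first on the raw path and then after the path has been canonicalized. The same request, re-encoded or re-cased, slips past the raw match and is caught once the input is normalized, which is the defender's usual answer to this class of masking.

```python
"""Added example (not from the report): a literal signature is masked by
trivial re-encoding of the input, and input normalization closes that gap.

The request lines below are constructed for the example, not captured
traffic.  The signature is a simple directory-traversal pattern applied to
the request path; three of the requests are the same attempt written plain,
percent-encoded, and in a different letter case.
"""
import re
from urllib.parse import unquote

# Constructed HTTP request lines (not captured data).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /cgi-bin/../../etc/passwd HTTP/1.1",        # plain form
    "GET /cgi-bin/..%2F..%2Fetc%2Fpasswd HTTP/1.1",  # percent-encoded form
    "GET /CGI-BIN/../../ETC/PASSWD HTTP/1.1",        # case-varied form
    "GET /images/logo.png HTTP/1.1",
]

# Signature table: name -> compiled pattern applied to the request path.
SIGNATURES = {
    "dir-traversal-etc-passwd": re.compile(r"\.\./.*etc/passwd"),
}


def request_path(line):
    """Return the path of a request line, or None if the line is malformed."""
    parts = line.split()
    return parts[1] if len(parts) == 3 else None


def normalize_path(path):
    """Defender-side canonicalization before matching: percent-decode twice
    (so a double-encoded form also collapses) and lowercase, so that encoded
    or re-cased variants reduce to the form the signature was written for."""
    return unquote(unquote(path)).lower()


def match_signatures(requests, normalize=False):
    """Return a list of (request_index, signature_name) for every request
    whose path matches a signature, on raw or normalized input."""
    hits = []
    for i, line in enumerate(requests):
        path = request_path(line)
        if path is None:
            continue
        subject = normalize_path(path) if normalize else path
        for name, pattern in SIGNATURES.items():
            if pattern.search(subject):
                hits.append((i, name))
    return hits


if __name__ == "__main__":
    print("raw match:       ", match_signatures(SAMPLE_REQUESTS))
    print("normalized match:", match_signatures(SAMPLE_REQUESTS, normalize=True))
```

On the raw path only request 1 matches; with normalization, requests 1, 2 and 3 all match. Normalization is necessary but not sufficient: it only folds the encodings the defender anticipated, so a signature still needs to be written against the canonical form and reviewed when new encoding tricks appear.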
8.2.5 Challenges with Wireless Technologies
Wireless technologies are becoming increasingly ubiquitous in modern networks; however, this new technology comes with its own set of challenges. Wireless networks are inherently open and viewable by all network scanners. There are no physical barriers between data sent through the air. As such, it is relatively easy to intercept data packets in a wireless network.
One of the challenges with wireless is that the new technology comes with its own set of protocols for communication that break the traditional OSI layer model. The IDS must learn new communication patterns. Also, as open as wireless communication is, devices on such networks rely on established trust relationships between identified systems; however, if one system is already compromised before rejoining a network, it may be difficult for the IDS to detect intrusive activity from a trusted source.
8.2.6 Over-Reliance on IDS
IDSs themselves may be used improperly within an organization. In general, an IDS is an important tool for security administrators to detect intrusions and attacks on a system. It is even more important for administrators to properly secure the system in the first place. When administrators rely too heavily on an IDS to catch intrusions, they can focus on the symptoms of network vulnerabilities rather than fixing the root causes of the security issue. Over-reliance on IDS can become a problem especially when commercial IDS vendors overhype features in the race to sell products on the market. Sometimes claims about IDS capabilities are exaggerated and should be tested with skepticism. Administrators should thoroughly check IDS output and use competent judgment when analyzing reports. It is important to recognize that the IDS is only one tool in an administrator's arsenal for properly securing a network. Using an integrated approach to security, administrators should come up with an overall plan, properly lock down systems, and leverage multiple types of tools such as firewalls, vulnerability scanners, and more. [6]
9. IDS Tools
9.1 eEye Retina
9.1.1 Abstract
Retina Network Security Scanner provides vulnerability management and identifies known and zero day vulnerabilities, plus provides security risk assessment, enabling security best practices, policy enforcement, and regulatory audits.
9.1.2 Features
Network Security Scanner: Enables prioritized policy management, patch management, and vulnerability management
Network Vulnerability Assessment: Identifies network security vulnerabilities, missing application updates, and zero day threats
Network Discovery and Policy Assessment: Discovers all devices, operating systems, applications, patch levels, and policy configurations
Vulnerability Management: Enables prioritized policy management, patch management, and vulnerability assessment
Fast and Accurate Scans: Accurately scans a Class C network of devices, operating systems and applications in ~15 minutes.
Policy Compliance: Identifies and simplifies corporate and regulatory requirements. [5]
10. Conclusion
Intrusion detection and prevention systems are important parts of a well-rounded security infrastructure. IDSs are used in conjunction with other technologies (e.g., firewalls and routers), are part of procedures (e.g., log reviews), and help enforce policies. The IDS technologies (NIDS, LAN IDS, NBAD, and HIDS) are used together, correlating data from each device and making decisions based on what each type of IDS can monitor. Although IDSs should be used as part of defense in depth (DiD), they should not be used alone. Other techniques, procedures, and policies should be used to protect the network. IDSs have made significant improvements in the past decade, but some concerns still plague security administrators. These problems will continue to be addressed as IDS technologies improve. Government funding and corporate interest helped to develop the concept into a tangible technology that eventually found its way into the mainstream of network security. Intrusion detection has indeed come a long way, becoming a necessary means of monitoring, detecting, and responding to security threats. From theory to practice, and finally to commercially viable tools, IDS technology has gone through countless changes. Nonetheless, the use of intrusion detection as a means of deterring misuse has ultimately become commonplace. Moreover, IDS has become essential. Regardless of how intrusion detection technology evolves, one thing is for sure: it is now an important and integral component of information security.
11. References
1) http://en.wikipedia.org/wiki/Wireless_access_point [15/3/2012]
2) http://iac.dtic.mil/iatac/download/intrusion_detection.pdf [5/3/2012]
3) http://en.wikipedia.org/wiki/Network_Behavior_Anomaly_Detection [20/3/2012]
4) http://www.cs.georgetown.edu/~denning/infosec/ids-model.rtf [20/3/2012]
5) http://www.iss.net/securing_e-business/security_products/intrusion_detection/index.php [18/3/2012]
6) http://www.gslis.utexas.edu/~netsec/ids.html [19/3/2012]