Friday, September 18, 2015

What is an IDS or Intrusion Detection System and how does it work?



An Intrusion Detection System or IDS is a software application that monitors network or system activities and reports to management in a timely manner. An IDS monitors both inbound and outbound activities for possible intrusions.


Different types of Intrusion Detection Systems



An IDS can be of two types:

  • Network Intrusion Detection Systems
  • Host Intrusion Detection Systems

What are Network Intrusion Detection Systems?


Network Intrusion Detection Systems or NIDS are placed at certain points within the network, so that they can monitor all the traffic to and from all the devices on the network. A NIDS maintains a library of known attacks and continuously analyses the passing inbound and outbound traffic. If any traffic matches an entry in the library of known attacks, or any abnormal behaviour is sensed, an alert is sent to the administrator. Sometimes a NIDS is placed in the subnet near the firewall, to detect whether anyone is trying to break through the firewall. A NIDS can also compare the signatures of similar packets and detect harmful packets matching any recorded signature.


What are Host Intrusion Detection Systems?


Unlike a NIDS, Host Intrusion Detection Systems or HIDS monitor individual hosts or devices on the network. A HIDS inspects all the inbound and outbound packets of the device and alerts the administrator on suspicious activities. It takes snapshots of system files at certain intervals and compares them to see if any critical file was modified or deleted, alerting the administrator when required.



How is an IDS different from a firewall?


A firewall monitors all outbound traffic to a network and detects possible attacks. It cannot detect malicious activities that originate within the network. An IDS, on the other hand, monitors both the inbound and outbound traffic of the network to detect intrusions. It can even detect malicious activities generated from inside the system.



How does an IDS detect intrusions?


An IDS can detect intrusions by monitoring network traffic and comparing it against an established baseline. The baseline comprises the bandwidth, protocols, ports and devices used in the network. The IDS alerts the administrator whenever traffic is detected that differs significantly from the baseline.

An IDS can also examine the signatures of all inbound and outbound network traffic and compare them against a database of signatures of known malicious threats. If a new threat goes undetected, the database of signatures is updated so that the threat can be detected in future.
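To make the two approaches above concrete, here is a small added example (not code from the original post or from any real product) that applies both a signature check and a baseline check to a batch of flow records. The flows, the signature patterns and the baseline values are all constructed for illustration.

```python
# Added toy IDS: signature-based and baseline (anomaly) detection over constructed flows.
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport bytes payload")

# Constructed "known attack" signatures: byte patterns looked for in a payload.
SIGNATURES = {
    "sig-001": b"/etc/passwd",
    "sig-002": b"' OR 1=1",
}

# Constructed baseline of what is normal on this network.
BASELINE = {
    "protocols": {"tcp", "udp"},
    "ports": {53, 80, 443},
    "max_bytes": 50_000,   # largest flow normally seen
}

def signature_alerts(flow, signatures=SIGNATURES):
    """Signature-based check: report every known pattern found in the payload."""
    return [sid for sid, pat in signatures.items() if pat in flow.payload]

def anomaly_alerts(flow, baseline=BASELINE):
    """Baseline check: report each way the flow deviates from the baseline."""
    alerts = []
    if flow.proto not in baseline["protocols"]:
        alerts.append(f"unexpected protocol {flow.proto}")
    if flow.dport not in baseline["ports"]:
        alerts.append(f"unexpected port {flow.dport}")
    if flow.bytes > baseline["max_bytes"]:
        alerts.append(f"volume {flow.bytes} exceeds baseline")
    return alerts

def inspect(flows):
    """Run both checks over a batch of flows; return {flow index: alert list}."""
    findings = {}
    for i, f in enumerate(flows):
        alerts = [f"signature {s}" for s in signature_alerts(f)] + anomaly_alerts(f)
        if alerts:
            findings[i] = alerts
    return findings

# Constructed sample traffic: one benign flow, one signature hit, one anomaly.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.1", "tcp", 443, 1200, b"GET /index.html"),
    Flow("10.0.0.7", "10.0.0.1", "tcp", 80, 900, b"GET /../../etc/passwd"),
    Flow("10.0.0.9", "198.51.100.4", "udp", 6667, 120_000, b"NICK bot"),
]
```

Note that the signature check only sees plaintext payloads, which is exactly the encrypted-traffic limitation listed further down, while the baseline check still fires on an unusual port or volume even when the payload is opaque.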



Limitations of IDS


There are a couple of limitations of an IDS. Just to name a few:


  • An IDS' effectiveness can be limited by noise, such as software bugs and corrupt DNS data, which create false alarms.
  • An outdated database of signatures can make the IDS significantly vulnerable.
  • In the time lag between the detection of a new threat and the update of the signature database, the IDS is vulnerable to the new threat.
  • If an intruder breaks the authentication mechanism, the IDS cannot detect that attack.
  • Encrypted packets are not processed by an IDS, so they can remain undetected and pose a threat.
