Post

NetworkSec - Advanced SecDevices - IDSs

Posted Updated
By Grace L
1 min read

[toc]

Intrusion detection system (IDS)

IDS basic

  • software / hardware system
  • detect signs of malicious activity on network or individual computer.

IDS is designed to detect:

  • threats:
    • Masquerader 化装跳舞者: falsely using the identity/credentials of a legitimate user to gain access to computer system/network.
    • Misfeasor违法行为者: legitimate user who performs actions he is not authorized to do
    • Clandestine 暗中地 user: user who tries to block/cover up his actions by deleting audit/system logs.
  • automated attacks and threats:
    • port scans: information gathering, intended to determine which ports on a host are open for TCP connections
    • Denial-of-service attacks: network attacks meant to overwhelm a host and shut out legitimate accesses
    • Malware attacks: replicating malicious software attacks, like Trojan horses, computer worms, viruses, etc.
    • ARP spoofing: redirect IP traffic in a local-area network
    • DNS cache poisoning: a pharming attack, changing a host’s DNS cache to create a falsified domain-name/IP-address association.

IDS components

  • The functions of an IDS
    • IDS sensors:
      • collect real-time data about the functioning of network components and computers
    • IDS manager:
      • receives reports from sensors.
      • compiles data from the IDS sensors to determine if an intrusion has occurred.
      • This determination is usually based on a set of site policies & rules and statistical conditions that define probable intrusions.
      • If detects an intrusion, it sounds an alarm to system administrators  pic

Network-Based and Host-Based Solutions

Network & Host IDS/IPS

NIDS – Network Intrusion Detection System

  • Using a network tap, span port, or hub collects packets on the network
  • Attempts to identify unauthorized, illicit, and anomalous behavior based on network traffic
  • Methods:
    • signature file comparisons,
    • anomaly detection,
    • stateful protocol analysis
  • Using the captured data, the IDS system processes and flags any suspicious traffic

HIDS – Host Intrusion Detection System

  • Generally involves an agent installed on each system, monitoring and alerting on local OS and application activity
  • Attempts to identify unauthorized, illicit, and anomalous behavior on a specific device/OS
  • The installed agent uses a combination of signatures, rules, and heuristics to identify unauthorized activity

.

15NetworkSec, AdvancedDev
NetworkSec
This post is licensed under CC BY 4.0 by the author.

Comments powered by Disqus.