The intrusion detection and intrusion prevention systems at a glance

The best way to protect a single computer or a network is to detect and block attacks before they can cause any damage. To do this, many rely on intrusion detection systems (IDS) or the more versatile intrusion prevention systems (IPS). This guide explains what these similar security components are and exactly how they work.

An intrusion detection system (IDS) is used to detect attacks on computer systems or networks early on. The necessary IDS software can be installed either on the system that you want to monitor or on a separate device. Many providers sell relatively inexpensive pre-configured IDS software. Intrusion detection systems monitor and analyze all network activity in order to detect unusual traffic and inform the user of any unusual activity. This gives you the opportunity to react to the intruder’s access attempts and prevent the attack. There is a difference between host-based and network-based attack detection methods.

Host-based intrusion detection systems

The first host-based IDSs were used as early on as the 80s in order to protect centralized computer structures. The detection system was simply installed on the central computer over which various connected terminals ran. It monitored data traffic on this host by scanning log files, core data, and other system data. As terminals developed into separate independent workstations with their own computing power, the host-based technology then needed to be adapted. In order to check the individual, now independently functioning systems, special modules (also called monitoring agents) were installed on them. These filtered the data traffic or the relevant audit data and forwarded the results to the central server, which in turn was responsible for detecting the attack. Due to the conceptual design, these are also known as distributed intrusion detection systems.

Network-based intrusion detection systems

The increased networking of local networks online meant that IDS technology had to be further developed. On the one hand, the host-based approach wasn’t suitable for the internet’s flexible and complex data flow. On the other hand, attacks no longer required physical proximity to the target system, but could be executed instead from remote clients across the network. Since unauthorized access from the internet inevitably takes place via the TCP/IP or UDP protocol, the network-based systems no longer check the audit data, but rather the IP packet, which is why they are closely linked to the firewall being used. However, this also provided a central monitoring unit, which wasn’t restricted to protecting just a single system, but was rather able to survey the entire network’s data traffic.

Today’s intrusion detection systems usually combine both approaches thereby ensuring an even higher attack detection rate. These hybrid systems are characterized by a central management system, which is provided with the appropriate information by both network-based and host-based software. Three elementary components are involved in the detection process:

Data monitoring

The data monitor has the task of collecting and pre-filtering all the relevant data that’s needed to expose intruders. This consists of the audit data that has already been mentioned such as the computer system’s log files, security applications, as well as system information such as CPU load, the number of active network connections, and the number of repeated log-in attempts. In addition, the data monitor in the hybrid intrusion detection system also uses information about the TCP/IP connections such as the source and destination addresses, and other properties of the data packets sent and received by the network-based IDS sensor.

Analysis

The data monitor sends the collected and pre-filtered data to the so-called analyzer. The latter has to process and analyze the information it receives in real time – otherwise attacks wouldn’t be able to be prevented. The analysis process consequently places relatively high demands on the underlying hardware (CPU and memory). Especially in large company networks the appropriate scaling of this IDS component is one of the most complicated and important tasks, ensuring the functionality of the intrusion detection system. An analyzer can use two different methods to evaluate the data:

• When it comes to misuse detection, the analyzer attempts to detect known attack patterns (signatures) in the data obtained. These are stored in a separate database, which is regularly updated. For each signature, the database entries also provide information on the severity of the attack. While known attack patterns can be unambiguously recognized and analyzed in this way, an access pattern that’s not stored in the signature database remains hidden from this tracking method.

• Anomaly detection is based on a different principle: this analysis method assumes that unauthorized access causes abnormal system behavior und differs from the pre-defined standard values. For example, the analyzer can be configured to alert the user if the CPU load or the page access rate exceeds a certain value (static approach). Alternatively, the analyzer can also incorporate the sequence of events into the analysis (logical approach). Anomaly detection means that new and unknown attacks can be detected, but sometimes the active detection mode can be too sensitive and alert the user to attacks even when they aren’t caused by an intruder.

Results report

For the last step, the intrusion detection system informs the network administrator if an attack or suspicious system behavior has been detected. Depending on how dangerous this can potentially be, dictates the way in which the user is informed. The defense system can:

• Send an e-mail explaining the nature of the attack

• Trigger a local alert such as a pop-up window in the security console

• Send an alert message to a mobile device

If an anomaly is detected, the degree of danger is calculated depending on much the anomaly deviates from the normal respective value. This is different to the misuse detection method, which obtains a classification recommendation from the signature database.

Intrusion detection systems can detect attacks that are hidden from an ordinary firewall using an array of versatile technology. They analyze data packets up to the highest layer  the OSI model and also monitor the individual executed applications in a precise, targeted manner. Systems with anomaly detection are also able to discover novel and flexible attack patterns thanks to their approach, which then increases the network’s security. However, you shouldn’t make the mistake of seeing an IDS as a firewall replacement because only a combination of both security components ensures adequate protection.

However, since intrusion detection systems are active components of a network, they themselves are potential attack targets, especially when the intruder knows they exist. Because of its vulnerability to DoS attacks (i.e. targeted overloading), it can frequently turn off the IDS software within a very short time. In addition, the attacker can also take advantage of the automatic notification function of the attack detection systems and then start DoS attacks from the IDS. Anomaly detection can provide a large weak area if there are any incorrect configurations. If the settings are very sensitive, the number of alert messages is relatively high even when there aren’t any unauthorized access attempts.

In any case, you need to weigh up the cost and effort. How much you will use this security system, since you not only need the IDS software, but also the appropriate hardware environment? And even though there are powerful open source solutions like the network-based Snort, the host-based Samhain, and  the hybrid Suricata, you still need the correct installation, setup, and maintenance.

Intrusion prevention systems (IPS), as the name suggests, go one step further than intrusion detection systems: once they have identified a potential attack, they not only notify the administrator, but immediately initiate appropriate countermeasures. In this way, they avoid the excessively long time between detecting and getting rid of an intruder, which can be the case with IDS programs. With respect to the analytical methods being used, however, there is in principle no difference between the two network protection mechanisms. Today’s IPS, like a IDS, relies on host-based and network-based sensors in order to register and analyze system data and network packets.

An intrusion prevention system should, as a rule, be configured very specifically in order to prevent any ordinary user action from being classed as dangerous and being blocked due to anomaly detection. By being individually configured, it means you can implement both intrusion prevention systems as well as intrusion detection systems with many programs. In principle, you can choose between active blocking and pure monitoring, such as the aforementioned open source applications, Snort and Suricata. Therefore, a system combining both approaches, or the use of two separate systems is possible. For the latter variant, filtering and blocking can, therefore, be split between different hardware environments.

The range of IPS software that are used can vary greatly, just like this example of the two free programs, DenyHosts and Snort, shows.

Using the DenyHosts tool written in Python, you can set up a host-based intrusion prevention system for your SSH/SSHD connection that recognises brute force attacks and prevents them from happening. For this purpose, the open source application verifies the entries in the authentication log for any new, failed SSH log-in attempts. If the number of failed attempts from a single IP address exceeds the number you’ve previously defined, DenyHosts blocks this IP and adds it to a black list. This prevents the attacker from attempting to log in again from this address.

The only usage requirements are a Linux operating system as well as the script language, Python including the module ipaddr, which is included in most distributions by default. You can find the latest versions of the IPS tool in the official DenyHost GitHub repository. A possible alternative is the very similar security application, Fail2ban.

Programmer Martin Roesch published the security tool, Snort, as early on as 1998, but it was originally only in a Unix version. Since 2013, Cisco Systems has been responsible for the further development of the GPL license, as well as the program (which is now cross-platform). The US company offers a variety of commercial subscription models for the free tool, which provides individuals and businesses with faster policy updates and additional user support. Snort provides the necessary features to create powerful network-based intrusion prevention systems. However, you can also configure the software so that it only monitors the respective components and therefore serves as the basis for an intrusion detection system.

Snort checks the network traffic in real-time and uses the misuse detection engine, BASE, for the analysis. It compares the incoming and outgoing data packets with signature entries, which are named in Snort rules. Cisco Systems regularly supplement this set of rules with newly discovered attack patterns, whereby the paying customers receive updates faster – within the framework of the aforementioned subscription models. However, you can also define your own rules to improve the tracking capabilities of your Snort system. For more information on Snort’s free or commercial use, you can visit the Snort website.