"Early detection of an intrusion is the key."
Intrusion detection systems do exactly what the name implies: they
detect possible intrusions. More specifically, IDS tools aim to detect
computer attacks and/or computer misuse and to alert the proper
individuals upon detection.
An IDS provides much of the same
functionality as a burglar alarm installed in a house. That is, both
the IDS and the burglar alarm use various methods to detect when an
intruder/burglar is present, and both subsequently issue some type of
warning or alert.
Common implementations of IDS analyze system or network activity for
particular patterns or signatures that may indicate an attack. The
main assumption behind IDS functionality is that intrusive behavior is,
to a certain extent, different from the behavior of normal system or
network activity. Identifying these differences reliably is the
nontrivial part: draw the line too loosely and the IDS floods operators
with false positives, draw it too tightly and real attacks slip past as
false negatives.
There are many approaches used to implement IDS, and an in-depth look at
these approaches is presented in later sections. However, the majority
of IDS contain the following three components:
- Information Source
- Analysis Engine
- Response/Alert
All IDS need an information source to monitor for intrusive behavior.
The information source can include network traffic (packets), host
resources (CPU usage, I/O operations, and log files), user activity,
file activity, etc. The information can be provided in real time or
in a delayed manner (for example, by periodically reading log files).
The Analysis Engine is the “brains” of the IDS. This is the actual
functionality used to identify intrusive behavior. As mentioned
previously, there are many ways in which an IDS can analyze activity
for intrusive behavior, and most IDS implementations differ primarily
in their method of intrusion analysis.
Once intrusive behavior is identified, the IDS needs to be able to
respond to the attack and alert the appropriate individuals of the
occurrence. Response activities can include applying firewall rules to
drop traffic from a particular source IP, blocking a host port, logging
off a user, disabling an account, activating other security software,
shutting the system down, etc. Automated responses should be chosen
with care, since a response triggered by a false positive (or by traffic
an attacker deliberately crafted to look like an attack from someone
else's address) can cut off legitimate users.
Alerting measures are used to bring the attack to the attention of the
proper individuals supporting the environment. An IDS alert can be an
active measure, such as sending an email or a text message to the
system administrator, or a passive measure, such as simply writing a
detailed log record of the event for later review.
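The three components just described, assembled into one small working IDS, as an added example (this is illustrative code, not code from the original article): the information source is a block of constructed host log lines, the analysis engine combines signature rules with a failed-login threshold, and the response stage applies a passive measure (record the alert) to everything and an active measure (add the source to a block list) only to high-severity alerts. The log lines, IP addresses, rule names, severities and the threshold of 5 are all assumptions made up for the example.

```python
"""Minimal signature-plus-threshold IDS with the three components
described above: information source, analysis engine, response/alert.
Added example; not code from the original page. All log lines are
constructed for illustration."""
import re
from collections import defaultdict
from dataclasses import dataclass

# --- 1. Information source: constructed host log lines (not real traffic) ---
SAMPLE_LOG = """\
2024-01-01T10:00:01 sshd: Failed password for root from 203.0.113.5 port 51001
2024-01-01T10:00:02 sshd: Failed password for root from 203.0.113.5 port 51002
2024-01-01T10:00:03 sshd: Failed password for admin from 203.0.113.5 port 51003
2024-01-01T10:00:04 sshd: Failed password for root from 203.0.113.5 port 51004
2024-01-01T10:00:05 sshd: Failed password for root from 203.0.113.5 port 51005
2024-01-01T10:00:06 sshd: Accepted password for alice from 198.51.100.7 port 40001
2024-01-01T10:00:07 httpd: GET /index.html from 198.51.100.7
2024-01-01T10:00:08 httpd: GET /cgi-bin/../../../../etc/passwd from 198.51.100.9
2024-01-01T10:00:09 sshd: Failed password for bob from 198.51.100.7 port 40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\w+): (?P<msg>.*) from (?P<ip>[\d.]+)(?: port \d+)?$"
)

def parse_events(text):
    """Turn raw log text into structured events: timestamp, program, message, IP."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

# --- 2. Analysis engine ---
# (a) Signature rules: patterns that by themselves indicate misuse.
#     (rule name, pattern, severity) -- names and severities are assumptions.
SIGNATURES = [
    ("directory-traversal", re.compile(r"\.\./"), "high"),
    ("passwd-file-access", re.compile(r"/etc/passwd"), "high"),
    ("admin-login-attempt", re.compile(r"for admin$"), "low"),
]
# (b) Threshold rule: normal users rarely fail this many logins from one address.
FAILED_LOGIN_THRESHOLD = 5  # assumed value

@dataclass(frozen=True)
class Alert:
    rule: str
    ip: str
    severity: str
    detail: str

def analyze(events):
    """Run every event through the signatures and the failed-login counter."""
    alerts = []
    failures = defaultdict(int)
    for ev in events:
        for name, pattern, severity in SIGNATURES:
            if pattern.search(ev["msg"]):
                alerts.append(Alert(name, ev["ip"], severity, ev["msg"]))
        if ev["src"] == "sshd" and ev["msg"].startswith("Failed password"):
            failures[ev["ip"]] += 1
            # Fire once, exactly when the threshold is crossed.
            if failures[ev["ip"]] == FAILED_LOGIN_THRESHOLD:
                alerts.append(Alert("ssh-brute-force", ev["ip"], "high",
                                    f"{FAILED_LOGIN_THRESHOLD} failed logins"))
    return alerts

# --- 3. Response/alert ---
def respond(alerts):
    """Passive measure: record every alert. Active measure: block high-severity sources."""
    alert_log = []
    blocked = set()
    for a in alerts:
        alert_log.append(f"[{a.severity}] {a.rule} from {a.ip}: {a.detail}")
        if a.severity == "high":
            blocked.add(a.ip)  # a real deployment would push a firewall rule here
    return alert_log, blocked

def run_ids(text):
    """Wire the three components together and return (alert log, blocked IPs)."""
    return respond(analyze(parse_events(text)))

if __name__ == "__main__":
    log, blocked = run_ids(SAMPLE_LOG)
    print("\n".join(log))
    print("blocked:", sorted(blocked))
```

Note that the low-severity signature only produces a log record, while the traversal attempt and the brute-force source are both blocked; the single failed login from 198.51.100.7 stays below the threshold and produces nothing, which is exactly the "normal activity looks different from intrusive activity" assumption at work.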