The growing interconnection of local area networks with the Internet required the IDS technique to be developed further. First, the host-based approach was not suited to the flexible and complex data flows of the Internet. Second, attacks no longer had to be launched from physically close to the target system; they could be carried out by very distant clients spread across the network. Since unauthorized access from the Web necessarily takes place over TCP/IP or UDP (User Datagram Protocol), network-based systems no longer examine audit data but IP packets, which is why they were closely tied to the firewall in use. At the same time, they formed a central monitoring unit that was not limited to protecting a single system and could therefore monitor all of the data traffic on the network.
The functioning of modern attack detection systems
Current intrusion detection systems generally combine both approaches to achieve an even higher detection rate. Such a hybrid system is characterized by a centralized management system that is fed with the corresponding information by network-based and host-based software. Three basic components are involved in the detection process:
Data monitoring
The data monitor has the task of collecting, and filtering in advance, all the data that is relevant and necessary to unmask intruders. This is the audit data already mentioned, such as the log files of computer systems and security applications, as well as system information such as the CPU load, the number of active network connections or the number of repeated connection attempts. In addition, the data monitor of a hybrid intrusion detection system also processes information on TCP/IP connections, such as source and destination addresses and other contents of the data packets sent and received, as captured by the network-based IDS sensor.
The analysis
The data monitor passes the collected and pre-filtered data to the analyzer. The analyzer must process and evaluate this information in real time, since otherwise break-in attempts could not be thwarted. The analysis process therefore places relatively high demands on the underlying hardware (CPU and memory in particular). This is especially true in large corporate networks, where scaling this IDS component is one of the most complex tasks, but also one of the most important for keeping the attack detection system functional. An analyzer can use two different methods to evaluate the data:
With misuse detection, the analyzer tries to recognize known attack patterns, called signatures, in the data received. These are stored in a separate database (a signature library), which is updated regularly. For each signature, the database entry also records the severity of the attack. An attack pattern that is not stored in the signature library, however, remains invisible to this detection method.
Anomaly detection is based on a different principle: this analysis method assumes that unauthorized access causes abnormal system behavior that deviates from previously defined normal values. For example, the analyzer can be configured to trigger an alert if the CPU load or the page access rate exceeds a certain value (static approach). It can also include the chronological sequence of events in its evaluation (logical approach). Although anomaly detection can uncover new and unknown attacks, it can also generate alerts for unusual system states that are not caused by an intruder or an attack.
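The two analysis methods described above, as an added example that is not part of the original article: a toy analyzer that runs misuse detection (signature matching with a severity per signature) over a few constructed log lines, and anomaly detection in both the static form (a fixed CPU-load threshold) and the logical form (a sequence of repeated failed connection attempts within a time window). The signatures, thresholds, log lines and metric samples are all constructed for illustration and are not taken from any real product.

```python
"""Toy hybrid IDS analyzer: misuse detection plus static and logical anomaly detection.

Added example, not from the original article. Every signature, threshold,
log line and metric sample below is constructed for illustration.
"""
import re
from collections import defaultdict

# --- Signature library (misuse detection) ----------------------------------
# Each entry: (name, compiled regex applied to one log line, severity).
# Constructed sample signatures; a real library holds thousands and is updated regularly.
SIGNATURES = [
    ("directory traversal in URL", re.compile(r"\.\./"), "high"),
    ("web shell probe", re.compile(r"GET /[\w/]*(?:cmd|shell)\.php"), "high"),
    ("failed login", re.compile(r"Failed password for"), "low"),
]


def misuse_detect(log_lines):
    """Return (line_no, signature_name, severity) for every line matching a signature.

    Anything not described by a signature passes silently: this is the blind spot
    of misuse detection mentioned in the text.
    """
    alerts = []
    for line_no, line in enumerate(log_lines, 1):
        for name, pattern, severity in SIGNATURES:
            if pattern.search(line):
                alerts.append((line_no, name, severity))
    return alerts


# --- Anomaly detection, static approach ------------------------------------
def static_anomalies(samples, threshold):
    """Flag metric samples (t, value) whose value exceeds a fixed threshold."""
    return [(t, v) for t, v in samples if v > threshold]


# --- Anomaly detection, logical (sequence) approach ------------------------
def repeated_attempts(events, max_attempts, window_seconds):
    """Flag sources with more than max_attempts failed connections in any time window.

    events: list of (t_seconds, source_ip, outcome) with outcome "ok" or "fail".
    Uses a sliding window over each source's sorted failure timestamps.
    """
    failures_by_src = defaultdict(list)
    for t, src, outcome in events:
        if outcome == "fail":
            failures_by_src[src].append(t)

    flagged = []
    for src, times in failures_by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_seconds:
                start += 1
            if end - start + 1 > max_attempts:
                flagged.append(src)
                break
    return flagged


# --- Constructed input the data monitor would hand to the analyzer ---------
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200',
    '10.0.0.9 - - "GET /../../etc/passwd HTTP/1.1" 404',
    "sshd[412]: Failed password for root from 10.0.0.9 port 5001",
    '10.0.0.9 - - "GET /uploads/shell.php HTTP/1.1" 404',
]
CPU_SAMPLES = [(0, 12.0), (60, 15.5), (120, 97.3), (180, 20.1)]  # (seconds, % load)
CONN_EVENTS = [
    (0, "10.0.0.9", "fail"), (2, "10.0.0.9", "fail"), (4, "10.0.0.9", "fail"),
    (5, "10.0.0.9", "fail"), (30, "10.0.0.5", "fail"), (100, "10.0.0.9", "fail"),
]


def analyze():
    """Run all three evaluations and return their findings by method name."""
    return {
        "misuse": misuse_detect(SAMPLE_LOG),
        "static": static_anomalies(CPU_SAMPLES, threshold=90.0),
        "logical": repeated_attempts(CONN_EVENTS, max_attempts=3, window_seconds=10),
    }


if __name__ == "__main__":
    for method, findings in analyze().items():
        print(f"{method}: {findings}")
```

The CPU sample at t=120 illustrates the caveat from the text: a static threshold cannot tell a legitimate batch job from an attack, so this alert needs correlation with other data (for instance the repeated failures from the same source in the logical check) before anyone acts on it.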