Intrusion Detection

Why "Intrusion Detection"?

Attacks on national and organisational computer systems over the last twenty years have been alarming, despite the money dedicated to information security. They confirm the case for a layered system of information security, of which an IDS is an important part.

What is an Intrusion Detection System (IDS)?

An IDS is a combination of software and/or hardware put in place to detect security problems early.

It is a key technique for the early detection of security problems and a form of security management for computers and networks.

In information security, "IDS" denotes a system that detects unauthorised access to a network or host. The phrase "intrusion detection" is therefore a slightly misleading description of the intended action: an intrusion connotes an attack that has already succeeded, whereas the aim is to detect the attack before serious damage is done. "Attack detection" might have been the more accurate term, since a successful attack is what constitutes an intrusion into the system.

Why an IDS?

It is one component of the defence-in-depth approach to security management. It is needed because a firewall alone cannot provide complete protection against intrusion: a firewall decides which traffic may pass, but says nothing about what that permitted traffic then does.

Experience has shown that relying on a single defensive line or technique is not ideal. Implementing multiple layers of protection as part of an overall security architecture makes penetration by external intruders more difficult, and gives the defender a chance to notice an attack that has got past the first layer.

Options available in securing your networks

I) The easiest rule is to deny all services and packets, which brings the organisation's network traffic to a grinding halt. This is not compatible with the reasons for doing e-commerce in the first place. It must also be emphasised that no network is 100 percent secure, and a computer is fully secure only when it is not connected to anything.

II) The other option is to tighten the controls: deploy firewalls to restrict the traffic that is allowed, and intrusion detection systems to monitor online what that traffic and the hosts behind it are actually doing.

Types of Intrusion Detection Systems

Intrusion detection systems can be described either by

a) the type of data they analyse and the analysis method, i.e. the approach to intrusion detection incorporated into their design, or

b) where they look for the intrusion: on the host computer or on the network.

1. Anomaly Detection Systems

Anomaly detection systems are designed to detect anomalous, i.e. unusual, behaviour relative to a baseline of what is normal for the system: for example the time of day at which a user normally logs on, or the type of usage the system normally sees. Any deviation from that baseline is reported to a designated person or point as abnormal behaviour so that appropriate action can be taken. The strength of this approach is that it can flag an attack that has never been seen before; its weakness is that any legitimate change in behaviour also looks like a deviation, so the false-positive rate depends heavily on how good the baseline is.

2. Misuse Detection Systems

The main focus of misuse detection systems is to look for the symptoms of known forms of misuse, whether by outsiders or by authorised users. Each known pattern, for example a burst of bad log-on attempts against an account, or an unauthorised log-on to a privileged account, is described in advance as a signature, and subsequent activity is compared against the signatures. Any match is flagged as misuse of the system. Because a signature has to be written before it can match, this approach detects known attacks reliably but says nothing about attacks nobody has described yet.
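The two approaches just described are easiest to tell apart on the same data. The following is an added example, not code from the original page: it runs an anomaly detector (per-user baseline of logon hours and source addresses) and a misuse detector (a single signature, "five or more failed logons from one address within a minute") over a constructed set of logon records. The log format, the host and user names, the addresses and the training cutoff date are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon records (not from the original page), one per line:
# "<ISO timestamp> <host> login: <user> <success|failed> from <source IP>".
SAMPLE_LOG = """\
2024-03-04T08:55:10 srv1 login: alice success from 10.0.0.5
2024-03-04T09:02:41 srv1 login: alice success from 10.0.0.5
2024-03-05T08:47:03 srv1 login: alice success from 10.0.0.5
2024-03-05T17:30:22 srv1 login: alice success from 10.0.0.5
2024-03-06T09:10:09 srv1 login: alice success from 10.0.0.5
2024-03-06T03:12:55 srv1 login: alice success from 198.51.100.7
2024-03-06T03:13:01 srv1 login: bob failed from 198.51.100.7
2024-03-06T03:13:02 srv1 login: bob failed from 198.51.100.7
2024-03-06T03:13:03 srv1 login: bob failed from 198.51.100.7
2024-03-06T03:13:04 srv1 login: bob failed from 198.51.100.7
2024-03-06T03:13:05 srv1 login: bob failed from 198.51.100.7
2024-03-06T03:13:06 srv1 login: bob success from 198.51.100.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) login: (?P<user>\S+) "
                     r"(?P<result>success|failed) from (?P<ip>\S+)$")


def parse_log(text):
    """Parse log lines into event dicts; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


# Anomaly detection: learn what is normal for each user, then flag deviations.
def build_profile(events):
    """Baseline per user: hours of day and source IPs seen in successful logons."""
    profile = defaultdict(lambda: {"hours": set(), "ips": set()})
    for ev in events:
        if ev["result"] == "success":
            profile[ev["user"]]["hours"].add(ev["ts"].hour)
            profile[ev["user"]]["ips"].add(ev["ip"])
    return dict(profile)


def anomaly_alerts(profile, events):
    """Flag successful logons that deviate from the user's baseline."""
    alerts = []
    for ev in events:
        if ev["result"] != "success":
            continue
        user, reasons = ev["user"], []
        if user not in profile:
            reasons.append("no baseline for user")
        else:
            if ev["ts"].hour not in profile[user]["hours"]:
                reasons.append("unusual hour %02d" % ev["ts"].hour)
            if ev["ip"] not in profile[user]["ips"]:
                reasons.append("unknown source %s" % ev["ip"])
        if reasons:
            alerts.append((ev["ts"].isoformat(), user, "; ".join(reasons)))
    return alerts


# Misuse detection: match activity against a signature of a known attack pattern.
def misuse_alerts(events, threshold=5, window=timedelta(seconds=60)):
    """Signature: `threshold` or more failed logons from one source IP inside `window`."""
    alerts, fired = [], set()
    recent_failures = defaultdict(list)  # source IP -> failure timestamps still in window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "failed":
            continue
        ip = ev["ip"]
        recent_failures[ip] = [t for t in recent_failures[ip] if ev["ts"] - t <= window]
        recent_failures[ip].append(ev["ts"])
        if len(recent_failures[ip]) >= threshold and ip not in fired:
            fired.add(ip)  # report each source once, not on every further failure
            alerts.append((ev["ts"].isoformat(), ip, "%d failed logons within %ds"
                           % (len(recent_failures[ip]), window.total_seconds())))
    return alerts


def run_detection(text, training_cutoff=datetime(2024, 3, 6)):
    """Train the anomaly baseline on events before the cutoff and score the rest."""
    events = parse_log(text)
    training = [e for e in events if e["ts"] < training_cutoff]
    recent = [e for e in events if e["ts"] >= training_cutoff]
    return {"anomaly": anomaly_alerts(build_profile(training), recent),
            "misuse": misuse_alerts(recent)}


if __name__ == "__main__":
    for kind, alerts in run_detection(SAMPLE_LOG).items():
        for alert in alerts:
            print(kind, *alert)
```

Note the split between training and scoring data: if the baseline were built from the same records it is then asked to judge, the 03:12 logon from the unknown address would be part of "normal" and never be flagged. The misuse detector needs no training at all, but it is equally blind to anything its one signature does not describe, which is exactly the trade-off the two sections above set out.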

3. Target Monitoring Systems

Unlike the previous two methods, this approach monitors the target systems themselves so that any modification to them is reported. It applies to critical systems, programs and configuration files that by design are never to be tampered with: a fingerprint (typically a cryptographic hash) of each protected file is recorded while the system is known to be good, then periodically recomputed and compared with the record. Any modification may signal an attempt to alter the program contrary to its original design, and so requires the urgent attention of the right personnel.
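The following is an added example of the target-monitoring idea, not code from the original page: it takes a baseline of every file under a directory (SHA-256 of the contents, size and permission bits), then detects a same-size content change, a permission change, a planted file and a deleted file. The directory layout, file names and the "tampering" steps are all constructed for the example.

```python
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large binaries are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Baseline of every regular file under root: relative path -> (sha256, size, mode).
    Modification time is deliberately left out: an attacker can reset it, but cannot
    alter the content while keeping the hash unchanged."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = (hash_file(path), st.st_size, st.st_mode & 0o7777)
    return baseline


def compare(baseline, current):
    """Report files whose hash, size or mode changed, plus files added or removed."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"#!/bin/sh\nexec /usr/bin/real-login \"$@\"\n")
        with open(os.path.join(root, "bin", "sh"), "wb") as f:
            f.write(b"#!/bin/sh\n")
        os.chmod(os.path.join(root, "bin", "sh"), 0o755)
        with open(os.path.join(root, "motd"), "wb") as f:
            f.write(b"Authorised users only.\n")
        baseline = snapshot(root)

        # Simulated tampering (constructed): same-length content swap in the login
        # wrapper, setuid bit added to bin/sh, a hidden file planted, motd deleted.
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"#!/bin/sh\nexec /usr/bin/fake-login \"$@\"\n")
        os.chmod(os.path.join(root, "bin", "sh"), 0o4755)
        with open(os.path.join(root, "bin", ".hidden"), "wb") as f:
            f.write(b"planted\n")
        os.remove(os.path.join(root, "motd"))

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The size of bin/login does not change in the scenario, so a checker that looked only at size or timestamps would miss it; the hash does not. The baseline itself has to be stored where the attacker cannot write, on read-only media or on a separate host, otherwise the first thing a competent intruder does after modifying a file is to update its recorded fingerprint.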

4. Host-based Intrusion Detection System (IDS)

A host-based IDS, as the name suggests, is located on the host system. It runs on the protected host and uses local system and application log files to detect intrusive activity. It can monitor specific applications for anomalies, and can detect host activity, such as a modified system file or a change of privilege by a local user, that would be impossible to observe with any non-host-based system. The corresponding weakness is that an intruder who gains control of the host can also tamper with the IDS and the logs it relies on, so its alerts should be sent off the host as they are raised.

5. Network-based IDS

A network-based IDS, as the name suggests, monitors and evaluates the data packets on a network segment to identify network anomalies and/or intrusive network activity. It sees traffic to and from every host on the segment, including hosts that run no agent of their own, but it cannot look inside encrypted payloads and it only sees what the network delivers to it, so on a switched network it needs a mirror port or tap.
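The following is an added example of what a signature-based network IDS does with each packet, not code from the original page: it decodes the IPv4 and TCP headers from raw bytes, extracts the fields a rule can refer to, and runs a tiny rule set (a SYN to the telnet port, and an HTTP request containing "/etc/passwd") over constructed traffic. The packets are built in memory with a helper in the same block and are never sent; the addresses, ports and rule names are assumptions made for the example.

```python
import socket
import struct

SYN, PSH_ACK = 0x02, 0x18


def build_tcp_packet(src, dst, sport, dport, flags, payload=b""):
    """Construct a minimal IPv4+TCP packet in memory (checksums left zero; nothing is
    sent). Used only to produce constructed sample traffic for the detector below."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + tcp_hdr + payload


def decode(packet):
    """Decode the IPv4 and TCP headers; returns None for anything that is not IPv4/TCP
    or is too short to hold both headers (malformed input must not crash the sensor)."""
    if len(packet) < 20:
        return None
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or proto != 6 or len(packet) < ihl + 20:
        return None
    sport, dport, _seq, _ack, off, flags, _win, _csum2, _urg = \
        struct.unpack("!HHIIBBHHH", packet[ihl:ihl + 20])
    data_off = (off >> 4) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "flags": flags,
            "payload": packet[ihl + data_off:total_len]}


# Rule set in the spirit of a signature-based NIDS: each rule lists the fields a
# packet must match. Rule names and patterns are constructed for this example.
RULES = [
    {"name": "telnet connection attempt", "dport": 23, "flags": SYN},
    {"name": "HTTP request containing /etc/passwd", "dport": 80, "content": b"/etc/passwd"},
]


def matches(rule, pkt):
    """A rule matches only if every field it specifies matches the decoded packet."""
    if "dport" in rule and pkt["dport"] != rule["dport"]:
        return False
    if "flags" in rule and (pkt["flags"] & rule["flags"]) != rule["flags"]:
        return False
    if "content" in rule and rule["content"] not in pkt["payload"]:
        return False
    return True


def inspect(packets, rules=RULES):
    """Run every rule over every decodable packet; return (rule, src, dst, dport) hits."""
    alerts = []
    for raw in packets:
        pkt = decode(raw)
        if pkt is None:
            continue
        for rule in rules:
            if matches(rule, pkt):
                alerts.append((rule["name"], pkt["src"], pkt["dst"], pkt["dport"]))
    return alerts


# Constructed traffic on the monitored segment: two ordinary flows, two probes,
# and one malformed non-TCP datagram that the sensor must simply skip.
SAMPLE_TRAFFIC = [
    build_tcp_packet("10.0.0.5", "10.0.0.20", 40000, 443, SYN),
    build_tcp_packet("10.0.0.5", "10.0.0.20", 40001, 80, PSH_ACK,
                     b"GET /index.html HTTP/1.1\r\n\r\n"),
    build_tcp_packet("203.0.113.9", "10.0.0.20", 51000, 23, SYN),
    build_tcp_packet("203.0.113.9", "10.0.0.20", 51001, 80, PSH_ACK,
                     b"GET /../../etc/passwd HTTP/1.1\r\n\r\n"),
    b"\x45\x00\x00\x1c" + b"\x00" * 24,
]

if __name__ == "__main__":
    for alert in inspect(SAMPLE_TRAFFIC):
        print(*alert)
```

Two limitations of this per-packet matching are exactly those of a naive network sensor: a payload string split across two TCP segments is not seen by either one, so a real NIDS reassembles streams before matching, and the content rule is useless once the same request travels over TLS, which is one reason host-based monitoring is kept alongside it.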

There are factors to consider if a good IDS is to be acquired, or good money will simply be wasted; for these see Evaluating an Intrusion Detection System.

