IDS: what is it, and how does an Intrusion Detection System work?
Intrusion detection systems are software or hardware for detecting attacks and malicious activity, so that networks and computer systems can mount a proper response. To achieve this, an IDS collects information from multiple system or network sources and then analyzes it for signs of attacks. This article tries to answer the question: "IDS - what is it and what is it for?"
Why Intrusion Detection Systems (IDS) are needed
Information systems and networks are constantly subjected to cyber-attacks. Firewalls and antivirus software are clearly not enough to repel all of them, because they only protect the "front door" of computer systems and networks. Teenagers imagining themselves as hackers continuously scour the Internet in search of security holes.
Thanks to the World Wide Web, they have at their disposal a great deal of completely free malicious software: all kinds of spamming tools and similar harmful programs. Competing companies hire professional intruders to neutralize each other. So intrusion detection systems are an absolute necessity. Not surprisingly, they are used more widely every day.
IDS elements include:
- a sensor subsystem, whose purpose is to collect events from the network or computer system;
- an analysis subsystem that detects cyber-attacks and suspicious activity;
- storage that accumulates information about events, as well as the results of analyzing cyber-attacks and unauthorized actions;
- a management console, from which you can set IDS parameters, monitor the state of the network (or computer system), and access information about the attacks and illegal actions detected by the analysis subsystem.
By the way, many may ask how IDS translates. Loosely, it is "a system that catches uninvited guests red-handed."
The main tasks solved by intrusion detection systems
An intrusion detection system has two main tasks: analyzing sources of information and responding adequately based on the results of that analysis. To perform these tasks, the IDS does the following:
- monitors and analyzes user activity;
- audits the configuration of the system and its weaknesses;
- checks the integrity of the most important system files, as well as data files;
- performs statistical analysis of system states, comparing them with those observed during already known attacks;
- audits the operating system.
What an intrusion detection system can provide, and what is beyond its power
With its help you can achieve the following:
- improve the integrity of the network infrastructure;
- track a user's activity from the moment they enter the system until the moment they cause harm to it or perform any unauthorized actions;
- identify and notify about changed or deleted data;
- automate Internet monitoring tasks in order to search for the latest attacks;
- identify errors in the configuration of the system;
- detect the beginning of an attack and notify about it.
An IDS cannot do the following:
- fix shortcomings in network protocols;
- compensate for weak identification and authentication mechanisms in the networks or computer systems that it monitors;
- it should also be noted that an IDS does not always cope with packet-level attacks.
IPS (intrusion prevention system) - a continuation of IDS
IPS stands for "intrusion prevention system." These are extended, more functional varieties of IDS. IPS are reactive (unlike an ordinary IDS), meaning they can not only detect, record and alert on an attack but also perform protective functions: reset connections and block incoming traffic packets. Another distinctive feature of IPS is that they work inline, in the traffic path, and can automatically block attacks. The flip side of that is that a false positive now blocks legitimate traffic rather than merely raising an alert, so IPS rules must be tuned more carefully than IDS rules.
IDS subtypes by method of monitoring
NIDS (network-based IDS, i.e. IDSs that monitor the entire network) analyze the traffic of an entire subnet and are centrally managed. By placing several NIDS correctly, a fairly large network can be monitored.
They work in promiscuous mode (that is, they check all packets, not selectively), comparing subnet traffic with the known attacks in their library. When an attack or unauthorized activity is detected, an alarm is sent to the administrator. However, it should be mentioned that in a large network with heavy traffic, NIDS sometimes fail to inspect every packet. Therefore, there is a possibility that during "rush hour" they will not be able to recognize an attack.
NIDS can easily be built into new network topologies, since, being passive, they have no particular effect on how the network functions. They only record and notify, in contrast to the reactive IPS discussed above. However, it should also be said that network-based IDS cannot analyze information that has been encrypted. This is a significant drawback, because with the ever-increasing use of virtual private networks (VPNs), cybercriminals increasingly carry out attacks over encrypted channels.
Also, NIDS cannot determine what happened as a result of an attack, whether it caused harm or not. All they can do is register its beginning. Therefore, the administrator is forced to independently recheck each attack to make sure whether the attackers achieved their goal. Another significant problem is that NIDS can hardly detect attacks using fragmented packets. These are especially dangerous, since they can disrupt the normal operation of the NIDS itself. What this can mean for the whole network or computer system needs no explanation.
HIDS (host intrusion detection system)
HIDS (host-based IDS) serve only a specific computer. This naturally provides much higher efficiency. HIDS analyze two types of information: system logs and the results of operating system audits. They take a snapshot of the system files and compare it with an earlier snapshot. If files critical to the system have been changed or deleted, an alarm is sent to the administrator.
A significant advantage of HIDS is the ability to do their work when network traffic is encrypted. This is possible because host-based information sources can be read before data is encrypted, or after it is decrypted on the destination host.
The disadvantages of HIDS include the possibility of blocking or even disabling them with certain types of DoS attacks. The problem is that the sensors and some HIDS analysis tools reside on the host being attacked, so they are attacked as well. The fact that HIDS consume the resources of the hosts they monitor is also hard to call a plus, since it naturally reduces the hosts' performance.
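The file-integrity check described above, as an added example that is not code from the article or from any product it mentions: it snapshots the SHA-256 digest of every file under a directory, compares the result with an earlier snapshot, and reports changed, deleted and new files. The directory layout and file contents are constructed in a temporary directory purely for the illustration.

```python
"""Added example: a minimal HIDS-style file-integrity check.

Everything here (the sample 'system' tree, its contents, the tampering) is
constructed for the demonstration; nothing is taken from the article.
"""
import hashlib
import os
import tempfile


def hash_file(path, chunk=65536):
    """Hex SHA-256 of a file, read in chunks so large files fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root):
    """Map every file under root (path relative to root, '/'-separated) to its SHA-256."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = hash_file(full)
    return result


def compare(baseline, current):
    """Diff two snapshots into sorted lists of changed, deleted and added paths."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    deleted = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return {"changed": changed, "deleted": deleted, "added": added}


def demo():
    """Constructed scenario: build a tiny 'system', snapshot it, tamper, compare."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"\x7fELF original binary")
        baseline = snapshot(root)  # in practice: stored off-host or signed

        # Simulated tampering: trojanize a binary, delete a file, drop a new file.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"\x7fELF trojanized binary")
        os.remove(os.path.join(root, "etc", "passwd"))
        with open(os.path.join(root, "etc", "shadow.bak"), "w") as f:
            f.write("backdoor\n")

        report = compare(baseline, snapshot(root))
        for kind, paths in report.items():
            for p in paths:
                print(f"ALERT {kind}: {p}")
        return report


if __name__ == "__main__":
    demo()
```

The baseline snapshot is the weak point, for the reason the preceding paragraph gives: it lives on the same host the attacker controls. Store it off the host, or at least sign it, so that an intruder who replaces a binary cannot also rewrite the digest it is compared against.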
IDS subtypes by method of detecting attacks
By method of detecting attacks, IDS have three subtypes: the signature analysis method, the anomaly method and the policy method.
Signature analysis method
In this case, data packets are checked for the presence of attack signatures. An attack signature is the correspondence of an event to one of the patterns describing a known attack. This method is quite effective, because when it is used, false alarms are quite rare. Its limitation is the mirror image of that: it can only detect attacks for which a signature already exists.
Method of anomalies
With its help, unlawful actions on the network and on hosts are detected. Based on the history of normal operation of the host and network, special profiles with data about that normal behaviour are created. Then special detectors come into play: using various algorithms, they analyze events, comparing them with the "norm" in the profiles. Not having to accumulate a huge number of attack signatures is a definite plus of this method. However, a considerable number of false alarms on atypical but quite legitimate events in the network is its undoubted downside.
Another method of detecting attacks is the policy method. Its essence is the creation of network security rules, which can specify, for example, which hosts may communicate with each other and which protocols they may use. This method is promising, but the difficulty lies in the rather complicated process of building the policy base.
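The three detection methods described above, as one added example that is not code from the article: signature, anomaly and policy detection applied to the same constructed stream of connection records. The record format (source IP, destination IP, destination port, payload), the signatures, the baseline profile and the policy rules are all assumptions made for the illustration; the anomaly detector's threshold (mean plus three standard deviations, with a floor on the deviation) is one common choice, not the only one.

```python
"""Added example: signature, anomaly and policy detection over constructed records.

Records are (src_ip, dst_ip, dst_port, payload). All data below is made up.
"""
import re
import statistics
from collections import Counter, defaultdict

# --- Signature method: patterns describing known attacks (assumed, illustrative) ---
SIGNATURES = {
    "sql-injection": re.compile(rb"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
    "path-traversal": re.compile(rb"\.\./\.\./"),
    "shellshock": re.compile(rb"\(\)\s*\{\s*:;\s*\};"),
}


def signature_detect(records):
    """Alert on every record whose payload matches a known-attack pattern."""
    alerts = []
    for src, dst, port, payload in records:
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                alerts.append((name, src, dst, port))
    return alerts


# --- Anomaly method: a profile of 'normal' built from windows of benign traffic ---
def build_profile(training_windows):
    """Per source: (mean, stdev) of connections per window and the set of ports seen."""
    counts, ports = defaultdict(list), defaultdict(set)
    sources = {r[0] for w in training_windows for r in w}
    for window in training_windows:
        per_src = Counter(r[0] for r in window)
        for src in sources:
            counts[src].append(per_src.get(src, 0))
        for src, _, port, _ in window:
            ports[src].add(port)
    return {s: (statistics.mean(counts[s]), statistics.pstdev(counts[s]), ports[s])
            for s in sources}


def anomaly_detect(profile, window, k=3.0, floor=2.0):
    """Flag unknown sources, volume above mean + k*stdev (stdev floored), and unseen ports."""
    alerts = set()
    for src, n in Counter(r[0] for r in window).items():
        if src not in profile:
            alerts.add(("unknown-source", src, n))
            continue
        mean, sd, _ = profile[src]
        if n > mean + k * max(sd, floor):
            alerts.add(("volume", src, n))
    for src, _, port, _ in window:
        if src in profile and port not in profile[src][2]:
            alerts.add(("new-port", src, port))
    return sorted(alerts)


# --- Policy method: explicit rules about who may talk to whom, and how ---
POLICY = [  # (src prefix, dst prefix, allowed destination ports)
    ("10.0.0.", "10.0.1.", {80, 443}),   # workstations -> web servers
    ("10.0.0.", "10.0.2.", {53}),        # workstations -> DNS
]


def policy_detect(records):
    """Alert on every connection no policy rule permits."""
    return [("policy-violation", src, dst, port)
            for src, dst, port, _ in records
            if not any(src.startswith(s) and dst.startswith(d) and port in ports
                       for s, d, ports in POLICY)]


# --- Constructed data ---
def normal_window(i):
    """One window of benign traffic from two workstations (volume varies slightly)."""
    return [
        ("10.0.0.5", "10.0.1.10", 443, b"GET /index.html"),
        ("10.0.0.5", "10.0.1.10", 443, b"GET /about"),
        ("10.0.0.5", "10.0.2.20", 53, b"A? example.com"),
        ("10.0.0.7", "10.0.1.10", 80, b"GET /news"),
        ("10.0.0.7", "10.0.2.20", 53, b"A? news.example"),
    ] + [("10.0.0.7", "10.0.1.10", 80, b"GET /page%d" % i)] * (i % 2)


TRAINING = [normal_window(i) for i in range(10)]

OBSERVED = [
    ("10.0.0.5", "10.0.1.10", 443, b"GET /index.html"),
    ("10.0.0.5", "10.0.1.10", 443, b"GET /login?user=admin' or 1=1"),  # signature
    ("10.0.0.5", "10.0.1.10", 443, b"GET /../../etc/passwd"),          # signature
    ("10.0.0.7", "10.0.1.10", 22, b"SSH-2.0-OpenSSH"),                 # policy + new port
    ("10.0.0.9", "10.0.1.10", 443, b"GET /"),                          # unknown source
] + [("10.0.0.7", "10.0.1.10", 80, b"GET /report") for _ in range(30)]  # volume spike


if __name__ == "__main__":
    profile = build_profile(TRAINING)
    for alert in (signature_detect(OBSERVED)
                  + anomaly_detect(profile, OBSERVED)
                  + policy_detect(OBSERVED)):
        print("ALERT", alert)
```

The same window shows each method's character. The two signature hits are unambiguous but would be silent for a payload no pattern covers. The "volume" alert fires on 10.0.0.7's burst whether it is a scan or a legitimate batch job, which is the false-positive cost the text attributes to the anomaly method. The policy violation (SSH from a workstation to a web server) needs no history and no signature, only a rule someone had to write, which is the policy method's cost.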
ID Systems will provide reliable protection for your networks and computer systems
The ID Systems group of companies is today one of the market leaders in building security systems for computer networks. It will provide you with reliable protection against cyber-villains. With ID Systems security systems, you need not worry about the data that matters to you. Thanks to this you will be able to enjoy life more, because you will have fewer worries.
ID Systems - employee feedback
A wonderful team, and most important of all, of course, is the correct attitude of the company's management towards its employees. Everyone (even fledgling newcomers) has the opportunity for professional growth. True, for this you of course need to prove yourself, and then everything will work out.
The atmosphere in the team is healthy. Beginners are always taught and shown everything. No unhealthy competition is felt. Employees who have worked in the company for many years are happy to share all the technical subtleties. They are benevolent, and answer even the most naive questions of inexperienced workers without a shadow of condescension. In general, working at ID Systems leaves only pleasant emotions.
The attitude of management is pleasing. It is also pleasing that here they clearly know how to work with personnel, because the team is really highly professional. The opinion of the employees is almost unanimous: they feel at home here.