Intrusion Detection

Contributor(s): KirstenS, Wichers, Jkurucar, kingthorin


The line between Intrusion Detection and Intrusion Prevention Systems (IDS and IPS respectively) has become increasingly blurred. However, these two controls are distinguished primarily by how they respond to detected attacks. While an Intrusion Detection System passively monitors for attacks and provides notification services, an Intrusion Prevention System actively stops the threat. For example, a Network Intrusion Detection System (NIDS) will monitor network traffic and alert security personnel upon discovery of an attack. A Network Intrusion Prevention System (NIPS) functions more like a stateful firewall and will automatically drop packets upon discovery of an attack.

There are two primary reasons why many organizations favor the use of IDSs over IPSs. The first is that, in the event of a false positive (normal activity mistakenly identified as an attack), an IPS will actively stop the normal activity which is likely to negatively impact business functions. An IDS, on the other hand, will only notify on the false positive and will not impact business functions while the security professional verifies the validity of the alert. The second reason is that IPSs can become a serious bottleneck. While IPSs must be placed in-line in order to actively stop attacks, and IDS may be placed on a mirrored port, thus preventing a potential bottle neck.

Intrusion detection is an important countermeasure for most applications, especially client-server applications like web applications and web services. Many newer technologies are beginning to include integrated services such as a single device that incorporates a firewall, IDS, and limited IPS functionality. Logging is an important aspect of intrusion detection, but is best viewed as a way to record intrusion-related activity, not to determine what is an intrusion in the first place. The vast majority of applications do not detect attacks, but instead try their best to fulfill the attackers’ requests.

Lack of intrusion detection allows an attacker to attempt attacks until a successful one is identified. Intrusion detection allows the attack to be identified long before a successful attack is likely. It is not very difficult for a web application to identify some attack traffic. A simple rule-of-thumb is that if the traffic could not have reasonably been generated by a legitimate user of the application, it is almost certainly an attack. Once alerted by the IDS and the attacks are identified, then the security professional can respond appropriately. Typically, this means logging off the user, invalidating their account, potentially recording information for the authorities, or patching the root cause vulnerability.

There are three types of requests that an application might receive:

  • Almost certainly an attack
  • Not sure whether it an attack or not
  • Almost certainly legitimate input

The question for application developers is how to deal with these three categories. The safest rule is to assume that everything except legitimate traffic is an attack. However, this will probably create a lot of false alarms for users. So perhaps it is best to accept the requests that you are not sure about and log some extra information so that you can investigate it later. This is a policy decision that you should make during the requirements phase of the lifecycle.

In terms of the accuracy of an IDS, there are four possible states for each activity observed. A true positive state is when the IDS identifies an activity as an attack and the activity is actually an attack. A true positive is a successful identification of an attack. A true negative state is similar. This is when the IDS identifies an activity as acceptable behavior and the activity is actually acceptable. A true negative is successfully ignoring acceptable behavior. Neither of these states are harmful as the IDS is performing as expected. A false positive state is when the IDS identifies an activity as an attack but the activity is acceptable behavior. A false positive is a false alarm. A false negative state is the most serious and dangerous state. This is when the IDS identifies an activity as acceptable when the activity is actually an attack. That is, a false negative is when the IDS fails to catch an attack. This is the most dangerous state since the security professional has no idea that an attack took place. False positives, on the other hand, are an inconvenience at best and can cause significant issues. However, with the right amount of overhead, false positives can be successfully adjudicated; false negatives cannot.

There are different types of Intrusion Detection systems based on different approaches. The two main divisions exist between signature based IDSs and behavioral IDSs. There are multiple subcategories depending on the specific implementation. Signature based IDSs, like Snort, function like anti-virus software. They have known attack lists against which they check new activity for attacks. If the new activity matches a known attack signature, the system will generate an alert. Behavioral based IDSs work differently. They learn, through a number of methods (the most popular of which is statistical analysis), what constitutes normal behavior. Once the system has a profile of normal behavior, it aims to detect abnormal behavior, which generates alerts. Currently, signature based systems are more common since they are more reliable (less false negatives), provide less false positives, and allow for easier false positive resolution. Behavioral based IDSs tend to be less accurate (more false negatives), produce an extremely large number of false positives, and false positives are more difficult to adjudicate. That being said, it is possible for a behavioral IDS to identify novel attacks like zero day exploits, given that the novel attack varies from normal behavior. A signature based IDS cannot ever identify novel attacks like zero day exploits since it identifies attacks based on known attack signatures.

In addition, there are different types of Intrusion Detection systems based on the goal of the system. While the market on the following types of IDSs is become more and more fractured, the primary types by goal are Network based IDSs (NIDS) and Host based IDSs (HIDS). There are some extensions of this dichotomy to include distributed IDSs and comprehensive host based security systems. However, the main distinction is the goal and placement of the IDS. A NIDS monitors network traffic, usually on a mirrored port or in-line and can be placed in a variety of locations on the network. NIDS work by inspecting network traffic and can be signature based or behavioral based. HIDS monitors system logs, application logs, and other activities on a host system such as a server or user workstation. HIDS work primarily by monitory system logs and behavior and can be signature based (include rule sets that enforce tailored security policies) or behavioral based. Most organizations use both types of IDSs. They use HIDSs to secure critical host systems and NIDSs to secure their network(s).

Best practices for the placements of NIDS is a future topic.