16 February 2011

IDS [Intrusion Detection Systems]

Synonyms: Intrusion detection, IPS [Intrusion Prevention Systems]
Intrusion detection is designed to detect attacks on a computer system, and in its prevention variant to block them, by analyzing the traffic entering and crossing a network or the activity taking place on an individual host.

Originally, intrusion detection was restricted to information gathering: the system logged suspicious events and raised alerts, and the IT administrator had to assess the data and take whatever remedial action was required to secure the system. These days, IDS products often respond to attacks automatically according to a set of pre-defined rules, for example by dropping the offending traffic or terminating the offending process. A system that does this is referred to as an IPS [Intrusion Prevention System] and is best seen as a development of the IDS: the detection logic is the same, with an enforcement step added. The price of automated response is that a false positive now blocks legitimate traffic or processes instead of merely generating a spurious alert, so prevention rules need to be tuned more conservatively than detection rules.

IDS (and IPS) fall into two categories. ‘Host-based’ systems (HIDS) protect individual computers and typically employ behavioral analysis to detect malicious code. They do this by monitoring the calls processes make to the operating system and matching them against policies that describe ‘normal’ behavior. Such policies can be quite granular, since a profile can be defined per application: a web server is expected to listen on a port, but not to change its privileges or write into another process. In this way, activity such as opening ports on the system, port scanning, attempts to escalate privileges and injection of code into running processes can be blocked as ‘abnormal’ behavior. Some systems supplement behavioral analysis with signatures of known hostile code.
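The following is an added example, not code from the original post or from any product it describes. It is a toy host-based sensor that evaluates behaviour events against per-application policies of the kind described above, supplements them with a signature check, and shows the IDS/IPS distinction as a single switch (alert versus block). The event fields, behaviour classes, policy entries, the signature marker and the sample events are all constructed for illustration; a real HIDS would derive the events from system-call hooks or kernel audit records. Processes with no policy entry are treated as having no ‘normal’ behaviour at all, so everything they do is flagged (default deny).

```python
"""Toy host-based IDS/IPS: per-application behaviour policies.

Added example, not from the original post. Event fields, behaviour
classes, policy and signatures are assumptions made for illustration.
"""
from dataclasses import dataclass

# Behaviour classes a host sensor might derive from system calls.
OPEN_LISTEN_PORT = "open_listen_port"
CONNECT_MANY_PORTS = "connect_many_ports"   # port scanning
ESCALATE_PRIVILEGE = "escalate_privilege"   # e.g. setuid(0) from an unprivileged process
INJECT_CODE = "inject_code"                 # writing into another process's memory
WRITE_FILE = "write_file"


@dataclass
class Event:
    process: str        # image name, e.g. "httpd"
    behaviour: str      # one of the classes above
    detail: str = ""    # free-text detail (constructed)


# Policy: what counts as 'normal' for each application. Anything not
# listed is abnormal; a process absent from the policy gets an empty
# profile, i.e. default deny. Both entries are constructed examples.
POLICY = {
    "httpd": {OPEN_LISTEN_PORT, WRITE_FILE},
    "backup": {WRITE_FILE},
}

# Signature supplement: behaviour:detail pairs known to be hostile.
# The marker string is constructed for the example.
SIGNATURES = {"inject_code:shellcode_stub_0xdeadbeef"}


@dataclass
class Verdict:
    event: Event
    abnormal: bool
    reason: str
    action: str  # "allow", "alert" (IDS mode) or "block" (IPS mode)


def evaluate(event, policy=POLICY, signatures=SIGNATURES, prevent=False):
    """Classify one event; prevent=True turns the sensor into an IPS."""
    if f"{event.behaviour}:{event.detail}" in signatures:
        abnormal, reason = True, "matches known-hostile signature"
    else:
        allowed = policy.get(event.process, set())
        abnormal = event.behaviour not in allowed
        reason = "behaviour not in normal profile" if abnormal else "within policy"
    if not abnormal:
        action = "allow"
    else:
        action = "block" if prevent else "alert"
    return Verdict(event, abnormal, reason, action)


def run(events, prevent=False):
    """Evaluate a sequence of events and return the verdicts in order."""
    return [evaluate(e, prevent=prevent) for e in events]


# Constructed event stream: one benign action and three policy violations.
EVENTS = [
    Event("httpd", OPEN_LISTEN_PORT, "tcp/80"),
    Event("httpd", ESCALATE_PRIVILEGE, "setuid(0) after request parsing"),
    Event("backup", CONNECT_MANY_PORTS, "10.0.0.5 ports 1-1024"),
    Event("backup", INJECT_CODE, "shellcode_stub_0xdeadbeef"),
]

if __name__ == "__main__":
    for v in run(EVENTS, prevent=True):
        print(f"{v.action:5} {v.event.process:7} {v.event.behaviour:20} {v.reason}")
```

Run with `prevent=False` and the same three violations surface as alerts for an administrator to review; with `prevent=True` they are blocked outright, which is exactly where a mis-specified profile turns into an outage rather than a noisy log.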

‘Network-based’ systems (NIDS) monitor a network segment rather than a single host. For pure detection they can sit passively on a tap or SPAN port; to block traffic they must be deployed inline, at which point they are acting as an IPS. They inspect packets for known attack signatures and for anomalies such as ‘abnormal’ bandwidth usage or non-standard traffic (for example malformed packets, or TCP flag combinations that no legitimate stack emits). Network-based systems are particularly useful for detecting DoS attacks, or the fan-out of connections generated by network worms, both of which are visible on the wire before they show up on any single host. Their blind spot is encrypted traffic, whose payload a network sensor cannot inspect without terminating the session itself.
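As an added example that is not part of the original post, the script below runs the three network-side checks just described over a constructed set of packet records: a malformed-packet check on TCP flag combinations (null, SYN+FIN and ‘Xmas’ scans), a fan-out check that flags one source contacting many distinct hosts on the same port within a time window (worm-like propagation), and a volume check that flags a source exceeding a multiple of a per-segment bandwidth baseline (flood). The record format, thresholds, baseline and sample traffic are all assumptions chosen for illustration; a real sensor would take the records from a tap or SPAN port, or from an inline position if it is expected to drop anything.

```python
"""Toy network-based IDS over constructed packet records.

Added example, not from the original post. Record format, thresholds
and the sample traffic are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# TCP flag bits
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Packet:
    ts: float      # capture time in seconds
    src: str
    dst: str
    dport: int
    flags: int     # TCP flag bits
    length: int    # bytes on the wire


def malformed(pkt):
    """Return a label for flag combinations no legitimate stack emits, else None."""
    if pkt.flags == 0:
        return "null flags"
    if pkt.flags & SYN and pkt.flags & FIN:
        return "SYN+FIN"
    if pkt.flags == (FIN | PSH | URG):
        return "Xmas flags"
    return None


def detect(packets, window=10.0, fanout_limit=20, baseline_bps=10_000, dos_factor=10):
    """Return (kind, source, detail) alerts for malformed, fanout and flood events.

    fanout: one source reaches more than fanout_limit distinct hosts on one
            destination port within a window (worm-like scanning).
    flood:  one source averages more than dos_factor * baseline_bps over a
            window (bandwidth anomaly). baseline_bps is a constructed value
            for a quiet segment.
    """
    alerts = []
    fanout = defaultdict(set)   # (src, dport, window) -> distinct destinations
    volume = defaultdict(int)   # (src, window) -> bytes
    for p in packets:
        bucket = int(p.ts // window)
        label = malformed(p)
        if label:
            alerts.append(("malformed", p.src, f"{label} to {p.dst}:{p.dport}"))
        fanout[(p.src, p.dport, bucket)].add(p.dst)
        volume[(p.src, bucket)] += p.length
    for (src, dport, bucket), dsts in fanout.items():
        if len(dsts) > fanout_limit:
            alerts.append(("fanout", src, f"{len(dsts)} hosts on tcp/{dport} in window {bucket}"))
    for (src, bucket), nbytes in volume.items():
        if nbytes / window > dos_factor * baseline_bps:
            alerts.append(("flood", src, f"{nbytes / window:.0f} B/s in window {bucket}"))
    return alerts


def sample_traffic():
    """Constructed traffic: a normal client, a worm-like scan, a flood, two malformed probes."""
    pk = []
    # normal client: five connections to one web server
    for i in range(5):
        pk.append(Packet(0.1 * i, "10.0.0.10", "10.0.0.1", 443, SYN, 60))
    # worm-like behaviour: one host SYNs to 30 distinct hosts on tcp/445 in 1.5 s
    for i in range(30):
        pk.append(Packet(1.0 + 0.05 * i, "10.0.0.66", f"10.0.1.{i}", 445, SYN, 60))
    # flood: 1000 full-size packets from one source inside the same window
    for i in range(1000):
        pk.append(Packet(3.0 + 0.005 * i, "10.0.0.77", "10.0.0.1", 80, ACK | PSH, 1500))
    # malformed probes: a SYN+FIN and an Xmas packet
    pk.append(Packet(8.0, "10.0.0.99", "10.0.0.1", 22, SYN | FIN, 60))
    pk.append(Packet(8.1, "10.0.0.99", "10.0.0.1", 22, FIN | PSH | URG, 60))
    return pk


if __name__ == "__main__":
    for kind, src, detail in detect(sample_traffic()):
        print(f"{kind:9} {src:12} {detail}")
```

The normal client never trips a check: five connections to a single host stay well under the fan-out limit and its byte count is negligible against the baseline. The same code deployed inline would drop the flagged packets, so the thresholds (and the baseline in particular) need to be measured on the segment in question rather than copied from an example.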

post based on: 
