WHAT IS INTRUSION DETECTION?
Intrusion detection is the problem of identifying individuals who are using a computer system without authorization, and those who have legitimate access to the system but are abusing their privileges; in this paper the term intrusion covers both external and internal intrusions. Intruders fall into categories, and one should know the solution to detect and stop intrusion effectively. Intrusion detection is available in two major categories. Host Based (HIDS) - operates on a host to detect malicious activity using signatures and anomaly detection at the host. Network Based (NIDS) - operates on network data flow to detect malicious activity, normally by pattern matching and signature-based detection, while some integrate anomaly detection and an inference engine to reduce false positives.
WHICH ONE SUITS TO YOU ?
Both network and host based intrusion detection tools have strengths and weaknesses. It is likely you will need to use a combination of each to achieve the greatest benefit. Intrusion detection technologies are similar to virus scanning, as both work from updateable attack profiles, comparing activity against the attack patterns in a database. To be thorough, organizations should consider not only using both types of intrusion detection tools, but also multiple brands of intrusion detection tools. This gives the organization broad protective and detective capability, providing overlap and ensuring the best possible view of security monitoring. Begining Solutions E-Services is a vendor independent security company which believes in a ‘best of breed’ approach when suggesting an intrusion detection system for its corporate clients. Our qualified IDS engineers, who are certified by leading vendors, configure the IDS to achieve defense in depth.
MANAGED INTRUSION DETECTION AND PROTECTION
There are many types of intrusions; generally, intrusion means ‘to enter someone’s privacy’ without permission. Intrusion in computing means deliberately entering computer systems and networks by bypassing authentication or authorization. Intrusions are not always external exploits. They can be internal, where a user might steal a password and use it to prove a false identity to the computer system. Such a “masquerade” needs to be detected, as do intruders who are legitimate users of the system but abuse their privileges, and people who use pre-packaged exploit scripts (often found on the Internet) to attack the system through a network.
SIGNATURE BASED DETECTION SYSTEMS
In this technique, detection is normally performed using well-defined patterns of attacks that exploit weaknesses in the system. The attack patterns are usually referred to as the “signature” of an intrusion. It is also called “policy detection”, where default permit and default “deny” are preset. The limitation of this method is that such detection systems promise to detect, in a timely and efficient manner, only known attacks and violations that have been codified into security policies. Problems include difficulty in detecting previously unknown intrusions. If a database containing intrusion signatures is employed, it must be updated frequently. It operates much like anti-virus software, where any new virus needs a new vaccine (signature).
ANOMALY DETECTION
Anomaly detection is the strategy of declaring everything that is unusual for the subject (computer, user, etc.) suspect and worthy of further investigation. Detection is performed by looking for anomalous behavior by the user and by the computer system. Anomaly detection assumes that intrusive activity is a subset of anomalous activity; therefore, by detecting the latter it is possible to detect the former. Anomaly detection promises to detect abuses of legitimate privileges that cannot easily be codified into security policy, and to detect attacks that are “novel” to the intrusion detection system. Problems include a tendency to consume data processing resources, and the possibility of an attacker teaching the system that his illegitimate activities are nothing out of the ordinary. Most commercially available anomaly detection software uses the Statistical Packet Anomaly Detection Engine (SPADE), which greatly improves stateful packet analysis and reassembly.
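To make the contrast between the signature based and anomaly based approaches concrete, here is an added Python example that is not from the original page or from any vendor product. The signature rules, request lines and per-minute request counts are constructed; the anomaly model is a simple mean and standard deviation threshold, not SPADE. It shows a novel request that no signature catches, a traffic burst that the learned baseline flags, and the same burst going unflagged after an attacker slowly raises the rate during the learning period.

```python
import re
import statistics

# Constructed signature rules (name -> regex over one request line); "EvilScanner" is a hypothetical tool name.
SIGNATURES = {
    "dir-traversal": re.compile(r"\.\./"),
    "known-scanner-agent": re.compile(r"EvilScanner/"),
}

def match_signatures(request):
    """Signature detection: return the names of every known pattern found in the request."""
    return [name for name, rx in SIGNATURES.items() if rx.search(request)]

def build_baseline(counts):
    """Learn 'normal' requests per minute as (mean, population standard deviation)."""
    return statistics.mean(counts), statistics.pstdev(counts)

def is_anomalous(count, baseline, z=3.0):
    """Anomaly detection: flag a minute whose count exceeds the mean by more than z sigma.
    The deviation is floored at 1.0 so a perfectly flat baseline still yields a usable threshold."""
    mean, sd = baseline
    return count > mean + z * max(sd, 1.0)

# Constructed request lines: two carry a known signature, the third is a novel request with no signature yet.
REQUESTS = [
    "GET /images/../../etc/config HTTP/1.1 UA=Mozilla/5.0",
    "GET /index.html HTTP/1.1 UA=EvilScanner/2.1",
    "GET /api/v1/export?fmt=zzz HTTP/1.1 UA=Mozilla/5.0",
]

# Constructed per-minute request counts from one client: a quiet learning window, then a burst.
BASELINE_MINUTES = [12, 15, 11, 14, 13, 12, 16, 14]
BURST_MINUTE = 180

# Constructed learning window where the attacker slowly raises the rate, "teaching" the detector.
POISONED_MINUTES = [12, 20, 35, 55, 80, 110, 140, 170]

def demo():
    """Run both detectors and return the findings for inspection."""
    baseline = build_baseline(BASELINE_MINUTES)
    poisoned = build_baseline(POISONED_MINUTES)
    return {
        "signature_hits": {r: match_signatures(r) for r in REQUESTS},
        "burst_flagged": is_anomalous(BURST_MINUTE, baseline),
        "burst_flagged_after_poisoning": is_anomalous(BURST_MINUTE, poisoned),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The third request produces no signature hit at all, which is the "previously unknown intrusion" problem; the poisoned baseline is the "attacker teaching the system" problem, and it is why the learning window itself needs to be protected and reviewed.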