
IDS: what is it, and how does an Intrusion Detection System work?

IDS: what is it and how does it work? An intrusion detection system (IDS) is software or hardware that detects attacks and malicious activity, so that a network or computer system can respond to them properly. To do this, an IDS collects information from several system or network sources and then analyses it for signs of an attack. This article tries to answer the question: "IDS: what is it and what is it for?"

Why intrusion detection systems (IDS) are needed

Information systems and networks are constantly exposed to cyber attacks. Firewalls and antivirus software alone are not enough to repel them, because they protect only the "front door" of a computer system or network. Self-styled teenage hackers continuously scour the Internet in search of holes in security systems.

Thanks to the World Wide Web, they have plenty of freely available malicious software: spam tools and all sorts of similar harmful programs. Competing companies hire professional intruders to sabotage each other. Intrusion detection systems are therefore an absolute necessity, and it is not surprising that they are used more widely every day.

IDS elements

An IDS consists of:

  • A sensor subsystem, which collects events from the network or the computer system;
  • An analysis subsystem, which detects attacks and suspicious activity in those events;
  • Storage, which holds the collected events together with the results of the analysis of attacks and unauthorised actions;
  • A management console, from which the IDS parameters are set, the state of the network (or computer system) is monitored, and the attacks and illegal actions found by the analysis subsystem are reviewed.

Incidentally, many people ask how IDS is translated. IDS stands for Intrusion Detection System: a system that catches uninvited guests in the act.

The main tasks solved by intrusion detection systems

An intrusion detection system has two main tasks: analysing its sources of information and responding adequately to the results of that analysis. To perform them, the IDS:

  • Monitors and analyses user activity;
  • Audits the system configuration and its weaknesses;
  • Checks the integrity of the most important system files and data files;
  • Performs statistical analysis of system states, comparing them with the states observed during already known attacks;
  • Audits the operating system.

What an intrusion detection system can and cannot do

With its help you can:

  • Improve the integrity of the network infrastructure;
  • Track a user's activity from the moment they enter the system until they cause harm or perform an unauthorised action;
  • Detect and report the modification or deletion of data;
  • Automate the monitoring of the Internet for the latest attacks;
  • Identify errors in the system configuration;
  • Detect the start of an attack and raise an alert about it.

An IDS cannot:

  • Fill in flaws in network protocols;
  • Compensate for weak identification and authentication mechanisms in the networks or computer systems it monitors;
  • Always cope with attacks carried out at the packet level.

IPS (intrusion prevention system): a continuation of IDS

IPS stands for Intrusion Prevention System. An IPS is an extended, more functional variety of IDS. Unlike a conventional IDS, an IPS is reactive: it not only detects, records and reports an attack, but also takes protective action, such as resetting the connection or blocking the offending incoming packets. The other distinguishing feature of an IPS is that it sits inline, in the traffic path, so it can block attacks automatically.

IDS subtypes by what they monitor

NIDS (network intrusion detection systems) analyse the traffic of a whole subnet and are centrally managed. By placing several NIDS sensors correctly, a fairly large network can be monitored.

They run in promiscuous mode (that is, they examine every packet that passes, not a selection), comparing subnet traffic with the known attacks in their signature library. When an attack or unauthorised activity is identified, an alarm is sent to the administrator. It should be noted, however, that on a large network with heavy traffic a NIDS sometimes fails to inspect every packet, so there is a chance that during "rush hour" it will not recognise an attack.

Network-based IDS are easy to integrate into new network topologies, because they are passive and have no particular effect on how the network operates. They only record and notify, in contrast to the reactive IPS discussed above. However, a network-based IDS cannot analyse encrypted traffic. This is a significant drawback: with the ever wider use of virtual private networks (VPNs), attackers increasingly carry their attacks over encrypted channels.

A NIDS also cannot tell what an attack resulted in, whether it caused harm or not; all it can do is record that an attack began. The administrator is therefore forced to re-check each reported attack by hand to find out whether the attackers reached their goal. Another significant problem is that a NIDS has difficulty detecting attacks that use fragmented packets. These are especially dangerous, since they can also disrupt the operation of the NIDS itself, and what that means for the network or computer system as a whole needs no explanation.

HIDS (host intrusion detection system)

A HIDS (host intrusion detection system) serves a single computer, which naturally makes it much more thorough. A HIDS analyses two kinds of information: system logs and the results of operating-system audits. It also takes a snapshot of the system files and compares it with an earlier snapshot; if files critical to the system have been changed or deleted, an alarm is sent to the administrator.
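The snapshot-and-compare check described above, as an added example that is not code from the original article or from any particular HIDS product. It builds a small constructed file tree in a temporary directory, hashes every file with SHA-256 to form a baseline, tampers with the tree the way an intruder might, and reports what changed, what was deleted and what appeared. The file names and contents are invented for the demo.

```python
"""
File-integrity check of the kind a HIDS performs: hash every file, keep the
baseline, re-hash later and report drift. Added example; the file tree below
is constructed in a temporary directory so the script runs offline.
"""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict[str, str]:
    """Map every regular file under root (path relative to root) to its SHA-256 hex digest."""
    snap = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):  # stream, so large files do not load into memory
                digest.update(chunk)
        snap[path.relative_to(root).as_posix()] = digest.hexdigest()
    return snap


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify drift between two snapshots: modified, deleted and newly created files."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "deleted": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo() -> dict[str, list[str]]:
    """Build a constructed mini system tree, take a baseline, tamper with it, and report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF placeholder, not a real binary")

        baseline = snapshot(root)  # in practice stored off-host or on read-only media

        # Simulated tampering: an extra uid-0 account, a removed binary, a new preload file.
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/sh\nbackdoor:x:0:0::/:/bin/sh\n"
        )
        (root / "bin" / "ls").unlink()
        (root / "etc" / "ld.so.preload").write_text("/tmp/evil.so\n")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:8s} {files}")
```

The baseline is the weak point: it must be stored where an intruder on the monitored host cannot rewrite it, otherwise they simply re-baseline after tampering. The check also only tells you that a file changed, not who changed it or why, so it belongs alongside the log and audit sources the article mentions rather than in place of them.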

An essential advantage of a HIDS is that it keeps working even when network traffic is encrypted. This is possible because host-based sources of information are produced before data is encrypted, or after it is decrypted on the destination host.

Among its disadvantages is that certain kinds of DoS attack can block or even disable it. The problem is that the sensors and some of the analysis tools of a HIDS live on the host that is being attacked, so they are attacked as well. That a HIDS consumes the resources of the host it monitors, and so reduces its performance, is also hard to call a plus.

IDS subtypes by attack detection method

By detection method, an IDS belongs to one of three subtypes: the anomaly method, the signature analysis method and the policy method.

Signature analysis method

Here data packets are checked against attack signatures. An attack signature is a match between an event and one of the patterns that describe a known attack. The method is quite effective, because when it is used false alarms about attacks are quite rare.
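The points made about signature analysis here, about fragmented packets in the NIDS section, and about the IDS/IPS distinction, brought together in one added example that is not code from the original article or from any real IDS product. A naive inspector matches each packet on its own and misses a signature that the attacker has split across two packets; a stream inspector reassembles each flow first and catches it. The same stream inspector run in "ips" mode drops every packet of a flow from the first match onward instead of only alerting. The signature patterns, flow identifiers, addresses and packets are all constructed for the demo, and in-order delivery within a flow is assumed (a real sensor reorders by TCP sequence number).

```python
"""
Signature matching over a constructed packet stream: per-packet inspection
versus stream reassembly, in IDS (alert only) and IPS (alert and block) modes.
Added example; every packet, address, flow id and signature below is invented.
"""
from collections import defaultdict
from dataclasses import dataclass

# Signature library: name -> byte pattern that characterises a known attack.
# Both patterns are constructed placeholders, not real product signatures.
SIGNATURES = {
    "nop-sled": b"\x90" * 8,
    "cgi-probe": b"GET /cgi-bin/test-cgi?",
}


@dataclass(frozen=True)
class Packet:
    flow_id: int      # which TCP connection the packet belongs to (assumed already tracked)
    src: str
    dst: str
    payload: bytes


def match_signatures(data: bytes) -> list[str]:
    """Return the names of all signatures whose pattern occurs in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def inspect_per_packet(packets) -> list[tuple[int, str]]:
    """Naive NIDS: each packet is matched on its own.

    A pattern split across two packets never appears whole in a single
    payload, so this inspector misses it; this is the fragmentation evasion
    the article warns about.
    """
    alerts = []
    for p in packets:
        for name in match_signatures(p.payload):
            alerts.append((p.flow_id, name))
    return alerts


class StreamInspector:
    """Inspector that reassembles each flow before matching.

    mode="ids": passive; every packet is forwarded and matches are only recorded.
    mode="ips": inline; the flow is blocked from the first matching packet onward
    (a real IPS would also send a TCP reset; here the packets are simply dropped).
    """

    def __init__(self, mode: str = "ids"):
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.mode = mode
        self.buffers: dict[int, bytes] = defaultdict(bytes)
        self.blocked: set[int] = set()
        self.alerts: list[tuple[int, str]] = []

    def process(self, p: Packet) -> bool:
        """Feed one packet; return True if it is forwarded, False if it is dropped."""
        if p.flow_id in self.blocked:
            return False
        self.buffers[p.flow_id] += p.payload  # reassembly (assumes in-order arrival)
        for name in match_signatures(self.buffers[p.flow_id]):
            if (p.flow_id, name) not in self.alerts:
                self.alerts.append((p.flow_id, name))
                if self.mode == "ips":
                    self.blocked.add(p.flow_id)
        return p.flow_id not in self.blocked


# Constructed traffic: flows 1 and 3 are attacks whose signatures are split
# across two packets each; flow 2 is a benign request.
SAMPLE_PACKETS = [
    Packet(1, "198.51.100.7", "192.0.2.10", b"GET /cgi-bin/te"),
    Packet(2, "198.51.100.8", "192.0.2.10", b"GET /index.html HTTP/1.0\r\n\r\n"),
    Packet(1, "198.51.100.7", "192.0.2.10", b"st-cgi?x=1 HTTP/1.0\r\n\r\n"),
    Packet(3, "198.51.100.9", "192.0.2.11", b"\x90" * 5),
    Packet(3, "198.51.100.9", "192.0.2.11", b"\x90" * 3 + b"\xcc"),
]


def run_demo(mode: str) -> tuple[list[bool], list[tuple[int, str]]]:
    """Run SAMPLE_PACKETS through a StreamInspector; return per-packet decisions and alerts."""
    inspector = StreamInspector(mode)
    decisions = [inspector.process(p) for p in SAMPLE_PACKETS]
    return decisions, inspector.alerts


if __name__ == "__main__":
    print("per-packet alerts:", inspect_per_packet(SAMPLE_PACKETS))
    for mode in ("ids", "ips"):
        decisions, alerts = run_demo(mode)
        print(mode, "forwarded:", decisions, "alerts:", alerts)
```

Two things the run makes visible: the per-packet inspector reports nothing at all, and the IPS forwards the first fragment of each attack before it has enough data to decide, so an inline device can only cut a flow off from the point of recognition, not retroactively. Neither inspector sees anything inside an encrypted payload, which is the gap the HIDS section above addresses.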

Method of anomalies

This method detects illegal actions on the network and on hosts. From the history of normal operation of the host and network, profiles are built that describe that normal behaviour. Special detectors then analyse incoming events, comparing them with the "norm" recorded in the profiles using various algorithms. A definite plus of the method is that there is no need to accumulate a huge number of attack signatures. Its undoubted minus is the considerable number of false alarms raised by atypical but perfectly legitimate events on the network.
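The profile-and-compare approach described above, as an added example that is not code from the original article. A baseline log of constructed login records (the format "user source_host hour bytes_sent" is invented for the demo) is turned into a per-user profile of source hosts, hours of activity and volume sent; new events are then scored against that profile. The three test events show a normal login, a likely exfiltration, and the false positive the paragraph warns about: a legitimate but atypical night-time login that is flagged anyway.

```python
"""
Profile-based anomaly detection over constructed login records.
Added example; the log format and every record below are invented.
"""
import statistics
from collections import defaultdict

# Constructed baseline: a period of normal activity per user ("user host hour bytes_sent").
BASELINE_LOG = """\
alice ws-12 9 1200
alice ws-12 10 1800
alice ws-12 11 2500
alice ws-12 13 1500
alice ws-12 14 2200
alice ws-12 16 1900
alice ws-12 17 1400
bob ws-07 8 800
bob ws-07 12 1100
bob ws-07 15 900
"""


def parse(line: str) -> tuple[str, str, int, int]:
    user, host, hour, nbytes = line.split()
    return user, host, int(hour), int(nbytes)


def build_profiles(log: str) -> dict:
    """Learn, per user, the source hosts seen, the hours of activity and the bytes sent."""
    profiles = defaultdict(lambda: {"hosts": set(), "hours": [], "bytes": []})
    for line in log.splitlines():
        if not line.strip():
            continue
        user, host, hour, nbytes = parse(line)
        p = profiles[user]
        p["hosts"].add(host)
        p["hours"].append(hour)
        p["bytes"].append(nbytes)
    return profiles


def score_event(profiles: dict, line: str, z_threshold: float = 3.0) -> list[str]:
    """Return the reasons an event deviates from its user's profile (empty list means normal)."""
    user, host, hour, nbytes = parse(line)
    if user not in profiles:
        return [f"unknown user {user}"]
    p = profiles[user]
    reasons = []
    if host not in p["hosts"]:
        reasons.append(f"new source host {host}")
    lo, hi = min(p["hours"]) - 1, max(p["hours"]) + 1   # one hour of slack either side
    if not lo <= hour <= hi:
        reasons.append(f"hour {hour} outside usual window {lo}-{hi}")
    mean = statistics.mean(p["bytes"])
    sd = statistics.pstdev(p["bytes"]) or 1.0           # avoid division by zero on constant data
    z = (nbytes - mean) / sd
    if z > z_threshold:
        reasons.append(f"bytes sent {nbytes} is {z:.1f} standard deviations above normal")
    return reasons


# Constructed test events.
NORMAL_EVENT = "alice ws-12 14 2000"          # usual host, usual hour, usual volume
SUSPICIOUS_EVENT = "alice vps-99 2 48000000"  # unknown host, 02:00, 48 MB out
LEGIT_BUT_ATYPICAL = "alice ws-12 3 1300"     # real maintenance login at 03:00: a false positive


def demo() -> dict[str, list[str]]:
    profiles = build_profiles(BASELINE_LOG)
    events = [("normal", NORMAL_EVENT), ("suspicious", SUSPICIOUS_EVENT), ("atypical", LEGIT_BUT_ATYPICAL)]
    return {name: score_event(profiles, ev) for name, ev in events}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name:10s} {'OK' if not reasons else '; '.join(reasons)}")
```

The baseline must itself be clean: if the learning window already contains the attacker's activity, that activity becomes part of the "norm". Tuning the slack and the z-score threshold is the trade-off the paragraph describes, fewer false alarms on one side against missed subtle deviations on the other.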

Policy Method

Another method of detecting attacks is the policy method. Its essence is the creation of network security rules that specify, for example, which hosts may communicate with each other and which protocols they may use. The method is promising, but building the policy base is a rather complicated process.
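A policy check of the kind described above, as an added example that is not code from the original article. Hosts are grouped into zones by address range, an allow-list says which zone may talk to which over which protocol and port, and flow records that match no rule are reported. The zones, addresses, rule set and flow records (written in a simple "src dst proto dport" form) are all constructed for the demo.

```python
"""
Policy-based detection: flow records are checked against explicit rules about
which network zones may talk to each other, and over which protocol and port.
Added example; zones, rules, addresses and flows are invented.
"""
import ipaddress
from typing import Optional

# Zone definitions (constructed).
ZONES = {
    "workstations": ipaddress.ip_network("10.1.0.0/16"),
    "app": ipaddress.ip_network("10.2.0.0/24"),
    "db": ipaddress.ip_network("10.3.0.0/24"),
}

# Allow-list policy: (source zone, destination zone, protocol, destination port).
# Anything not listed is a violation; default deny is what makes the method useful.
POLICY = {
    ("workstations", "app", "tcp", 443),
    ("workstations", "app", "tcp", 22),
    ("app", "db", "tcp", 5432),
}


def zone_of(ip: str) -> str:
    """Return the zone containing ip, or 'external' if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def check_flow(line: str) -> Optional[str]:
    """Flow record 'src dst proto dport'. Return None if permitted, else a description of the violation."""
    src, dst, proto, dport = line.split()
    key = (zone_of(src), zone_of(dst), proto.lower(), int(dport))
    if key in POLICY:
        return None
    return f"{src} ({key[0]}) -> {dst} ({key[1]}) {key[2]}/{key[3]} is not allowed by policy"


def check_flows(lines) -> list[str]:
    """Return the violation descriptions for every flow that matches no rule."""
    return [v for v in (check_flow(line) for line in lines) if v is not None]


# Constructed flow records, as a NetFlow collector might export them.
SAMPLE_FLOWS = [
    "10.1.4.7 10.2.0.10 tcp 443",     # workstation to app server: allowed
    "10.2.0.10 10.3.0.5 tcp 5432",    # app server to database: allowed
    "10.1.4.7 10.3.0.5 tcp 5432",     # workstation straight to the database: violation
    "10.3.0.5 203.0.113.9 tcp 443",   # database server calling out to the Internet: violation
    "10.1.4.7 10.1.4.8 tcp 445",      # workstation to workstation SMB (lateral movement): violation
]


if __name__ == "__main__":
    for violation in check_flows(SAMPLE_FLOWS):
        print("ALERT:", violation)
```

The difficulty the paragraph mentions shows up as soon as this is applied to a real network: every legitimate path (monitoring, backups, patching, DNS) has to be written into the allow-list, or it is reported as a violation, which is why the policy base takes so much effort to build and maintain.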

ID Systems will provide reliable protection for your networks and computer systems

The ID Systems group of companies is one of the market leaders in building security systems for computer networks. It will provide you with reliable protection against cyber criminals. With ID Systems protection in place you need not worry about the data that matters to you, and with less anxiety you will be able to enjoy life more.

ID Systems: employee feedback

A fine team, and most importantly, of course, the right attitude of the company's management towards its employees. Everyone (even fledgling newcomers) has the opportunity for professional growth. True, for that you of course need to prove yourself, and then everything will work out.

The team has a healthy atmosphere. Beginners are always taught everything and shown everything. No unhealthy competition is felt. Employees who have worked at the company for many years gladly share all the technical subtleties. They are benevolent, and answer even the most stupid questions of inexperienced workers without a shadow of condescension. In general, working at ID Systems brings some pleasant emotions.

The attitude of management is pleasantly pleasing. It is also pleasing that here they obviously know how to work with personnel, because the team is really highly professional. The opinion of the employees is almost unanimous: they feel at home.

Copyright © 2018 en.atomiyme.com. Theme powered by WordPress.