Intrusion Detection System
A hardware device designed to monitor and protect computer networks from suspicious, malicious, and prohibited network activity.
An IDS can be configured to enforce the security policy that an organization's network administrator has defined. The IDS then uses signature patterns derived from that policy to detect various types of malicious activity within a traffic stream.
Detection Methods
There are two main types of detection, signature-based and heuristic-based.
Signature-based detection (also called pattern matching, dictionary matching, or misuse detection) looks for patterns in network traffic and compares them against a dataset of known attack patterns. It works much like antivirus software, which searches for the specific fingerprints that known viruses leave behind. It relies on a repository of reported attacks and flags anything that matches a known attack vector.
Heuristic-based detection is based on monitoring normal activity. It requires a bit more setup, because the system first observes the network operating normally and records that baseline. It then alerts the network administrator when activity falls outside the known baseline, using clipping levels or thresholds defined during setup. Because it measures deviation from normal rather than matching known patterns, heuristic-based detection can respond to previously unknown attack methods, something signature-based detection cannot do.
Signature-based detection is known for more false negatives (an attack with no matching signature is missed), while heuristic-based detection is known for more false positives (unusual but legitimate activity trips a threshold).
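To make the two methods concrete, here is a small added example (not part of the original lesson) that runs both over a constructed set of HTTP request records. The signature detector matches two textbook patterns; the heuristic detector learns a per-source request-volume baseline from a training window and alerts when a source exceeds mean + clipping_level × standard deviation. All IP addresses, request lines, signature names and the clipping level are invented for the example.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed sample HTTP request records, (source_ip, request_line).
# Invented for this example; these are not captured traffic.
BASELINE_TRAFFIC = [
    ("10.0.0.5", "GET /index.html HTTP/1.1"),
    ("10.0.0.5", "GET /about.html HTTP/1.1"),
    ("10.0.0.6", "GET /index.html HTTP/1.1"),
    ("10.0.0.6", "GET /contact.html HTTP/1.1"),
    ("10.0.0.6", "POST /login HTTP/1.1"),
    ("10.0.0.7", "GET /index.html HTTP/1.1"),
]

# Observation window (also constructed): one request from 10.0.0.8 that matches
# a known signature, and an unusually large burst of otherwise ordinary
# requests from 10.0.0.9 that matches no signature at all.
OBSERVED_TRAFFIC = [
    ("10.0.0.5", "GET /index.html HTTP/1.1"),
    ("10.0.0.8", "GET /../../etc/passwd HTTP/1.1"),
] + [("10.0.0.9", f"GET /page{i}.html HTTP/1.1") for i in range(41)]

# Signature repository: name -> pattern of a known attack.  Two simple
# textbook patterns are enough to show the mechanism.
SIGNATURES = {
    "directory-traversal": re.compile(r"\.\./"),
    "sql-tautology": re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE),
}


def signature_alerts(traffic):
    """Signature-based detection: flag every request matching a known pattern."""
    alerts = []
    for src, request in traffic:
        for name, pattern in SIGNATURES.items():
            if pattern.search(request):
                alerts.append((src, name))
    return alerts


def build_baseline(traffic):
    """Learn 'normal' from a training window: requests per source address."""
    counts = Counter(src for src, _ in traffic)
    per_source = list(counts.values())
    return {"mean": mean(per_source), "stdev": pstdev(per_source)}


def heuristic_alerts(traffic, baseline, clipping_level=3.0):
    """Heuristic detection: flag sources whose request volume exceeds the
    baseline mean by more than clipping_level standard deviations."""
    threshold = baseline["mean"] + clipping_level * baseline["stdev"]
    counts = Counter(src for src, _ in traffic)
    return [(src, "volume-anomaly", n) for src, n in counts.items() if n > threshold]


def compare_detectors(baseline_traffic, observed_traffic):
    """Run both detectors over the same window and return their alerts."""
    baseline = build_baseline(baseline_traffic)
    return {
        "signature": signature_alerts(observed_traffic),
        "heuristic": heuristic_alerts(observed_traffic, baseline),
    }


if __name__ == "__main__":
    for method, alerts in compare_detectors(BASELINE_TRAFFIC, OBSERVED_TRAFFIC).items():
        print(method, alerts)
```

Running it shows the complementarity described above: the signature detector catches the single traversal request from 10.0.0.8 but says nothing about 10.0.0.9 (a false negative for an unknown method), while the heuristic detector flags 10.0.0.9's burst but ignores 10.0.0.8, whose one request is well within the volume baseline. Lowering clipping_level makes the heuristic detector more sensitive and, on real traffic, raises its false-positive rate.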
Configuration
An IDS is deployed with a packet sniffer that reads frames from a mirrored switch port (SPAN port) or a network TAP. Placed this way, it aims to detect malicious traffic that has already gotten past the firewalls, providing defense in depth.
Trend Analysis
Trend analysis is a critical aspect of managing intrusion detection systems (IDS) and intrusion prevention systems (IPS): it builds an understanding of an environment over time and helps identify patterns, anomalies, and potential threats. By tracking events and alerts, security analysts can identify patterns and trends that indicate ongoing or growing threats. For example, an increase in alerts related to a specific attack may suggest that the network is being targeted or that a vulnerability is being actively exploited. Trending also helps in tuning IDS/IPS systems: over time, analysts can identify false positives or unnecessary alerts that fire frequently, and those alerts can be tuned down so analysts can focus on the ones that matter.
Trending data can contribute to operational security strategies by identifying common threats and frequently targeted systems. This approach highlights areas of weakness that need attention, either through changes in security policy or investment in additional security tools and training.
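The three uses of trending described above (spotting a growing threat, finding noisy signatures to tune, and identifying frequently targeted systems) can be computed from an alert log with a few aggregations. The following is an added example, not part of the lesson, that runs them over a constructed week of alert records; the signature names, host names and daily counts are invented, and the rising-trend rule (last three days versus the earlier days, factor of three) and the noise rule (fires every day and makes up at least half of all alerts) are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict
from statistics import mean


def constructed_alerts():
    """Build a week of (day, signature, destination_host) alert records.
    Constructed for this example; not real IDS output."""
    alerts = []
    # A signature whose daily count climbs sharply in the last three days.
    for day, n in enumerate([2, 2, 3, 2, 15, 20, 25], start=1):
        alerts += [(day, "web-sqli-attempt", "web-01")] * n
    for day in range(1, 8):
        # Steady, low-volume alerts against one host.
        alerts += [(day, "ssh-brute-force", "bastion-01")] * 5
        # Steady, high-volume alerts spread across many hosts: tuning candidate.
        for i in range(8):
            alerts += [(day, "icmp-large-packet", f"host-{i:02d}")] * 5
    return alerts


def daily_counts(alerts):
    """Return {signature: Counter(day -> alert count)}."""
    out = defaultdict(Counter)
    for day, sig, _ in alerts:
        out[sig][day] += 1
    return out


def rising_signatures(alerts, recent_days=3, factor=3.0):
    """Signatures whose mean daily count over the last `recent_days` days is
    at least `factor` times the mean over the earlier days.  Returns the
    ratio per rising signature (inf when the signature was absent earlier)."""
    per_sig = daily_counts(alerts)
    all_days = sorted({d for d, _, _ in alerts})
    recent, earlier = all_days[-recent_days:], all_days[:-recent_days]
    rising = {}
    for sig, counts in per_sig.items():
        recent_mean = mean(counts.get(d, 0) for d in recent)
        earlier_mean = mean(counts.get(d, 0) for d in earlier) if earlier else 0
        if recent_mean > 0 and (earlier_mean == 0 or recent_mean / earlier_mean >= factor):
            rising[sig] = round(recent_mean / earlier_mean, 2) if earlier_mean else float("inf")
    return rising


def tuning_candidates(alerts, min_share=0.5):
    """Signatures that fire every single day and account for at least
    `min_share` of all alerts: steady, high-volume noise worth reviewing
    for false positives.  Returns each candidate's share of total alerts."""
    per_sig = daily_counts(alerts)
    all_days = {d for d, _, _ in alerts}
    total = len(alerts)
    return {
        sig: round(sum(c.values()) / total, 3)
        for sig, c in per_sig.items()
        if set(c) == all_days and sum(c.values()) / total >= min_share
    }


def most_targeted(alerts, top_n=3):
    """Destination hosts that attract the most alerts over the whole period."""
    return Counter(host for _, _, host in alerts).most_common(top_n)


if __name__ == "__main__":
    alerts = constructed_alerts()
    print("rising:", rising_signatures(alerts))
    print("tuning candidates:", tuning_candidates(alerts))
    print("most targeted:", most_targeted(alerts))
```

On the constructed data the sqli signature is reported as rising (about 8.9× its earlier daily average), the ICMP signature is the only tuning candidate (roughly 73% of all alerts, every day), and web-01 is the most targeted host. In practice the windows and factors are set per environment, and a rising signature is a prompt for investigation rather than proof of an attack.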