
Intrusion Detection System

A hardware or software system designed to monitor computer networks and report suspicious, malicious, and prohibited network activity so that it can be investigated and stopped.

An IDS is configured by the network administrator to enforce the security policy the organization has defined. The IDS uses detection rules (signature patterns and thresholds) derived from that policy to identify various types of malicious activity within a traffic stream.

Detection Methods

There are two main types of detection: signature-based and heuristic-based.

Signature-based detection (also called pattern matching, dictionary matching, or misuse detection) looks for patterns in network traffic and compares them to a dataset of known attack patterns. It is similar to how viruses have specific fingerprints that antivirus programs search for to detect their presence: it relies on a repository of known attack signatures and flags anything that matches one. Traffic that matches no signature passes silently, so an attack that has not yet been written into a signature will not be detected.

Heuristic-based detection (also called anomaly-based detection) is based on monitoring normal activity. It requires more setup, as it first observes the network operating as normal and records that baseline. It alerts the network administrator when network activity falls outside of the known baseline, using clipping levels or thresholds that are defined during setup. Because it does not depend on a list of known patterns, heuristic-based detection allows the system to respond to unknown attack methods, something that signature-based detection cannot do. The trade-off is that any legitimate but unusual activity (a backup job, a new application rollout) also falls outside the baseline and will raise alerts until the baseline is retrained or the thresholds are adjusted.

Signature-based detection is known for more false negatives (attacks it misses), while heuristic-based detection is known for more false positives (benign activity it flags).
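The two detection methods, and their characteristic failure modes, as an added example that is not part of the original page. The signatures, baseline counts and request payloads below are constructed for illustration; they are not rules from any real IDS. The signature detector matches known patterns and misses a novel payload (a false negative); the heuristic detector learns a baseline of requests per time window and uses a clipping level (a multiple of the standard deviation above the mean) as its threshold.

```python
import re
from statistics import mean, pstdev

# Constructed signature set: name -> pattern, standing in for a real rule repository.
SIGNATURES = {
    "SQLi union select": re.compile(rb"union\s+select", re.IGNORECASE),
    "Directory traversal": re.compile(rb"\.\./\.\./"),
    "Shell command injection": re.compile(rb";\s*(cat|wget|curl)\s"),
}

# Constructed traffic sample: (payload, ground-truth label). The last entry is an
# attack that no signature above describes, so signature matching will miss it.
CONSTRUCTED_TRAFFIC = [
    (b"GET /index.html HTTP/1.1", "benign"),
    (b"GET /?id=1 UNION SELECT user,pass FROM users", "known attack"),
    (b"GET /../../etc/passwd HTTP/1.1", "known attack"),
    (b"GET /?q=1;id HTTP/1.1", "novel attack"),
]

# Constructed baseline: requests observed per one-minute window during normal operation.
BASELINE_WINDOWS = [40, 45, 38, 42, 50, 41, 44, 39]


def signature_detect(payload: bytes) -> list[str]:
    """Misuse detection: return the names of every known signature the payload matches."""
    return [name for name, pattern in SIGNATURES.items() if pattern.search(payload)]


def signature_false_negatives(traffic) -> list[bytes]:
    """Attacks in the labelled sample that the signature set fails to flag."""
    return [payload for payload, label in traffic
            if label != "benign" and not signature_detect(payload)]


class BaselineDetector:
    """Heuristic detection: learn what 'normal' looks like, then alert beyond a threshold."""

    def __init__(self, clipping_level: float = 3.0):
        # Clipping level: how many standard deviations above the mean is still 'normal'.
        self.clipping_level = clipping_level
        self.mean = 0.0
        self.stdev = 0.0

    def train(self, window_counts) -> None:
        """Record the baseline from counts observed while the network runs normally."""
        counts = list(window_counts)
        self.mean = mean(counts)
        self.stdev = pstdev(counts)

    def threshold(self) -> float:
        # Floor the spread at 1.0 so a perfectly flat baseline does not alert on +1.
        return self.mean + self.clipping_level * max(self.stdev, 1.0)

    def is_anomalous(self, window_count: int) -> bool:
        """True when a window's request count exceeds the learned threshold."""
        return window_count > self.threshold()


if __name__ == "__main__":
    for payload, label in CONSTRUCTED_TRAFFIC:
        print(label, payload, "->", signature_detect(payload) or "no match")
    print("missed by signatures:", signature_false_negatives(CONSTRUCTED_TRAFFIC))

    detector = BaselineDetector()
    detector.train(BASELINE_WINDOWS)
    for count in (45, 300):
        print(count, "requests/min anomalous:", detector.is_anomalous(count))
```

The novel payload is exactly the case the heuristic detector is for: a burst of 300 requests in a minute is far outside the learned baseline and is flagged without any signature for it, whereas a legitimate surge of the same size (for example a load test) would be flagged too, which is the false-positive cost mentioned above.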

Configuration

An IDS needs a packet sniffer that reads frames from a mirrored (SPAN) switch port or a network TAP, so that it sees a copy of the traffic without sitting inline. Placed behind the firewall, its aim is to detect malicious traffic that has already gotten past the firewall rules, providing defense in depth.

Trend Analysis

Trend analysis is a critical aspect of managing intrusion detection systems (IDS) and intrusion prevention systems (IPS), as it aids in understanding an environment over time and helps identify patterns, anomalies, and potential threats. By tracking events and alerts over time, security analysts can identify patterns and trends that indicate ongoing or growing threats. For example, an increase in alerts related to a specific attack may suggest that a network is being targeted or that a vulnerability is being actively exploited.

Trending also helps in tuning IDS/IPS systems. Over time, security analysts can identify false positives or unnecessary alerts that fire frequently. These alerts can be tuned down (suppressed, thresholded, or rewritten) so analysts can focus on the alerts that matter.
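Both uses of trend analysis described above (spotting a rising attack and finding noisy rules to tune), as an added example that is not part of the original page. The alert log is constructed inline; the signature names and the two-week split are assumptions made for the illustration, not output from any real IDS.

```python
from collections import Counter, defaultdict
from datetime import date


def build_constructed_alerts():
    """Constructed alert log: (day, signature_name) pairs over six days.

    - a chatty ping-sweep rule fires 30 times every day (candidate for tuning)
    - a SQL-injection rule climbs from 1/day to 14/day (a growing threat)
    - a traversal rule fires a steady 2/day (nothing to see)
    """
    days = [date(2024, 1, d) for d in range(1, 7)]
    alerts = []
    for day in days:
        alerts += [(day, "ICMP ping sweep")] * 30
        alerts += [(day, "Directory traversal")] * 2
    for day, n in zip(days, [1, 1, 2, 6, 10, 14]):
        alerts += [(day, "SQLi union select")] * n
    return alerts


def daily_counts(alerts):
    """counts[signature][day] = number of alerts for that signature on that day."""
    counts = defaultdict(Counter)
    for day, signature in alerts:
        counts[signature][day] += 1
    return counts


def rising_signatures(alerts, min_ratio=2.0, min_alerts=5):
    """Signatures whose alert count in the later half of the period is at least
    min_ratio times the earlier half. min_alerts ignores rules too rare to trend.
    Returns (signature, earlier_count, later_count) tuples, steepest first."""
    counts = daily_counts(alerts)
    days = sorted({day for day, _ in alerts})
    earlier, later = days[:len(days) // 2], days[len(days) // 2:]
    rising = []
    for signature, per_day in counts.items():
        first = sum(per_day[d] for d in earlier)
        second = sum(per_day[d] for d in later)
        if second >= min_alerts and second >= min_ratio * max(first, 1):
            rising.append((signature, first, second))
    return sorted(rising, key=lambda r: r[2] / max(r[1], 1), reverse=True)


def noisy_signatures(alerts, share=0.5):
    """Signatures responsible for at least `share` of all alerts in the period:
    the first place to look when tuning down false positives."""
    totals = Counter(signature for _, signature in alerts)
    overall = sum(totals.values())
    return [sig for sig, n in totals.most_common() if n / overall >= share]


if __name__ == "__main__":
    alerts = build_constructed_alerts()
    for signature, first, second in rising_signatures(alerts):
        print(f"rising: {signature}: {first} -> {second} alerts")
    for signature in noisy_signatures(alerts):
        print(f"tuning candidate (dominates alert volume): {signature}")
```

The ratio test is deliberately crude; on a real alert feed you would trend per source or destination as well as per signature, since a single scanner can inflate one rule's count without the rule itself being the problem.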