
WA3. Intrusion Detection Systems

Statement

In some ways, Intrusion Detection Systems are similar to Firewalls. Read What Is an Intrusion Detection System?, and answer the following questions on the types of IDS used for network protection:

  • Describe each of the four IDS types.
  • Explain how each of the IDS types operates. What is the best-suited operational environment in terms of both network and business?
  • In the concluding part of your assignment compare the types of IDS against each other. Explain why all these IDS exist with their Pros and Cons.

Solution

Introduction

An Intrusion Detection System (IDS) is a security tool (hardware or software) that is usually put behind a firewall to detect malicious activity that has passed the firewall and entered the network (or the host). IDSs are used to detect suspicious activity and flag it with a special log entry or alert to the administrators or security team (Velimirovic, 2021).

IDSs are not used to prevent or respond to attacks, but rather to flag them. If the IDS is armed with some functionality to respond to attacks, like automatically blocking the source IP address or automatically locking some part of the system; it is called an Intrusion Prevention System (IPS) (Velimirovic, 2021).

There are four types of IDS (Velimirovic, 2021):

  • Network-based intrusion detection system (NIDS)
  • Host-based intrusion detection system (HIDS)
  • Signature-based intrusion detection system (SIDS)
  • Anomaly-based intrusion detection system (AIDS)

Network-based intrusion detection system (NIDS)

NIDS is usually placed in the network just behind the network firewall; it operates by monitoring all inbound and outbound traffic to every host in the network.

It is best suited for large networks with many hosts; a common strategy is to divide such a network into smaller subnets and place an NIDS at the boundary of each subnet to protect it.

Advantages of NIDS include its ability to monitor many hosts at once, covering large networks.

Disadvantages of NIDS include its cost, and it may become a bottleneck in high-traffic networks; this issue is usually solved by having the NIDS passively listen to a copy of the traffic rather than having the traffic wait for the NIDS to process it.

Host-based intrusion detection system (HIDS)

HIDS is placed at the boundary of a single host; it operates by taking snapshots of the system state (including files, processes, network connections, etc.) and comparing them to previous snapshots to detect malicious activity.

It is best suited for single high-value hosts, such as main servers or database servers, or for hosts with high-profile users.

Advantages of HIDS include deeper visibility, and thus coverage of more attack types. It is better at detecting anomalies in encrypted traffic, and better at detecting attacks that are not network-based, such as attacks launched from the host itself.

Disadvantages of HIDS include its cost, since each instance covers only a single host, and its greater susceptibility to attacks launched against the HIDS itself.
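
The snapshot-and-compare mechanism described above, as an added Python example that is not part of the original assignment or the cited sources. The `Snapshot` structure, the two constructed snapshots, and the `diff_snapshots` function are all assumptions made for illustration; a real HIDS would collect these from the host itself.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Snapshot:
    """One point-in-time view of host state, as a HIDS would record it."""
    files: dict       # path -> sha256 hex digest of the file content
    processes: set    # names of running processes
    listeners: set    # (protocol, port) pairs accepting connections


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_snapshots(previous: Snapshot, current: Snapshot) -> list:
    """Compare a fresh snapshot to the last known-good one and return one
    finding per change; an empty list means nothing on the host moved."""
    findings = []
    for path, digest in current.files.items():
        old = previous.files.get(path)
        if old is None:
            findings.append(f"file added: {path}")
        elif old != digest:
            findings.append(f"file modified: {path}")
    for path in previous.files.keys() - current.files.keys():
        findings.append(f"file removed: {path}")
    for proc in current.processes - previous.processes:
        findings.append(f"new process: {proc}")
    for proto, port in current.listeners - previous.listeners:
        findings.append(f"new listener: {proto}/{port}")
    return sorted(findings)


# Constructed baseline: what the host looked like when it was known to be clean.
BASELINE = Snapshot(
    files={"/etc/passwd": sha256_hex(b"root:x:0:0:root:/root:/bin/bash\n"),
           "/usr/sbin/sshd": sha256_hex(b"constructed sshd binary v1")},
    processes={"sshd", "cron"},
    listeners={("tcp", 22)},
)

# Constructed later snapshot: passwd changed, and a new process is listening.
LATER = Snapshot(
    files={"/etc/passwd": sha256_hex(b"root:x:0:0:root:/root:/bin/bash\nsvc:x:1001:1001::/home/svc:/bin/sh\n"),
           "/usr/sbin/sshd": sha256_hex(b"constructed sshd binary v1")},
    processes={"sshd", "cron", "updater"},
    listeners={("tcp", 22), ("tcp", 8081)},
)

if __name__ == "__main__":
    for finding in diff_snapshots(BASELINE, LATER):
        print("HIDS alert:", finding)
```

Because the comparison is against stored hashes rather than network traffic, the same check works whether or not the traffic that caused the change was encrypted, which is the visibility advantage noted above.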

Signature-based intrusion detection system (SIDS)

SIDS is placed within the network and operates by comparing the traffic to a database of known attack signatures. If a match is found, the traffic is flagged as malicious.

It is best suited for securing legacy systems in large organizations, as these are more susceptible to known attacks.

Advantages of SIDS include its ability to detect known and low-effort attacks, and its efficiency in monitoring inbound traffic.

Disadvantages of SIDS include its inability to detect unknown and new attacks, and the need to keep its signature database up to date.

Anomaly-based intrusion detection system (AIDS)

AIDS is placed within the network and operates by monitoring the traffic and comparing it to a baseline of normal traffic. If the traffic deviates from the baseline, it is flagged as malicious. It may use machine learning to learn the baseline and any changes to it.

It is best suited for large organizations with flexible business models, where traffic patterns may change frequently but malicious activity still needs to be flagged.

Advantages of AIDS include its ability to detect unknown and new attacks, and its reliance on machine learning and AI.

Disadvantages of AIDS include its complexity, heavy resource usage, and false positives.
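
The following added Python example (not from the original assignment or the cited sources) contrasts the SIDS and AIDS mechanisms described in the two sections above on constructed request records. The signature matcher flags the known pattern even at low volume but misses the novel flood, while the baseline check flags the flood but also raises a false positive on a legitimate burst. The record format, the single signature, and the threshold rule are assumptions made for illustration.

```python
import re
import statistics
from collections import Counter


# Each record is (source_ip, request_path, minute); every value below is constructed.
def constructed_requests(src, minute, n, path="/index.html"):
    return [(src, path, minute) for _ in range(n)]


# Training window: ordinary browsing, one to three requests per source per minute.
TRAINING = (constructed_requests("10.0.0.5", 1, 1) + constructed_requests("10.0.0.6", 1, 2)
            + constructed_requests("10.0.0.5", 2, 3) + constructed_requests("10.0.0.6", 2, 2)
            + constructed_requests("10.0.0.7", 2, 2))

# Test window: one known-bad request at low volume, one legitimate burst from a
# regular user, and one flood of benign-looking requests that matches no signature.
TEST = (constructed_requests("10.0.0.5", 3, 2)
        + [("10.0.0.9", "/download?file=../../config", 3)]
        + constructed_requests("10.0.0.7", 3, 5)
        + constructed_requests("10.0.0.8", 3, 30, "/search?q=sale"))

# Signature-based detection: a (tiny) database of known-bad request patterns.
SIGNATURES = {"path-traversal": re.compile(r"\.\./")}


def signature_alerts(records):
    """Return (source, signature_name) for every request matching a known signature."""
    return [(src, name) for src, path, _ in records
            for name, pattern in SIGNATURES.items() if pattern.search(path)]


# Anomaly-based detection: learn what normal request volume looks like, then
# flag any source whose per-minute volume is far above that baseline.
def learn_baseline(records):
    per_minute = Counter((src, minute) for src, _, minute in records)
    values = list(per_minute.values())
    return statistics.mean(values), statistics.pstdev(values)


def anomaly_alerts(records, mean, stdev, k=3.0):
    per_minute = Counter((src, minute) for src, _, minute in records)
    threshold = mean + k * stdev
    return sorted({src for (src, _), n in per_minute.items() if n > threshold})


if __name__ == "__main__":
    print("SIDS alerts:", signature_alerts(TEST))
    print("AIDS alerts:", anomaly_alerts(TEST, *learn_baseline(TRAINING)))
```

Source 10.0.0.7 appears in the AIDS output only because its burst exceeds the learned baseline, which is exactly the false-positive cost listed as a disadvantage above.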

Comparison

As we saw, each model has its own mechanism, advantages, and disadvantages. When choosing which model to use, a hybrid model is the best solution, combining as many models as possible so that they provide the best advantages and cover each other's disadvantages (Loshin, 2019). The following table shows a comparison between the four models:

| Model | Mechanism | Best Suited For | Advantages | Disadvantages |
|---|---|---|---|---|
| NIDS | Monitors packets | Large networks | Covers large networks with many hosts | Cost, performance bottleneck |
| HIDS | Monitors system state | Single high-value host | Deeper visibility | Cost, susceptible to attacks |
| SIDS | Compares packet signatures to a database | Legacy systems | Detects known attacks | Cannot detect new attacks |
| AIDS | Detects changes from usual traffic | Flexible businesses | Detects new attacks, uses AI and machine learning | Complexity, resource usage |

Conclusion

To conclude, IDSs are used to detect malicious activity as soon as it enters the network; however, they do not prevent or respond to attacks. They suffer from issues such as false positives and false negatives; thus, an IDS is not enough on its own and should be one part of a larger security system whose components together form a strong defense strategy.

References