Intrusion Detection and Prevention System: Varun Gupta

This document discusses intrusion detection and prevention systems (IDPS). It begins by defining intrusion detection systems (IDS) as software or hardware that monitors network traffic for suspicious activity and alerts administrators. Intrusion prevention systems (IPS) perform the same analysis as IDS but can also block or drop malicious traffic since it is inserted inline. The document then discusses common IDS and IPS methodologies like signature-based detection, anomaly-based detection, and stateful protocol analysis. It provides examples of typical IDS deployments and popular open-source tools like Snort.

Uploaded by Varun Gupta
Copyright: Attribution Non-Commercial (BY-NC)

INTRUSION DETECTION AND PREVENTION SYSTEM

VARUN GUPTA

Abstract—An intrusion detection system (IDS) is a software and/or hardware based system that monitors network traffic for suspicious activity and alerts the system or network administrator. In some cases the IDS may also respond to anomalous or malicious traffic by taking action such as blocking the user or source IP address from accessing the network.

I. INTRODUCTION

Intrusion Prevention Systems (IPS), also known as Intrusion Detection and Prevention Systems (IDPS), are network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about said activity, attempt to block/stop the activity, and report the activity.

Intrusion Detection and Intrusion Prevention Systems, IDS and IPS respectively, are mature network level defenses deployed in thousands of computer networks worldwide. The basic difference between the two technologies lies in how they provide protection for network environments. Intrusion Detection Systems, IDS, analyze network traffic and generate alerts when malicious activity is discovered. They are generally able to reset TCP connections by issuing specially crafted packets after an attack begins, and some are even able to interface with firewall systems to re-write firewall rulesets on-the-fly. The limitation of Intrusion Detection Systems is that they cannot preempt network attacks, because IDS sensors are based on packet sniffing technologies that only watch network traffic as it passes by. Intrusion Prevention Systems, IPS, perform the same analysis as Intrusion Detection Systems but, because they are inserted in-line between other network components, they can preempt malicious activity. In contrast to IDS sensors, network traffic flows through an IPS sensor, not past it, so the IPS sensor can pull or drop traffic from the wire. This is the critical difference between IDS and IPS, and it has implications for how both can be used. Because IPS sensors require traffic to flow through them, they can only be deployed at network choke points, while IDS sensors can provide much broader network coverage.

II. MATERIALS AND METHODOLOGIES

Intrusion Detection System

An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a management station. Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators. In addition, organizations use IDPSs for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSs have become a necessary addition to the security infrastructure of nearly every organization.

Typical locations for an intrusion detection system are as shown in the following figure (the figure is not reproduced in this copy).
Following are the types of intrusion detection systems:

Host-Based Intrusion Detection System (HIDS)

Host-based intrusion detection systems, or HIDS, are installed as agents on a host. These intrusion detection systems can look into system and application log files to detect any intruder activity.

Network-Based Intrusion Detection System (NIDS)

These IDSs detect attacks by capturing and analyzing network packets. Listening on a network segment or switch, one network-based IDS can monitor the network traffic affecting multiple hosts that are connected to the network segment, thereby protecting those hosts. Network-based IDSs often consist of a set of single-purpose sensors or hosts placed at various points in a network. These units monitor network traffic, performing local analysis of that traffic and reporting attacks to a central management console.

Some important topics that come under intrusion detection are as follows:

Signatures - A signature is the pattern that you look for inside a data packet. A signature is used to detect one or multiple types of attacks. For example, the presence of "scripts/iisadmin" in a packet going to your web server may indicate intruder activity. Signatures may be present in different parts of a data packet depending upon the nature of the attack.

Alerts - Alerts are any sort of user notification of intruder activity. When an IDS detects an intruder, it has to inform the security administrator about this using alerts. Alerts may be in the form of pop-up windows, logging to a console, sending e-mail and so on. Alerts are also stored in log files or databases where they can be viewed later by security experts.

Logs - The log messages are usually saved in a file. Log messages can be saved either in text or binary format.

False Alarms - False alarms are alerts generated due to an indication that is not intruder activity. For example, misconfigured internal hosts may sometimes broadcast messages that trigger a rule, resulting in generation of a false alert. Some routers, like Linksys home routers, generate lots of UPnP related alerts. To avoid false alarms, you have to modify and tune different default rules. In some cases you may need to disable some of the rules to avoid false alarms.

Sensor - The machine on which an intrusion detection system is running is also called the sensor in the literature, because it is used to "sense" the network.

Snort - Snort is a very flexible network intrusion detection system that has a large set of pre-configured rules. Snort also allows you to write your own rule set. There are several mailing lists on the internet where people share new Snort rules that can counter the latest attacks.

Snort is a modern security application that can perform the following three functions:

* It can serve as a packet sniffer.
* It can work as a packet logger.
* It can work as a Network-Based Intrusion Detection System (NIDS).

Intrusion Prevention Systems

Intrusion prevention systems are considered extensions of intrusion detection systems because they both monitor network traffic and/or system activities for malicious activity. The main difference is that, unlike intrusion detection systems, intrusion prevention systems are placed in-line and are able to actively prevent/block intrusions that are detected. More specifically, an IPS can take such actions as sending an alarm, dropping the malicious packets, resetting the connection and/or blocking the traffic from the offending IP address. An IPS can also correct CRC errors, defragment packet streams, prevent TCP sequencing issues, and clean up unwanted transport and network layer options.

Common Detection Methodologies

IDPS technologies use many methodologies to detect incidents. The following subsections discuss the primary classes of detection methodologies: signature-based, anomaly-based, and stateful protocol analysis, respectively. Most IDPS technologies use multiple detection methodologies, either separately or integrated, to provide broader and more accurate detection.

Signature-Based Detection

A signature is a pattern that corresponds to a known threat. Signature-based detection is the process of comparing signatures against observed events to identify possible incidents. Examples of signatures are as follows:

* A telnet attempt with a username of "root", which is a violation of an organization's security policy
* An e-mail with a subject of "Free pictures!" and an attachment filename of "freepics.exe", which are characteristics of a known form of malware
* An operating system log entry with a status code value of 645, which indicates that the host's auditing has been disabled.

Signature-based detection is very effective at detecting known threats but largely ineffective at detecting previously unknown threats, threats disguised by the use of evasion techniques, and many variants of known threats. For example, if an attacker modified the malware in the previous example to use a filename of "freepics2.exe", a signature looking for "freepics.exe" would not match it. Signature-based detection is the simplest detection method because it just compares the current unit of activity, such as a packet or a log entry, to a list of signatures using string comparison operations. Signature-based detection technologies have little understanding of many network or application protocols and cannot track and understand the state of complex communications. For example, they cannot pair a request with the corresponding response, such as knowing that a request to a Web server for a particular page generated a response status code of 403, meaning that the server refused to fill the request. They also lack the ability to remember previous requests when processing the current request. This limitation prevents signature-based detection methods from detecting attacks that comprise multiple events if none of the events contains a clear indication of an attack.

Anomaly-Based Detection

Anomaly-based detection is the process of comparing definitions of what activity is considered normal against observed events to identify significant deviations. An IDPS using anomaly-based detection has profiles that represent the normal behavior of such things as users, hosts, network connections, or applications. The profiles are developed by monitoring the characteristics of typical activity over a period of time. For example, a profile for a network might show that Web activity comprises an average of 13% of network bandwidth at the Internet border during typical workday hours. The IDPS then uses statistical methods to compare the characteristics of current activity to thresholds related to the profile, such as detecting when Web activity comprises significantly more bandwidth than expected and alerting an administrator of the anomaly. Profiles can be developed for many behavioral attributes, such as the number of e-mails sent by a user, the number of failed login attempts for a host, and the level of processor usage for a host in a given period of time.

The major benefit of anomaly-based detection methods is that they can be very effective at detecting previously unknown threats. For example, suppose that a computer becomes infected with a new type of malware. The malware could consume the computer's processing resources, send large numbers of e-mails, initiate large numbers of network connections, and perform other behavior that would be significantly different from the established profiles for the computer. An initial profile is generated over a period of time (typically days, sometimes weeks), sometimes called a training period. Profiles for anomaly-based detection can either be static or dynamic. Once generated, a static profile is unchanged unless the IDPS is specifically directed to generate a new profile. A dynamic profile is adjusted constantly as additional events are observed. Because systems and networks change over time, the corresponding measures of normal behavior also change; a static profile will eventually become inaccurate, so it needs to be regenerated periodically. Dynamic profiles do not have this problem, but they are susceptible to evasion attempts from attackers. For example, an attacker can perform small amounts of malicious activity occasionally, then slowly increase the frequency and quantity of activity. If the rate of change is sufficiently slow, the IDPS might think the malicious activity is normal behavior and include it in its profile. Malicious activity might also be observed by an IDPS while it builds its initial profiles. Inadvertently including malicious activity as part of a profile is a common problem with anomaly-based IDPS products. (In some cases, administrators can modify the profile to exclude activity in the profile that is known to be malicious.)

Another problem with building profiles is that it can be very challenging in some cases to make them accurate, because computing activity can be so complex. For example, if a particular maintenance activity that performs large file transfers occurs only once a month, it might not be observed during the training period; when the maintenance occurs, it is likely to be considered a significant deviation from the profile and trigger an alert. Anomaly-based IDPS products often produce many false positives because of benign activity that deviates significantly from profiles, especially in more diverse or dynamic environments. Another noteworthy problem with the use of anomaly-based detection techniques is that it is often difficult for analysts to determine why a particular alert was generated and to validate that an alert is accurate and not a false positive, because of the complexity and number of events that may have caused the alert to be generated.
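The signature examples above, worked through as an added illustration (this is not code from the paper): a minimal signature matcher implementing the telnet-root, "Free pictures!" malware, status-code-645 and "scripts/iisadmin" signatures as plain string comparisons over constructed events. The field names, operator set and sample events are assumptions for the demo; the run shows the stated weakness, in that the "freepics2.exe" variant produces no alert.

```python
# Added example, not code from the paper: stateless signature matching over
# constructed events. Every event is checked on its own, with string
# comparison only, exactly as the text describes for signature-based detection.
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Signature:
    name: str
    terms: tuple   # (event field, comparison, literal) triples; all must hold

def _eq(actual: str, literal: str) -> bool:
    return actual.lower() == literal.lower()

def _contains(actual: str, literal: str) -> bool:
    return literal.lower() in actual.lower()

OPS: dict[str, Callable[[str, str], bool]] = {"eq": _eq, "contains": _contains}

# The three signatures listed in the text plus the "scripts/iisadmin" check.
SIGNATURES = [
    Signature("telnet-root-login", (("proto", "eq", "telnet"), ("user", "eq", "root"))),
    Signature("freepics-malware", (("proto", "eq", "smtp"),
                                   ("subject", "eq", "Free pictures!"),
                                   ("attachment", "eq", "freepics.exe"))),
    Signature("auditing-disabled", (("proto", "eq", "oslog"), ("status", "eq", "645"))),
    Signature("iisadmin-probe", (("proto", "eq", "http"), ("uri", "contains", "scripts/iisadmin"))),
]

def matches(sig: Signature, event: dict) -> bool:
    # No protocol understanding and no memory of earlier events: each field of
    # the current event is compared with a literal, nothing more.
    return all(OPS[op](str(event.get(field, "")), literal)
               for field, op, literal in sig.terms)

def scan(events: list) -> list:
    """Return (event index, signature name) pairs for every hit."""
    return [(i, sig.name) for i, ev in enumerate(events)
            for sig in SIGNATURES if matches(sig, ev)]

# Constructed sample events (not real traffic or logs).
EVENTS = [
    {"proto": "telnet", "src": "10.0.0.5", "user": "root"},
    {"proto": "smtp", "subject": "Free pictures!", "attachment": "freepics.exe"},
    {"proto": "smtp", "subject": "Free pictures!", "attachment": "freepics2.exe"},  # variant: no match
    {"proto": "oslog", "host": "ws17", "status": "645"},
    {"proto": "http", "uri": "/scripts/iisadmin/default.htm"},
    {"proto": "http", "uri": "/index.html"},
]

if __name__ == "__main__":
    for idx, name in scan(EVENTS):
        print(f"event {idx}: {name}")
```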
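The static-versus-dynamic profile argument above, run on constructed data as an added example (not the paper's code). The profiled metric is the paper's "Web share of border bandwidth", the baseline is a mean plus K standard deviations learned over a training period, and the ramp, window size, K and training values are assumptions chosen for the demo; it shows that a static profile flags a slowly rising share while a dynamic profile that re-learns from everything it did not flag absorbs the same ramp.

```python
# Added example, not from the paper: anomaly-based profiles, static vs dynamic,
# on constructed observations. An observation above mean + K*std is an anomaly.
from collections import deque
from statistics import mean, pstdev
from typing import Optional

K = 3.0        # alert threshold in standard deviations (assumed value)
MIN_STD = 0.1  # floor so a flat training set cannot yield a zero-width band

class Profile:
    def __init__(self, training: list, dynamic: bool, window: int = 10):
        # Training period: the baseline is built from samples taken as "normal".
        self.dynamic = dynamic
        self.samples = deque(training, maxlen=window)
        self.alerts: list = []

    def threshold(self) -> float:
        return mean(self.samples) + K * max(pstdev(self.samples), MIN_STD)

    def observe(self, step: int, value: float) -> bool:
        alert = value > self.threshold()
        if alert:
            self.alerts.append(step)
        elif self.dynamic:
            # Dynamic profile: anything not flagged becomes part of "normal",
            # which is how a slow ramp of activity is absorbed into the baseline.
            self.samples.append(value)
        return alert

# Constructed training samples: Web share hovering around the paper's 13% figure.
TRAINING = [12.0, 13.5, 14.0, 12.5, 13.0, 13.5, 12.5, 14.0, 13.0, 13.0]

def slow_ramp(steps: int = 40, start: float = 13.2, increment: float = 0.3) -> list:
    # Constructed observations: the share creeps up a little every period.
    return [start + increment * i for i in range(steps)]

def first_alert(dynamic: bool) -> Optional[int]:
    """Step at which a profile of the given kind first alerts on the ramp, or None."""
    profile = Profile(TRAINING, dynamic=dynamic)
    for step, value in enumerate(slow_ramp()):
        profile.observe(step, value)
    return profile.alerts[0] if profile.alerts else None

if __name__ == "__main__":
    print("static profile first alert at step:", first_alert(dynamic=False))
    print("dynamic profile first alert at step:", first_alert(dynamic=True))
```

The static profile alerts once the share passes about 15% (its fixed band), whereas the dynamic one never does over the whole ramp; regenerating a static profile periodically, as the text recommends, is what keeps it from drifting out of date without opening this gap.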
Stateful Protocol Analysis

Stateful protocol analysis is the process of comparing predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state against observed events to identify deviations. Unlike anomaly-based detection, which uses host or network-specific profiles, stateful protocol analysis relies on vendor-developed universal profiles that specify how particular protocols should and should not be used. The "stateful" in stateful protocol analysis means that the IDPS is capable of understanding and tracking the state of network, transport, and application protocols that have a notion of state. For example, when a user starts a File Transfer Protocol (FTP) session, the session is initially in the unauthenticated state. Unauthenticated users should only perform a few commands in this state, such as viewing help information or providing usernames and passwords. An important part of understanding state is pairing requests with responses, so when an FTP authentication attempt occurs, the IDPS can determine if it was successful by finding the status code in the corresponding response. Once the user has authenticated successfully, the session is in the authenticated state, and users are expected to perform any of several dozen commands. Performing most of these commands while in the unauthenticated state would be considered suspicious, but in the authenticated state performing most of them is considered benign. Stateful protocol analysis can identify unexpected sequences of commands, such as issuing the same command repeatedly or issuing a command without first issuing a command upon which it is dependent. Another state tracking feature of stateful protocol analysis is that for protocols that perform authentication, the IDPS can keep track of the authenticator used for each session, and record the authenticator used for suspicious activity. This is helpful when investigating an incident. Some IDPSs can also use the authenticator information to define acceptable activity differently for multiple classes of users or specific users.

The "protocol analysis" performed by stateful protocol analysis methods usually includes reasonableness checks for individual commands, such as minimum and maximum lengths for arguments. If a command typically has a username argument, and usernames have a maximum length of 20 characters, then an argument with a length of 1000 characters is suspicious. If the large argument contains binary data, then it is even more suspicious. Stateful protocol analysis methods use protocol models, which are typically based primarily on protocol standards from software vendors and standards bodies (e.g., Internet Engineering Task Force [IETF] Request for Comments [RFC]). The protocol models also typically take into account variances in each protocol's implementation. Many standards are not exhaustively complete in explaining the details of the protocol, which causes variations among implementations. Also, many vendors either violate standards or add proprietary features, some of which may replace features from the standards. For proprietary protocols, complete details about the protocols are often not available, making it difficult for IDPS technologies to perform comprehensive, accurate analysis. As protocols are revised and vendors alter their protocol implementations, IDPS protocol models need to be updated to reflect those changes.

The primary drawback to stateful protocol analysis methods is that they are very resource-intensive because of the complexity of the analysis and the overhead involved in performing state tracking for many simultaneous sessions. Another serious problem is that stateful protocol analysis methods cannot detect attacks that do not violate the characteristics of generally acceptable protocol behavior, such as performing many benign actions in a short period of time to cause a denial of service. Yet another problem is that the protocol model used by an IDPS might conflict with the way the protocol is implemented in particular versions of specific applications and operating systems, or how different client and server implementations of the protocol interact.

III. LIMITATIONS

Noise

Noise can severely limit an intrusion detection system's effectiveness. Bad packets generated from software bugs, corrupt DNS data, and local packets that escaped can create a significantly high false-alarm rate.[3]

Too few attacks

It is not uncommon for the number of real attacks to be far below the false-alarm rate. Real attacks are often so far below the false-alarm rate that they are missed and ignored.[3]

Signature updates

Many attacks are geared for specific versions of software that are usually outdated. A constantly changing library of signatures is needed to mitigate threats. Outdated signature databases can leave the IDS vulnerable to new strategies.
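The FTP walk-through in the stateful protocol analysis section above, as an added example (not code from the paper): a small state tracker for the FTP control channel that holds the unauthenticated/authenticated state, pairs a PASS with the reply code that answers it, records the session's authenticator, flags commands that are out of place for the current state or issued without their prerequisite, and applies the 20-character username reasonableness check with the binary-data escalation. The allowed-command set, reply codes, limits and both transcripts are assumptions constructed for the demo.

```python
# Added example, not from the paper: stateful protocol analysis of an FTP
# control-channel transcript. Two transcripts are constructed below: a benign
# login-and-download, and one that breaks the protocol model in several ways.
from dataclasses import dataclass, field
from typing import Optional

UNAUTH_OK = {"USER", "PASS", "HELP", "FEAT", "QUIT"}  # commands acceptable before login
NEEDS_PRIOR = {"PASS": "USER"}                        # command -> command it depends on
MAX_USERNAME = 20                                     # reasonableness limit from the text

@dataclass
class Session:
    state: str = "UNAUTHENTICATED"
    authenticator: Optional[str] = None   # username recorded once login succeeds
    pending_user: Optional[str] = None    # USER argument awaiting the PASS reply
    awaiting: Optional[str] = None        # client command whose reply is outstanding
    last_cmd: Optional[str] = None
    findings: list = field(default_factory=list)

def _reasonableness(cmd: str, arg: str, s: Session) -> None:
    # Per-command checks on argument length, escalated if the data is binary.
    if cmd == "USER" and len(arg) > MAX_USERNAME:
        s.findings.append(f"USER argument length {len(arg)} exceeds {MAX_USERNAME}")
        if any(not c.isprintable() for c in arg):
            s.findings.append("USER argument contains binary data")

def client(line: str, s: Session) -> None:
    cmd, _, arg = line.partition(" ")
    cmd = cmd.upper()
    if s.state == "UNAUTHENTICATED" and cmd not in UNAUTH_OK:
        s.findings.append(f"{cmd} issued in unauthenticated state")
    if cmd in NEEDS_PRIOR and s.last_cmd != NEEDS_PRIOR[cmd]:
        s.findings.append(f"{cmd} issued without preceding {NEEDS_PRIOR[cmd]}")
    _reasonableness(cmd, arg, s)
    if cmd == "USER":
        s.pending_user = arg
    s.awaiting, s.last_cmd = cmd, cmd

def server(line: str, s: Session) -> None:
    code = line[:3]
    # Request/response pairing: the reply to PASS decides the state transition.
    if s.awaiting == "PASS":
        if code == "230":
            s.state = "AUTHENTICATED"
            s.authenticator = s.pending_user
        elif code == "530":
            s.findings.append(f"failed login for user {str(s.pending_user)[:20]!r}")
    s.awaiting = None

def analyze(transcript: list) -> Session:
    """Run one control-channel transcript of ("C"|"S", line) pairs through the tracker."""
    s = Session()
    for who, line in transcript:
        (client if who == "C" else server)(line, s)
    return s

# Constructed transcripts (not captured traffic). "C" = client, "S" = server.
BENIGN = [
    ("C", "USER alice"), ("S", "331 Password required"),
    ("C", "PASS s3cret"), ("S", "230 Login successful"),
    ("C", "PWD"), ("S", "257 \"/home/alice\""),
    ("C", "RETR report.pdf"), ("S", "150 Opening data connection"),
    ("S", "226 Transfer complete"), ("C", "QUIT"), ("S", "221 Goodbye"),
]
SUSPICIOUS = [
    ("C", "RETR report.pdf"), ("S", "530 Please login first"),
    ("C", "PASS guess"), ("S", "503 Login with USER first"),
    ("C", "USER " + "A" * 999 + "\x00"), ("S", "331 Password required"),
    ("C", "PASS guess"), ("S", "530 Login incorrect"),
]

if __name__ == "__main__":
    for name, t in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        s = analyze(t)
        print(name, s.state, s.authenticator, s.findings)
```

The second transcript never reaches the authenticated state, so the recorded authenticator stays empty and the findings carry the username fragment an analyst would want when investigating, as the text describes.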
IV. RECOMMENDATIONS

Clearly, existing IDS and IPS technologies have some limits, the need to protect at choke points only being chief among them. Aside from increases in processing speed, yielding the ability to inspect and protect more data per second, it seems that incorporating IDS and IPS technology into the network infrastructure is a logical next step. Some vendors are already providing something like this in the way of add-on modules or blades for existing switches. But I think we will begin to see a hybridization of switch and security technologies in the next few years: a single device that appears to be a switch but has enough intelligence to perform a security analysis of not just every packet crossing the backplane but to keep state on and watch every conversation, a session in network parlance. Such a device eliminates the need for separate IDS or IPS sensors sitting in the network and can conceivably protect systems on adjoining ports from each other, which is possible but cost prohibitive using today's technology. These hybrid devices will be much more than just a switch with IPS. They will both require new technologies within the switch chassis and enable new network architectures without. Whenever these devices arrive, however, the need for them exists today.

Do note, however, that the foregoing discussion does not mention firewalls. The merger of firewalls and IPS/IDS technologies isn't necessarily logical. Firewalls are designed for very rapid inspection of packet headers so they can make very rapid decisions about passing traffic. Intrusion Detection and Prevention Systems are designed to delve far deeper into packets and entire network sessions. I think it will be many years before we see network devices that can effectively deal with both of these jobs.

V. REFERENCES

IETF, RFC 2267, Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing. http://www.ietf.org/rfc/rfc2267.txt

NIST, SP 500-267, A Profile for IPv6 in the U.S. Government, Version 1.0 (DRAFT). http://www.antd.nist.gov/

NIST, SP 800-31, Intrusion Detection Systems. http://csrc.nist.gov/publications/nistpubs/

NIST, SP 800-42, Guideline on Network Security Testing. http://csrc.nist.gov/publications/nistpubs/

NIST, SP 800-51, Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme. http://csrc.nist.gov/publications/nistpubs/

NIST, SP 800-53, Recommended Security Controls for Federal Information Systems. http://csrc.nist.gov/publications/nistpubs/

NIST, SP 800-61, Computer Security Incident Handling Guide. http://csrc.nist.gov/publications/nistpubs/
