Researching Intrusion Detection Systems

Network intrusion detection and prevention systems

Nunya Bidd

Abstract

Currently, there is a rapid increase in malware because of how much computers control in our lives. This paper is to help inform people on what intrusion detection and intrusion prevention systems are, how they can help, and how they can set one up. Today, people need to be more aware online than ever and these systems can help alert the user of malicious items or stop them in their tracks. There are 4 main types of these systems and this paper reviews them and can help the user decide which option is best for them.

Intrusion detection and intrusion prevention systems (IDS and IPS) are two anti-malware monitoring tools used for computers and networks. They can be servers which monitor or direct network traffic, or a program that runs in the background on a computer. Both of these work in similar ways but it depends on the user’s wants and needs. In terms of price, the best choice would be to get an intrusion detection/prevention program rather than a dedicated server as there are some high quality, free options out there to use.

Intrusion detection systems are the simpler of the two; It will go through only about half of the steps of a IPS, its purpose is to sit back and watch network traffic for anything suspicious. The NIDS are a part of the network but unlike the (network) IPS, it doesn’t redirect all the traffic and filter it out. The IDS will watch and alert the user if anything comes up. This doesn’t only include malware, the system will also alarm the user if any unexpected changes are made to the computer, such as an executable file being changed or something new being added to the boot order. If the user has computer knowledge, this would be enough to help the user identify and then remove the threats.[pic 1]

Network intrusion protection systems are the most secure option, all network traffic is redirected through the NIPS before it ever reaches any of the systems on that network. This basically acts as another layer to your firewall and it will take action to stop malicious programs. First the NIPS will alert the user, then drop the malicious packets, then it will block further traffic from the source of the packets and then reset connections once the issue is dealt with. HIPS are like NIPS, where they stop malicious activities, but they are only for an individual computer which basically makes them an anti-malware system. [pic 2]

        These systems use both signature based and anomaly based forms of detection. Signature based means that the system will watch for anything known to be malicious and block it. A list has been developed for these systems to read from which includes the names of each known malicious sight or program and is constantly being added to. Due to the rapid development of new types of malware, these systems have adapted by using anomaly based detection which look for signs and compare the sight with other known trusted sights to reach a conclusion. If a new location is assumed to be malware, it will alert the user and ask to either allow the packets, or block the sight.

        There are many free intrusion and protection programs out for the public. These work great but many of them, like the leading NID/NIP Snort, use a command line interface rather than a user interface. Snort is a great program that can stand up to more expensive IPS/IDS in terms of performance and versatility. The team behind developing Snort describes it as an open source network intrusion prevention system, capable of performing real-time traffic analysis and packet logging on IP networks.

It can perform protocol analysis and detect thing such as port scans, probes and has support for smaller OS like Fedora. In Snort, you set rules for the program to follow and tell it what to look for then let it run in the background, although it would be beneficial to run it on something that can act as a server rather than your main pc since the network intrusion/detection would reroute all network traffic and could cause performance issues. Another great NID/NIP is Suricata, much like Snort it uses a command line interface and has many of the same features, since it is based off of Snort. The biggest difference between the two is that Suricata uses a Unix command line interface. [pic 3]

...