9: IDS and IPS Flashcards
What is an IDS
A device or software application that monitors a network (network-based IDS) or a system (host-based IDS) for intrusive activities.
is IDS a substitute for firewall
No, it complements the function of a firewall.
Monitoring activities : Network based IDS vs Host based IDS
Network-based IDS monitors activities on an identified network.
Host-based IDS monitors activities on a particular single system or host.
False positive rate : Network based IDS vs Host based IDS
The false positive rate (wrong alarm) is HIGH for network-based IDS.
The false positive rate (wrong alarm) is LOW for host-based IDS.
What does each IDS detect
Network-based IDS is better for detecting attacks from outside.
Host-based IDS is better for detecting attacks from insiders.
What do network based IDS check for
They check for attacks or irregular behavior by inspecting the contents and header information of all packets moving across the network.
what do host based IDS check for
They can detect activity on the host computer such as deletion of files or modification of programs.
Components of an IDS
Sensors / analyzers / administrative console / user interface
What does a sensor do
Collects the data (in the form of network packets, log files) and sends it to the analyzer.
What does an analyzer do
It analyzes the data and determines the intrusive activity.
User interface
Enables the user to view results and take necessary action.
Administrative console
To manage the IDS rules and functions
Types of IDS
Signature-based / statistical-based / neural network
Signature based IDS
Intrusion is identified based on known types of attacks. Such known patterns are stored in the form of signatures.
Statistical based
Determines the (known and expected) behavior of the system. Any activity which falls outside the scope of normal behavior is flagged as an intrusion.
Neural network
It's similar to a statistical IDS, but with added self-learning functionality. It monitors the general pattern of activities and creates a database.
Limitation of IDS
Cannot detect application-level vulnerabilities
Cannot detect back doors into applications
Cannot detect encrypted traffic
Network IDS placed between the Internet and the firewall
It will detect all the attack attempts (whether or not they enter the firewall).
Network IDS placed between firewall and the corporate network
It will detect only those attempts which get through the firewall (cases where the firewall failed to block the attack).
IPS vs IDS
IDS only monitors and records intrusion activities.
IPS detects and prevents intrusions.
Challenges in implementation of IPS
Threshold limits that are too high or too low will reduce the effectiveness of the IPS.
The IPS may itself become a threat when attackers send commands to a large number of hosts protected by the IPS to make them dysfunctional.
Which IDS creates its own database
Neural Network
Which IDS system is effective in detecting fraud
Neural Network
Which IDS generates MOST false positives (false alarms)
Statistical-based IDS