Page 184 - DCAP516_COMPUTER_SECURITY
6. Unquestionable Detection Accuracy: It is imperative that the quality of the signatures is beyond question, since a false positive on an inline sensor means legitimate traffic is dropped, i.e. a Denial of Service condition. The user MUST be able to trust that the IDS is blocking only the malicious traffic the user has selected. New signatures should be made available on a regular basis, and applying them should be quick (applied to all sensors in one operation via a central console) and seamless (no sensor reboot required).
7. Fine-grained Granularity and Control: Fine-grained control is required over exactly which malicious traffic is blocked. The ability to specify traffic to be blocked by attack, by policy, or right down to the individual host level is vital. In addition, it may be necessary to only alert on suspicious traffic (rather than block it) so that it can be analysed and investigated further.
8. Advanced Alert Handling and Forensic Analysis Capabilities: Once the alerts have been raised at the sensor and passed to a central console, someone has to examine them, correlate them where necessary, investigate them, and eventually decide on an action. The capabilities offered by the console in terms of alert viewing (real-time and historic) and reporting are key in determining the effectiveness of the IPS product.
14.5 Intrusion Detection System
Intrusion Detection System (IDS) technology is an important component in designing a secure environment. It is a type of security management system for computers and networks. An IDS gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside) and misuse (attacks from inside).
It is software and/or hardware designed to detect unwanted attempts at accessing, manipulating, and/or disabling computer systems, mainly through a network such as the Internet. These attempts may be made, for example, by crackers, by malware, or by disgruntled employees. An IDS cannot directly detect attacks carried inside properly encrypted traffic, because it cannot inspect the payload.
An intrusion detection system is used to detect several types of malicious behaviour that can compromise the security and trust of a computer system. This includes network attacks against vulnerable services, data-driven attacks on applications, host-based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses, trojan horses, and worms).
Notes: An IDS can be composed of several components: Sensors, which generate security events; a Console, used to monitor events and alerts and to control the sensors; and a central Engine, which records the events logged by the sensors in a database and uses a system of rules to generate alerts from the security events received.
There are several ways to categorize an IDS depending on the type and location of the sensors
and the methodology used by the engine to generate alerts. In many simple IDS implementations
all three components are combined in a single device or appliance.
While there are several types of IDSs, the most common types work the same way: they analyze network traffic and log files for certain patterns. What kind of patterns, you may ask? While a firewall will continually block a hacker from connecting to a network, most firewalls never alert an administrator.
The administrator may notice if he/she checks the access log of the firewall, but that could be weeks or even months after the attack. This is where an IDS comes into play. The attempts to pass through the firewall are logged, and the IDS analyzes that log. At some point in the log there will be a large number of request-reject entries, and that cluster of rejects is the pattern the IDS is looking for.
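The following is an added example, not code from the textbook, that puts the three IDS components described above (sensor, engine with rules, console) to work on the firewall-log scenario just described, and also illustrates the fine-grained control asked for in point 7 (alert-only versus block responses, and per-host exemptions). The firewall log lines, their format, the host addresses, the rule names and the thresholds are all constructed for this example and do not correspond to any real product.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample firewall log (the sensor's raw output). The line format is an
# assumption made for this example, not the syntax of any real firewall.
FIREWALL_LOG = """\
2024-03-01 10:00:01 ACCEPT src=198.51.100.7 dst=192.0.2.10 dport=443 proto=tcp
2024-03-01 10:00:05 REJECT src=203.0.113.5 dst=192.0.2.10 dport=21 proto=tcp
2024-03-01 10:00:06 REJECT src=203.0.113.5 dst=192.0.2.10 dport=22 proto=tcp
2024-03-01 10:00:07 REJECT src=203.0.113.5 dst=192.0.2.10 dport=23 proto=tcp
2024-03-01 10:00:08 REJECT src=203.0.113.5 dst=192.0.2.10 dport=25 proto=tcp
2024-03-01 10:00:09 REJECT src=203.0.113.5 dst=192.0.2.10 dport=80 proto=tcp
2024-03-01 10:00:10 REJECT src=203.0.113.5 dst=192.0.2.10 dport=110 proto=tcp
2024-03-01 10:03:00 REJECT src=198.51.100.7 dst=192.0.2.10 dport=22 proto=tcp
2024-03-01 10:09:00 REJECT src=198.51.100.7 dst=192.0.2.10 dport=22 proto=tcp
2024-03-01 10:10:00 REJECT src=192.0.2.50 dst=192.0.2.10 dport=21 proto=tcp
2024-03-01 10:10:01 REJECT src=192.0.2.50 dst=192.0.2.10 dport=22 proto=tcp
2024-03-01 10:10:02 REJECT src=192.0.2.50 dst=192.0.2.10 dport=23 proto=tcp
2024-03-01 10:10:03 REJECT src=192.0.2.50 dst=192.0.2.10 dport=25 proto=tcp
2024-03-01 10:10:04 REJECT src=192.0.2.50 dst=192.0.2.10 dport=80 proto=tcp
this line is malformed and must be skipped rather than crash the engine
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>ACCEPT|REJECT) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    action: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_events(log_text: str) -> list[Event]:
    """Sensor stage: turn raw log lines into security events, skipping unparsable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(Event(
            ts=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            action=m["action"], src=m["src"], dst=m["dst"],
            dport=int(m["dport"]), proto=m["proto"],
        ))
    return events


@dataclass(frozen=True)
class Rule:
    name: str
    threshold: int                          # this many REJECT entries from one source ...
    window: timedelta                       # ... within this time span trigger the rule
    response: str                           # "alert" (log only) or "block" (drop traffic)
    exempt_hosts: frozenset = frozenset()   # per-host control: sources the rule ignores


def evaluate(events: list[Event], rule: Rule) -> list[dict]:
    """Engine stage: apply one rule to the events and return the alerts it raises."""
    rejects = defaultdict(list)
    for ev in events:
        if ev.action == "REJECT" and ev.src not in rule.exempt_hosts:
            rejects[ev.src].append(ev.ts)
    alerts = []
    for src, times in rejects.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):            # sliding window over this source's rejects
            while t - times[start] > rule.window:
                start += 1
            if end - start + 1 >= rule.threshold:
                alerts.append({"rule": rule.name, "src": src, "response": rule.response,
                               "count": end - start + 1,
                               "first": times[start].isoformat(), "last": t.isoformat()})
                break                              # one alert per source per rule, no flooding
    return alerts


# Constructed rule set: a low threshold that only alerts, a high one that blocks.
# 192.0.2.50 stands for an internal host (e.g. a scanner) the operator has exempted.
RULES = [
    Rule("rapid-rejects", threshold=5, window=timedelta(seconds=60), response="alert",
         exempt_hosts=frozenset({"192.0.2.50"})),
    Rule("reject-flood", threshold=20, window=timedelta(seconds=60), response="block"),
]


def run_engine(log_text: str, rules=RULES) -> list[dict]:
    events = parse_events(log_text)
    alerts = []
    for rule in rules:
        alerts.extend(evaluate(events, rule))
    return alerts


if __name__ == "__main__":
    for alert in run_engine(FIREWALL_LOG):         # console stage: just print here
        print(alert)
```

On the sample log, only the "rapid-rejects" rule fires, and only for 203.0.113.5: its six rejects in six seconds cross the threshold of five, while the two spaced-out rejects from 198.51.100.7 never do, and the exempted internal host is ignored even though it produced a similar burst. The "alert" response records the event for an administrator to investigate rather than dropping traffic, which is the distinction point 7 above asks for.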
178 LOVELY PROFESSIONAL UNIVERSITY