Chapter 7 - 04 - Understand Different Types of IDS-IPS and their Role PDF
Summary
This document discusses different types of intrusion detection systems (IDS), including misuse and anomaly detection systems. Misuse detection systems use predefined rules to identify known attacks. Anomaly detection systems detect deviations from normal behavior to spot unknown attacks. The document also addresses advantages and disadvantages of each system.
Full Transcript
Certified Cybersecurity Technician Exam 212-82 Network Security Controls — Technical Controls

Anomaly and Misuse Detection Systems

Misuse Detection System

In a misuse detection system, the abnormal behavior of the system is defined first, and then the normal behavior. The misuse detection system works differently from an anomaly detection system in that it takes a static approach to detecting attacks. Generally, misuse detection systems show a low rate of false positives because the rules are predefined, using techniques such as rule-based languages, state transition analysis, expert systems, etc.

Figure 7.67: Misuse detection system (diagram: Auditing Modules and Profiles feed an Inference Engine and a Detection Module that watch the Target Systems)

Module 07 Page 828 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Advantages
- More accurate detection than an anomaly detection system
- Fewer false alarms

Disadvantage
- Unable to detect new attacks due to predefined rules

Anomaly Detection System

An anomaly detection system involves detecting intrusions on the network. It uses algorithms to detect discrepancies occurring in a network or system. It categorizes an intrusion as either normal or anomalous. Anomaly intrusion detection is a two-step process: the first step involves gathering information on how data flows, and the second step involves working on that data flow in real time and detecting whether the data is normal or not. By implementing this process, an anomaly detection-based IDS protects the target systems and networks that may be vulnerable to malicious activities. Anomalies in the system can be detected through artificial intelligence, neural networks, data mining, statistical methods, etc.
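The two detection styles described above, side by side, as an added example that is not part of the course material: a misuse detector with two predefined rules, and an anomaly detector that first learns a profile of requests per source per window (step 1) and then scores the current window against it (step 2). The signatures, addresses, request paths and training counts are all constructed for the example. Running it shows the trade-off the text describes: the misuse detector catches only the request that matches a rule, while the anomaly detector catches the novel burst but also flags a legitimate backup job that was never part of the model.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# --- Misuse detection: predefined rules describing known attacks ---------------
# Constructed signatures for the example; a real rule set would be far larger.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"(?i)\bunion\s+select\b"),
}


def misuse_detect(requests):
    """Return (source, rule) pairs for requests matching a predefined rule.

    Anything that matches no rule is treated as normal, which is exactly why
    this style cannot see an attack nobody has written a rule for."""
    hits = []
    for req in requests:
        for rule, pattern in SIGNATURES.items():
            if pattern.search(req["path"]):
                hits.append((req["src"], rule))
                break
    return hits


# --- Anomaly detection: profile normal behaviour, then flag deviations ---------
def build_profile(training_counts):
    """Step 1: learn how traffic normally flows (requests per source per window)."""
    return {"mean": mean(training_counts), "std": pstdev(training_counts)}


def anomaly_detect(profile, requests, threshold=3.0):
    """Step 2: compare the current window with the learned profile.

    A source is flagged when its request count exceeds the profile mean by more
    than `threshold` standard deviations (one-sided: only excess traffic)."""
    counts = Counter(req["src"] for req in requests)
    flagged = []
    for src, count in counts.items():
        z = (count - profile["mean"]) / profile["std"] if profile["std"] else 0.0
        if z > threshold:
            flagged.append((src, count))
    return flagged


# Constructed training data: requests per source in ten earlier one-minute windows.
TRAINING_COUNTS = [10, 12, 11, 13, 9, 12, 10, 11, 14, 12]

# Constructed current window with four sources:
#   10.0.0.5  normal browsing
#   10.0.0.7  normal rate, but one request carries a known traversal pattern
#   10.0.0.9  burst against an export endpoint with no matching signature (novel)
#   10.0.0.20 burst from a legitimate backup job that was never in the profile
CURRENT_WINDOW = (
    [{"src": "10.0.0.5", "path": "/index.html"}] * 12
    + [{"src": "10.0.0.7", "path": "/index.html"}] * 9
    + [{"src": "10.0.0.7", "path": "/static/../../etc/passwd"}]
    + [{"src": "10.0.0.9", "path": f"/api/export?id={i}"} for i in range(60)]
    + [{"src": "10.0.0.20", "path": f"/backup/chunk/{i}"} for i in range(40)]
)


def run_example():
    """Run both detectors over the constructed window and return their verdicts."""
    profile = build_profile(TRAINING_COUNTS)
    return {
        "misuse": misuse_detect(CURRENT_WINDOW),
        "anomaly": anomaly_detect(profile, CURRENT_WINDOW),
    }


if __name__ == "__main__":
    for detector, verdicts in run_example().items():
        print(f"{detector:8s} -> {verdicts}")
```

The anomaly score is deliberately one-sided: a source that sends fewer requests than usual is not an intrusion signal here, and treating it as one would only add false positives. Retraining the profile when the backup job is scheduled is how such a false positive would be removed in practice.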
Figure 7.68: Anomaly detection system (diagram: Auditing Modules and Profiles feed an Anomaly Detection module that watches the Target Systems)

Advantages
- It detects and identifies probes in network hardware, thereby providing early warnings about attacks.
- It has the ability to detect a wide range of attacks in the network.

Disadvantages
- If a legitimate network behavior is not part of the designed model, the system will detect it as anomalous. This increases the number of false positive alerts in the system.
- Network traffic varies, and deploying the same model throughout can lead to a failure in detecting known attacks.

Behavior-based IDS

Behavior-based intrusion detection techniques assume an intrusion can be detected by observing a deviation from the normal or expected behavior of the system or users. The model of normal or valid behavior is extracted from reference information collected by various means. The IDS later compares this model with current activity. When a deviation is observed, an alarm is generated. An IDS is categorized based on how it reacts to a potential intrusion.
It functions in one of two modes, active or passive, based on the behavior after an attack.

Active IDS Mode

Figure 7.69: Active IDS Mode (diagram: traffic passes the firewall to a front-line IPS that listens, monitors and actively responds)

Detects and responds to detected intrusions. An active IDS is configured to automatically block suspected attacks without any intervention from the administrator. Such an IDS has the advantage of providing real-time corrective action in response to an attack. The exact action differs per product and depends on the severity and type of the attack.

Passive IDS Mode

Figure 7.70: Passive IDS Mode (diagram: traffic passes the firewall to an IDS that only listens and monitors)

Only detects intrusions. A passive IDS is configured only to monitor and analyze network traffic activity and alert the administrator of any potential vulnerabilities and attacks. This type of IDS is not capable of performing any protective or corrective functions on its own. It merely logs the intrusion and notifies an administrator through email or pop-ups. A system administrator or someone else will have to respond to the alarm, take appropriate action to halt the attack, and possibly identify the intruder.
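The active and passive modes just described, as an added example rather than code from the course: the same detection engine handles the same alert stream, and only the response policy differs. In passive mode every alert is logged and the administrator is notified; in active mode high-severity alerts additionally drive a block through a firewall stand-in, while low-severity alerts are still only reported. The `Alert`, `Firewall` and `IDS` classes, the severity levels, the addresses and the allowlist of hosts the active IDS must never cut off are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Alert:
    """One detection produced by the IDS engine (constructed structure)."""
    src: str
    rule: str
    severity: str  # "low", "medium" or "high"


class Firewall:
    """Stand-in for the firewall an active IDS drives; not a real product API."""

    def __init__(self):
        self.blocked = set()

    def block(self, ip):
        self.blocked.add(ip)


@dataclass
class IDS:
    mode: str                                   # "active" or "passive"
    firewall: Optional[Firewall] = None         # required in active mode
    never_block: frozenset = frozenset()        # hosts an active IDS must not cut off
    log: list = field(default_factory=list)
    notifications: list = field(default_factory=list)

    def __post_init__(self):
        if self.mode not in ("active", "passive"):
            raise ValueError("mode must be 'active' or 'passive'")
        if self.mode == "active" and self.firewall is None:
            raise ValueError("active mode needs a firewall to respond through")

    def handle(self, alert: Alert) -> str:
        """Process one alert and return the action taken."""
        # Both modes record the event and notify the administrator.
        self.log.append(alert)
        self.notifications.append(f"[{alert.severity}] {alert.rule} from {alert.src}")
        if self.mode == "passive":
            return "alerted"  # someone has to respond to the alarm by hand
        # Active mode: the corrective action depends on severity, and hosts on
        # the allowlist (monitoring, management) are never blocked automatically.
        if alert.severity == "high" and alert.src not in self.never_block:
            self.firewall.block(alert.src)
            return "blocked"
        return "alerted"


# Constructed alert stream fed to both instances.
ALERTS = [
    Alert("203.0.113.7", "sql-injection", "high"),
    Alert("203.0.113.8", "port-scan", "low"),
    Alert("10.0.0.2", "sql-injection", "high"),   # internal scanner host, allowlisted
]


def run_example():
    """Feed the same alerts to a passive and an active IDS and return what each did."""
    passive = IDS(mode="passive")
    active = IDS(mode="active", firewall=Firewall(), never_block=frozenset({"10.0.0.2"}))
    return {
        "passive": [passive.handle(a) for a in ALERTS],
        "active": [active.handle(a) for a in ALERTS],
        "active_blocked": sorted(active.firewall.blocked),
        "notified": len(passive.notifications) + len(active.notifications),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key:15s} {value}")
```

The allowlist is the caveat worth carrying into a real deployment: an active IDS that blocks on a spoofed or misattributed source can take a legitimate host offline, so automatic blocking is usually restricted by severity and by a list of addresses that must stay reachable.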
Protection-based IDS

An IDS can be classified based on the device or network to which it offers protection. There are mainly three types of IDS technologies under this category, which include network intrusion detection systems (NIDS), host intrusion detection systems (HIDS), and hybrid intrusion detection systems (hybrid IDS).
- If it protects the network, it is called a network intrusion detection system (NIDS)
- If it protects a host, it is called a host intrusion detection system (HIDS)
- If it protects the network and a host, it is called a hybrid intrusion detection system (Hybrid IDS)
Figure 7.71: Protection-based IDS (diagram: a NIDS at the boundary with the untrusted network and HIDS agents on each host; misuse detection handles known attacks, anomaly detection handles unknown or novel attacks from extracted features)

Network Intrusion Detection System (NIDS)

NIDS is used to observe the traffic for any specific segment or device and recognize the occurrence of any suspicious activity in the network and application protocols. NIDS is typically placed at boundaries between networks, behind network perimeter firewalls, routers, VPN, remote access servers, and wireless networks.

Host Intrusion Detection Systems (HIDS)

HIDS is installed on a specific host and is used to monitor, detect, and analyze events occurring on that host. It monitors activities related to network traffic, logs, processes, applications, file access, and file modification on the host. HIDS is normally deployed for protecting very sensitive information that is kept on publicly accessible servers.

Hybrid Intrusion Detection Systems (Hybrid IDS)

A hybrid IDS is a combination of both HIDS and NIDS. It combines the advantages of both the low false-positive rate of a NIDS and the anomaly-based detection of a HIDS to detect unknown attacks. It has its agent installed on almost every host in the network, and it has the ability to work online with encrypted networks and to store data on a single host.