The process of monitoring the events occurring in a computer system or network, analysing them for signs of possible incidents, and attempting to stop detected possible incidents.
In Definition 2, an “attempt” can be sending an alarm to the administrator(s), resetting a network connection, reconfiguring a firewall to block traffic from the source address, etc.
Thus, “intrusion detection and prevention system” (IDPS) is synonymous with “intrusion prevention system” (IPS) [SM07, Appendix A], and is a bit of a redundant term.
Fig. 1 shows an example of a high-end IPS appliance from Cisco.
In the 1970s and the early 1980s, administrators had to print out system logs on papers and manually audit the printout [KV02]. The process was clearly 1️⃣ reliant on the auditors’ expertise, 2️⃣ time-consuming, and 3️⃣ too slow
to detect attacks in progress.
In the 1980s, storage became cheaper, and intrusion detection programs became available for analysing audit logs online, but the programs could only be run at night when the system’s user load was low [KV02]. Thus, detecting attacks
in time remained a challenge.
In the early 1990s, real-time intrusion detection systems (IDSs) that analysed audit logs as the logs were produced became available [KV02].
Since the inception of IDSs, the quality and quantity of audit logs have always been a challenge [KV02]:
Quality
The accuracy (how often the data are correct) and precision (how close the reported values are to the true values) of the data collected are crucial.
Inaccurate or imprecise data could lead to false negatives (illegitimate events misdiagnosed as legitimate) or false positives (legitimate events misdiagnosed as illegitimate).
Quantity
On one hand, not collecting enough data ⇒ an attack could evade detection. For example, network-related data alone cannot help with detecting a malware that does not access any network.
On the other, collecting too much data (from too many sources and/or too frequently) ⇒ storage could run out and processing could take too long.
Effective detection of attacks depends on capturing all relevant data at sufficiently fine time scales.
These are abuses and attacks of known patterns that can be encoded in computer-interpretable rules or signatures.
An abuse is an intentional or unintentional violation of organisational policies.
Anomalies
An anomaly, also called outlier, is a “significant” deviation from some model of normalcy, where “significance” is contextual and can be fluid.
A model of normalcy is called a baseline model and is often challenging to build for a dynamic environment.
Accordingly, intrusion detection algorithms can be classified as [SM07; YT11, p. 2; BK14, p. 4; Led22; Pal22]:
Rule-based / signature-based
A rule specifies the conditions of legitimacy of an event, typically with the help of signatures.
Signatures can be
exploit-facing, e.g., malicious byte sequences, email subject headings associated with phishing, email attachments containing executable binaries, traffic going to known malicious domains, scanning of file hashes; or
vulnerability-facing, e.g., SSH requests specifying a vulnerable version number, system log entries indicating disablement of auditing.
Signatures can encode violations of organisational policies, e.g., remote login attempts as “root”.
Stateful protocol analysis or deep packet inspection analyses protocols at the application layer to compare vendor-developed profiles of benign protocol activity against observed events to identify deviations [SH09, Jun16].
This is an example of rule-based detection, contrary to the classification in [LRLT13].
As threats grow, the dictionary of signatures necessarily grows, demanding more computational and storage resources accordingly.
Rule-based detection is effective against known threats that can be expressed using a set of rules and signatures.
Rule-based detection is ineffective against known threats that are hard to capture using a finite set of rules and signatures, e.g., multi-stage attacks; as well as previously unknown threats.
Snort is an industry-standard open-source rule-based intrusion prevention software (hence, also an intrusion detection software). It can for example be found in the appliance in Fig. 1.
Anomaly-based / behaviour-based
This is the application of machine learning techniques to determining whether a user or component behaviour is anomalous.
Depends on the prior establishment of a baseline behavioural model.
Can detect previously unknown attacks as long as the attacks manifest as anomalies relative to the baseline model.
Effective at detection but tends to produce excessive false positives.
Behaviour-based detection, when applied to network behaviour, falls into the area of network behaviour analysis.
End-to-end process of collecting, extracting, analysing, modelling, and interpreting network behaviour (e.g., distributed denial of service, worm, backdoor, policy violation) of end systems and network applications from a large volume of network traffic data such as TCP/IP data packets and network flows.
A network behaviour analysis pipeline typically consists of these steps [Xu22, Fig. 2.1]: 1️⃣ network traffic data collection, 2️⃣ data storage and preprocessing, 3️⃣ behavioural feature selection and exploration, 4️⃣ analysis and modeling, 5️⃣ behavioural insights and applications.
Depending on its type, an IDS can comprise several types of components, as shown in Fig. 2: sensors/agents (which monitor and analyse network activities and may also perform preventive actions), management servers, database servers, user and administrator consoles, and management networks [SM07].
There is more than one way to classify IDSs. See the attachment for different classifications of IDSs.
Fig. 2: IDS components. In this context “sensor” is synonymous with “agent”.
Watch the following LinkedIn Learning video for a quick summary of IDS:
D. K. Bhattacharyya and J. K. Kalita, Network Anomaly Detection: A Machine
Learning Perspective, CRC Press, 2014. https://doi.org/10.1201/b15088.
[FGCMF21]
M. Fuentes-García, J. Camacho, and G. Maciá-Fernández, Present and future of network security monitoring, IEEE Access9 (2021), 112744–112760. https://doi.org/10.1109/ACCESS.2021.3067106.
A. Johnson, K. Dempsey, R. Ross, S. Gupta, and D. Bailey, Guide for security-focused configuration management of information systems, NISP Special Publication 800-128, August 2011. https://doi.org/10.6028/NIST.SP.800-128.
R. Kemmerer and G. Vigna, Intrusion detection: a brief history and overview, Computer35 no. 4 (2002), supl27–supl30. https://doi.org/10.1109/MC.2002.1012428.
[KGVK19]
A. Khraisat, I. Gondal, P. Vamplew, and J. Kamruzzaman, Survey of intrusion detection systems: techniques, datasets and challenges, Cybersecurity2 no. 1 (2019), 20. https://doi.org/10.1186/s42400-019-0038-7.
[Led22]
J. Ledesma, IDS vs. IPS: What Organizations Need to Know, Varonis Inside Out Security Blog, June 2022. Available at https://www.varonis.com/blog/ids-vs-ips.
[LRLT13]
H.-J. Liao, C.-H. Richard Lin, Y.-C. Lin, and K.-Y. Tung, Intrusion detection system: A comprehensive review, Journal of Network and Computer Applications36 no. 1 (2013), 16–24. https://doi.org/10.1016/j.jnca.2012.09.004.
[LDVH+18]
L. Liu, O. De Vel, Q.-L. Han, J. Zhang, and Y. Xiang, Detecting and preventing cyber insider threats: A survey, IEEE Communications Surveys & Tutorials20 no. 2 (2018), 1397–1417. https://doi.org/10.1109/COMST.2018.2800740.
[Mav20]
N. Mavis, Snort 101, YouTube video by Cisco Talos Intelligence Group, February 2020. Available at https://youtu.be/W1pb9DFCXLw.
[NDP18]
J. Navarro, A. Deruyver, and P. Parrend, A systematic survey on multi-step attack detection, Computers & Security76 (2018), 214–249. https://doi.org/10.1016/j.cose.2018.03.001.
