Intrusion Detection Systems
Many techniques exist for monitoring computer networks, especially in the context of securing them. Intrusion detection is one such technique, used in the security management of computers by gathering and analysing information from different areas of a computer network with the aim of identifying possible breaches of the network's security (Allen et al., 2000).
A system put in place to implement any of these techniques is referred to as an intrusion detection system. For an organization's computer network, breaches can originate from within the organization, through misuse, or from outside it, in the form of an attack. This report focuses on external attacks on the network infrastructure of an organization. Intrusion detection systems also make use of scanning or vulnerability assessment to determine how secure a computer network is. When the system is extended to block threats as well as detect them, it becomes an intrusion prevention system.
Functions performed by intrusion detection systems include analysing abnormal activity patterns in the system, analysing system configurations and their inherent vulnerabilities, tracking user policy violations, and monitoring and analysing user and system activities.
Intrusion detection techniques are broadly categorized into two: anomaly detection and misuse detection (Jaisankar et al., 2009). Anomaly detection aims to identify any behaviour that deviates from the known normal behaviour of a user, while misuse detection aims to identify actions that match known patterns of attacks.
An intrusion detection system is logically made up of two components: the sensor and the management station. The sensor is located on a segment of the network and monitors it for suspicious traffic; when such traffic is seen, an alarm is relayed to the management station and an operator (ICSA.net, n.d). The schematic of a network intrusion detection system is shown in figure 1.
Figure 1: Schematic of a network intrusion detection system (ICSA.net, n.d)
According to Scarfone and Mell (2007), there are four main types of IDPS technologies, listed as follows:
i. Network-based intrusion detection system
ii. Wireless intrusion detection system
iii. Host-based intrusion detection system
iv. Network behaviour analysis (NBA)
Network-based intrusion detection systems monitor network segments or particular network devices by analysing network protocol activity in order to identify suspicious activities. Although they add to the traffic overhead of the network, they can identify many different types of events that an administrator is interested in.
Wireless intrusion detection systems monitor the traffic that passes over a wireless network and analyse the wireless networking protocols in order to detect suspicious activities consistent with known patterns of attacks. Since wireless networks have a limited physical transmission range, their sensors are deployed within the transmission range of the wireless network.
Host-based intrusion detection systems monitor the activities and events of a single host in order to detect suspicious activity on that host. Since this is host-specific, monitoring is targeted at characteristics of the host such as system logs, file access and modification, system configuration changes, running processes, etc.
Network behaviour analysis (NBA) aims to identify threats and behaviours that lead to a surge in network traffic, which may amount to denial of service (DoS) attacks or other network security breaches. NBA systems are deployed mainly to analyse and monitor the interaction and network traffic between an external network and an internal network. In analysing the traffic passing through the network, the system examines the source and destination IP address of each network packet, the number of packets and the number of bytes of data transmitted in each session, the start and end timestamps of each session, and the source and destination Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports.
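The following is an added example, not part of the report or of any NBA product, showing the kind of check an NBA system performs over session (flow) records carrying exactly the fields listed above: it aggregates packets, bytes, distinct sources and the observed time window per destination, and flags a destination whose packet rate exceeds a multiple of a baseline rate and that is hit from many sources at once (the many-to-one shape of a traffic surge). The flow records, the baseline of 2 packets per second, the surge factor and the source-count threshold are all constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One session summary with the fields the report lists for NBA."""
    src: str
    dst: str
    proto: str      # "TCP" or "UDP"
    sport: int
    dport: int
    packets: int
    nbytes: int
    start: float    # session start and end, epoch seconds
    end: float

# Constructed sample: two ordinary HTTPS sessions to 10.0.0.20, then a burst of
# 50 short sessions from 50 different sources to 10.0.0.21 (a DoS-like surge).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.20", "TCP", 51000, 443, 20, 18000, 0.0, 10.0),
    Flow("10.0.0.6", "10.0.0.20", "TCP", 51001, 443, 15, 12000, 2.0, 9.0),
] + [
    Flow(f"203.0.113.{i}", "10.0.0.21", "TCP", 40000 + i, 80, 40, 2400, 5.0, 6.0)
    for i in range(50)
]

def per_destination_stats(flows):
    """Aggregate packets, bytes, distinct sources and the time window per destination IP."""
    stats = {}
    for f in flows:
        s = stats.setdefault(f.dst, {"packets": 0, "bytes": 0, "sources": set(),
                                     "start": f.start, "end": f.end})
        s["packets"] += f.packets
        s["bytes"] += f.nbytes
        s["sources"].add(f.src)
        s["start"] = min(s["start"], f.start)
        s["end"] = max(s["end"], f.end)
    return stats

def detect_surges(flows, baseline_pps, factor=5.0, min_sources=3):
    """Flag destinations whose packet rate exceeds factor x baseline_pps and that are hit
    from at least min_sources distinct sources; result sorted by packet rate, highest first."""
    alerts = []
    for dst, s in per_destination_stats(flows).items():
        window = max(s["end"] - s["start"], 1.0)   # sub-second windows count as 1 s
        pps = s["packets"] / window
        if pps > factor * baseline_pps and len(s["sources"]) >= min_sources:
            alerts.append({"dst": dst, "pps": pps,
                           "sources": len(s["sources"]), "bytes": s["bytes"]})
    return sorted(alerts, key=lambda a: a["pps"], reverse=True)
```

With the sample flows, 10.0.0.20 sees 35 packets over 10 seconds (3.5 pps) and is left alone, while 10.0.0.21 sees 2000 packets from 50 sources within one second and is reported.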
For the organization with 200 terminals and 20 wireless devices, the intrusion detection technique proposed for implementation is network behaviour analysis. It is preferred for this scenario because it provides a single centralized monitoring system for the network infrastructure as a whole, thereby minimizing the network traffic overhead generated by the reporting mechanisms of the other systems. Centralized control also removes the need for multiple sensors to monitor the different segments of the network or the different devices deployed on it, as is required with network-based intrusion detection systems. In a wireless intrusion detection system, the sensors have to be deployed within the transmission range of the radios of the wireless access points; these sensors sometimes have to be deployed outdoors, where they are exposed even to physical attacks. This problem does not arise with a network behaviour analysis system.
In conclusion, different techniques are used to secure a network from intrusion. These techniques, which include host-based, wireless, network-based and network behaviour analysis techniques, are deployed according to the type and characteristics of the network on which they are used.
REFERENCES
Allen, J., Christie, A., Fithen, W., McHugh, J., Pickel, J. and Stoner, E. (2000). State of the Practice of Intrusion Detection. PDF. Retrieved on 13 August, 2016 from http://resources.sei.cmu.edu/asset_files/TechnicalReport/2000_005_001_16796.pdf
ICSA.net (n.d). Intrusion Detection Systems Buyer's Guide. PDF. Retrieved on 13 August, 2016 from https://www.ipa.go.jp/security/fy11/report/contents/intrusion/ids-meeting/idsbg.pdf
Jaisankar, N., Saravanan, R. and Swamy, D. (2009). Intelligent Intrusion Detection System Framework Using Mobile Agents. International Journal of Network Security and Its Applications, 1(2), pp. 72-88.
Scarfone, K. and Mell, P. (2007). Guide to Intrusion Detection and Prevention Systems (IDPS). PDF. Retrieved on 14 August, 2016 from http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf