By AMSAT, Nov 25, 2020
Intrusion Detection and Its Types
Intrusion detection is the practice of monitoring, and where possible stopping, attempts to break into or otherwise compromise a system and its network resources.
What Is Intrusion Detection?
Broadly speaking, intrusion detection works like this: You have a computer system which is attached to a network, and maybe even to the internet. You have a web server, attached to the internet, and you are keen to let your clients, staff, and potential clients access the web pages stored on that web server.
Nonetheless, you are not willing to allow unauthorized access to that system by anyone, be that staff, clients, or unknown third parties. For instance, you do not want anyone except the web designers hired by your company to be able to change the web pages on that computer. Typically, a firewall or authentication system of some kind will be used to prevent unauthorized access. Occasionally, though, simple firewalling or authentication systems can be defeated. Intrusion detection is the set of tools that you put in place to warn of attempted unauthorized access to the computer.
Why Use Intrusion Detection?
There is only one underlying reason why using intrusion detection systems is important: an organization, or individual, wants to defend the integrity of their data and systems. In today's digital environment you cannot always secure your data from threat actors with measures such as ordinary password and file security, and that leads to a series of problems. Sufficient system protection is certainly the first step in safeguarding data. For instance, it is futile to attach a system directly to the internet and hope that nobody infiltrates it if it has no administrator password! By the same token, it is imperative that the system prevent access to critical files or authentication databases except by authorized systems administrators. Additional measures beyond those usually expected of an intranet system should always be taken on any system connected to the internet. Firewalling and other access prevention mechanisms should always be put in place.
Types of Intrusion Detection Systems
Intrusion detection systems fall into two broad categories: network-based systems and host-based systems.
Network-based systems are placed on the network, close to the system or systems being monitored. They scrutinize the network traffic and determine whether it falls within acceptable limits. Host-based systems, on the other hand, actually run on the system being monitored, assessing the system to find whether the activity on it is acceptable. A more recent type of intrusion detection system is located in the operating system kernel and supervises activity at the lowest level of the system.
These kernel-level systems have lately started becoming available for a few platforms, and are fairly platform-specific.
Monitoring Incoming Connections
On most hosts it is possible to screen packets that seek to access the host before those packets are passed to the networking layer of the host itself. This mechanism seeks to secure a host by intercepting packets aimed at the host before they can inflict any damage.
Some of the measures that can be taken include:
- Spot incoming connection attempts to TCP or UDP ports that are not authorized, such as attempts to connect to ports where no services are available. This is often symptomatic of a possible cracker having a “poke around” to discover vulnerabilities.
- Spot incoming portscans. This, again, is a clear issue that should be dealt with; alerting a firewall or adapting the local IP configuration to deny access from the likely prowler host is one action to take.
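As an added example (not code from the original article), the two checks above run over a handful of constructed firewall-drop log lines: every attempt at a port with no service is recorded, and a source that touches several distinct closed ports within a short window is flagged as a portscan. The log format, the set of service ports and the thresholds are all assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed firewall-drop format (not any real product's format).
SAMPLE_LOG = """\
2020-11-25T10:00:01 DROP src=203.0.113.5 dst=192.0.2.10 proto=TCP dport=22
2020-11-25T10:00:01 DROP src=203.0.113.5 dst=192.0.2.10 proto=TCP dport=23
2020-11-25T10:00:02 DROP src=203.0.113.5 dst=192.0.2.10 proto=TCP dport=25
2020-11-25T10:00:02 DROP src=203.0.113.5 dst=192.0.2.10 proto=TCP dport=110
2020-11-25T10:00:03 DROP src=203.0.113.5 dst=192.0.2.10 proto=TCP dport=143
2020-11-25T10:00:03 DROP src=203.0.113.5 dst=192.0.2.10 proto=TCP dport=3306
2020-11-25T10:05:00 ACCEPT src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=443
2020-11-25T10:07:30 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP dport=8080
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=\S+ proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)

SERVICE_PORTS = {80, 443}            # ports where this host really offers a service (assumed)
SCAN_PORTS = 5                       # this many distinct closed ports from one source ...
SCAN_WINDOW = timedelta(seconds=60)  # ... within this window is treated as a portscan

def parse(log_text):
    """Turn each log line into (timestamp, source address, destination port)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], int(m["dport"])))
    return events

def detect(log_text):
    """Return (closed_port_hits, scanners): attempts at ports with no service,
    and the sources whose closed-port attempts look like a portscan."""
    closed_hits = []
    per_src = defaultdict(list)      # src -> [(ts, dport)] for closed-port attempts only
    for ts, src, dport in parse(log_text):
        if dport not in SERVICE_PORTS:
            closed_hits.append((src, dport))
            per_src[src].append((ts, dport))
    scanners = set()
    for src, hits in per_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):   # slide a window starting at each attempt
            ports = {p for t, p in hits[i:] if t - t0 <= SCAN_WINDOW}
            if len(ports) >= SCAN_PORTS:
                scanners.add(src)
                break
    return closed_hits, scanners
```

Running `detect(SAMPLE_LOG)` reports seven closed-port attempts and flags 203.0.113.5 as a scanner, while 198.51.100.7's single stray attempt is logged but not treated as a scan.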
Monitoring Login Activity
In spite of the network administrator’s best efforts, and the most recently deployed and monitored intrusion detection software, a hacker occasionally manages to break in and log on to a system using an unknown type of attack. Possibly an intruder will have acquired a network password by some means (packet sniffing or otherwise) and now has the ability to log on to the system remotely.
Monitoring Root Activity
The objective of all threat actors is to acquire super-user (root) or administrator access on the system that they have compromised. Well-maintained and dependable systems that are used as web servers and databases will typically have little or no activity by the super-user, except at specific times of the day or night for scheduled system maintenance. Luckily, crackers do not believe in system maintenance: they hardly ever stick to scheduled downtime windows and often work at odd hours of the day. They carry out activities on the system that are rare for even the most propeller-headed system administrator.
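As an added example (not from the original article), a host-based check in the spirit of this section: it parses constructed syslog-style sudo and sshd entries, keeps only the events that obtain root, and reports those that fall outside the scheduled maintenance window. The window, the host name and the log entries are assumptions made for the illustration.

```python
import re
from datetime import time

# Constructed syslog-style lines; the sshd/sudo line shapes are typical, but every entry is invented.
SAMPLE_AUTH_LOG = """\
Nov 25 02:15:03 web1 sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/apt upgrade
Nov 25 02:40:11 web1 sshd[1201]: Accepted publickey for admin from 192.0.2.50 port 40112 ssh2
Nov 25 14:22:05 web1 sshd[2211]: Accepted password for root from 203.0.113.5 port 51234 ssh2
Nov 25 23:58:40 web1 sudo:    www-data : TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/bin/bash
"""

# Scheduled window in which root activity is expected (assumed: 02:00 to 04:00 local time).
MAINT_START, MAINT_END = time(2, 0), time(4, 0)

SUDO_RE = re.compile(
    r"^\w{3} +\d+ (?P<t>\d\d:\d\d:\d\d) \S+ sudo: +(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
SSH_RE = re.compile(
    r"^\w{3} +\d+ (?P<t>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)"
)

def in_maintenance_window(t):
    """True if the time of day falls inside the scheduled root-activity window."""
    return MAINT_START <= t < MAINT_END

def root_events(log_text):
    """Yield (time_of_day, description) for each event that obtains root:
    a sudo command run as root, or an SSH login directly as root."""
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if m and m["target"] == "root":
            yield time.fromisoformat(m["t"]), f"sudo by {m['user']}: {m['cmd']}"
            continue
        m = SSH_RE.match(line)
        if m and m["user"] == "root":
            yield time.fromisoformat(m["t"]), f"ssh login as root from {m['src']}"

def unexpected_root_activity(log_text):
    """Root events outside the maintenance window: the ones a host-based IDS should alert on."""
    return [desc for t, desc in root_events(log_text) if not in_maintenance_window(t)]
```

On the sample log the 02:15 `apt upgrade` is accepted as scheduled maintenance, while the afternoon root SSH login and the late-night shell spawned by the web server account are reported.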
Monitoring the File Systems
Once a hacker has compromised a system, they will begin to change files on the system. For instance, a successful hacker might want to install a packet sniffer or portscan detector, or alter some of the system files or programs to disable some of the intrusion detection systems they have worked around. Installing software on a system typically involves modifying some part of that system, and these changes will usually take the form of altered files or libraries on the system.