Intrusion Detection Technology

An intrusion detection system (IDS) is a device that monitors any suspicious activity and network traffic in a system and alerts the network administrator or the system. In certain cases, the IDS may respond to malicious traffic by blocking the source IP address or user from accessing the network.

Although intrusion detection and prevention systems are mainly used for identifying malicious activities and reporting attempts, many organizations employ them for other purposes such as identifying problems with security policies, recording existing threats and preventing individuals from violating security policies.

IDS can detect suspicious traffic in different ways. As a hardware application, intrusion detection systems serve as a solid back-up in preparation for attacks. The intrusion detection process involves collating information from computer systems and networks. In combination with behavioural data forensics, intrusion systems form a reliable platform to trace threats and preventions from internal and external sources.

As technology becomes increasingly more sophisticated, there is a growing need for a high level of control over such advanced systems. Intrusion detection systems work to compliment firewalls already set in place, which allows the intrusion network to incorporate security audits, monitoring and recognition of attack.

How it Works?

A standard intrusion detection system is based on a target and a command console. The network pack created when a sensor device feeds data (network package formed as a result of one computer communicating with another) from a network into a detection unit.

During misuse of information whereby predefined patterns of misuse have been identified, an alarm is set off which is detected by the central console followed by a response sub-system that delivers an alert such as an e-mail or audible message to a  security unit. Correlations of the alert are then generated to determine the activity of misuse.  

In general, IDS is operated by generating a set of expectations related to the user, with respect to the previous interaction with the user. These expectations are used in identifying the presence of intruders.

For statistical analysis, the system will generate expectations and compare them with the user behaviour. For instance, whenever someone logs in at a specific terminal using a password for which a set of behaviours is already created, the current behaviour is compared with the user profile. If behaviour is found to be different, the following three events may occur:

• The system may communicate the difference to the user who decides the further course of action.
• The system may directly take measures by disconnecting the user or preventing the user from accessing the terminal.
• The system may wait till some major risk occurs before opting for first or second option.  

The operation of IDS depends on the human expertise to selects the behaviors required and monitored. These factors are designed to acquire those behaviors, such as user location, date and time of access, port ID, CPU time, etc.

The behaviors along with these factors constitute the profile of the user. The performance and user profiles can be compared either by creating a single set of expectations or user-specific profiles for individuals.

The system reports errors in the form of “alpha” and “beta” levels or “type I” and “type II” levels. However, in certain systems, the intruder may be charged for browsing a set of files, and hence the files may not be changed. The company would receive money even if the intruders access the system.

Products on the Market

The need for intrusion detection systems has grown with the increasing number of complex threats across the world. Some of the security products that are currently available in the market are listed below.

StarNeT™ 1000

Senstar’s StarNeT™ 100 is a multi-functional software package that is operated based on Windows^®. It acts as a security management system, and set-up and configuration tool for other Senstar’s products such as IntelliFIBER™, Perimitrax^®, etc.

UltraLink^®

UltraLink^®, another product of Senstar is a series of hardware components that can be connected to Senstar’s Silver Network to provide supervised dry-contact inputs and outputs.

Microwave sensors are a new breed of detection systems that are designed to trace walking, running or crawling human targets. These sensors are used mainly in the outdoor environment. Southwest Microwave are key manufacturer for bi-static microwave sensors. The INTREPID^TM MicroTrack is one such example of detection systems by this company. This sensor is designed for high security applications. The following video by Southwest Microwave is a great demonstration of exactly how this intrusion system works.

Advantages and Disadvantages

Some of the main advantages and disadvantages of intrusion detection systems are outlined below:

Advantages

• Accuracy of information – statistical behavioural data

• Multi-host signatures which are fundamental for analysis methods

• All source material is traceable and archived.

Disadvantages

• Unfortunately, there is no real-time identification of intrusion data, which means that a real-time response is also unlikely.

Intrusion detection systems are becoming increasingly more advanced when it comes to network-based and host-based systems and combining both platforms will make intrusion detection more effective. Future developments need to place focus on how intrusion detection systems can gather data on misuse effectively without being able to use a signature. Furthermore, there needs to be caution where automatic feedback is delivered in the event of a detected intrusion of a system.

Sources and Further Reading

• Intrusion Detection Systems - CISCO
• Intrusion-Detection Systems – University of Southern California
• Southwest Microwave, inc.