
Understanding IDS Concepts and Anomaly Detection in Cybersecurity


Intrusion Detection Systems (IDS) are security tools designed to detect malicious activity on a network or host. The primary goal of an IDS is to identify harmful behavior, log it, and make it available for investigation. There are six fundamental approaches to detecting and preventing unauthorized access. Some of them are implemented in software packages, while others are strategies an organization can adopt to reduce the likelihood of a successful attack.

The Evolution of IDS Systems

Looking back at the history of IDS, the story starts with the network hub. Until relatively recently, hubs were in common use. The defining property of a hub is that it repeats every frame received on one port to all of its other ports. Hubs have since been replaced by switches, which forward a frame only to the port where the destination MAC address was learned. With a hub, when a packet traveled from the source network to the destination network, the destination MAC address was used to find the receiving host once the packet reached the final segment. Every host on that segment saw the frame, but only the interface with the matching MAC address accepted it; the others ignored it.

It was soon realized that if a network interface was told not to ignore frames addressed to other hosts (promiscuous mode), it could see all traffic on the segment. In other words, on a hub-based network, every incoming and outgoing packet could be observed by anyone plugged into the hub. This led to the first packet sniffers. The next step was analyzing the captured packets for signs of an attack, which led to the creation of intrusion detection systems. The idea was to listen to all packets on the network in order to detect unauthorized access.

Intrusion Prevention Systems

Preventive blocking systems try to stop an intrusion before it succeeds. They work by watching for potential threats or warning signs and blocking the user or IP address those signs come from. For example, repeated port scans from a specific IP address may indicate an attack in preparation, and the address can be blocked at the firewall.

In today's technological landscape, detecting and avoiding such intrusions has become quite complex, and there is a real risk of blocking legitimate users by mistake. The complexity comes from the difficulty of distinguishing legitimate traffic from indicators of an attack. This leads to false positives, where the system labels legitimate traffic as an attack. Typically, the software alerts on suspicious activity and a network administrator decides whether to block the traffic. If the software blocks addresses it deems suspicious on its own, you risk locking out legitimate users. This is where the IDS/IPS distinction comes into play: if the software only detects and reports, it is an Intrusion Detection System; if it automatically blocks the attack, it is referred to as an Intrusion Prevention System (IPS), and the cost of a false positive rises from a spurious alert to an outage for a legitimate user.

Beyond Basic Components

Beyond their basic components, IDS can be classified by how they respond to a detected anomaly and by how they are deployed. A passive IDS simply logs the activity and alerts the administrator. An IPS, or active IDS, stops the anomalous activity. Additionally, IDS/IPS can be classified by whether they monitor a single machine or an entire network segment. If it monitors a single machine, it is called a Host-based Intrusion Detection System (HIDS) or Host-based Intrusion Prevention System (HIPS); if it monitors a network segment, it is a Network-based IDS or IPS (NIDS/NIPS).

Anomaly Detection

Anomaly detection is a security technique in which software looks for intrusion attempts and informs the administrator. The general process is simple. The intrusion detection application looks for any abnormal behavior: all activity that does not match the normal user access pattern is noted and logged. The software compares the observed activity with expected normal-usage profiles. Profiles are usually developed for specific users, user groups, or applications. Any activity that does not fit the definition of normal behavior is treated as an anomaly and logged. Sometimes this is referred to as "backtracking" detection.

There are specific ways to detect an anomaly:

  • Threshold Monitoring
  • Resource Profiling
  • User/Group Work Profiling
  • Executable Profiling

Threshold Monitoring

Threshold monitoring defines acceptable levels of behavior in advance and checks whether they are exceeded. It can include simple rules, such as a limit on the number of failed login attempts, or more complex rules, such as monitoring how long a user stays connected and how much data is downloaded. Thresholds provide a definition of acceptable behavior. Unfortunately, characterizing intrusive behavior solely by threshold limits is difficult. Choosing appropriate threshold values, and appropriate time windows over which to evaluate them, is usually hard, and poor choices lead to a high false-positive rate (or to attacks that stay just under the limit and are missed).
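The following is an added example, not code from the original article, illustrating both the threshold rule described above and the IDS/IPS distinction from the earlier section: a sliding-window count of failed logins per source address over constructed SSH-style log lines, with a passive mode that only alerts and an active mode that also returns the addresses that would be handed to the firewall. The log format loosely mimics OpenSSH syslog output, but every line, address and timestamp is constructed for illustration.

```python
"""Threshold monitoring over constructed SSH auth log lines.

Added example, not code from the original article. The entries below are
constructed; the format only resembles OpenSSH syslog lines.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not real data): 203.0.113.7 fails six times in
# ten seconds; 198.51.100.9 mistypes a password twice and then succeeds.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50012 ssh2
2024-03-01T10:00:03 sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 50013 ssh2
2024-03-01T10:00:05 sshd[1203]: Failed password for root from 203.0.113.7 port 50014 ssh2
2024-03-01T10:00:07 sshd[1204]: Failed password for root from 203.0.113.7 port 50015 ssh2
2024-03-01T10:00:09 sshd[1205]: Failed password for root from 203.0.113.7 port 50016 ssh2
2024-03-01T10:00:11 sshd[1206]: Failed password for root from 203.0.113.7 port 50017 ssh2
2024-03-01T10:01:30 sshd[1210]: Failed password for alice from 198.51.100.9 port 40001 ssh2
2024-03-01T10:01:40 sshd[1211]: Failed password for alice from 198.51.100.9 port 40002 ssh2
2024-03-01T10:01:50 sshd[1212]: Accepted password for alice from 198.51.100.9 port 40003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(log_text):
    """Yield (timestamp, result, user, ip) for every line the regex understands."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def threshold_monitor(log_text, max_failures=5, window_seconds=60):
    """Flag any source IP with more than max_failures failed logins inside a
    sliding window of window_seconds. Returns one alert dict per offending IP.

    max_failures and window_seconds are exactly the values the article warns
    about: too tight and a user's typos raise alerts, too loose and a slow
    brute force stays under the limit.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    alerted = set()
    alerts = []
    for ts, result, user, ip in parse(log_text):
        if result != "Failed":
            continue
        q = failures[ip]
        q.append(ts)
        # Drop failures older than the window so the count is per sliding window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_failures and ip not in alerted:
            alerted.add(ip)
            alerts.append({"ip": ip, "user": user, "failures": len(q), "at": ts})
    return alerts


def respond(alerts, mode="ids"):
    """Passive IDS: return alert messages only. IPS: also return the set of
    addresses that would be pushed to the firewall. The block decision is the
    point where a false positive stops being a log line and becomes an outage
    for a legitimate user."""
    messages = [f"ALERT {a['ip']}: {a['failures']} failed logins within window"
                for a in alerts]
    blocked = {a["ip"] for a in alerts} if mode == "ips" else set()
    return messages, blocked


if __name__ == "__main__":
    found = threshold_monitor(SAMPLE_LOG)
    for msg in respond(found, mode="ips")[0]:
        print(msg)
```

With the defaults only 203.0.113.7 is reported; lowering max_failures to 1 also flags 198.51.100.9, whose two typos were followed by a successful login, which is the false positive the article describes. Shrinking the window to one second makes the same brute force invisible, because each failure expires before the next arrives.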

Resource Profiling

Resource profiling measures resource usage across the system and builds a usage profile from it. By observing how a user normally uses system resources, the system can define usage levels that fall outside normal parameters. Abnormal readings may indicate illegitimate activity in progress, but an increase in usage may equally reflect a benign increase in workload rather than an attempt to breach security.

User/Group Work Profiling

In user/group work profiling, the IDS maintains individual work profiles for users and groups, and those users and groups are expected to conform to their profiles. As user activity changes, the expected work profile is updated to reflect the change. Some systems also track the interaction between short-term and long-term profiles: short-term profiles capture recently changing work patterns, while long-term profiles reflect usage over an extended period. Building a profile for an irregular or highly dynamic user base is challenging, however. Broadly defined profiles let almost any activity pass as normal, while narrowly defined profiles may constrain legitimate user activity.
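As an added example covering both the resource-profiling and the user/group-profiling sections (it is not code from the original article), the block below learns a per-user baseline from a constructed history of daily download volumes, scores a new day against the long-term profile (mean and standard deviation), and keeps a short-term exponentially weighted average so that a gradual shift is noticed even when no single day is alarming. The user names, the series and the z-score limits are all assumptions chosen for illustration.

```python
"""Resource / user profiling: a learned per-user baseline instead of one
global threshold, plus a short-term EWMA checked against the long-term
profile to catch gradual drift.

Added example for illustration; not code from the original article.
The daily download volumes below are constructed sample data.
"""
import statistics

# Constructed history: MB downloaded per day over 14 days (not real data).
HISTORY = {
    "alice": [120, 135, 110, 140, 125, 130, 118, 128, 132, 121, 138, 127, 124, 131],
    "bob":   [900, 950, 880, 1020, 970, 910, 990, 940, 960, 1010, 930, 980, 955, 975],
}


class UserProfile:
    """Long-term profile: mean/std of the training window.
    Short-term profile: exponentially weighted moving average of recent days."""

    def __init__(self, series, alpha=0.5):
        if len(series) < 2:
            raise ValueError("need at least two observations to build a profile")
        self.mean = statistics.mean(series)
        self.std = statistics.pstdev(series)
        self.alpha = alpha
        self.short_term = series[-1]   # seed the EWMA with the latest training day

    def zscore(self, value):
        # A flat history (std == 0) makes any change infinitely surprising.
        return (value - self.mean) / self.std if self.std else float("inf")

    def observe(self, value, z_limit=3.0, drift_limit=2.0):
        """Score one new day. Returns (point_anomaly, drift).

        point_anomaly: this single value is far outside the long-term profile.
        drift: no single day is alarming, but the short-term average has moved
        drift_limit standard deviations from the long-term mean. A slowly
        ramping workload, benign or not, shows up here rather than as a spike.
        A point anomaly is not folded into the short-term average, so one
        outlier does not drag the short-term profile with it.
        """
        if abs(self.zscore(value)) > z_limit:
            return True, False
        self.short_term = self.alpha * value + (1 - self.alpha) * self.short_term
        drift = abs(self.short_term - self.mean) > drift_limit * self.std
        return False, drift


def build_profiles(history, alpha=0.5):
    return {user: UserProfile(series, alpha) for user, series in history.items()}


def check(profiles, user, value):
    """Per-user verdict: the same number can be normal for one user and
    anomalous for another, which is the point of profiling over thresholds."""
    if user not in profiles:
        return "no-profile"   # a new user needs a training window first
    point, drift = profiles[user].observe(value)
    if point:
        return "anomaly"
    if drift:
        return "drift"
    return "normal"


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    print("alice 950 MB:", check(profiles, "alice", 950))   # anomaly
    print("bob   950 MB:", check(profiles, "bob", 950))     # normal
```

A 950 MB day is a severe anomaly for alice and an ordinary day for bob, which a single global threshold could not express. Two consecutive 150 MB days for alice each stay under the three-sigma point limit, but the second one trips the drift check; whether that is an attacker staging data or a new project is the judgement the article leaves to the administrator, and the profile is only as trustworthy as the training window it was learned from.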

Executable Profiling

Executable profiling measures and monitors how programs use resources, including programs that cannot be tied to a specific requesting user. System services, for example, usually cannot be traced back to the individual user who started them. Viruses, Trojans, worms, trapdoors, and similar software attacks are addressed by tracking how system objects such as files and printers are used, not only by users but also by other system entities such as the programs themselves. In most traditional systems, any program, including a virus, inherits all the privileges of the user running it; the software is not held to the principle of least privilege, under which it would receive only the privileges it needs to run properly.

Executable profiling therefore lets the IDS identify activity that may indicate an attack: a program touching resources it has never needed before. When a potential threat is identified, the IDS informs the administrator through a configured channel, such as a network message or email.
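The block below is an added example, not code from the original article, showing the per-executable profile the section describes: a training window of constructed audit-style events (executable, operation, object) is turned into a profile of which directories, endpoints and operations each program normally uses, and later events are scored against it. The programs, paths and addresses are constructed for illustration, and the choice to generalize file paths to their directory while keeping network endpoints exact is an assumption of this example.

```python
"""Executable profiling: learn which resources each program touches during a
training window, then flag accesses outside that learned profile even when
the invoking user would be allowed to perform them.

Added example, not code from the original article. Events are constructed
and only loosely modelled on audit records of the form (exe, op, object).
"""
from collections import defaultdict

# Constructed training events (not real data).
TRAINING = [
    ("/usr/bin/pdfviewer", "open", "/home/alice/docs/report.pdf"),
    ("/usr/bin/pdfviewer", "open", "/home/alice/docs/invoice.pdf"),
    ("/usr/bin/pdfviewer", "open", "/usr/share/fonts/DejaVuSans.ttf"),
    ("/usr/bin/pdfviewer", "connect", "127.0.0.1:631"),
    ("/usr/sbin/sshd", "open", "/etc/ssh/sshd_config"),
    ("/usr/sbin/sshd", "open", "/etc/passwd"),
    ("/usr/sbin/sshd", "listen", "0.0.0.0:22"),
]

# Constructed live events to score against the learned profiles.
LIVE = [
    ("/usr/bin/pdfviewer", "open", "/home/alice/docs/contract.pdf"),  # new file, known directory
    ("/usr/bin/pdfviewer", "open", "/etc/passwd"),                    # alice may read it; the viewer never has
    ("/usr/bin/pdfviewer", "exec", "/bin/sh"),                        # operation the viewer never performed
    ("/usr/bin/pdfviewer", "connect", "203.0.113.5:4444"),            # endpoint outside the profile
    ("/usr/sbin/sshd", "open", "/etc/passwd"),                        # in profile
]


def generalize(operation, obj):
    """Reduce an object to the granularity the profile is kept at (an
    assumption of this example): file operations are profiled by directory,
    so one entry covers every PDF in ~/docs; network operations are kept as
    the exact host:port, since a new destination is itself the signal."""
    if operation in ("open", "exec"):
        return obj.rsplit("/", 1)[0] or "/"
    return obj


def build_profiles(events):
    """exe -> operation -> set of generalized objects seen in training."""
    profiles = defaultdict(lambda: defaultdict(set))
    for exe, op, obj in events:
        profiles[exe][op].add(generalize(op, obj))
    return profiles


def score(profiles, event):
    """Most specific verdict first: unknown program, then an operation the
    program never performed, then a known operation on a new object."""
    exe, op, obj = event
    if exe not in profiles:
        return "unknown-executable"
    ops = profiles[exe]
    if op not in ops:
        return "new-operation"
    if generalize(op, obj) not in ops[op]:
        return "new-object"
    return "normal"


def run(profiles, events):
    return [(event, score(profiles, event)) for event in events]


if __name__ == "__main__":
    learned = build_profiles(TRAINING)
    for event, verdict in run(learned, LIVE):
        print(f"{verdict:18} {event[0]} {event[1]} {event[2]}")
```

Note that the viewer reading /etc/passwd is flagged even though alice, the user running it, is entitled to read that file: the profile is keyed on the executable, which is how this technique approximates least privilege on a system that does not enforce it. The profile is only as clean as its training window; if the viewer had already been compromised while the profile was learned, the shell spawn would have been recorded as normal.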

IDS Applications

Each IDS product on the market has its strengths and weaknesses. Which one is best for a particular environment depends on many factors, including the network environment, the required level of security, budget constraints, and the skill level of the people who will operate the IDS day to day.

Snort

Snort is the best-known open-source intrusion detection and prevention system. It runs on a host whose network interface sees the traffic to be inspected and matches that traffic against a rule set. For more information, visit the official Snort website.
