Intrusion Detection and Prevention Technologies

In the security world, intrusion detection systems (IDSs) are devices that detect attempts from an attacker to gain unauthorized access to a network or a host to create performance degradation or to steal information. They also detect DDoS attacks, worms, and virus outbreaks. The number and complexity of security threats have skyrocketed over recent years. Achieving efficient network intrusion security is vital to maintaining a high level of protection. Cautious protection ensures business continuity and minimizes the effects of costly interruption of services. Like firewalls, there are two different types of intrusion detection systems:

• Network-based intrusion detection systems (NIDS)
• Host-based intrusion detection systems (HIDS)

Network-Based Intrusion Detection and Prevention Systems

Network-based intrusion detection and prevention systems are designed to precisely identify, categorize, and protect against known and unknown threats targeting a network. These threats include worms, DoS attacks, and any other detected vulnerabilities. Several detection methodologies are widely deployed. These techniques or methodologies embrace the following:

• Pattern matching and stateful pattern-matching recognition
• Protocol analysis
• Heuristic-based analysis
• Anomaly-based analysis

Pattern Matching and Stateful Pattern-Matching Recognition

Pattern matching is a methodology in which the intrusion detection device searches for a fixed sequence of bytes within the packets traversing the network. Generally, the pattern is aligned with a packet that is related to a respective service or, in particular, associated with a source and destination port. This approach reduces the amount of inspection made on every packet. However, it is limited to services and protocols that are associated with well-defined ports. Protocols that do not use any Layer 4 port information will not be categorized.

This tactic uses the concept of signatures. A signature is a set of conditions that point out some type of intrusion occurrence. For example, if a specific TCP packet has a destination port of 1234 and its payload contains the string "ff11ff22," an alert will be triggered to detect such string.

Alternatively, the signature could include an explicit starting point and endpoint for inspection within the specific packet.

The benefits of the plain pattern-matching technique include the following:

• Direct correlation of an exploit
• Trigger alerts on the pattern specified
• Can be applied across different services and protocols

One of the main disadvantages is that pattern matching can lead to a considerably high rate of false positives. False positives are alerts that do not represent a genuine malicious activity. In contrast, any alterations to the attack can lead to overlooked events of real attacks, which are normally referred as false negatives.

To address some of these limitations, a more refined method was created. This methodology is called stateful pattern-matching recognition. This process dictates that systems performing this type of signature analysis must consider the chronological order of packets in a TCP stream. In particular, they should judge and maintain a stateful inspection of such packets and flows.

The advantages of stateful pattern-matching recognition include the following:

• It has the capability to directly correlate a specific exploit within the pattern.
• Supports all non-encrypted IP protocols.

Systems that perform stateful pattern matching keep track of the arrival order of packets in a TCP stream and handle matching patterns across packet boundaries.

However, stateful pattern-matching recognition shares some of the same restrictions of the simple pattern-matching methodology, which was discussed previously, including an uncertain rate of false positives and a possibility of some false negatives.

Protocol Analysis

Protocol analysis (or protocol decode-base signatures) is often referred to as the extension to stateful pattern recognition. A NIDS accomplishes protocol analysis by decoding all protocol or client-server conversations. The NIDS identifies the elements of the protocol and analyzes them while looking for an infringement. Some intrusion detection systems look at explicit protocol fields within the inspected packets. Others require more sophisticated techniques, such as examination of the length of a field within the protocol or the number of arguments. For example, in SMTP, the device may look at specific commands and fields such as HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. This technique diminishes the possibility of encountering false positives if the protocol being analyzed is properly defined and enforced. On the other hand, the system can alert numerous false positives if the protocol definition is ambiguous or tolerates flexibility in its implementation.

Heuristic-Based Analysis

A different approach to network intrusion detection is to perform heuristic-based analysis. Heuristic scanning uses algorithmic logic from statistical analysis of the traffic passing through the network. Its tasks are CPU and resource intensive. This is an important consideration while planning your deployment. Heuristic-based algorithms may require fine tuning to adapt to network traffic and minimize the possibility of false positives. For example, a system signature can generate an alarm if a range of ports is scanned on a particular host or network. The signature can also be orchestrated to restrict itself from specific types of packet (for example, TCP SYN packets). Heuristic-based signatures call for more tuning and modification to better respond to their distinctive network environment.

Anomaly-Based Analysis

A different practice keeps track of network traffic that diverges from "normal" behavioral patterns. This practice is called anomaly-based analysis. The limitation is that what is considered to be normal must be defined. Systems and applications whose behavior can be easily considered as normal could be classified as heuristic-based systems.

However, sometimes it is challenging to classify a specific behavior as normal or abnormal based on different factors. These factors include negotiated protocols and ports, specific application changes, and changes in the architecture of the network.

A variation of this type of analysis is profile-based detection. This allows systems to orchestrate their alarms on alterations in the way that other systems or end users interrelate on the network.

Another kind of anomaly-based detection is protocol-based detection. This scheme is related to, but not to be confused with, the protocol-decode method. The protocol-based detection technique depends on well-defined protocols, because it detects as an anomaly any unpredicted value or configuration within a field in the respective protocol.

Devices doing protocol decoding can look at information within the packets that will look similar to a possible buffer-overflow pattern.

Note

A buffer overflow occurs when a program attempts to store more data in a temporary storage area within memory (buffer) than what it was designed to hold. In view of the fact that buffers are fashioned to contain a specific amount of information, the "extra" data or information can overflow to adjoining buffers. Attackers can generate extra data containing malicious code designed to galvanize specific actions. The attacker might send instructions to the targeted system that could damage or change data.

 

Host-Based Intrusion Detection Systems

Host-based intrusion detection systems are employed to safeguard critical computer systems containing crucial data. Whereas network-based intrusion detection systems examine activity within a network, a host-based IDS resides on a server or client machine while sharing CPU and other resources with other existing applications.

Cisco Systems offers both network- and host-based intrusion detection systems:

• Cisco Adaptive Security Appliances provide a network-based intrusion detection solution.
• Cisco Security Agent (CSA) provides a complete host-based intrusion detection solution.

The deployment of a host-based IDS can provide protection against both viruses and worms. The system supervises routines on the host by using a database of system policies and prevents malicious activity on the host by concentrating on the behavior of those activities. Host-based intrusion detection systems, such as CSA, use static and user-configured security policies to determine whether a specific behavior is allowed. In addition to personal firewall services, CSA offer spyware, adware, worm protection, and operating-system integrity assurance.