IDS Basics

The purpose of an Intrusion Detection System (IDS) is to detect and report attacks in real time. A traditional, non-heuristic IDS consists of three functional components, namely a monitoring component, an inference component, and an alerting component. The monitoring component collects activity data, which in most cases is network traffic. As we're dealing specifically with Web attacks, we're concerned only with attacks launched over a network, not with attacks originating from within the target system itself. The data collected by the monitoring component are then passed to the inference component, which analyzes the captured data to determine whether the activity that generated it is normal or malicious. Every attack has a telltale signature: a pattern by which the attack is recognized and classified. Most commercial and open-source IDSs rely on signatures to recognize attacks. If an attack is detected, the alerting component generates a response, based on how the system is configured. Responses can be either passive or active. Sending an alert message to an administration console or adding an entry to the system's log files are passive responses; sending a configuration directive to a firewall to block an intruder's network traffic is an active response. If we consider the location of the IDS mechanism, we can group IDSs into two categories, namely network IDSs and host-based IDSs.
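As an added illustration (not code from the book), here are the three components of a signature-based IDS in miniature, with passive and active responses. The signature list, the traffic records and the client addresses are all constructed for this example, and the signatures are deliberately simplistic.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Signature database (constructed): attack name and the pattern that identifies it.
SIGNATURES = [
    ("directory-traversal", re.compile(r"\.\./")),
    ("sql-injection-tautology", re.compile(r"'\s*or\s*'", re.I)),
    ("shell-metacharacters", re.compile(r"[;|`]")),
]

# Constructed "<client-ip> <method> <uri>" records; addresses from the RFC 5737 range.
SAMPLE_TRAFFIC = [
    "192.0.2.10 GET /index.html",
    "192.0.2.20 GET /cgi-bin/view?file=../../etc/passwd",
    "192.0.2.30 GET /login?user=admin'%20OR%20'1'='1",
    "192.0.2.10 GET /images/logo.png",
]

@dataclass
class IDS:
    active: bool = False                         # True: also emit block directives
    log: list = field(default_factory=list)      # passive response: alert log
    blocked: set = field(default_factory=set)    # active response: sources to block

    def monitor(self, records):
        """Monitoring component: split each record into source address and request."""
        for rec in records:
            src, _, request = rec.partition(" ")
            yield src, request

    def infer(self, request):
        """Inference component: URL-decode, then match every known signature."""
        decoded = unquote(request)  # normalize so encoded variants are not missed
        return [name for name, pat in SIGNATURES if pat.search(decoded)]

    def alert(self, src, signature, request):
        """Alerting component: log the event (passive) and, if enabled, block (active)."""
        self.log.append((src, signature, request))
        if self.active:
            self.blocked.add(src)

    def run(self, records):
        for src, request in self.monitor(records):
            for signature in self.infer(request):
                self.alert(src, signature, request)
        return self.log
```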

Network IDSs

Network intrusion detection systems are dedicated systems placed strategically on a network segment to detect attacks directed at any host on that network. A single network IDS can monitor multiple network segments and provide aggregated reports of attacks occurring throughout the network. All data traveling through the network are captured and analyzed. For this purpose, a network IDS needs to be very fast and drop as little network traffic as possible.

Popular network IDSs include commercial products such as ISS's RealSecure (http://www.iss.net/products_services/enterprise_protection/rsnetwork/index.php) and Intrusion.com's SecureNet (http://www.intrusion.com/products/productcategory.asp?lngCatId=4) and open source products such as Snort (http://www.snort.org/).

Host-Based IDSs

Host-based IDSs run on the system to be monitored. They monitor only data directed toward and originating from that particular system. Apart from relying on network traffic for detecting attacks, a host-based IDS can also monitor other system parameters such as running processes, file system access and integrity, and user logins to identify malicious activity.

Popular host-based IDSs include BlackIce Defender from ISS systems (http://www.iss.net/products_services/hsoffice_protection/blkice_protect_pc.php) and Psionic PortSentry (http://www.psionic.com/products/portsentry.html).

Each IDS model has advantages and disadvantages, but when it comes to Web attacks, the effectiveness of network IDSs and host-based IDSs is more or less the same.

Web Hacking: Attacks and Defense
ISBN: 0201761769
Year: 2005
Pages: 156