Intrusion detection system

 What is an Intrusion Detection System?  Working of Intrusion Detection System  Classification of Intrusion Detection System  Intrusion Detection System Evasion Techniques  Benefits of IDS ______________________________________________________________________________ What is an Intrusion Detection System?  A system called an Intrusion Detection System (IDS) observes network traffic for malicious transactions and sends immediate alerts when it is observed.  It is software that checks a network or system for malicious activities or policy violations.  Each illegal activity or violation is often recorded either centrally using an SIEM (Security information and event management) system or notified to an administration.  IDS protects a computer network from unauthorized access from users, including perhaps insiders.  It uses machine learning techniques such a predictive model (i.e. a classifier) capable of distinguishing between ‘bad connections’ (intrusion/attacks) and ‘good (normal) connections’. Working of Intrusion Detection System  An IDS (Intrusion Detection System) monitors the traffic on a computer network to detect any suspicious activity.  It analyzes the data flowing through the network to look for patterns and signs of abnormal behavior.  The IDS compares the network activity to a set of predefined rules and patterns to identify any activity that might indicate an attack or intrusion.  If the IDS detects something that matches one of these rules or patterns, it sends an alert to the system administrator.  The system administrator can then investigate the alert and take action to prevent any damage or further intrusion. Classification of Intrusion Detection System Intrusion Detection System are classified into 5 types: 1. Network Intrusion Detection System (NIDS): It examines traffic from all devices on the network. It performs an observation of passing traffic on the entire subnet and matches the collection of known attacks. Once an attack is identified or abnormal behavior is observed, the alert can be sent to the administrator.  An example of a NIDS is installing it on the subnet where firewalls are located in order to see if someone is trying to crack the firewall. 2. Host Intrusion Detection System (HIDS): It runs on independent hosts or devices on the network. A HIDS monitors the incoming and outgoing packets from the device only and will alert the administrator if suspicious or malicious activity is detected. It takes a snapshot of existing system files and compares it with the previous snapshot. If the analytical system files were edited or deleted, an alert is sent to the administrator to investigate. An example of HIDS usage can be seen on mission-critical machines, which are not expected to change their layout. Intrusion Detection System (IDS) 3. Protocol-based Intrusion Detection System (PIDS): It comprises a system or agent that would consistently reside at the front end of a server, controlling and interpreting the protocol between a user/device and the server. It is trying to secure the web server by regularly monitoring the HTTPS protocol stream and accepting the related h***: protocol. As HTTPS is unencrypted and before instantly entering its web presentation layer then this system would need to reside in this interface, between to use the HTTPS. 4. Application Protocol-based Intrusion Detection System (APIDS): It is a system or agent that generally resides within a group of servers. It identifies the intrusions by monitoring and interpreting the communication on application-specific protocols.  For example, this would monitor the SQL protocol explicitly to the middleware as it transacts with the database in the web server. 5. Hybrid Intrusion Detection System: It is made by the combination of two or more approaches to the intrusion detection system. In the hybrid intrusion detection system, the host agent or system data is combined with network information to develop a complete view of the network system. The hybrid intrusion detection system is more effective in comparison to the other intrusion detection system.  Prelude is an example of Hybrid IDS. Intrusion Detection System Ducking Techniques 1. Fragmentation: Dividing the packet into smaller packet called fragment and the process is known as fragmentation. This makes it impossible to identify an intrusion because there can’t be a malware signature. 2. Packet Encoding: Encoding packets using methods like Base64 or hexadecimal can hide3. Traffic Complication: By making message more complicated to interpret, smokescreen can be utilized to hide an attack and avoid detection. 4. Encryption: Several security features, such as data integrity, confidentiality, and data privacy, are provided by encryption. Unfortunately, security features are used by malware developers to hide attacks and avoid detection. Benefits of IDS  Detects malicious activity: IDS can detect any suspicious activities and alert the system administrator before any significant damage is done.  Improves network performance: IDS can identify any performance issues on the network, which can be addressed to improve network performance.  Compliance requirements: IDS can help in meeting compliance requirements by monitoring network activity and generating reports.  Provides insights: IDS generates valuable insights into network traffic, which can be used to identify any weaknesses and improve network security. Computer security: 1 What is Computer Security? Computer security basically is the protection of computer systems and information from harm, theft, and unauthorized use. It is the process of preventing and detecting unauthorized use of your computer system. There are various types of computer security which is widely used to protect the valuable information of an organization. Computer Security types One way to ascertain the similarities and differences among Computer Security is by asking what is being secured. For example,  Information security is securing information from unauthorized access, modification & deletion  Application Security is securing an application by building security features to prevent from Cyber Threats such as SQL injection, DoS attacks, data breaches and etc.  Computer Security means securing a standalone machine by keeping it updated and patched  Network Security is by securing both the software and hardware technologies  Cybersecurity is defined as protecting computer systems, which communicate over the computer networks It’s important to understand the distinction between these words, though there isn’t necessarily a clear consensus on the meanings and the degree to which they overlap or are interchangeable. So, Computer security can be defined as controls that are put in place to provide confidentiality, integrity, and availability for all components of computer systems. Let’s elaborate the definition. Components of a Computer System The components of a computer system that needs to be protected are:  Hardware, the physical part of the computer, like the system memory and disk drive  Firmware, permanent software that is etched into a hardware device’s nonvolatile memory and is mostly invisible to the user  Software, the programming that offers services, like operating system, word processor, internet browser to the user malicious content from signature-based IDS. 2 What is the CIA Triad in Cyber Security? The CIA Triad is an information security model, which is widely popular. It guides an organization’s efforts towards ensuring data security. The three principles—confidentiality, integrity, and availability which is also the full for CIA in cybersecurity, form the cornerstone of a security infrastructure. In fact, it is ideal to apply these principles to any security program.  Confidentiality makes sure that only authorized personnel are given access or permission to modify data  Integrity helps maintain the trustworthiness of data by having it in the correct state and immune to any improper modifications  Availability means that the authorized users should be able to access data whenever required The CIA Triad is so elementary to information security that anytime data violation or any number of other security incidents occur, it is definitely due to one or more of these principles being compromised. So, the CIA Triad is always on top of the priority list for any infosec professional. Security experts assess threats and vulnerabilities thinking about the impact that they might have on the CIA of an organization’s assets. Based on that assessment, the security team enforces a specific set of security controls to minimize the risks within that environment.