Wednesday, February 8, 2012

Intrusion Detection Systems and Intrusion Prevention Systems

If you're studying for one of the security certifications like CISSP, SSCP, or Security+ you'll come across intrusion detection systems and intrusion prevention systems. An intrusion detection system can detect and alert on potential intrusions, and an intrusion prevention system goes a step further and can block an attack. There's a lot of depth to these topics and if you want to take a deep dive into the topics, check out NIST SP 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS). This blog outlines the basics.

Host-based and Network-based

Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) are either host-based (HIDS or HIPS) or network-based (NIDS or NIPS).
  • Host-based. A host-based system is installed on a single computer such as a workstation or server. Its goal is to protect local resources on the host and it can detect attacks or intrusions on this system, but it cannot detect attacks on other systems.
  • Network-based. A network-based system monitors network activity and will include multiple sensors installed on network devices such as routers and firewalls. These sensors report activity back to a central monitoring console. It can detect network-based attacks, but it cannot detect anomalies on individual systems.

Detection Methods

IDSs and IPSs primarily detect intrusions using one of two methods: knowledge-based or behavior-based (also called anomaly-based).
  • Knowledge-based. This uses a database of known attack patterns and is similar to the signature file used to detect different types of viruses. It is also called signature-based and definition-based. The key is that the intrusion is using a known method that can be recognized. It's important to keep antivirus definitions up-to-date to detect emerging threats. Likewise, it's important to keep a knowledge-based IDPS signature file up-to-date.
  • Anomaly-based. Anomaly-based detection starts by creating a baseline of normal behavior. This baseline can take days or even weeks to create and is often called a training period. After the baseline is created, it then monitors activity and can report when activity varies from the baseline. For example, if network bandwidth usage is typically at 50 percent utilization for a specific connection, but increases to 95 percent sustained utilization, it indicates a change from the norm or an anomaly and will raise an alert. If the environment is updated or changed, the baseline needs to be updated.
Another method is known as stateful protocol analysis (also called deep packet inspection). In this method, traffic is examined for suspicious activity based on the protocol. For example, a typical File Transfer Protocol (FTP) session follows a predictable pattern where a user authenticates and then begins issuing commands. However, if the session deviates from the pattern, perhaps with the user issuing commands without authenticating, it may indicate an attack.
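The FTP case described above, as an added example that is not part of the original post: a small stateful analyzer that tracks whether a client has logged in and flags commands that normal FTP clients only send after the server has accepted the login. The session transcripts are constructed by hand rather than captured from a real server, and the set of commands accepted before login is an assumption chosen for the example.

```python
"""Stateful protocol analysis of a simplified FTP control channel.

Added example (not from the original post): it tracks the authentication
state of one session and flags commands that normal FTP clients only issue
after the server has accepted a login. Session transcripts below are
constructed by hand, not captured traffic.
"""

# Commands a client legitimately sends before it has logged in (assumed set).
PRE_AUTH_COMMANDS = {"USER", "PASS", "QUIT", "FEAT", "AUTH", "PBSZ", "PROT",
                     "SYST", "NOOP", "HELP"}


def analyze_ftp_session(transcript):
    """Walk a transcript of (direction, line) pairs, direction 'C' for client
    or 'S' for server, and return a list of findings (empty when the session
    follows the expected authenticate-then-command pattern)."""
    user_sent = False      # USER has been seen
    authenticated = False  # server answered 230 to the login
    findings = []
    for direction, line in transcript:
        if direction == "S":
            code = line[:3]
            if code == "230":        # 230: user logged in
                authenticated = True
            elif code == "530":      # 530: not logged in / login failed
                authenticated = False
            continue
        parts = line.split(maxsplit=1)
        if not parts:
            continue
        cmd = parts[0].upper()
        if cmd == "USER":
            user_sent = True
        elif cmd == "PASS":
            if not user_sent:
                findings.append("PASS before USER")
        elif not authenticated and cmd not in PRE_AUTH_COMMANDS:
            # The protocol state says this command should not appear yet.
            findings.append(f"{cmd} issued before authentication")
    return findings


# Constructed transcript of a session that follows the expected pattern.
NORMAL_SESSION = [
    ("S", "220 ftp ready"),
    ("C", "USER alice"),
    ("S", "331 Password required"),
    ("C", "PASS secret"),
    ("S", "230 Login successful"),
    ("C", "PWD"),
    ("S", '257 "/"'),
    ("C", "RETR report.txt"),
    ("S", "150 Opening data connection"),
    ("C", "QUIT"),
    ("S", "221 Goodbye"),
]

# Constructed transcript that deviates from the pattern: commands arrive
# before any login has succeeded, and PASS is sent without a USER.
SUSPICIOUS_SESSION = [
    ("S", "220 ftp ready"),
    ("C", "RETR report.txt"),
    ("S", "530 Please login"),
    ("C", "PASS guessed"),
    ("S", "530 Login incorrect"),
    ("C", "LIST"),
]


if __name__ == "__main__":
    print("normal:", analyze_ftp_session(NORMAL_SESSION))
    print("suspicious:", analyze_ftp_session(SUSPICIOUS_SESSION))
```

The analyzer keeps no signature database and no baseline; it only knows what the protocol's state machine allows at each point, which is what distinguishes stateful protocol analysis from the two methods in the list above.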

False Alarms

Both knowledge-based and anomaly-based systems are susceptible to false alarms (also called false alerts and false positives). In other words, they may report an attack that isn't actually an attack. The goal of security administrators is to reduce the number of false alarms to a minimum, while also ensuring that actual attacks are reported.

Thresholds are used to set the limit between normal behavior and abnormal behavior that may indicate a potential attack. As an example, consider a TCP SYN flood attack where an attacker sends a SYN packet but not the ACK packet to complete a connection. If this happened once in a ten minute period, it probably isn't an attack. If it happened one thousand times within a minute, it very likely is an attack. An IDS would use some number between 1 and 1,000 as the threshold and when that number is reached, it raises an alert.

There isn't a perfect number for any threshold, so administrators seek a balance. If it is set too high, attacks will not be detected. If it is set too low, the IDS won't be trusted due to the high number of false alarms. Most administrators are willing to accept some false positives if it will ensure they are notified when an actual attack occurs.
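The threshold trade-off for the SYN flood case, as an added example that is not part of the original post. It counts half-open connections (a client SYN whose socket never sends the completing ACK) per source and per one-minute window, derives a threshold from a constructed training period the way an anomaly-based system would, and then shows that a threshold set too low also alerts on a harmless client whose server simply stopped answering. All packet records, addresses and training counts are constructed for the example; the mean-plus-three-standard-deviations rule is one common choice, not the post's.

```python
"""Threshold and baseline selection for half-open TCP connection counts.

Added example, not from the original post. The packet records and the
training-period counts are constructed by hand; a real sensor would read
them from a capture. A 'half-open' connection here is a client SYN for which
the same client socket never sends the ACK that completes the handshake.
"""
from collections import defaultdict
from statistics import mean, pstdev

WINDOW_SECONDS = 60


def count_half_open(packets, window_seconds=WINDOW_SECONDS):
    """packets: iterable of (timestamp, src_ip, src_port, flags).
    Returns {(window_start, src_ip): number of half-open connections}."""
    syn_time = {}
    completed = set()
    for ts, src, sport, flags in packets:
        key = (src, sport)
        if flags == "SYN":
            syn_time[key] = ts
        elif flags == "ACK" and key in syn_time:
            completed.add(key)
    counts = defaultdict(int)
    for (src, sport), ts in syn_time.items():
        if (src, sport) not in completed:
            window = int(ts // window_seconds) * window_seconds
            counts[(window, src)] += 1
    return dict(counts)


def baseline_threshold(training_counts, k=3):
    """Anomaly-based threshold: mean plus k standard deviations of the
    per-source half-open counts seen during the training period."""
    return mean(training_counts) + k * pstdev(training_counts)


def alerts(counts, threshold):
    """Return (window, src, count) for every window/source at or above threshold."""
    return sorted((w, src, n) for (w, src), n in counts.items() if n >= threshold)


def build_sample_packets():
    """Constructed traffic: one well-behaved client, one client whose server
    never answers, and one source sending 500 SYNs in the second minute."""
    pkts = []
    for i in range(5):                          # full handshakes
        pkts.append((10.0 + i, "10.0.0.5", 40000 + i, "SYN"))
        pkts.append((10.1 + i, "10.0.0.5", 40000 + i, "ACK"))
    for i in range(3):                          # three unanswered SYNs
        pkts.append((20.0 + i, "10.0.0.7", 50000 + i, "SYN"))
    for i in range(500):                        # flood, never completed
        pkts.append((60.0 + i * 0.1, "203.0.113.9", 1024 + i, "SYN"))
    return sorted(pkts)


# Per-source half-open counts per minute observed during a constructed
# training period with no attacks in progress.
TRAINING_COUNTS = [1, 2, 0, 3, 1, 2, 4, 1, 0, 2]


if __name__ == "__main__":
    counts = count_half_open(build_sample_packets())
    threshold = baseline_threshold(TRAINING_COUNTS)
    print("threshold from baseline:", threshold)
    print("alerts at baseline threshold:", alerts(counts, threshold))
    print("alerts at threshold 2 (too low):", alerts(counts, 2))
```

With the constructed training data the baseline threshold works out to 5.2 half-open connections per minute, so the flood source alerts and the client with three unanswered SYNs does not; forcing the threshold down to 2 reports both, which is the false alarm the text warns about.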


When an IDS or IPS detects a potential intrusion it can respond either passively or actively.
  • Passive. A passive response will log the event and possibly provide a notification. The notification can be an email, text message, or page sent to key personnel, or perhaps a pop-up dialog box on the system.
  • Active. An active response will include the passive capability but will also take action to block the attack. It may terminate a connection or modify the access control list (ACL) on a router or firewall to block the attack.


Active intrusion detection systems are often called intrusion prevention systems, but this isn't always the case. The distinguishing difference is that an IPS is placed inline with the traffic. In other words, all traffic to a network passes through an IPS, giving the IPS the ability to block malicious traffic. In contrast, an active IDS may be able to block an attack, but if it is not placed inline with the traffic, it can only block it after the attack has started.
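The passive/active and inline/out-of-band distinctions above, as an added example that is not part of the original post. A constructed packet stream is pushed through a sensor in two placements: inline, where the sensor sees each packet before it is delivered, and out-of-band, where the sensor only sees a copy after forwarding has already happened. The responder logs and notifies in both cases (passive) and, when active, adds the source to a deny list standing in for an ACL on a router or firewall. Addresses, packet ids and the signature field are all constructed for the example.

```python
"""Passive vs. active response, and inline vs. out-of-band placement.

Added example, not from the original post. A toy packet stream is pushed
through a sensor in two placements: inline (every packet passes through the
sensor before delivery) and out-of-band (the sensor only sees a copy after
the packet has been forwarded). The 'match' field is a constructed stand-in
for whatever a knowledge-based engine matched.
"""


class Responder:
    """Log and notify (passive) and, when active, add the source to a deny
    list standing in for an ACL entry on a router or firewall."""

    def __init__(self, active):
        self.active = active
        self.log = []
        self.notifications = []
        self.denied_sources = set()

    def respond(self, packet):
        self.log.append(f"alert src={packet['src']} match={packet['match']}")
        self.notifications.append(f"notify on-call: src={packet['src']}")
        if self.active:
            self.denied_sources.add(packet["src"])


def is_malicious(packet):
    """Constructed stand-in for a signature match."""
    return packet["match"] is not None


def run_inline(packets, responder):
    """IPS placement: analyse first, deliver only what the sensor lets through."""
    delivered = []
    for p in packets:
        if p["src"] in responder.denied_sources:
            continue                      # ACL entry from an earlier response
        if is_malicious(p):
            responder.respond(p)
            if responder.active:
                continue                  # dropped before it reaches the host
        delivered.append(p["id"])
    return delivered


def run_out_of_band(packets, responder):
    """IDS on a mirror/SPAN port: the packet is forwarded, then the copy is analysed."""
    delivered = []
    for p in packets:
        if p["src"] in responder.denied_sources:
            continue
        delivered.append(p["id"])         # already on its way
        if is_malicious(p):
            responder.respond(p)          # block only affects later packets
    return delivered


PACKETS = [  # constructed stream
    {"id": 1, "src": "10.0.0.5", "match": None},
    {"id": 2, "src": "203.0.113.9", "match": "constructed-sig-A"},
    {"id": 3, "src": "203.0.113.9", "match": "constructed-sig-A"},
    {"id": 4, "src": "10.0.0.5", "match": None},
    {"id": 5, "src": "203.0.113.9", "match": None},
]


def simulate(placement, active):
    """Return (delivered packet ids, number of alerts logged) for one placement
    ('inline' or 'out_of_band') and response mode."""
    responder = Responder(active)
    run = run_inline if placement == "inline" else run_out_of_band
    delivered = run(PACKETS, responder)
    return delivered, len(responder.log)


if __name__ == "__main__":
    for placement in ("inline", "out_of_band"):
        for active in (False, True):
            print(placement, "active" if active else "passive", simulate(placement, active))
```

The active inline sensor drops packet 2, the first one that matches, before delivery; the active out-of-band sensor delivers packet 2 and only stops the source from packet 3 onward, which is the "after the attack has started" case in the text; a passive sensor in either placement delivers everything and only logs.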