cysecure.org/470/18sp/indiProject/...intrusionDetectionPrevention.docx


IASP 470

Dr. John Yoon

Individual Project


Intrusion Detection and Prevention

Iliandra Gonzalez

Mercy College


Abstract

Intrusion detection and prevention go hand in hand because each depends on the other. The overall focus will be on what intrusion detection is, the types of protection available, and why it is necessary in cybersecurity. By observing the necessity of intrusion detection, one will understand the requirement for prevention. It is fine to alert the owner that something was stolen, but it would be better to prevent the theft in the first place. Overall, both intrusion detection and prevention will be analyzed: what they are, how they work, the forms currently in use, the different types, and lastly why they are needed.


Introduction

In the world of cyber security, the importance of intrusion detection and prevention is clear. It is necessary in this field because, in a sense, it is the field. This leads to the first question: what is cyber security? Cyber security is the protection of information from criminal or unauthorized use of electronic data. This protection secures an individual's information or a company's data. When discussing data or information, it can refer to an individual or a group, up to something as large as a company. To provide security, both cyber security and physical security are needed. This is relevant to intrusion detection and prevention because intrusion detection is the alarm in this security system. An alarm is essential because if something is stolen, no one will know without an indication. Prevention is self-explanatory: the need to prevent any future incidents from happening is the necessity for protection.

Before going into why intrusion detection is important, a basic understanding is required. An intrusion detection system can be a device or a software application that monitors a network or system. It checks for any malicious activity or for policy violations. The intrusion detection system (IDS) can be split into two different types of detection: the host-based intrusion detection system (HIDS), which monitors important operating system files, and the network intrusion detection system (NIDS), which analyzes incoming network traffic. The difference between the two is minor yet significant, for it is displayed in the actions taken during an attack.

An intrusion detection system is made up of two components: a management console and sensors. The management console is the reporting and management console, meaning it reports the information and manages it. This is for record purposes and allows the owner to use the information for any future attacks. The sensors monitor hosts and networks in real time. The intrusion detection system has a database of attack signatures. These attack signatures are patterns of different variations of attacks that were previously detected. The sensor portion detects any malicious activity and matches it with the corresponding packet. A packet is a unit of data that is sent between an origin and a destination. The sensor will scan for any activity that seems suspicious; if it finds one, it will then find the numbered packet with an internet address. If it finds a match, it will report it to management. However, the sensor can be configured to take different actions depending on the administrator.

An intrusion detection system functions by detecting anomalies, with the aim of catching hackers before they do any damage to your network. As previously mentioned, they can be either host based (HIDS) or network based (NIDS). The way this detection works is by looking for signatures that are known as attacks. It also checks for any deviations from normal activity. It uses this information to prevent attacks that are malicious to your network. Its purpose is to identify threats and respond to them in a timely manner. The host-based intrusion detection system and the network intrusion detection system both protect the user from viruses, malware, and other malicious file types. The difference between the two, however, is that NIDS can only be installed at certain intersection points; examples would be routers or servers. HIDS can be, and usually are, installed on every host machine.

A host-based intrusion detection system is like a sensor: both collect information on the system being monitored. The data collected is recorded by operating system mechanisms referred to as audit trails. Another mechanism for recording data is system logs. System logs are generally text files that record what occurred and the actions taken at the time. Host-based systems can become limited by audit trails, since they can put a strain on performance. However, audit trails arm the user with useful data and are protected by the operating system; therefore, the system can hardly be considered limited by them. Host-based systems retrieve information from a host.

Network-based intrusion detection systems offer a different approach than host-based systems. Network-based systems collect information from the network itself, whereas host-based systems collect it from each separate host. Network-based system information is collected from the network traffic stream. As stated previously, data travels on network segments. This system comes with attack signatures. Attack signatures are rules that define what an attack is. This gives the ability to customize the sensors rather than just collecting large amounts of information. This system is portable and does not degrade the performance of other programs running on the same network. However, since this system uses stored information, or attack signatures, it will not detect any new exploits in the network.

The advantages of network intrusion detection systems are that they are low cost, they are easier to deploy, and they can detect network-based attacks. Furthermore, they have the capability of retaining evidence, providing real-time detection and quick response, and detecting failed attacks. NIDS can be deployed on each network segment, making loading software on hosts unnecessary. This reduces management, since there is no need for sensor software at the host level; this lowers the cost for the owner. It is easier to deploy since it does not affect the existing infrastructure, and it will monitor for attacks regardless of the operating system. NIDS can detect attacks that host-based sensors fail to detect. Since NIDS inspects live network traffic, the attacker is incapable of removing evidence, because it is logged. Functioning in real time allows it to respond quickly to attacks. If a NIDS is deployed outside the firewall, it will detect any attacks the firewall prevented.

The advantages of a host-based intrusion detection system are that it verifies the success or failure of an attack, monitors the system's activities, and detects attacks that NIDS fail to detect. Host-based systems also have close to real-time detection and response, do not require any additional hardware, and have a lower entry cost. Host-based systems monitor all user logons and activities, so improper changes can be tracked. The capability to detect attacks that network-based systems fail to see comes from the fact that some attacks come from a user; since a network-based system monitors a larger group of users, it will not be alerted. Meaning, it is checking for outside attacks and any malicious activity on the network; it will not scan for unusual activity from a user.
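As an added example (not code from the paper), the following Python sketches the two host-based data sources described above: a file-integrity check of important operating system files against a recorded hash baseline, and a pass over system log lines that flags repeated failed logons and records privileged commands. The file contents, baseline hashes, log lines and addresses are all constructed for the example.

```python
import hashlib
import re
from collections import Counter

# Constructed "important operating system files" and the SHA-256 baseline a
# host-based sensor would record while the host is known to be clean.
BASELINE_CONTENTS = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/hosts": b"127.0.0.1 localhost\n",
}
BASELINE_HASHES = {p: hashlib.sha256(c).hexdigest() for p, c in BASELINE_CONTENTS.items()}

def check_file_integrity(current_contents, baseline=BASELINE_HASHES):
    """Return the baseline paths whose current hash differs (changed or missing)."""
    tampered = []
    for path, expected in baseline.items():
        actual = hashlib.sha256(current_contents.get(path, b"")).hexdigest()
        if actual != expected:
            tampered.append(path)
    return tampered

# Constructed system log lines in a syslog-like authentication format.
SAMPLE_LOG = """\
Mar 10 09:00:01 host1 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 50211
Mar 10 09:00:03 host1 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 50212
Mar 10 09:00:05 host1 sshd[2001]: Failed password for root from 203.0.113.7 port 50213
Mar 10 09:00:07 host1 sshd[2002]: Accepted password for alice from 192.0.2.10 port 40001
Mar 10 09:00:09 host1 sshd[2001]: Failed password for root from 203.0.113.7 port 50214
Mar 10 09:01:00 host1 sudo: alice : COMMAND=/usr/bin/passwd bob
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
SUDO_RE = re.compile(r"sudo: (\S+) : .*COMMAND=(\S+)")

def audit_logons(log_text, threshold=3):
    """Count failed logons per source and record privileged commands.

    Sources reaching the threshold are reported as brute-force candidates."""
    failures = Counter()
    privileged = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = SUDO_RE.search(line)
        if m:
            privileged.append((m.group(1), m.group(2)))
    brute_force = {src for src, n in failures.items() if n >= threshold}
    return {"brute_force_sources": brute_force, "privileged_commands": privileged}

if __name__ == "__main__":
    observed = dict(BASELINE_CONTENTS)
    observed["/etc/passwd"] += b"eve:x:0:0::/root:/bin/bash\n"  # constructed tampering
    print("tampered files:", check_file_integrity(observed))
    print(audit_logons(SAMPLE_LOG))
```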

Continuing from intrusion detection, the goal is prevention. Intrusion prevention is a preemptive approach to network security which is used to identify threats and respond to them. It is similar to an intrusion detection system (IDS); however, it has its own identity. The intrusion prevention system (IPS) monitors network traffic like an IDS but handles it differently. The intrusion prevention system is a network security and threat prevention technology that examines network traffic flow. This is done to detect and prevent exploits of vulnerabilities in the network. Host-based systems do not offer true real-time response, but since they check and process the attack, this can still be considered an advantage that host-based systems provide. Since host-based systems reside on the host systems, they do not require any additional hardware. Generally, host-based intrusion detection system sensors are cheaper compared to network-based intrusion detection systems.

The intrusion detection system and the intrusion prevention system both increase the security level of networks. They both monitor network traffic and inspect network packets. They scan each packet for any suspicious data. Detection in both the intrusion detection system and the intrusion prevention system is mostly based on signatures acquired over time or otherwise recognizable ones. The difference between IPS and IDS is the actions they take when an attack is detected. The actions that differ are focused on the initial phases, such as the network scanning and port scanning phases. Both help an individual and, at larger scales, a corporation.

Within the network scanning and port scanning phase, the main difference is that an intrusion detection system provides the network with a level of security against any suspicious activity by directing warning messages at systems administrators. This achieves a level of preventive security against any suspicious activity. However, unlike an intrusion prevention system (IPS), it is not designed to block attacks. For the best security as a whole for the company, it is best to have both intrusion detection and prevention systems. A detailed overview of what an intrusion prevention system is and what it provides will be given to build an understanding of why it is necessary. Overall, both are required to ensure security for the owner long term, and there are several network intrusion detection tools available.

There are plenty of network intrusion detection tools out today; luckily, almost all are open source and available for different operating systems. Open source means the software's original source code is freely available and can be redistributed and modified. The top five network intrusion detection tools according to Matthew Pascucci on SearchSecurity, starting from the top, begin with Snort. Snort has been the leader among network intrusion detection and prevention tools. The other good options are Security Onion, OSSEC, OpenWIPS-NG, Suricata, and Bro IDS. Security Onion monitors networks and does intrusion detection. It distributes an image to sensors within the network to monitor several subnets and VLANs. It can run on virtual machines and VMware. The next is OSSEC; its client is capable of performing file integrity monitoring and rootkit detection. This is done to create different policies tailored to the company's needs. The next open source network detection tool is OpenWIPS-NG. It is a bit different, for it is a wireless intrusion detection and prevention system that relies on a server, sensor, or interface. This detection system runs on commodity hardware, and it can scan for, detect, and prevent attacks. The fourth one is Suricata, which has a similar architecture to Snort. The two both rely on signatures and can use the VRT Snort rules. Both also have the same Emerging Threats rule set; Suricata is simply newer. The last one is called Bro IDS. It is an intrusion detection system. Bro is like Security Onion because they both use more than intrusion detection system rules to detect the location of the attack. It is possible for Security Onion to write custom signatures since it has been documenting for the past fifteen years.

Intrusion detection systems are necessary for the protection of the company. The reason is that if a company's information gets stolen, there must be an indication that it was stolen; otherwise information can be stolen without any notice. The question is whether intrusion detection systems are important in cyber security. Detection is relevant because indication is necessary. If you get attacked, an alert should allow the company to detect the attack, while intrusion prevention is what protects the company from the attack. Prevention can avoid an attack, but is that enough security?

An intrusion prevention system is a system that monitors and prevents attacks. The intrusion prevention system is different from the intrusion detection system because it is placed on the direct communication path between the source and destination. An intrusion prevention system examines network traffic flow to detect and prevent exploits of vulnerabilities. Generally, the prevention system will send an alarm to the administrator, drop malicious packets when received, block traffic from the source, and reset the connection. However, since the intrusion prevention system is an inline security component, it must work efficiently; otherwise the network could degrade in overall performance. An inline security component is a network device that receives packets and forwards them to their destination. It uses a database consisting of signature recognition, so it will recognize attacks. It will see the patterns based on the traffic or behavior. However, most intrusion prevention systems come with a limitation, since there are predefined rules.
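The following Python, added here and not part of the paper, models three things the text describes: the sensor matching packets against a signature database and reporting to the management console, the anomaly check for deviations from normal activity (a port scan), and the difference in action between a passive IDS (alert and forward) and an inline IPS (drop the packet, block the source). Packets, signature ids and patterns are constructed for the example; the connection-reset action is left out.

```python
from collections import defaultdict

# Constructed packet records as a sensor sees them: (src, dst, dport, payload).
PACKETS = [
    ("198.51.100.5", "10.0.0.8", 80, b"GET /index.html HTTP/1.1"),
    ("198.51.100.5", "10.0.0.8", 80, b"GET /login.php?user=admin' OR '1'='1 HTTP/1.1"),
    ("203.0.113.9", "10.0.0.8", 22, b""),
    ("203.0.113.9", "10.0.0.8", 23, b""),
    ("203.0.113.9", "10.0.0.8", 25, b""),
    ("203.0.113.9", "10.0.0.8", 80, b""),
    ("203.0.113.9", "10.0.0.8", 443, b""),
    ("203.0.113.9", "10.0.0.8", 445, b""),
    ("192.0.2.10", "10.0.0.8", 443, b"\x16\x03\x01"),
]

# Signature database: (id, name, byte pattern the payload must contain).
# Ids and patterns are constructed for the example.
SIGNATURES = [
    (1000001, "SQL injection tautology", b"' OR '1'='1"),
    (1000002, "Directory traversal", b"../.."),
]

# Anomaly rule: one source touching this many distinct ports deviates from
# normal client behaviour and is treated as a port scan.
PORT_SCAN_THRESHOLD = 5

def run_sensor(packets, mode="ids", signatures=SIGNATURES):
    """Return (verdict, src, reason) events; "ids" only alerts the console,
    "ips" sits inline and drops matches / blocks scanning sources."""
    events = []
    ports_seen = defaultdict(set)
    blocked = set()
    for src, dst, dport, payload in packets:
        if src in blocked:
            events.append(("drop", src, "source blocked"))
            continue
        hit = next((s for s in signatures if s[2] in payload), None)
        if hit:
            sid, name, _ = hit
            verdict = "drop" if mode == "ips" else "alert"
            events.append((verdict, src, f"sid {sid}: {name}"))
            continue
        ports_seen[src].add(dport)
        if len(ports_seen[src]) == PORT_SCAN_THRESHOLD:
            if mode == "ips":
                blocked.add(src)
                events.append(("block", src, "port scan: source blocked"))
            else:
                events.append(("alert", src, "port scan: distinct ports reached threshold"))
            continue
        events.append(("pass", src, "no match"))
    return events

if __name__ == "__main__":
    for event in run_sensor(PACKETS, mode="ips"):
        print(event)
```

In IDS mode every packet is forwarded and the console only receives alerts; in IPS mode the same signature match becomes a drop, and the scanning source is cut off for its remaining packets.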

Similar to the intrusion detection system, there are host- and network-based products that function to provide protection. The following can be classified as intrusion prevention system programs. Generally, there are anti-virus programs and firewalls. Anti-virus programs can be viewed as clean-up programs. According to Nachenburg, "this approach has become reactive and in the ensuing period great damage has already been inflicted on thousands of target hosts globally". The next are firewalls. The four different variations are the static packet filter, the stateful packet filter, stateful inspection, and the proxy. Static packet filtering is the basic, lowest tier: it filters by allowing or denying users access past this "wall". Stateful is an upgrade, since it acts as a server: the user requests access from it and waits for a response. It is safer, but it leaves ports open. Stateful inspection can open or close ports as needed, allowing it to be much more secure. A proxy holds rules and can break up a server connection to inspect the protocol's syntax; however, it requires a lot of resources. Which one is more beneficial depends on the company.
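To make the static versus stateful distinction concrete, this added Python example (not from the paper) runs the same constructed packets through a static packet filter, which must leave inbound source port 443 permanently open to let HTTPS replies back in, and a stateful filter that admits an inbound packet only when it matches a session the inside host opened. Addresses and ports are constructed.

```python
# Constructed packets: (direction, src, sport, dst, dport, flags), where the
# direction is "out" from the protected host or "in" towards it.
INSIDE = "10.0.0.8"
FLOWS = [
    ("out", INSIDE, 51000, "198.51.100.20", 443, "SYN"),     # host opens HTTPS
    ("in", "198.51.100.20", 443, INSIDE, 51000, "SYN-ACK"),  # legitimate reply
    ("in", "203.0.113.9", 443, INSIDE, 51001, "SYN-ACK"),    # unsolicited, no session
    ("in", "203.0.113.9", 40000, INSIDE, 22, "SYN"),         # unsolicited inbound SSH
]

# Static packet filter: fixed per-packet rules (direction, source port, action).
# To let HTTPS replies back in it must leave inbound source port 443 open always.
STATIC_RULES = [
    ("out", None, "allow"),
    ("in", 443, "allow"),
]

def static_filter(packets, rules=STATIC_RULES):
    """Return one allow/deny verdict per packet using only the fixed rules."""
    verdicts = []
    for direction, src, sport, dst, dport, flags in packets:
        verdict = "deny"
        for rule_dir, rule_sport, action in rules:
            if rule_dir == direction and rule_sport in (None, sport):
                verdict = action
                break
        verdicts.append(verdict)
    return verdicts

def stateful_filter(packets):
    """Admit inbound packets only when they belong to a session the inside
    host opened, so no inbound port stays open when no session needs it."""
    sessions = set()  # (remote ip, remote port, local port)
    verdicts = []
    for direction, src, sport, dst, dport, flags in packets:
        if direction == "out":
            sessions.add((dst, dport, sport))
            verdicts.append("allow")
        elif (src, sport, dport) in sessions:
            verdicts.append("allow")
        else:
            verdicts.append("deny")
    return verdicts

if __name__ == "__main__":
    print("static:  ", static_filter(FLOWS))    # third packet slips through the open port
    print("stateful:", stateful_filter(FLOWS))
```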

While the two systems may differ, they also share many similarities. Both intrusion detection and prevention systems focus on security. They differ in the actions done when monitoring users and in the actions taken afterwards. The impact of intrusion detection and prevention systems can clearly be illustrated by the protection they provide. By storing information and detecting behavior in packets, they prevent old attacks from being reused and hamper future attacks. Overall, both can be used individually: intrusion detection systems give visibility, while intrusion prevention systems give control. It is not recommended that the two work together, and in the end it is up to the owner's choice between the two. However, in terms of importance in cyber security, both have impacted the need for protection.


Works Cited

SANS Institute. (2000-2005). Host- vs. Network-Based Intrusion Detection Systems [PDF file]. Retrieved from https://www.giac.org/paper/gsec/1377/host-vs-network-based-intrusion-detection-systems/102574

SANS Institute InfoSec Reading Room. (2001). Intrusion Detection Systems: Definition, Need and Challenges [PDF file]. Retrieved from https://www.sans.org/reading-room/whitepapers/detection/intrusion-detection-systems-definition-challenges-343

Information Technology Laboratory. (2007). Intrusion Detection and Prevention Systems [PDF file]. Retrieved from http://ws680.nist.gov/publication/get_pdf.cfm?pub_id=51128

Pascucci, Matthew. "Top five free enterprise network intrusion-detection tools." SearchSecurity, Jan. 2013, http://searchsecurity.techtarget.com/tip/Top-five-free-enterprise-network-intrusion-detection-tools