Intruder alert

29 January 2003 08:10 AM
Tags: network, ids, detection, intruder, intrusion, alert, ips, signature

Your data is important to you, but do you know if others are trying to get at it?

An Intrusion Detection System (IDS) is a system that is able to detect those that are not behaving as they should. In the “real world”, your average home or office alarm system is an IDS: it detects intruders and then does something about it by flashing lights, screeching sirens, and ringing the security company. In the IT world, things are more complex, because, unlike your house, your IT system is rarely locked and unused when you are away. The IDS has to discriminate between all the traffic on your systems that is supposed to be there and weed out that which shouldn’t be there.

In this series (Intruder alert: Intrusion Detection Systems):
1. IDS types
2. Intruders, responses and how well do they work?
3. IDS vs IPS
4. Where to deploy?
About RMIT Test Labs

How does an IDS work?
An IDS can be either a software or a hardware solution that is designed to detect unauthorised use of, or attack on, a computer system or network. The IDS looks for unauthorised attempts to gain access to a system, escalate privileges on an authorised system, or decrease the availability of a system, either from inside the organisation or from the Internet. An IDS is just one part of an interlocked and overlapping security policy.

IDSes come in many forms, with different ways of monitoring and analysing the available data. IDSes monitor events at three different levels: network, host, and application. They can analyse these events using two techniques: signature detection and anomaly detection. Some IDSes have the ability to take action when an attack is detected, but this is something we believe you should think very carefully about and obtain legal advice before attempting.

Of the two detection methods, signature detection is most commonly used in commercial IDS products, but anomaly detection is newer and growing.

Signature-based detection
Signature-based detection looks for activity that matches a predefined string that uniquely describes a known attack. Signature-based IDSes must be specifically programmed to detect each known attack. This technique is extremely effective against known attacks but it must be updated constantly to keep abreast of new attacks.

Anomaly-based detection
Anomaly-based IDSes define intrusions as unusual behaviour (anomalies) occurring on the system or network being protected. They work because normal workers and attackers behave differently, so the two can, to a degree, be told apart. A baseline must first be established by measuring the work patterns and bandwidth of normal use; monitoring is then done by continually comparing current use against that baseline. The inherent risk of anomaly-based IDSes is that an “average” workload is almost impossible to determine. Against that, an anomaly-based IDS makes it possible to detect never-before-seen attacks. Some signature-based IDSes include limited instances of anomaly detection, but few rely solely on this technology.

Talkback (1 comment)

Anonymous -- 23/02/04

    You have misspelled organisation, authorised, unauthorised, analysing, & analyse which should be organization, authorized, unauthorized, analyzing, & analyze. Just thought you should know, doesn't look very good or very professional.
