What is an Intrusion Detection System?
An intrusion detection system (IDS) is a hardware device or software application used to monitor network traffic and detect suspicious activity and potential security breaches. Malicious activity is flagged and reported along with information about the intrusion source, the target’s address, and the type of suspected breach. This data allows cybersecurity experts to identify and remediate the attack before any damage has been done.
In the past, IDS has been driven by digital signatures. However, this approach has two drawbacks:
- A new threat has no signature yet, so you have to wait for that signature to be created.
- Signatures need to be manually tuned and tweaked to fit your environment.
IDS still has a role in the modern organization, but more as a firewall feature than a comprehensive security system.
There are many different classifications of intrusion detection systems. The most common classifications are:
- Network intrusion detection systems (NIDS): Software that analyzes incoming network traffic.
- Host-based intrusion detection systems (HIDS): Software that monitors important operating system files.
An IDS can operate using several methods, the most common being signature-based and anomaly-based detection.
- Signature-based: A signature-based IDS hunts for potential threats by looking for specific attack patterns in network traffic or known malicious byte sequences used by malware. The term originates from antivirus terminology, where a detected pattern is called a signature. The main drawback of signature-based IDS is that the system can discover known attacks but lacks the capability to detect new attacks for which no pattern has been recorded.
- Anomaly-based: An anomaly-based IDS relies on more sophisticated machine learning technology that allows the system to adapt and learn new attack patterns. Anomaly-based systems compare new behavior against a knowledge base of trusted activity, which enables the IDS to detect previously unrecognized attack patterns. False positives are not uncommon with anomaly-based IDS, because the system can flag previously unseen but legitimate behavior as malicious.
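To make the contrast between the two methods concrete, here is an added example (not code from the original page or from any IDS product) in Python. The signature set, the baseline request counts and the traffic records are all constructed for illustration: the signature matcher only finds the two payloads whose patterns it already knows, while the anomaly detector flags the source with an unusual request volume even though none of its payloads match a signature, and cannot by itself tell whether that burst is a scanner or a legitimate batch job, which is exactly the false-positive caveat above.

```python
import re
import statistics
from collections import Counter

# Constructed signature set (hypothetical, for illustration only):
# name -> pattern matched against the request payload.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"'\s*or\s*'?1'?\s*=\s*'?1", re.IGNORECASE),
}

# Constructed per-source request counts observed during a trusted period;
# this is the anomaly detector's "knowledge base" of normal behavior.
BASELINE = [4, 5, 3, 6, 4, 5, 4]

# Constructed sample flow records: (source, destination, payload).
TRAFFIC = [
    ("10.0.0.5", "10.0.1.20", "GET /index.html"),
    ("10.0.0.9", "10.0.1.20", "GET /../../etc/passwd"),
    ("10.0.0.7", "10.0.1.20", "POST /login user=a' OR '1'='1"),
] + [("10.0.0.42", "10.0.1.20", f"GET /api/item/{i}") for i in range(60)]


def signature_detect(records):
    """Flag every record whose payload matches a known signature.

    Reports source, target and attack type, as an IDS alert would."""
    alerts = []
    for src, dst, payload in records:
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                alerts.append({"source": src, "target": dst, "type": name})
    return alerts


def anomaly_detect(records, baseline_counts, threshold=3.0):
    """Flag sources whose request count deviates from the learned baseline.

    Returns {source: z-score} for every source more than `threshold`
    standard deviations above the baseline mean, regardless of payload."""
    mean = statistics.mean(baseline_counts)
    stdev = statistics.pstdev(baseline_counts) or 1.0
    current = Counter(src for src, _, _ in records)
    return {src: round((n - mean) / stdev, 2)
            for src, n in current.items() if (n - mean) / stdev > threshold}


if __name__ == "__main__":
    print("signature alerts:", signature_detect(TRAFFIC))
    print("anomalous sources:", anomaly_detect(TRAFFIC, BASELINE))
```

Running it shows the 60-request source appearing only in the anomaly output, and the two signature hits appearing only in the signature output.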
Ways to Evade IDS Signatures
- The most straightforward approach to evading signature-based IDS is to use traffic that doesn’t match known signatures.
- Highly-sophisticated attackers can find and exploit previously unknown vulnerabilities. Attacks on such unknown, or zero-day, vulnerabilities naturally lack signatures because they are unknown to the security industry.
- Other signature evasions confuse the signature match in a variety of ways. Attackers can scramble the attack payload, making it difficult for the IDS to recognize. Fragmenting and reordering are widely known techniques that IDS/IPS systems are prepared to catch, but there is a near-infinite number of evasion combinations and tricks that attackers can use to sneak through.
What is the difference between IDS and IPS?
Intrusion Detection Systems (IDS) monitor network traffic for patterns that match known cybersecurity threats. Some IDS have the capability to act upon detected threats to stop the attack. Such a system is classified as an Intrusion Prevention System (IPS).
What are the disadvantages of using an IDS?
The main disadvantage of using an IDS is its inability to respond or stop attacks upon detection.
What are drawbacks of the host-based IDS?
The disadvantage of host-based IDS is its inability to discover network threats against the host. A network-based IDS, on the other hand, uses network sensors strategically placed throughout the network, allowing the system to detect reconnaissance attacks.
What is an advantage of a network-based IDS?
The main advantage of network-based IDS is that this system was designed to prevent a reconnaissance attack before it infiltrates the internal network.
Vectra AI: Modernizing IDS
Vectra is changing the way intrusion detection is done. It uses an innovative combination of data science, machine learning and behavioral analysis to detect active threats inside the network.
Because Vectra detects malicious actions instead of malicious payloads, it can identify active threats without decrypting traffic. That means attackers can no longer communicate covertly with infected hosts by using SSL-encrypted web sessions or hidden tunnels.
While traditional IDS is fixated on detecting an initial compromise, Vectra detects active threats in every phase of the cyber attack kill chain—command and control, internal reconnaissance, lateral movement, and data exfiltration.
Most importantly, Vectra doesn’t burden overworked security teams. Instead, it maps detections to the hosts that are under attack and scores and prioritizes the threats that pose the highest risk, automatically and in real time. This gives security teams the speed and efficiency they need to prevent or mitigate data loss.