An intrusion detection system (IDS) is a device or software application that monitors network

and/or system activities for malicious activities or policy violations and produces reports to a
Management Station.[1] Intrusion prevention is the process of performing intrusion detection and
attempting to stop detected possible incidents.[1] Intrusion detection and prevention systems
(IDPS) are primarily focused on identifying possible incidents, logging information about them,
attempting to stop them, and reporting them to security administrators.[1] In addition,
organizations use IDPSs for other purposes, such as identifying problems with security policies,
documenting existing threats, and deterring individuals from violating security policies.[1] IDPSs
have become a necessary addition to the security infrastructure of nearly every organization.[1]

IDPSs typically record information related to observed events, notify security administrators of
important observed events, and produce reports.[1] Many IDPSs can also respond to a detected
threat by attempting to prevent it from succeeding.[1] They use several response techniques,
which involve the IDPS stopping the attack itself, changing the security environment (e.g.,
reconfiguring a firewall), or changing the attack’s content.[1]

Terminology
 Alert/Alarm: A signal suggesting that a system has been or is being attacked. [2]
 True Positive: A legitimate attack which triggers an IDS to produce an alarm. [2]
 False Positive: An event signaling an IDS to produce an alarm when no attack has taken place. [2]
 False Negative: A failure of an IDS to detect an actual attack. [2]
 True Negative: When no attack has taken place and no alarm is raised.
 Noise: Data or interference that can trigger a false positive. [2]
 Site policy: Guidelines within an organization that control the rules and configurations of an IDS.
[2]

 Site policy awareness: The ability an IDS has to dynamically change its rules and configurations
in response to changing environmental activity. [2]
 Confidence value: A value an organization places on an IDS based on past performance and
analysis to help determine its ability to effectively identify an attack. [2]
 Alarm filtering: The process of categorizing attack alerts produced from an IDS in order to
distinguish false positives from actual attacks.[2]
 Attacker or Intruder: An entity who tries to find a way to gain unauthorized access to
information, inflict harm or engage in other malicious activities.
 Masquerader: A user who does not have the authority to a system, but tries to access the
information as an authorized user. They are generally outside users.
 Misfeasor: They are commonly internal users and can be of two types:
1. An authorized user with limited permissions.
2. A user with full permissions and who misuses their powers.
 Clandestine user: A user who acts as a supervisor and tries to use his privileges so as to avoid
being captured.

[edit] Types

For the purpose of dealing with IT, there are two main types of IDS:
Network intrusion detection system (NIDS)

It is an independent platform that identifies intrusions by examining network traffic and

monitors multiple hosts. Network intrusion detection systems gain access to network traffic by
connecting to a network hub, network switch configured for port mirroring, or network tap. In a
NIDS, sensors are located at choke points in the network to be monitored, often in the
demilitarized zone (DMZ) or at network borders. Sensors captures all network traffic and
analyzes the content of individual packets for malicious traffic. An example of a NIDS is Snort.

Host-based intrusion detection system (HIDS)

It consists of an agent on a host that identifies intrusions by analyzing system calls, application
logs, file-system modifications (binaries, password files, capability databases, Access control
lists, etc.) and other host activities and state. In a HIDS, sensors usually consist of a software
agent. Some application-based IDS are also part of this category. An example of a HIDS is OSSEC.

Virtual based Intrusion Detection System

An intrusion detection system deployed inside of a Virtual Machine.

Intrusion detection systems can also be system-specific using custom tools and honeypots. In the
case of physical building security, IDS is defined as an alarm system designed to

[edit] Passive and/or reactive systems

In a passive system, the intrusion detection system (IDS) sensor detects a potential security
breach, logs the information and signals an alert on the console and or owner. In a reactive
system, also known as an intrusion prevention system (IPS), the IPS auto-responds to the
suspicious activity by resetting the connection or by reprogramming the firewall to block
network traffic from the suspected malicious source. The term IDPS is commonly used where
this can happen automatically or at the command of an operator; systems that both "detect"
(alert) and/or "prevent."

[edit] Comparison with firewalls

Though they both relate to network security, an intrusion detection system (IDS) differs from a
firewall in that a firewall looks outwardly for intrusions in order to stop them from happening.
Firewalls limit access between networks to prevent intrusion and do not signal an attack from
inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an
alarm. An IDS also watches for attacks that originate from within a system. This is traditionally
achieved by examining network communications, identifying heuristics and patterns (often
known as signatures) of common computer attacks, and taking action to alert operators. A system
that terminates connections is called an intrusion prevention system, and is another form of an
application layer firewall.
[edit] Statistical anomaly and signature based IDSes
All Intrusion Detection Systems use one of two detection techniques:

[edit] Statistical anomaly-based IDS

A statistical anomaly-based IDS determines normal network activity like what sort of bandwidth
is generally used, what protocols are used, what ports and devices generally connect to each
other- and alert the administrator or user when traffic is detected which is anomalous(not
normal).[2]

[edit] Signature-based IDS

Signature based IDS monitors packets in the Network and compares with preconfigured and
predetermined attack patterns known as signatures. The issue is that there will be lag between the
new threat discovered and Signature being applied in IDS for detecting the threat.During this lag
time your IDS will be unable to identify the threat.[2]

[edit] Limitations
 Noise can severely limit an Intrusion detection systems effectiveness. Bad packets generated
from software bugs, corrupt DNS data, and local packets that escaped can create a significantly
high false-alarm rate.[3]
 It is not uncommon for the number of real attacks to be far below the false-alarm rate. Real
attacks are often so far below the false-alarm rate that they are often missed and ignored. [3]
 Many attacks are geared for specific versions of software that are usually outdated. A constantly
changing library of signatures is needed to mitigate threats. Outdated signature databases can
leave the IDS vulnerable to new strategies. [3]

[edit] Evasion techniques

Intrusion detection system evasion techniques bypass detection by creating different states on the
IDS and on the targeted computer. The adversary accomplishes this by manipulating either the
attack itself or the network traffic that contains th attack.

[edit] Development
A preliminary concept of an IDS began and reviews of audit trails.[4] An example of an audit trail
would be a log of user access.

Fred Cohen noted in 1984 (see Intrusion Detection) that it is impossible to detect an intrusion in
every case and that the resources needed to detect intrusions grows with the amount of usage.
Dorothy E. Denning, assisted by Peter G. Neumann, published a model of an IDS in 1986 that
formed the basis for many systems today.[5] Her model used statistics for anomaly detection, and
resulted in an early IDS at SRI International named the Intrusion Detection Expert System
(IDES), which ran on Sun workstations and could consider both user and network level data.[6]
IDES had a dual approach with a rule-based Expert System to detect known types of intrusions
plus a statistical anomaly detection component based on profiles of users, host systems, and
target systems. Lunt proposed adding an Artificial neural network as a third component. She said
all three components could then report to a resolver. SRI followed IDES in 1993 with the Next-
generation Intrusion Detection Expert System (NIDES).[7]

The Multics intrusion detection and alerting system (MIDAS), an expert system using P-BEST
and Lisp, was developed in 1988 based on the work of Denning and Neumann.[8] Haystack was
also developed this year using statistics to reduce audit trails.[9]

Wisdom & Sense (W&S) was a statistics-based anomaly detector developed in 1989 at the Los
Alamos National Laboratory.[10] W&S created rules based on statistical analysis, and then used
those rules for anomaly detection.

In 1990, the Time-based Inductive Machine (TIM) did anomaly detection using inductive
learning of sequential user patterns in Common Lisp on a VAX 3500 computer.[11] The Network
Security Monitor (NSM) performed masking on access matrices for anomaly detection on a Sun-
3/50 workstation.[12] The Information Security Officer's Assistant (ISOA) was a 1990 prototype
that considered a variety of strategies including statistics, a profile checker, and an expert
system.[13] ComputerWatch at AT&T Bell Labs used statistics and rules for audit data reduction
and intrusion detection.[14]

Then, in 1991, researchers at the University of California, Davis created a prototype Distributed
Intrusion Detection System (DIDS), which was also an expert system.[15] The Network Anomaly
Detection and Intrusion Reporter (NADIR), also in 1991, was a prototype IDS developed at the
Los Alamos National Laboratory's Integrated Computing Network (ICN), and was heavily
influenced by the work of Denning and Lunt.[16] NADIR used a statistics-based anomaly detector
and an expert system.

The Lawrence Berkeley National Laboratory announced Bro in 1998, which used its own rule
language for packet analysis from libpcap data.[17] Network Flight Recorder (NFR) in 1999 also
used libpcap.[18] APE was developed as a packet sniffer, also using libpcap, in November, 1998,
and was renamed Snort one month later, and has since become the world's largest used IDS/IPS
system with over 300,000 active users.[19]

The Audit Data Analysis and Mining (ADAM) IDS in 2001 used tcpdump to build profiles of
rules for classifications.[20]

In 2003, Dr. Yongguang Zhang and Dr. Wenke Lee argue for the importance of IDS in networks
with mobile nodes.[