December 15, 2022
CISSP Study Guide: Monitoring and Intrusion Detection
Monitoring is making certain authenticated users are held accountable for their actions while logged onto a system, as well as tracking unauthorized or abnormal activities on a system and system failures.
Accountability is achieved by noting the activities of users and system services that form the operating environment and security mechanisms. A log of activities provides a record for troubleshooting analysis and supplies evidential material for legal situations.
Auditing is the process of going back and reviewing these logs and it is typically incorporated into many operating systems. Audits can be used to measure a system’s health and performance. System crashes may indicate defective programs, or invasive attempts from an unauthorized source. Logs prior to a system crash can help determine the cause.
An Intrusion Detection System (IDS) is a detective access control system programmed for ongoing, real-time monitoring of network activity. It traces scanning and probing activity and other red flags that indicate unauthorized attempts to access the system. An IDS can also be programmed to scan for potential attacks, follow an attacker’s actions, send out alerts to warn of a pending attack, scan the system for weak points, and implement mechanisms that prevent unauthorized access. It can also trace system failures and diagnose system performance. Damaging or invasive events detected by an IDS can originate from viruses, malicious code, external connections, trusted internal users engaging in unauthorized activities, and unauthorized access attempts from trusted locations. IDSs can be split into two general categories:
- Network-based intrusion-detection systems (NIDS)
- Host-based intrusion-detection systems (HIDS)
Two different mechanisms are employed by IDS to detect malicious events:
- Knowledge-based, or signature-based detection
- Behavior-based detection
Both methods use different tactics to detect intrusions.
Host-Based IDS for Detection
A Host-Based IDS (HIDS) is installed on an individual system, and its function is to protect that system. Similar to a virus scanner in both function and design, HIDSs are more reliable than NIDSs for detecting attacks on individual systems because a HIDS can scrutinize events in greater detail than a network-based IDS.
HIDS utilize audit trails and system logs. Audit trails are very reliable for tracking system events and monitoring traffic to red flag suspicious activity. Suspect activity can be anything from modification of permissions to disabling certain system security settings.
One downside is that HIDSs don’t do well at tracking denial of service (DoS) attacks, particularly those that consume bandwidth. Also, a HIDS consumes system resources on the computer being monitored, reducing the performance of that system.
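To make the two detection mechanisms listed above concrete in the HIDS setting, here is an added example (not from the original guide) that runs both a knowledge-based rule set and a behavior-based check over a few constructed audit-trail lines. The log format, the signature patterns, and the baseline failure rate are all assumptions made for the illustration.

```python
import re
from collections import Counter

# Constructed sample audit-trail lines (not captured from any real system).
LOG_LINES = [
    "auth: user=alice action=login result=success",
    "auth: user=alice action=login result=success",
    "sys: user=alice action=chmod target=/etc/shadow mode=0777",
    "sys: user=bob action=setenforce value=0",
    "auth: user=mallory action=login result=failure",
    "auth: user=mallory action=login result=failure",
    "auth: user=mallory action=login result=failure",
    "auth: user=mallory action=login result=failure",
    "auth: user=mallory action=login result=failure",
    "auth: user=bob action=login result=failure",
]

# Knowledge-based (signature) rules: known-bad patterns matching the guide's
# examples of suspect activity, i.e. permission changes and disabled security settings.
SIGNATURES = {
    "world-writable permission on sensitive file":
        re.compile(r"action=chmod target=/etc/\S+ mode=0?777"),
    "SELinux enforcement disabled":
        re.compile(r"action=setenforce value=0\b"),
}

def user_of(line):
    """Extract the acting user from a log line (assumed format: 'user=<name>')."""
    return re.search(r"user=(\S+)", line).group(1)

def signature_alerts(lines):
    """Return (line_index, user, rule_name) for every line matching a known-bad pattern."""
    alerts = []
    for i, line in enumerate(lines):
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                alerts.append((i, user_of(line), name))
    return alerts

def behavior_alerts(lines, baseline_failures=1, factor=3):
    """Flag users whose failed-login count exceeds factor x the learned baseline.
    baseline_failures stands in for a per-user rate learned during a training period
    (an assumption here); a user only trips the alarm by deviating from it."""
    failures = Counter(user_of(l) for l in lines if "action=login result=failure" in l)
    threshold = baseline_failures * factor
    return sorted((u, n) for u, n in failures.items() if n > threshold)
```

The signature rules catch the two configuration changes regardless of how often they happen, while the behavior check catches mallory's burst of failures without any rule naming that pattern; bob's single failure stays below the threshold.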
Network-Based IDS (NIDS) for Detection
A network-based IDS (NIDS) records and evaluates network traffic, examining each network packet as it passes through the network. One NIDS can monitor an expansive network if installed on a backbone of that network, or it can safeguard multiple hosts on a single network segment.
NIDS is equipped to provide enhanced defense between the firewall and hosts, though it may have issues keeping up with heavy volumes of traffic or an abundance of data that flows through the network. In this case, an attack could go undetected.
Additionally, NIDSs don’t perform well on switched networks, particularly if the routers lack a monitoring port. NIDSs rely on the placement of sensors at various locations on a network. The sensors are typically lightweight computers with the sole purpose of traffic monitoring. This allows the bastion host to be fortified against attack, decreasing the number of vulnerabilities in the NIDS, and allows the NIDS to operate in stealth mode, meaning the NIDS is invisible to the network.
An attacker would have to know the exact location and system ID of the NIDS to detect its presence. A NIDS has little impact on the overall performance of the network.
Honeypots for Intrusion Detection
A honeypot has a similar function to an IDS in that it also detects intrusion attempts. Honeypots are also used as decoys that lure attackers away from vulnerable systems by appearing to be a valuable system. Honeypots usually contain counterfeit files, services, and databases to entice and entrap an intruder. This makes honeypots an ideal tactic for IDS monitoring.