General Intrusion Detection and Prevention Systems

Hello again. Ahead of the start of the “Reverse Engineering” course, we decided to share a short article on information security which, although only indirectly related to reverse engineering, should be useful material for many readers.

The global market for information security products is shaped by a rapidly growing variety of complex threats with a direct impact on business, and protective products are now in demand not only among large and medium-sized organizations but also among small ones. Traditional tools such as a firewall and antivirus can no longer provide an adequate level of protection for an organization’s internal network on their own: malware can “mask” itself and send packets that look completely legitimate from the firewall’s point of view, because the firewall judges them by addresses, ports and connection state rather than by content. Many commercial solutions address this, but today we will focus on one class of them: intrusion detection systems and intrusion prevention systems, known in the English literature as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS).

The difference between them is that an IPS can automatically block an attack, while an IDS only warns about it.
Solutions of this class can be either commercial (proprietary) or open source, and in the right hands are an excellent addition to an organization’s overall protection system. They belong to the family of methods for tracking unauthorized attempts to reach an organization’s protected resources, known as access control monitoring, and aim to identify and record security violations in the internal infrastructure: network attacks, attempts at unauthorized access or privilege escalation, the activity of malicious software, and so on. Thus, in contrast to a neighbouring firewall, which controls only session parameters (addresses, ports, connection state), an IDS or IPS analyzes the transmitted data streams themselves, looking for byte sequences or event patterns that indicate malicious actions. In addition, they can monitor system logs and other activity logs.

But first things first. An IDS is an intrusion detection system designed to register suspicious activity on the network and notify the person responsible for information security by sending a message to the management console, an e-mail, an SMS to a mobile phone, and so on.

A traditional IDS consists of sensors, which collect network traffic or logs and hand them to analyzers; the analyzers look for signs of malicious activity in the received data and, on a hit, pass the result to the administrative interface. IDS are divided into network-based (NIDS) and host-based (HIDS): as the names suggest, the former monitors all traffic of the network segment in which it is installed, the latter monitors a single computer. For a finer classification, two more subsets are distinguished by the type of traffic analyzed: protocol-based IDS (PIDS), which analyze the communication protocol between the protected system and connected systems or users, and application protocol-based IDS (APIDS), which analyze data carried by application-specific protocols.

Naturally, malicious activity in the analyzed traffic can be detected in various ways, and it is the detection method that separates the main types of IDS technology from one another:

  • Signature-based IDS. Tracks specific patterns in traffic and works much like antivirus software. The drawbacks of this approach: signatures must be kept up to date, and an IDS of this type cannot detect unfamiliar attacks. The category is further divided into two types: pattern-matching signature IDS, which compare network packets against signatures, and state-tracking (stateful) signature IDS, which compare sequences of actions against templates. The operation of a pattern-matching NIDS is surely familiar. For state-tracking signature IDS we need the concept of state that the IDS operates with: any change in the operation of the system (launching software, entering data, interaction between applications, etc.) changes its state. From the IDS’s point of view the initial state is the one before the attack and the compromised state is the one after it, i.e. after successful infection; a stateful signature describes the chain of events that leads from one to the other.
  • Anomaly-based IDS. This type does not use signatures. It is based on the behaviour of the system: before it starts work, there is a learning phase in which a profile of “normal” activity is built, so it is able to detect unfamiliar attacks (at the price of false positives whenever legitimate behaviour changes). Anomalies in this category are divided into three types: statistical, where the IDS creates a profile of the system’s regular activity and compares all passing traffic and activity against it; protocol anomalies, where the IDS analyzes traffic for illegitimate use of a protocol (malformed or out-of-specification fields and message sequences); and traffic anomalies, where the IDS detects illegitimate activity in network traffic (unusual volumes, ports or directions).
  • Rule-based IDS. This kind uses rule-based programming of the form “IF situation THEN action”. Rule-based IDS are similar to expert systems, since an expert system is the joint work of a knowledge base, an inference engine and rule-based programming: here the knowledge is the set of rules, and the analyzed data are the facts to which the rules are applied. For example: “IF the administrator user logged in to System1 AND modified File2 AND then launched Utility3 THEN send a notification”.
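To make the three detection methods concrete, here is a small added example (not code from the original article) that runs each of them over constructed sample data: a pattern-matching signature check over HTTP payloads, a stateful signature that implements the IF/THEN rule above as a per-user state machine, and a statistical anomaly check against a learned baseline. The packets, host events, signatures and threshold values are all made up for illustration.

```python
import re
import statistics
from collections import defaultdict

# --- Constructed sample data (not from the original article) -----------------
# Network packets seen by a NIDS sensor: (src, dst, payload).
PACKETS = [
    ("10.0.0.5", "10.0.0.10", b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    ("10.0.0.7", "10.0.0.10", b"GET /cgi-bin/test.cgi?f=../../../../etc/passwd HTTP/1.1\r\n\r\n"),
    ("10.0.0.9", "10.0.0.10", b"POST /login HTTP/1.1\r\n\r\nuser=admin' OR '1'='1&pass=x"),
]
# Host events seen by a HIDS sensor: (host, user, event).
EVENTS = [
    ("System1", "administrator", "login"),
    ("System1", "administrator", "modify:File2"),
    ("System1", "administrator", "exec:Utility3"),
    ("System1", "alice", "login"),
    ("System1", "alice", "exec:Utility3"),
]
# Requests per minute recorded during the anomaly detector's learning phase.
BASELINE = [12, 15, 11, 14, 13, 12, 16, 14, 13, 15]

# --- 1. Pattern-matching signatures (one regex per rule, like a content match) --
SIGNATURES = {
    "directory traversal": re.compile(rb"(\.\./){2,}"),
    "sql injection (tautology)": re.compile(rb"'\s*OR\s*'[^']*'\s*=\s*'", re.IGNORECASE),
}

def match_signatures(packets):
    """Return (src, dst, signature name) for every packet whose payload matches a pattern."""
    alerts = []
    for src, dst, payload in packets:
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                alerts.append((src, dst, name))
    return alerts

# --- 2. Stateful signature: IF login AND modify File2 AND then exec Utility3 THEN alert
CHAIN = ("login", "modify:File2", "exec:Utility3")

def track_state(events, chain=CHAIN):
    """Keep a per-(host, user) cursor into the chain; alert when the whole ordered chain is seen.
    Events that are not the next expected step are ignored rather than resetting the cursor,
    so unrelated activity interleaved with the attack does not hide it."""
    cursor = defaultdict(int)
    alerts = []
    for host, user, event in events:
        key = (host, user)
        if event == chain[cursor[key]]:
            cursor[key] += 1
            if cursor[key] == len(chain):
                alerts.append(key)
                cursor[key] = 0
    return alerts

# --- 3. Statistical anomaly: learned mean plus k standard deviations -----------
def anomaly_threshold(baseline, k=3.0):
    """Threshold learned from the baseline: mean + k population standard deviations."""
    return statistics.fmean(baseline) + k * statistics.pstdev(baseline)

def detect_anomalies(samples, baseline=BASELINE, k=3.0):
    """Flag live samples that exceed the learned threshold."""
    limit = anomaly_threshold(baseline, k)
    return [s for s in samples if s > limit]

if __name__ == "__main__":
    for alert in match_signatures(PACKETS):
        print("signature:", alert)
    for alert in track_state(EVENTS):
        print("stateful:", alert)
    print("threshold:", anomaly_threshold(BASELINE))
    print("anomalies:", detect_anomalies([14, 19, 13, 40]))
```

The first detector only ever finds what its regexes describe, the second fires only when the full ordered chain is observed for the same host and user (alice's login followed by Utility3 does not count), and the third knows nothing about attacks at all, only about the baseline, which is why a quiet attacker who stays under the threshold is invisible to it while a legitimate traffic spike is not.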

Thus our IDS can warn of malicious activity, but often the task is to prevent it at an early stage. This is where the IPS mentioned earlier helps. Its methods are preventive and proactive, in contrast to an IDS, which performs a detective function. Note that an IPS is a subclass of IDS and so relies on the same attack-detection methods. An IPS can operate at the host level (HIPS) or at the network level (NIPS). The ability to prevent attacks comes from the fact that a network IPS is, as a rule, built into the network path (inline) and passes all traffic through itself: it has an external interface that receives traffic and an internal interface that forwards traffic recognized as safe. It is also possible to work with a copy of the traffic (from a mirror port or tap) in monitoring mode, but then we lose the main functionality of the system, since a packet seen only as a copy has already reached its destination.

Globally, IPS can be divided into those that analyze traffic against known signatures and those that look for illegitimate traffic through protocol analysis, based on knowledge of previously discovered vulnerabilities. The second class also protects against attacks not yet seen, as long as they exploit a vulnerability whose pattern the analyzer already knows. As for the methods of responding to attacks, many have accumulated, but the main ones are: terminating a connection with a TCP segment carrying the RST flag or through the firewall, reconfiguring network equipment, and blocking a user account or a specific host in the infrastructure.
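As an added illustration of the first response method (not code from the original article), the following builds the TCP RST segments an inline IPS would inject to tear down an observed connection from both ends, and verifies their checksums. It only constructs and checks bytes; actually sending them requires a raw socket and elevated privileges, which are deliberately left out. The addresses, ports and sequence numbers are constructed sample values.

```python
import socket   # used only for inet_aton; no network I/O is performed
import struct

TCP_RST = 0x04
TCP_ACK = 0x10

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that TCP includes in its checksum (protocol 6 = TCP)."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)

def build_tcp_rst(src_ip, dst_ip, sport, dport, seq, ack=None) -> bytes:
    """20-byte TCP header with RST set (RST|ACK when ack is given) and a valid checksum."""
    flags = TCP_RST | (TCP_ACK if ack is not None else 0)
    offset_flags = (5 << 12) | flags          # data offset 5 x 32-bit words, no options
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack or 0, offset_flags, 0, 0, 0)
    csum = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]

def checksum_ok(src_ip, dst_ip, segment: bytes) -> bool:
    """A segment with a correct checksum field sums (with the pseudo-header) to zero."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed part of a TCP header (used here to inspect what we built)."""
    sport, dport, seq, ack, offset_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": offset_flags & 0x1FF, "data_offset": offset_flags >> 12}

def rst_pair_for_observed(src_ip, dst_ip, sport, dport, seq, ack, payload_len):
    """Given an observed segment A->B, return (rst_to_a, rst_to_b) that an inline IPS would inject.
    A receiver tears the connection down immediately only if the RST's sequence number is exactly
    the next one it expects (RFC 5961 answers an in-window but inexact RST with a challenge ACK), so:
      - the RST to B, spoofed from A, carries seq = observed seq + payload_len (B's RCV.NXT);
      - the RST to A, spoofed from B, carries seq = observed ack (A's RCV.NXT).
    SYN and FIN each consume one sequence number; payload_len must already account for that."""
    to_b = build_tcp_rst(src_ip, dst_ip, sport, dport, (seq + payload_len) & 0xFFFFFFFF)
    to_a = build_tcp_rst(dst_ip, src_ip, dport, sport, ack)
    return to_a, to_b

if __name__ == "__main__":
    # Constructed observation: client 10.0.0.5:40000 -> server 10.0.0.10:80, seq 1000, ack 5000, 100 bytes.
    to_a, to_b = rst_pair_for_observed("10.0.0.5", "10.0.0.10", 40000, 80, 1000, 5000, 100)
    print("RST to server:", to_b.hex(), parse_tcp_header(to_b))
    print("RST to client:", to_a.hex(), parse_tcp_header(to_a))
```

In a real deployment the IPS must also forge the IP header (on Linux a raw socket with IP_HDRINCL), and the injected RST races the legitimate traffic it is trying to stop: if the victim's next segment arrives first, RCV.NXT has moved on and the RST is ignored. That race is the practical reason an inline IPS prefers simply dropping the offending packets, and why RST injection is mainly the fallback for the copy-of-traffic (monitoring) deployment described above.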

Ultimately, the most effective approach to protecting the infrastructure is to combine IDS and IPS with the firewall in one product, which detects attacks through deep inspection of network packets and blocks them. Note that this is only one line of defence, which as a rule sits behind the perimeter firewall. Comprehensive network protection requires the whole arsenal of protective tools, for example UTM (Unified Threat Management): a jointly working firewall, VPN, IPS, antivirus, content filtering and anti-spam. Faced with a number of architectural problems of that approach, the next round of development among world vendors was the next generation firewall (NGFW), which gains from analyzing the same traffic with all protection engines in parallel, scanning traffic for malware in memory rather than after it has been saved to disk, and also analyzing protocols at OSI layer 7, which allows it to identify and control the operation of specific applications.
