What Is Intrusion Detection?
Intrusion detection is a reasonable supplement to the firewall: it helps the system deal with network attacks, extends the system administrator's security management capabilities (including security auditing, monitoring, attack identification and response), and improves the integrity of the information security infrastructure. It collects information from several key points in a computer network system and analyzes it to determine whether there are violations of security policy or signs of attack on the network. Intrusion detection is regarded as the second line of defence behind the firewall; it can monitor the network without affecting the network's performance, thereby providing real-time protection against internal attacks, external attacks and misoperation. [1]
- In 1980, James P. Anderson wrote a technical report entitled "Computer Security Threat Monitoring and Surveillance", which first introduced terms such as "threat". The "threat" referred to there is essentially the same thing as an intrusion. An intrusion or threat is defined as a potential, premeditated, unauthorized attempt to access the system in order to render it unreliable or unusable. 1984 to 1986
- The principle of intrusion detection is from a group
- (1) Information collection. The first step in intrusion detection is information collection, covering the status and behavior of systems, networks, data, and user activities. Information needs to be collected at several different key points (different network segments and different hosts) in the computer network system. Besides extending the detection range as far as possible, there is another important reason for this: information from a single source may show nothing suspicious, whereas inconsistency between information from several sources is one of the best indicators of suspicious behavior or intrusion.
- Of course, intrusion detection relies heavily on the reliability and correctness of the collected information, so the software that reports this information must be known to be genuine and accurate. Attackers often replace the subroutines, libraries and other tools that programs call in order to confuse or remove this information.
- Most IDS programs can provide very detailed analysis of network traffic, and they can monitor any traffic the user defines. Most programs ship with default settings for FTP, HTTP and Telnet traffic, and for other traffic such as NetBus and local and remote login failures; users can also define their own policies. Some common detection techniques are discussed below.
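The multi-source principle above (a single source may look clean, but disagreement between sources is a strong indicator) can be demonstrated with a small correlation check. This is an added example, not code from the original article; it assumes two constructed record sets, host-side accepted logins and firewall-observed inbound connections to the same host, and flags any record that has no counterpart in the other source within a short time window.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    source: str    # which sensor produced the record ("host" or "firewall")
    ts: int        # timestamp in seconds (constructed values)
    src_ip: str
    dst_ip: str
    dst_port: int


# Constructed sample records: accepted SSH logins as recorded by the host itself.
HOST_LOGINS = [
    Event("host", 1000, "10.0.0.5", "10.0.0.20", 22),
    Event("host", 1300, "10.0.0.7", "10.0.0.20", 22),   # the firewall never saw this one
]

# Constructed sample records: inbound connections to that host as seen by the firewall.
FIREWALL_FLOWS = [
    Event("firewall", 998, "10.0.0.5", "10.0.0.20", 22),
    Event("firewall", 1500, "10.0.0.9", "10.0.0.20", 22),  # the host never recorded this one
]


def _same_connection(a: Event, b: Event, window: int) -> bool:
    """Two records describe the same connection if the 3-tuple matches and the
    timestamps lie within `window` seconds of each other (clocks are never exact)."""
    return ((a.src_ip, a.dst_ip, a.dst_port) == (b.src_ip, b.dst_ip, b.dst_port)
            and abs(a.ts - b.ts) <= window)


def find_inconsistencies(host_events, fw_events, window: int = 5):
    """Return every record that exists in one source but has no match in the other.

    A host login with no firewall flow suggests the firewall was bypassed or its log
    was altered; a firewall flow with no host record suggests the host's log was
    removed or the reporting software was replaced. Either deserves review."""
    unmatched = []
    for h in host_events:
        if not any(_same_connection(h, f, window) for f in fw_events):
            unmatched.append(h)
    for f in fw_events:
        if not any(_same_connection(f, h, window) for h in host_events):
            unmatched.append(f)
    return unmatched


if __name__ == "__main__":
    for e in find_inconsistencies(HOST_LOGINS, FIREWALL_FLOWS):
        print(f"only in {e.source}: {e.src_ip} -> {e.dst_ip}:{e.dst_port} at t={e.ts}")
```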
Intrusion detection network traffic management
- IDS programs like Computer Associates' eTrust Intrusion Detection (formerly SessionWall), Axent IntruderAlert, and ISS RealSecure allow logging, reporting, and blocking of almost all forms of network access. You can also use these programs to monitor the network traffic of a single host; eTrust Intrusion Detection, for example, can show the last web page visited by users on that host.
- Once policies and rules are defined, you can capture FTP, SMTP, Telnet, and any other traffic. Such rules help track a connection and determine what has happened on the network and what is happening now. These programs are very effective tools when you need to determine how consistently policy is being enforced on your network.
- Although an IDS is a valuable tool for security managers and auditors, company employees can also install programs like eTrust Intrusion Detection or IntruderAlert to gain access to important information. Not only can attackers read unencrypted messages, they can also sniff passwords and gather important protocol information. Therefore, the first task is to check whether any such programs are running on the network. [3]
Intrusion detection system scan
- As mentioned earlier, applying different policies to achieve effective security requires controls in different parts of the network, from the operating system to scanners, IDS programs and firewalls. Many security experts combine these programs with an IDS. System integrity checks, extensive logging, jails ("hacker prisons") and decoy programs are all effective tools that can work together with an IDS. [3]
Intrusion detection tracking
- An IDS can do more than just record incidents: it can also determine where an incident originated. This is the main reason many security experts buy an IDS. By tracing the source, you can learn more about the attacker. These findings not only document the attack but also help determine the remedy. [3]