1. Intrusion Detection System (IDS)
i) An Intrusion Detection System (IDS) is a system that monitors
network traffic for suspicious activity and issues alerts when such
activity is discovered.
ii) It is a software application that scans a network or a
system for harmful activity or policy violations.
iii) Any malicious violation is generally reported either to an
administrator or collected centrally using a security information
and event management (SIEM) system.
iv) Organizations need to fine-tune their IDS products when they
install them for the first time. It means properly setting up the
IDS to recognize what normal traffic on the network looks like as
compared to malicious activity.
v) Intrusion prevention systems also monitor network packets
inbound to the system, check them for malicious activity and
send warning notifications at once.
Classification of Intrusion Detection System:
IDS are classified into 5 types:
- 1. Network Intrusion Detection System (NIDS):
Network intrusion detection systems (NIDS) are set up at a planned
point within the network to monitor traffic from all of the devices
on the network. A NIDS observes the traffic passing on the whole
subnet and matches it against a collection of known attacks. Once
an attack is identified or abnormal behavior is observed, an alert
is sent to the administrator. An example of NIDS usage is installing
it on the subnet where the firewalls are located, so as to see
whether someone is trying to crack the firewall.
- 2. Host Intrusion Detection System (HIDS):
HIDS run on independent hosts or devices on the network. A HIDS
keeps track of the incoming and outgoing packets from that device
only, and an alert is sent to the administrator whenever suspicious
or malicious activity is detected. It also takes a snapshot of
existing system files and compares it with the previous snapshot.
If monitored system files were edited or deleted, an alert is sent
to the administrator to investigate. HIDS are often used on
mission-critical machines, whose configuration is not expected to
change.
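The file-snapshot comparison a HIDS performs, as an added example (not code from the original notes): each file under a monitored directory is hashed, the current snapshot is diffed against the previous one, and edited, deleted and newly added files are reported. The directory contents are constructed in a temporary folder; the file names and contents are illustrative only.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file under root (by relative path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare(previous, current):
    """Diff two snapshots; every entry is something a HIDS would alert on."""
    return {
        "modified": sorted(p for p in previous if p in current and previous[p] != current[p]),
        "deleted": sorted(p for p in previous if p not in current),
        "added": sorted(p for p in current if p not in previous),
    }


def demo():
    """Simulate a monitored config directory in a temp dir (constructed data, not a real host)."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "sshd_config": b"PermitRootLogin no\n",
            "hosts": b"127.0.0.1 localhost\n",
            "motd": b"welcome\n",
        }
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        baseline = snapshot(root)  # first snapshot: the known-good state
        # Changes that happen between snapshots, as a HIDS would observe them:
        with open(os.path.join(root, "sshd_config"), "wb") as fh:
            fh.write(b"PermitRootLogin yes\n")  # edited file
        os.remove(os.path.join(root, "motd"))  # deleted file
        with open(os.path.join(root, "crontab"), "wb") as fh:
            fh.write(b"0 3 * * * /usr/bin/backup\n")  # new file
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

A real HIDS stores the baseline snapshot somewhere the monitored host cannot rewrite it, otherwise an intruder who edits a file can also edit its recorded hash.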
- 3. Protocol-based Intrusion Detection System (PIDS):
A protocol-based intrusion detection system (PIDS) consists of a
system or agent that resides at the front end of a server,
controlling and interpreting the protocol between a user/device and
the server. It tries to secure the web server by regularly tracking
and monitoring the HTTPS protocol stream and accepting the related
HTTP protocol.
- 4. Application Protocol-based Intrusion Detection System (APIDS):
APIDS is a system or agent that usually resides within a group of
servers. It identifies intrusions by monitoring and analyzing the
communication on application-specific protocols. For example, it
would monitor the SQL protocol specific to the middleware as it
transacts with the database in the web server.
- 5. Hybrid Intrusion Detection System:
A hybrid intrusion detection system is a type of IDS made by
combining two or more of the intrusion detection approaches above.
In a hybrid intrusion detection system, host agent or system data is
combined with network information to develop a complete view of the
network system. Hybrid intrusion detection systems are more
effective in comparison to the other IDSs. Prelude is an example of
a hybrid IDS.
Detection Methods of IDS:
- 1. Signature-based Method:
A signature-based IDS detects attacks on the basis of specific
patterns, like the number of bytes or the number of 1's or 0's
within the network traffic. It can also detect on the basis of an
already known malicious instruction sequence that is used by the
malware. The patterns the IDS detects are referred to as signatures.
A signature-based IDS can detect attacks whose pattern already
exists in the system, but it is quite difficult for it to detect new
malware attacks, as their pattern is not yet known.
- 2. Anomaly-based Method:
An anomaly-based IDS can detect unknown malware attacks, which
matters because new malware is developed rapidly. Machine learning is
used to build a model of trusted activity; incoming activity is
compared with that model and declared suspicious if it does not fit
the model. Machine learning based methods generalize better than a
signature-based IDS, as these models can be trained according to the
applications and hardware configurations.
Intrusion Prevention System (IPS)
i) An Intrusion Prevention System is also referred to as an
Intrusion Detection and Prevention System.
ii) It is a network security application that monitors network
or system activities for malicious activity.
iii) Major functions of IPS are to spot malicious activity,
collect information about this activity, report it and make
attempts to block or stop it.
iv) IPS generally record information associated with observed
events, notify security administrators of important observed events
and produce reports.
v) Many of them can respond to a detected threat by attempting
to prevent it from succeeding.
Classification of Intrusion Prevention System (IPS):
- 1. Network-based intrusion prevention system (NIPS):
It monitors the whole network for suspicious traffic by analyzing
protocol activity.
- 2. Wireless intrusion prevention system (WIPS):
It monitors a wireless network to look for suspicious traffic by
analyzing wireless networking protocols.
- 3. Network behavior analysis (NBA):
It examines network traffic to spot threats that generate unusual
traffic flows, like distributed denial of service attacks, specific
forms of malware and policy violations.
- 4. Host-based intrusion prevention system (HIPS):
It is an installed software package that monitors a single host for
suspicious activity by scanning the events that occur within that
host.
Detection Methods of Intrusion Prevention System (IPS):
- 1. Signature-based detection:
A signature-based IDS inspects packets within the network and
compares them with pre-built, predetermined attack patterns referred
to as signatures.
- 2. Statistical anomaly-based detection:
An anomaly-based IDS monitors network traffic and compares it
against an established long-term baseline. The baseline identifies
what is normal for that network and which protocols are used.
However, it may raise a warning or false alarm if the baselines
aren't intelligently configured.
- 3. Stateful protocol analysis detection:
This IDS method recognizes deviations in protocol state by comparing
observed events with pre-built profiles of generally accepted
definitions of benign activity.
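The two detection methods described under "Detection Methods of IDS" and again here, side by side, as an added example (not code from the original notes): a signature-based check matches payloads against known patterns, and a statistical anomaly check compares per-host request counts against a baseline of mean plus k standard deviations. The traffic records, the two signatures and the baseline counts are all constructed, and the flood from one host shows the page's point that a low threshold (small k) produces false alarms.

```python
import re
import statistics

# Constructed sample traffic records (not real captures): (source_ip, payload).
FLOWS = (
    [("10.0.0.5", "GET /index.html HTTP/1.1"),
     ("10.0.0.5", "GET /images/logo.png HTTP/1.1"),
     ("10.0.0.7", "GET /../../etc/passwd HTTP/1.1")]
    + [("10.0.0.9", "GET /search?q=%d HTTP/1.1" % i) for i in range(40)]  # request flood
    + [("10.0.0.11", "GET /news/%d HTTP/1.1" % i) for i in range(7)]  # busy but normal
)

# Signature-based method: patterns already known to be malicious.
# These two signatures are illustrative, not a real rule set.
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./"),
    "sql injection probe": re.compile(r"(?i)union\s+select"),
}

# Constructed baseline: requests per host per interval, observed in a "normal" period.
BASELINE_PER_HOST = [4, 6, 5, 7, 5, 6, 4, 5]


def signature_alerts(flows):
    """Return (source_ip, signature_name) for every payload matching a known pattern."""
    return [(src, name) for src, payload in flows
            for name, rx in SIGNATURES.items() if rx.search(payload)]


def anomaly_alerts(flows, baseline, k):
    """Flag hosts whose request count exceeds mean + k * stdev of the baseline.

    The flood from 10.0.0.9 matches no signature, so only this method catches it.
    A small k is a poorly configured baseline: it also flags the busy-but-normal host.
    """
    threshold = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    counts = {}
    for src, _ in flows:
        counts[src] = counts.get(src, 0) + 1
    return sorted(src for src, n in counts.items() if n > threshold)


if __name__ == "__main__":
    print("signature:", signature_alerts(FLOWS))
    print("anomaly k=3:", anomaly_alerts(FLOWS, BASELINE_PER_HOST, 3))
    print("anomaly k=0:", anomaly_alerts(FLOWS, BASELINE_PER_HOST, 0))
```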
Comparison of IPS with IDS:
- Intrusion prevention systems are placed in-line and are able to
actively prevent or block intrusions that are detected.
- IPS can take such actions as sending an alarm, dropping
detected malicious packets, resetting a connection or blocking
traffic from the offending IP address.
- IPS can also correct CRC (cyclic redundancy check) errors,
defragment packet streams, mitigate TCP sequencing issues and clean
up unwanted transport and network layer options.
2. Honeypot
i) Honeypot is a network-attached system used as a trap for
cyber-attackers to detect and study the tricks and kinds of attacks
being used by hackers.
ii) It acts as a possible target on the web and informs the
defenders about any unauthorized access attempt on the information
system.
iii) Honeypots are mostly employed by large companies and
organizations involved in cybersecurity.
iv) It helps cybersecurity researchers to learn about the
different type of attacks used by attackers.
v) It is suspected that cybercriminals also use honeypots to decoy
researchers and spread false information.
vi) The cost of a honeypot is usually high because it requires
specialized skills and resources to implement a system that appears
to offer an organization's resources while still preventing attacks
on the backend.
Types of Honeypot:
Based on their deployment, honeypots are divided into:
- 1. Research honeypots - These are often used by researchers to
analyze hacker attacks and develop alternative ways to stop these
attacks.
- 2. Production honeypots - Production honeypots are deployed in
production networks alongside the servers. These honeypots act as a
frontend trap for the attackers, consisting of false information and
giving the administrators time to address any vulnerability within
the actual system.
Advantages of honeypot:
- 1. Acts as a rich source of information and helps collect
real-time data.
- 2. Identifies malicious activity even if encryption is
used.
- 3. Wastes hackers’ resources and time.
- 4. They improve overall security.
Disadvantages of honeypot:
- 1. Being distinguishable from production systems, it can be
easily identified by experienced attackers.
- 2. Having a narrow field of view, it can only identify direct
attacks.
- 3. A honeypot once attacked can be used to attack other
systems.
- 4. Fingerprinting (an attacker can identify the real identity of
a honeypot).
Honeynet: A Network of Honeypots
i) A honeynet is a decoy network that contains one or more
honeypots.
ii) It looks like a real network and contains multiple systems
but is hosted on one or only a few servers, each representing one
environment.
iii) For example, a Windows honeypot machine, a Mac honeypot
machine and a Linux honeypot machine.
iv) (Figure: example of a honeynet topology.)
v) Any system on the honeynet may function as a point of entry
for attackers. The honeynet gathers intelligence on the attackers
and diverts them from the real network.
vi) The advantage of a honeynet over a simple honeypot is that it
feels more like a real network and has a much larger catchment area.
This makes a honeynet a better solution for large, complex networks:
it presents attackers with an alternative corporate network that can
look like an attractive alternative to the real one.
Padded Cell Systems
i) A padded cell is a honeypot that has been protected such that
it can't be compromised easily. In other words, a padded cell is a
hardened honeypot.
ii) In addition to attracting attackers with tempting data, a
padded cell operates in tandem with a traditional IDS. When the IDS
detects attackers, it seamlessly transfers them to a special
simulated environment where they can cause no harm. The nature of
this host environment is what gives the approach its name, padded
cell.
iii) Like honeypots, padded cells are well-instrumented and offer
unique opportunities for a would-be victim organization to monitor
the actions of an attacker.
Hope this helps you.
Happy Learning..