Question

In: Computer Science

What types of intrusion detection have been implemented in your organization?

#1) What types of intrusion detection have been implemented in your organization? If you do not work for an organization, research different intrusion detections and describe how it works.

#2) A company has suffered a data breach. Investigators are able to establish exactly when the data breach occurred, but on checking the IDS logs, no evidence of the breach is present. What type of intrusion detection error condition is this?


Solutions

Expert Solution

Question #1)

I do not work for an organization. An Intrusion Detection System (IDS) is basically a software type. They are automated systems that monitor and analyze the network. IDSs are generally placed between the external networks such as the public Internet and the internal (corporate) network of an organization. IDSs are specifically, placed behind the firewall on the edge of a network. One of the types of IDS called Network Intrusion Detection System (NIDS), with its one of the components called sensors, is placed at choke points in the network for monitoring. These choke-points are called the De-Militarized Zone (DMZ) or at network borders.

IDS, which is the acronym for Intrusion Detection Systems in network security, is by far, a valuable tool or solution to detect intrusions. It has the ability to locate and identify malicious activities on the network by examining network traffic in real-time, providing visibility unrivaled by any other detective control.

* It ensures the right and appropriate tool is used for the right job making it the right system to detect attack techniques.
* IDSs are available in network and host forms, hence they work at both networks and at the host level to detect attacks.
* HIDS: The Host Intrusion Detection (IDS) is installed as an agent on a machine (at the host level) to be protected and monitored to see the behavior of the attacks, their techniques, and action, accordingly.
* NIDS: Network IDS, on the other hand, examines the traffic (at the network level) between the hosts, looking for patterns or signatures of nefarious (criminal) behavior, basically, the attack techniques. IDS systems acquire signatures to implement to detect the latest threats.

Every environment is different and determining what is normal for the network, allows focusing better on anomalous and potentially malicious behavior. This saves time and brings real threats to the surface for remediation. Hence, the placement of the IDS device in the network is an important consideration in detecting attack techniques.

Hence, for the highest visibility of the attack techniques and their behavior, IDS are mostly deployed behind the firewall on the edge of the network. However, this also excludes traffic that occurs between hosts.

An example is Suricata, which is open-source software. It delivers real-time intrusion detection, intrusion prevention, and network monitoring.

Basically, IDS works by knowing or detecting the attack techniques using pattern matching or by the signatures or the specific actions that they perform. It is called signature-based IDS or misuse detection. The IDS looks for behavior and traffic matching the patterns of known attacks.

Different types of IDS to know attack techniques and to remediate the same:
There are four main types of Intrusion Detection System (IDS):

* Network Intrusion Detection System (NIDS).
* Host-based Intrusion Detection System (HIDS).
* Perimeter Intrusion Detection System (PIDS)
* Virtual Machine (VM)-based Intrusion Detection System (VMIDS).

A NIDS monitors the traffic to and from all devices on a network scanning all inbound and outbound traffic.

A HIDS monitors the inbound and outbound packets from the device only and alerts the user or administrator of any suspicious activity that has been detected.

A signature-based Intrusion Detection System (IDS) monitors data packets on the network and compares those packets against a database of signatures or attributes from known malicious threats.

Anomaly-based IDS monitors network traffic comparing it against an established baseline. The baseline identifies what is 'normal' for that network- what sort of bandwidth, protocols are used, what ports, and devices connect to each other. This, then alerts the administrator or user when anomalous traffic is detected or that is significantly different from the baseline.

A passive IDS simply detects suspicious or malicious traffic and alerts the administrator or user using an alerting system and it is up to them to take action to block the activity or respond in an appropriate way.

Reactive IDS takes pre-defined proactive actions to respond to the threats (attack techniques), detect suspicious or malicious traffic, and alerts the administrators. This involves blocking any further network traffic from the source IP address or user.

Specifically speaking IDS uses IPS – Intrusion Prevention System, working at network-level and application-level, filtering with a reactive IDS to proactively protect the network, resolving or stopping any attack techniques.

Question #2)
Answer:

An IDS might allow an intrusion based on a "false negative" state error condition, which is the most dangerous and serious state, with the IDS identifying an activity as acceptable behavior, however, in actual, the activity is an attack. Hence, the IDS logs would not have recorded, saved, and stored the attack, thus leaving no evidence of the breach, as the IDS allowed the activity considering it an acceptable behavior without logging the activity in the IDS logs. Also, a NIDS would not indicate if the attack was successful or not. IDS sensor response actions can stop an attacker, however, it does not stop a specific attack. This type of incident or attack can happen when IDS sensor response actions do not and cannot stop email viruses and automated attackers, for example, computer worms. Also, IDS sensors cannot do anything about network evasion techniques and are vulnerable to it. IDSs cannot properly categorize attacks. IDSs cannot be trained in highly dynamic and ever-changing environments. Also, the IDS may be gradually trained by hackers, attackers, intruders, or bad actors.

NIDS will not be able to scan protocols or content in case, network traffic is encrypted. Signature-based IDS cannot detect novel attacks.


Related Solutions

Identify three conditions that would need to be implemented (or have already been implemented) in your organization to create a culture of innovation and change.
Identify three conditions that would need to be implemented (or have already been implemented) in your organization to create a culture of innovation and change.
Identify three conditions that would need to be implemented (or have already been implemented) in your...
Identify three conditions that would need to be implemented (or have already been implemented) in your organization to create a culture of innovation and change.
Identify three conditions that would need to be implemented (or have already been implemented) in your...
Identify three conditions that would need to be implemented (or have already been implemented) in your organization to create a culture of innovation and change.
1) What are firewalls and intrusion detection systems? 2)Why are encryption applications an important security tool?...
1) What are firewalls and intrusion detection systems? 2)Why are encryption applications an important security tool? 3)What kind of budgeting does your job use? What are the pain points that management feels because of this? Where are you seeing the benefit, or the problems, that result, and would another budgeting model work better?
An intrusion detection system (IDS) is a device or software application that monitors network or system...
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station
1) In your opinion, what are the two most important tools/programs that have been implemented this...
1) In your opinion, what are the two most important tools/programs that have been implemented this year by the Federal Reserve and the US Congress in their attempt to fend off a deep Covid-19 based recession? What evidence do you have in actual results or from an example in the textbook? 2) In your opinion what are a few potential long term effects of these actions on the economy?
Some DRM systems have been implemented on open systems and some have been implemented in closed...
Some DRM systems have been implemented on open systems and some have been implemented in closed systems. a. What is the primary advantage of implementing DRM on a closed system? b. What is the primary advantage to implementing DRM on an open platform?
Consider a company that has an intrusion detection system in half of its systems (50%), has...
Consider a company that has an intrusion detection system in half of its systems (50%), has bring your own device (BYOD) for 30% of its employees, and uses three systems (computers 40%, smartphones 25%, and cloud 35%). The probability of a breach is 11%. The probability of a breach given there is an intrusion detection is 15% The probability of a breach given there is no intrusion detection 25% The probability of a breach given employees’ use their own devices...
Please explain as much as possible. 1. Demonstrate an understanding of how Intrusion Detection Systems and...
Please explain as much as possible. 1. Demonstrate an understanding of how Intrusion Detection Systems and protocol analyzers work. 2. Demonstrate an understanding of how to use event logs, session data, and network communication to find and remediate network intrusions 3. Demonstrate understanding of network security monitoring and incident response
1- Identify and describe the categories and models of intrusion detection and prevention systems. 2- Define...
1- Identify and describe the categories and models of intrusion detection and prevention systems. 2- Define and describe honeypots, honeynets,and padded cell systems.
ADVERTISEMENT
ADVERTISEMENT
ADVERTISEMENT