Intrusion Detection System
What is an Intrusion?
 Intrusion refers to any unauthorized access or activity within
  a network, system, or application.
 An intrusion can be defined as “any set of actions that attempt
  to compromise the integrity, confidentiality, or availability
  of a resource”.
 The goal of an intrusion can vary from stealing data,
  disrupting services, damaging systems, or performing
  reconnaissance for future attacks.
Intruders
 Intruders are individuals or entities that attempt to gain
  unauthorized access to a network, system, or data.
They can be of two types:
 Outsiders: Intruders from outside the network. They may attempt
  to bypass the firewall (for example by tunnelling through a service
  the firewall allows, or by compromising a user first) to reach
  machines on the internal network.
   E.g.: phishing, malware, DoS
 Insiders: Intruders who legitimately use your internal network.
  These include users who misuse privileges or who impersonate
  privileged users. Insiders are already past the perimeter, so the
  firewall alone does not stop them; detection on hosts and in logs
  is needed.
   E.g.: over-privileged user, disgruntled employee
Intrusion Types
Q) How can an intrusion occur?
 Intrusions can occur through various means, each exploiting
  different vulnerabilities in physical, system, or remote access.
   Physical Intrusion
   Remote Intrusion
   System Intrusion
Intrusion Types: Physical Intrusion
1.    Physical Intrusion: involves attackers gaining
      unauthorized physical access to hardware or facilities. This
      type of intrusion can compromise network security and
      system integrity directly.
Here are some common methods:
      Tailgating/Piggybacking: Following authorized personnel
      into restricted areas without permission.
      Social Engineering: Manipulating individuals to gain access,
      such as posing as maintenance staff or delivery personnel.
Physical Intrusion (Contd..)
  Tampering with Devices: Physically manipulating network
  devices, such as routers or switches, to intercept or alter data.
  Installing Rogue Devices: Plugging in unauthorized devices
  like USB drives with malware, keyloggers, or network sniffers.
  Booting from External Media: Booting a system from a
  malicious USB drive or CD to bypass security controls.
  Theft of Hardware: Stealing laptops, servers, or other
  devices to access sensitive data directly.
Intrusion Types: Remote Intrusion
2. Remote Intrusion: involves attackers gaining unauthorized access to systems or
   networks over the internet or other remote connections.
Common methods include:
    Man-in-the-Middle (MitM) Attacks: Intercepting and potentially altering
     communication between two parties.
    Port Scanning and Enumeration: Scanning for open ports and services to
     identify potential vulnerabilities.
    Remote Code Execution (RCE): Exploiting vulnerabilities in software to execute
     arbitrary code on a remote system.
    SQL Injection: Injecting malicious SQL queries into web applications to access or
     modify databases.
Remote Intrusion (Contd..)
  Phishing Emails: Sending deceptive emails to trick users into revealing
   credentials or downloading malware.
  Spear Phishing: Targeting specific individuals with customized phishing
   attacks.
  Drive-by Downloads: Compromising websites to automatically download
   and install malware when users visit.
  Malicious Attachments/Links: Distributing malware through email
   attachments or links to compromised websites.
  Default Credentials: Using default usernames and passwords set by
   manufacturers that have not been changed.
  Insecure Authentication Mechanisms: Exploiting weak or improperly
   implemented authentication methods.
Intrusion Types: System Intrusion
3.      System Intrusion: involves attackers exploiting
     vulnerabilities within the operating system or applications to
     gain unauthorized access or control.
Common methods include:
      Buffer Overflows: Supplying more data than a fixed-size buffer
       can hold, so that adjacent memory is overwritten; a crafted
       overflow can redirect execution to attacker-controlled code.
      Unpatched Software: Taking advantage of known
       vulnerabilities in software that has not been updated or patched.
System Intrusion (Contd..)
  Password Cracking: Recovering passwords by brute force or
  dictionary attacks, either online against the login service or
  offline against stolen password hashes.
  Credential Stuffing: Using stolen username-password pairs
  from previous breaches to gain access to multiple accounts.
  Vertical Privilege Escalation: Exploiting vulnerabilities to
  gain higher-level privileges (e.g., from user to administrator).
  Horizontal Privilege Escalation: Accessing another user's
  account without gaining additional privileges.
Intrusion Detection System (IDS)
 An Intrusion Detection System (IDS) is a security technology
  designed to detect and respond to unauthorized or malicious
  activity within a network or on a specific host.
 It monitors network traffic or system activities for suspicious
  behavior or known patterns of attack and generates alerts to
  notify administrators of potential security incidents.
Firewall vs IDS
 Firewall
   A firewall is designed to control incoming and outgoing
    network traffic based on predetermined security rules.
   Acts as a barrier between a trusted internal network and
    untrusted external networks, such as the internet.
   Sits inline and enforces policy: traffic that violates a rule is
    dropped, but traffic that an allow rule permits is not inspected
    for attacks.
 IDS
   Designed to detect and alert on suspicious or malicious
    activities within a network or on a specific host.
   Usually passive (out of band): it examines a copy of the traffic
    and raises alerts but does not block on its own; the inline variant
    that can block is an Intrusion Prevention System (IPS).
   Provides detailed information about security incidents for
    investigation and response.
Classification of IDS
 Intrusion Detection Systems can be categorized based on
  their deployment and the scope of their monitoring.
 IDS can be classified into the following:
   Network Intrusion Detection Systems (NIDS)
   Host Intrusion Detection Systems (HIDS)
   Protocol-Based Intrusion Detection Systems (PIDS)
   Application Protocol-Based Intrusion Detection Systems (APIDS)
1. Network Intrusion Detection System (NIDS)
 Network Intrusion Detection Systems (NIDS) are deployed
  at strategic points within the network to monitor traffic from all
  devices on the network.
   Deployment: Installed at critical network points such as the
    subnet where the firewalls are located. On a switched network the
    sensor only sees traffic that is copied to it through a mirror (SPAN)
    port or a network tap.
   Functionality: Observes passing traffic on the entire subnet and
    matches it against a database of known attacks or abnormal behaviors.
 Example: Installation on a Subnet with Firewalls
   A NIDS can be placed on the subnet where the firewalls are located to
    detect if someone is trying to compromise a firewall.
[Figure: NIDS]
2. Host Intrusion Detection System (HIDS)
 Host Intrusion Detection Systems (HIDS) run on individual
  hosts or devices within the network.
   Deployment: Installed on specific hosts or devices.
   Functionality: Monitors the packets entering and leaving the
    device, and takes periodic snapshots (hashes) of critical system
    files, comparing each snapshot with the previous one to detect
    unauthorized changes.
 Example: Usage on Mission-Critical Machines
   HIDS can be used on mission-critical machines, which are not
    expected to change their layout, to ensure that any unauthorized
    changes are detected.
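The snapshot-and-compare behaviour described above, as an added example written for this page (it is not code from the slides or from any HIDS product): a minimal file-integrity monitor in Python. It baselines a constructed temporary directory that stands in for a monitored host, recording a SHA-256 hash, permission bits and size per file, then tampers with the directory the way an intruder might and reports what changed. All paths and file contents are constructed.

```python
"""HIDS-style file-integrity check: hash a directory tree into a baseline
snapshot, then compare a later snapshot against it. Added example for these
slides, not code from the original; it runs on a constructed temporary
directory that stands in for a monitored host."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Return {relative_path: (sha256, mode, size)} for every file under root.

    Hashing the contents (not just size/mtime) is what catches a trojanised
    binary whose size and timestamp were restored to match the original.
    """
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (digest.hexdigest(), st.st_mode & 0o777, st.st_size)
    return snap


def compare(baseline, current):
    """Classify paths as added, removed, or modified between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def _write(root, rel, data, mode="w"):
    """Helper for the constructed host: create parent dirs and write a file."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as fh:
        fh.write(data)


def demo():
    """Baseline a constructed host, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "etc/motd", "Authorised users only\n")
        _write(root, "bin/ls", b"\x7fELF original binary", mode="wb")
        baseline = snapshot(root)

        # Constructed tampering: backdoor account appended, binary replaced by
        # one of identical length, a tool dropped, and the banner deleted.
        _write(root, "etc/passwd", "backdoor:x:0:0::/root:/bin/sh\n", mode="a")
        _write(root, "bin/ls", b"\x7fELF trojaned binary", mode="wb")
        _write(root, "bin/nc", b"\x7fELF dropped tool", mode="wb")
        os.remove(os.path.join(root, "etc", "motd"))

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9}: {paths}")
```

Two points the example makes concrete: the replaced `bin/ls` has exactly the size of the original and would pass a size-or-timestamp check, and the baseline itself has to be stored (or signed) somewhere the intruder cannot reach, because an attacker with root simply regenerates it after tampering. In practice the check is scheduled, volatile files such as logs are excluded to limit false positives, and expected hashes for packaged binaries come from the package manager rather than from the possibly compromised host.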
[Figure: HIDS]
3. Protocol-Based Intrusion Detection System (PIDS)
 Protocol-Based Intrusion Detection Systems (PIDS) focus
  on monitoring and interpreting a specific protocol between a
  user/device and a server, for example the TLS/HTTPS stream in
  front of a web server.
   Deployment: Resides at the front end of a server, monitoring the
    protocol communication.
   Functionality: Continuously parses the protocol stream (e.g., HTTPS)
    and checks that the communication complies with the protocol
    specification and its expected state machine.
 Example: Monitoring the HTTPS Protocol
   A PIDS in front of an HTTPS server checks for malformed TLS
    handshake messages or downgrade attempts, such as a client being
    steered into negotiating an obsolete protocol version or a weak
    cipher suite.
4. Application Protocol-Based Intrusion Detection System (APIDS)
 Application Protocol-Based Intrusion Detection
  Systems (APIDS) work at the application layer, monitoring
  application-specific protocols.
   Deployment: Generally resides within a group of servers.
   Functionality: Focuses on specific application protocols. Detects
    application-layer attacks that look valid to the protocol but are
    malicious for the application itself.
 Example: Monitoring the SQL protocol, HTTP or SMTP.
   Detects SQL injection, cross-site scripting (XSS), and malicious API
    calls.
   Detects email header spoofing or malware-laden attachments.
Functions of IDS
Intrusion Detection Systems (IDS) are essential components of a
   comprehensive cybersecurity strategy.
The key functions of IDS include:
1. Monitoring
   Network Monitoring: IDS continuously monitors network traffic,
    inspecting packet headers and payloads for signs of malicious activity.
   Host Monitoring: IDS monitors the activities and status of
    individual hosts, including system calls, application logs, and file
    integrity.
Functions of IDS (Contd..)
2. Detection
   Signature-based Detection: Identifies known threats by
    comparing network traffic or system behavior against a database of
    known attack signatures.
   Anomaly-based Detection: Identifies deviations from normal
    behavior, flagging activities that do not match established baselines as
    potential threats.
   Hybrid Detection: Combines signature-based and anomaly-based
    methods to improve detection accuracy and reduce false positives.
Functions of IDS (Contd..)
3. Alerting
   Real-time Alerts: Generates immediate alerts when potential
    threats are detected, allowing administrators to respond quickly.
   Alert Prioritization: Categorizes alerts based on severity, ensuring
    that the most critical threats are addressed first.
4. Logging and Reporting
   Event Logging: Records all detected events and activities, providing
    a detailed audit trail for forensic analysis.
   Reporting: Generates reports summarizing detected threats, attack
    trends, and system vulnerabilities. These reports are useful for
    compliance, management review, and strategic planning.
Functions of IDS (Contd..)
5. Analysis
     Traffic Analysis: Examines network traffic patterns to identify unusual behavior
      indicative of attacks such as Distributed Denial of Service (DDoS), port scanning, and
      data exfiltration.
    Behavioral Analysis: Monitors user and system behavior to detect deviations from
      normal patterns that could indicate insider threats or compromised accounts.
6. Response Coordination
     Incident Response Support: Provides valuable information to assist in the
      investigation and response to detected incidents.
    Integration with Other Security Tools: Works with other security solutions
      such as firewalls, Security Information and Event Management (SIEM) systems, and
      Intrusion Prevention Systems (IPS) to enhance overall security posture.
Functions of IDS (Contd..)
 7. Maintenance of Security Baselines
   Baseline Establishment: Establishes baselines of normal
    network and system behavior, which are crucial for effective
    anomaly detection.
   Baseline Updates: Regularly updates these baselines to
    reflect changes in network and system configurations, ensuring
    continued effectiveness of anomaly-based detection.
Intrusion Detection System Architecture
Detection Mechanism
 Intrusion Detection Systems (IDS) use various detection
  mechanisms to identify potential security breaches, attacks,
  or malicious activities within a network or system.
 The primary detection mechanisms in IDS are categorized
  into three main types:
   Signature-Based Detection,
   Anomaly-Based Detection
   Hybrid Detection.
1. Signature-Based Detection / Misuse Detection
 Signature-based detection, also known as misuse detection, relies on
  predefined patterns or signatures of known threats.
 Each signature is a distinct pattern that characterizes a specific attack or
  malicious activity.
 The IDS maintains a database of known attack signatures.
 Incoming network traffic or system activity is monitored and compared
  against these signatures.
 If a match is found, the IDS generates an alert indicating a potential
  intrusion.
Signature-Based Detection (Contd..)
 Example:
   A sequence of bytes that appears in a particular malware variant is an
    example of an attack signature.
   The IDS scans incoming HTTP requests for known patterns. If a
    request contains ' OR '1'='1' or a similar tautology, it matches the
    signature of a SQL injection attack. A literal string match is easy
    to evade with URL encoding, case changes or inline comments, so
    practical signatures are regular expressions applied to the decoded
    and normalised request.
 Advantages:
   High accuracy for known threats.
   Low false positive rate for known attacks.
 Disadvantages:
   Ineffective against new, unknown attacks (zero-day attacks).
   Requires regular updates to the signature database.
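The HTTP-request signature matching described above, as an added example written for this page (not code from the slides or from any IDS product): a small signature engine run over constructed access-log lines. It shows the point about normalisation directly: the same signatures are applied once to the raw request and once after URL decoding, comment stripping and case folding, and only the second pass catches the encoded attacks. The signatures, log lines and IP addresses are all constructed.

```python
"""Signature-based detection over web-server access-log lines.
Added example for these slides, not code from the original page. The
signatures, the log lines and the IP addresses are all constructed."""
import re
from urllib.parse import unquote_plus

# Each signature: a name and a pattern. Patterns are written against the
# decoded, lower-cased request, not the raw bytes on the wire.
SIGNATURES = [
    ("SQLi tautology", re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+")),
    ("SQLi UNION SELECT", re.compile(r"\bunion\b[\s/*]+\bselect\b")),
    ("Path traversal", re.compile(r"(\.\./){2,}")),
    ("Command injection", re.compile(r";\s*(cat|ls|id|wget|curl)\b")),
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')

# Constructed access-log lines (Common Log Format).
LOG_LINES = [
    '10.0.0.5 - - [12/May/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/May/2024:10:01:02 +0000] "GET /login?user=admin\'%20OR%20\'1\'%3D\'1 HTTP/1.1" 200 77',
    '198.51.100.9 - - [12/May/2024:10:01:40 +0000] "GET /search?q=1%2527%2520UNION%252F%252A%252A%252FSELECT%2520password%2520FROM%2520users HTTP/1.1" 200 2048',
    '203.0.113.7 - - [12/May/2024:10:02:15 +0000] "GET /static/..%2F..%2F..%2Fetc/passwd HTTP/1.1" 404 0',
    '10.0.0.8 - - [12/May/2024:10:03:00 +0000] "POST /api/orders HTTP/1.1" 201 90',
]


def normalise(url):
    """Undo the encodings an attacker can hide behind before matching.

    Two decoding passes defeat double URL-encoding; SQL block comments are
    replaced by a space and whitespace is collapsed so that UNION/**/SELECT
    and UNION    SELECT both hit the same signature.
    """
    text = url
    for _ in range(2):
        text = unquote_plus(text)
    text = re.sub(r"/\*.*?\*/", " ", text)
    text = re.sub(r"\s+", " ", text)
    return text.lower()


def scan(lines, decode=True):
    """Return (client_ip, signature_name) for every request that matches."""
    alerts = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = match.group("url")
        target = normalise(url) if decode else url.lower()
        for name, pattern in SIGNATURES:
            if pattern.search(target):
                alerts.append((line.split()[0], name))
                break  # one alert per request is enough for this demo
    return alerts


if __name__ == "__main__":
    print("raw match     :", scan(LOG_LINES, decode=False))
    print("decoded match :", scan(LOG_LINES))
```

The raw pass returns nothing, because every attack line is encoded at least once; the decoded pass flags the tautology, the double-encoded UNION SELECT and the traversal. The caveat this illustrates is that the sensor has to normalise exactly the way the target application does: if the web server decodes twice and the IDS only once, or the two disagree on how to treat a malformed escape sequence, the attacker picks the encoding that the IDS rejects and the server accepts.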
2. Anomaly-Based Detection
 Anomaly-based IDS identifies deviations from a baseline of normal
   behaviour that is established with statistical methods.
 This method relies on establishing a baseline of normal activity and then
   detecting any significant deviations from this baseline.
 The IDS learns the normal behavior of the network or system over time
   and then flags departures from it, such as a process that uses more
   bandwidth than usual or a device that opens a port it never used before.
 Anomaly detection can also be done with machine learning.
   Algorithms are trained to identify patterns in data that deviate from
     the norm.
    These deviations, or anomalies, can indicate potential security threats, system
     failures, or other unusual events.
Anomaly-Based Detection (Contd..)
 Example: Detecting Unusual Login Activity
   The IDS establishes a baseline of normal login behavior for each user,
    such as typical login times, frequency, and geographic locations.
   A login at 03:00 from a country the user has never logged in from
    deviates from that baseline on two dimensions and is flagged even
    though the credentials were valid.
 Advantages:
   Can detect new, previously unknown attacks; because no signature is
    needed, this approach can catch zero-day exploits.
   Useful for identifying insider threats and subtle attacks.
 Disadvantages:
   Higher false positive rate compared to signature-based detection.
   Requires a comprehensive and accurate baseline to be effective; a
    baseline learned while an attacker is already active treats the
    attacker's activity as normal.
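The login-activity example above, as an added example written for this page (not code from the slides or from any product): a per-user baseline of login hours and countries is learned from constructed history, new logins are scored by how many dimensions they deviate on, and an alert threshold is applied. The new logins carry a constructed ground-truth label so the false-positive and false-negative counts at two thresholds can be compared, which is the sensitivity trade-off discussed later on the page under "Sensitivity of the System". All users, hours and countries are constructed.

```python
"""Anomaly-based login detection: learn a per-user baseline of login hours
and countries from history, then score new logins by how far they deviate.
Added example for these slides, not code from the original page; every
event, user and country is constructed, and the labels on the new logins
exist only to measure false positives and false negatives."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: (user, hour_of_day, country). Alice keeps office hours
# in one country; Bob is an on-call administrator whose hours vary widely.
HISTORY = [
    ("alice", 9, "DE"), ("alice", 10, "DE"), ("alice", 8, "DE"), ("alice", 9, "DE"),
    ("alice", 11, "DE"), ("alice", 9, "DE"), ("alice", 10, "DE"), ("alice", 8, "DE"),
    ("bob", 14, "US"), ("bob", 22, "US"), ("bob", 3, "US"), ("bob", 9, "US"),
    ("bob", 17, "US"), ("bob", 1, "US"), ("bob", 20, "US"), ("bob", 7, "US"),
]

# Constructed new logins: (user, hour, country, is_attack).
NEW_LOGINS = [
    ("alice", 10, "DE", False),   # ordinary working day
    ("alice", 3, "RU", True),     # stolen password used at night from a new country
    ("alice", 9, "FR", False),    # business trip: new country, usual hour
    ("bob", 3, "US", False),      # night login, but normal for Bob
    ("bob", 15, "BR", True),      # Bob's session replayed from abroad at a normal hour
    ("mallory", 12, "DE", True),  # account with no login history at all
]


def build_baseline(history):
    """Per-user mean/std-dev of login hour and the set of countries seen."""
    hours, countries = defaultdict(list), defaultdict(set)
    for user, hour, country in history:
        hours[user].append(hour)
        countries[user].add(country)
    return {user: {"hour_mean": mean(h), "hour_std": pstdev(h),
                   "countries": countries[user]} for user, h in hours.items()}


def score(baseline, user, hour, country):
    """Return (score, reasons): one point for each independent deviation."""
    profile = baseline.get(user)
    if profile is None:
        return 2, ["no login history for user"]
    reasons = []
    # Floor the spread at one hour so a very regular user is not flagged
    # for logging in a few minutes later than usual.
    z = abs(hour - profile["hour_mean"]) / max(profile["hour_std"], 1.0)
    if z > 3:
        reasons.append("unusual hour (z=%.1f)" % z)
    if country not in profile["countries"]:
        reasons.append("never seen from %s" % country)
    return len(reasons), reasons


def detect(baseline, logins, threshold):
    """Alert when a login's score reaches threshold; also count FP and FN
    against the labels so the sensitivity trade-off is visible."""
    alerts, false_pos, false_neg = [], 0, 0
    for user, hour, country, is_attack in logins:
        s, reasons = score(baseline, user, hour, country)
        if s >= threshold:
            alerts.append((user, reasons))
            false_pos += 0 if is_attack else 1
        else:
            false_neg += 1 if is_attack else 0
    return alerts, false_pos, false_neg


if __name__ == "__main__":
    bl = build_baseline(HISTORY)
    for threshold in (1, 2):
        alerts, fp, fn = detect(bl, NEW_LOGINS, threshold)
        print(f"threshold={threshold}: {len(alerts)} alerts, "
              f"{fp} false positive(s), {fn} false negative(s)")
        for user, reasons in alerts:
            print("   ", user, reasons)
```

With the threshold at 1 (any single deviation) the detector catches all three attacks but also flags Alice's business trip; at 2 the trip is ignored but Bob's replayed session, which only differs in country, is missed. Bob's 3 a.m. login is never flagged because his baseline already spans the night, which is the point of building the baseline per user rather than per organisation.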
3. Hybrid Detection
 Hybrid detection combines both signature-based and anomaly-based detection
  mechanisms to leverage the strengths of both approaches while mitigating their
  weaknesses.
 Multi-layered Monitoring: Incoming traffic and system activity are
  analyzed through both signature matching and anomaly detection.
 Example: The signature engine flags a SQL injection attempt from an IP
  address; the anomaly engine then sees the same address suddenly making
  an unusually large number of requests. Correlating the two findings
  produces a single higher-confidence alert.
 Advantages:
   Improved detection rates for both known and unknown attacks.
   Balanced false positive and false negative rates.
 Disadvantages:
   Increased complexity in implementation and management.
   Potential for higher resource consumption.
Stealth Mode IDS
 A Stealth Mode Intrusion Detection System (IDS) operates in
  a manner that is hard for attackers on the monitored network to
  detect.
 The monitoring interface has no IP address and only listens (in
  promiscuous mode), so it cannot be addressed, scanned or
  fingerprinted from the network it watches; an attacker therefore
  cannot easily tell that traffic is being analyzed.
Stealth mode IDS (Contd..)
 Many IDSs run in stealth mode, whereby an IDS has two network
    interfaces:
     One, without an IP address, for the network being monitored
     Another, on a separate management network, to deliver alerts
      and to receive administrative access.
Responding to Alarms
Whatever the type, an intrusion detection system raises an alarm when it finds a match.
In general, responses fall into three major categories (any or all of which can be used in a
    single response):
 Monitor: This involves collecting data, potentially increasing the amount of attack data
   collected.
     The goal is to observe the activity to gather more information about the nature and
      source of the attack.
 Protect: This action aims to reduce exposure to the attack.
   Reduce exposure and prevent damage in real-time.
   It may involve steps to mitigate the threat, such as blocking certain traffic or isolating
      affected systems to prevent further damage.
 Call a Human: In this response, a human operator is alerted to take further action.
   This may involve investigating the alert, taking manual steps to address the threat, or
      escalating the issue to higher authorities.
Constant arms race between IDS vendors and attackers
 While IDS solutions can detect many threats, attackers find ways
  to get around them.
 IDS vendors respond by updating their solutions to account
  for these tactics.
 However, these updates create something of an arms race, with
  attackers and IDS vendors each trying to stay one step ahead of
  the other.
IDS Evasion Tactics
1. Distributed Denial-of-Service (DDoS) Attacks
   Mechanism: In a DDoS attack, hackers flood an IDS with a massive
    volume of malicious traffic from multiple sources.
   Objective: The goal is to overwhelm the IDS’s resources, making it
    unable to function properly.
     A sensor that drops packets under load silently stops inspecting them
      (it "fails open"), so during the flood real attacks slip through
      undetected.
 Example: Flooding Traffic
   Hackers launch a DDoS attack using a botnet to send overwhelming
    amounts of traffic to the IDS, causing it to crash or become
    unresponsive.
IDS Evasion Tactics (Contd..)
2. IP Spoofing
   Mechanism: Attackers forge the source IP address of their
    packets so that the traffic appears to come from a legitimate and
    trusted source.
   Objective: To bypass IDS rules or allow-lists that trust traffic based
    on its source address, or to hide the real origin of a scan among
    decoy sources.
     Because replies go to the spoofed address, a spoofed source cannot
      complete a TCP handshake; spoofing therefore works best for
      connectionless protocols (e.g., UDP, ICMP) and for decoy scanning.
 Example: Faking Source IP
   An attacker sends malicious packets with a spoofed source address that
    belongs to a trusted internal device, so rules that exempt internal
    sources from scrutiny let the traffic through.
IDS Evasion Tactics (Contd..)
3. Fragmentation
   Mechanism: Attackers split a malicious payload across several IP
    fragments or TCP segments so that no single packet contains the
    whole attack signature.
   Objective: To obscure the attack’s signature and prevent the IDS
    from detecting it.
     An IDS that inspects packets one at a time, or that reassembles
      overlapping fragments differently from the target host, never sees
      the payload the way the victim does and misses the attack entirely.
 Example: Split Payload
   A malicious payload is split into multiple small packets that are sent
    out of order, with delays, or with overlapping fragments, so that the
    IDS either gives up on reassembly or reconstructs a different byte
    stream from the one the target accepts.
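The split-payload evasion above, as an added example written for this page (not code from the slides or from any IDS): a constructed HTTP request carrying the SQL-injection tautology is cut into TCP-style segments at offsets that fall inside the signature, so per-packet matching sees nothing, while a sensor that reassembles the stream still catches it. The last two cases show the overlap trick: a junk segment is sent first over the same byte range as the real one, and whether the IDS sees the attack depends on whether its reassembly policy ("first copy wins" or "last copy wins") matches the target host's. The request, offsets and decoy bytes are constructed.

```python
"""TCP-segment reassembly versus per-packet signature matching.
Added example for these slides, not code from the original page; the attack
request, the segment boundaries and the decoy segment are constructed."""
import re

# The tautology signature from the signature-based detection slides,
# written against raw bytes.
SIGNATURE = re.compile(rb"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE)

ATTACK = b"GET /login?user=admin' OR '1'='1 HTTP/1.1\r\nHost: app\r\n\r\n"


def fragment(payload, cuts):
    """Split payload into (seq, data) segments at the given byte offsets."""
    edges = [0] + list(cuts) + [len(payload)]
    return [(edges[i], payload[edges[i]:edges[i + 1]]) for i in range(len(edges) - 1)]


def per_packet_scan(segments):
    """What a naive sensor does: match each segment on its own."""
    return [seq for seq, data in segments if SIGNATURE.search(data)]


def reassemble(segments, policy="first"):
    """Rebuild the byte stream from segments that may arrive out of order.

    policy decides who wins when two segments cover the same bytes:
    "first" keeps the copy that arrived first, "last" lets a later copy
    overwrite. Real TCP stacks differ on this, and an IDS that picks the
    wrong policy for the target host reassembles a different stream from
    the one the application actually processes.
    """
    buf, seen = bytearray(), bytearray()
    for seq, data in segments:
        end = seq + len(data)
        if end > len(buf):
            buf.extend(b"\x00" * (end - len(buf)))
            seen.extend(b"\x00" * (end - len(seen)))
        for i, byte in enumerate(data):
            if policy == "last" or not seen[seq + i]:
                buf[seq + i] = byte
                seen[seq + i] = 1
    # Only the gap-free prefix is a valid stream; bytes after a hole are unknown.
    hole = seen.find(b"\x00")
    return bytes(buf if hole < 0 else buf[:hole])


def stream_scan(segments, policy="first"):
    """Match the signature against the reassembled stream instead of each packet."""
    return SIGNATURE.search(reassemble(segments, policy)) is not None


if __name__ == "__main__":
    segs = fragment(ATTACK, [24, 28])  # both cuts fall inside "' OR '1'='1"
    print("per-packet hits       :", per_packet_scan(segs))
    print("reassembled, reversed :", stream_scan(list(reversed(segs))))
    # Junk bytes sent first over the same range as the real middle segment.
    decoyed = [segs[0], (24, b"XXXX"), segs[1], segs[2]]
    print("decoy, first-wins IDS :", stream_scan(decoyed, "first"))
    print("decoy, last-wins host :", stream_scan(decoyed, "last"))
```

The decoy case is the one that matters operationally: if the server's TCP stack favours the later copy and the IDS favours the earlier one, the IDS inspects a stream that contains only the junk and the server executes the injection. Production sensors resolve this with target-based reassembly, where the analyst tells the IDS which operating system each protected host runs so it can mimic that host's policy.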
IDS Evasion Tactics (Contd..)
4. Encryption
   Mechanism: Attackers use encrypted protocols to hide their
    malicious activities.
   Objective: To bypass the IDS’s inspection if it lacks the capability to
    decrypt the traffic.
     Without the session keys, the IDS is blind to the content of the
       encrypted data; it can still see metadata (endpoints, timing, volume,
       certificate details) unless the attacker blends those in as well.
 Example: Encrypted Communication
   An attacker uses HTTPS to send commands to a compromised system.
    If the IDS cannot decrypt HTTPS traffic (for example because no
    TLS-inspecting proxy sits in the path), it fails to detect the
    malicious communication.
IDS Evasion Tactics (Contd..)
5. Operator Fatigue
   Mechanism: Hackers generate large numbers of false alerts to
    overwhelm the incident response team.
   Objective: To distract and fatigue operators, making them more
    likely to miss real threats.
     Continuous false alarms can cause operators to become desensitized or
      complacent, reducing their effectiveness.
 Example: False Alert Generation
   Hackers deliberately trigger numerous benign alerts. Amidst these,
    they launch a genuine attack, hoping it will go unnoticed due to the
    clutter.
False Results In IDS
Although an IDS might detect an intruder correctly most of the time,
  it may stumble in two different ways:
1. False Positive (Type I Error): This occurs when the IDS raises
   an alarm for something that is not actually an attack. In other
   words, the system incorrectly identifies normal behavior as
   malicious, leading to unnecessary alerts and potentially wasting
   resources on investigating non-issues.
2. False Negative (Type II Error): This happens when the IDS
   fails to raise an alarm for a real attack. In this case, the system does
   not detect a malicious activity, allowing the attack to go unnoticed
   and potentially causing harm.
Sensitivity of the System
 Too many false positives mean the administrator will be less confident in
  the IDS’s warnings, perhaps leading to real alarms being ignored.
 A false negative means a real attack is not detected by the IDS and
  passes through without an alarm being raised.
 Achieving a balance between false positives and false negatives is crucial.
  If an IDS is too sensitive, it may raise too many false positives. If it is not
  sensitive enough, it may miss real attacks.
 Effective IDS design involves fine-tuning the system to reduce both
  types of errors, ensuring that the system is reliable and trusted by
  administrators.
Security Operation Center
 A Security Operations Center (SOC) is a centralized unit
  that deals with security issues on an organizational and
  technical level.
 It comprises a team of cybersecurity professionals and the
  necessary infrastructure to monitor, detect, analyze, and
  respond to cybersecurity incidents.
Function of SOC
 Monitoring and Detection: Continuous monitoring of networks, servers,
  endpoints, databases, applications, and other systems for signs of security
  breaches.
 Incident Response: Coordinated efforts to respond to detected incidents to
  mitigate the impact of a security breach.
 Threat Intelligence: Gathering and analyzing information about potential
  threats to stay ahead of attackers.
 Forensics and Investigation: Analyzing incidents post-mortem to
  understand how they happened and how to prevent future occurrences.
 Compliance Management: Ensuring that the organization meets relevant
  regulatory and compliance requirements.
Personnel in a SOC
 SOC Analysts: The frontline defenders who monitor
  systems and respond to alerts.
 Incident Responders: Specialists who handle the
  investigation and remediation of security incidents.
 Threat Hunters: Proactively search for threats that evade
  automated detection systems.
 SOC Managers: Oversee the SOC operations and ensure
  efficient functioning of the team and processes.
SIEM
 Security information and event management, SIEM for short, is a
  solution that helps organizations detect, analyze, and respond to
  security threats before they harm business operations.
 SIEM tools collect, aggregate, and analyze volumes of data
  from an organization’s applications, devices, servers, and
  users in real-time so security teams can detect and block attacks.
 SIEM tools use predetermined rules to help security teams define
  threats and generate alerts.
Key Components of SIEM
1. Data Collection
   Sources: SIEM collects data from various sources, including
    firewalls, antivirus software, intrusion detection systems (IDS),
    intrusion prevention systems (IPS), servers, applications, and network
    devices.
   Logs and Events: It gathers logs and events from these sources to
    provide a comprehensive view of the security status.
2. Normalization
   Standardization: The collected data is normalized, meaning it is
    converted into a common format that allows for consistent analysis
    and correlation.
   Filtering: Irrelevant or redundant data is filtered out to focus on
    significant security events.
Key Components of SIEM
3. Correlation
   Cross-Referencing: SIEM correlates data from different sources to
    identify patterns and detect anomalies that may indicate a security
    threat.
   Rules and Algorithms: It uses predefined rules and advanced
    algorithms to correlate events and highlight suspicious activities.
   If user downloads file → runs suspicious script → sends large data externally
    in short time → Raise a “Possible Data Exfiltration” alert.
4. Real-Time Monitoring and Alerting
   Continuous Monitoring: SIEM provides continuous, real-time
    monitoring of security events across the network.
   Alerts: When a potential security incident is detected, SIEM
    generates alerts to notify security personnel.
Key Components of SIEM
5. Incident Response
   Automated Responses: SIEM can trigger automated responses to
    certain types of security incidents, such as blocking IP addresses or
    quarantining compromised systems.
   Manual Responses: It also provides tools and information to assist
    security teams in investigating and responding to incidents manually.
6. Reporting and Analysis
   Reports: SIEM generates detailed reports on security incidents,
    trends, and compliance status.
   Analytics: It includes analytical tools for deep investigation and
    understanding of security events.
Key Components of SIEM
7. Compliance Management
  Regulatory Compliance: SIEM helps organizations meet
   regulatory compliance requirements by providing the necessary
   logging, reporting, and audit capabilities.
Benefits of SIEM
 Comprehensive Visibility: Provides a centralized view of the security
  posture of the entire organization.
 Enhanced Threat Detection: Correlates data from multiple sources to
  detect complex threats that may go unnoticed by individual security tools.
 Improved Response Times: Real-time monitoring and automated responses
  help mitigate threats quickly.
 Regulatory Compliance: Assists organizations in complying with various
  regulatory requirements by maintaining detailed logs and generating necessary
  reports.
 Incident Investigation: Facilitates thorough investigation of security
  incidents with detailed logs and analytical tools.
[Figure: SIEM Summary]
Case Scenario
Scenario: A financial institution uses SIEM to monitor its network for security
   threats.
1. Data Collection: SIEM collects logs from
      Firewalls (traffic allowed and blocked, connection attempts, and port scans)
      IDS/IPS (data payload analysis)
      Antivirus software (malware, suspicious file activities)
      Servers (Logs system events, user activities, access attempts, and application
       behaviors)
2. Normalization and Correlation: The system normalizes the data and
   correlates events across different sources to identify suspicious activities.
    Converts logs from different formats into a unified format.
    Removes irrelevant data to focus on significant security events.
    Event Linking and Pattern Detection: port scanning (IDS alert) →
       connection attempts (firewall logs) → failed login attempts (server logs) →
       successful login from an unusual location.
Case Scenario (Contd..)
 Alert Generation: SIEM detects an unusual pattern of failed login
  attempts followed by successful access from an unusual location and
  generates an alert.
   SIEM generates an alert indicating a potential brute force attack or
      credential stuffing.
 Response: The security team receives the alert and investigates the
  incident, finding and mitigating a potential breach attempt.
   Confirm whether the successful login was authorized by contacting the user
      or checking additional logs.
     Temporarily disable the compromised user account.
     Block the suspicious external IP at the firewall.
     Isolate the workstation where the suspicious executable was detected.
     Conduct a forensic analysis of the compromised server and affected
      workstation.
Case Scenario (Contd..)
 Reporting: SIEM generates a detailed report on the
 incident, including the timeline of events and actions taken,
 helping the institution to refine its security policies and
 comply with regulatory requirements.
   Timeline of Events: From the initial port scanning activity to
    the successful login and subsequent response actions.
   Actions Taken: Details of the steps taken to mitigate the
    threat, including account and network actions.
   Findings: Analysis results from the forensic investigation.
   Recommendations: Suggestions for improving security
    policies and preventive measures.
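The event correlation at the heart of this scenario, as an added example written for this page (not code from the slides or from any SIEM product): a small rule engine that consumes already-normalised events from several sources and fires when an ordered chain of stages completes for the same correlation key inside a time window. The two rules encode the chains the page describes: port scan, connection attempts, repeated failed logins, then a success from an unusual location (keyed by source IP), and file download, script execution, then a large outbound transfer (keyed by user). All events, addresses, user names, sizes and windows are constructed.

```python
"""Multi-source event correlation of the kind a SIEM rule engine performs.
Added example for these slides, not code from the original page. The events,
sources, addresses and time windows are constructed."""
from datetime import datetime, timedelta


def ev(when, source, etype, **fields):
    """One normalised event: (timestamp, source system, event type, fields)."""
    return (datetime.fromisoformat(when), source, etype, fields)


HOME_GEOS = {"DE"}

# Constructed, already-normalised events from several sources, deliberately
# not in time order to show that the engine sorts them first.
EVENTS = [
    ev("2024-05-12T10:01:30", "server", "login_failed", src_ip="203.0.113.7", user="jdoe"),
    ev("2024-05-12T10:00:00", "ids", "port_scan", src_ip="203.0.113.7"),
    ev("2024-05-12T10:01:10", "firewall", "conn_attempt", src_ip="203.0.113.7", dst_port=22),
    ev("2024-05-12T10:01:45", "server", "login_failed", src_ip="203.0.113.7", user="jdoe"),
    ev("2024-05-12T10:02:00", "server", "login_failed", src_ip="203.0.113.7", user="jdoe"),
    ev("2024-05-12T10:03:05", "server", "login_success", src_ip="203.0.113.7", user="jdoe", geo="RU"),
    # A scanner that never gets past the firewall: no alert.
    ev("2024-05-12T10:04:00", "ids", "port_scan", src_ip="198.51.100.23"),
    ev("2024-05-12T10:04:30", "firewall", "conn_attempt", src_ip="198.51.100.23", dst_port=443),
    # Normal admin login from the home country: no alert.
    ev("2024-05-12T10:05:00", "server", "login_success", src_ip="10.0.0.5", user="admin", geo="DE"),
    # Exfiltration chain by one user within a few minutes.
    ev("2024-05-12T11:00:00", "edr", "file_download", user="alice", host="ws-17"),
    ev("2024-05-12T11:02:00", "edr", "script_exec", user="alice", host="ws-17"),
    ev("2024-05-12T11:04:00", "firewall", "outbound_transfer", user="alice", bytes=850_000_000),
    # The same chain spread over 40 minutes: outside the window, no alert.
    ev("2024-05-12T12:00:00", "edr", "file_download", user="bob", host="ws-03"),
    ev("2024-05-12T12:30:00", "edr", "script_exec", user="bob", host="ws-03"),
    ev("2024-05-12T12:40:00", "firewall", "outbound_transfer", user="bob", bytes=900_000_000),
]

# A rule is an ordered list of (predicate, required_count) stages that must
# all occur, for the same correlation key, inside one time window.
RULES = [
    {
        "name": "Brute force then success from unusual location",
        "key": "src_ip",
        "window": timedelta(minutes=10),
        "stages": [
            (lambda e: e[2] == "port_scan", 1),
            (lambda e: e[2] == "conn_attempt", 1),
            (lambda e: e[2] == "login_failed", 3),
            (lambda e: e[2] == "login_success" and e[3].get("geo") not in HOME_GEOS, 1),
        ],
    },
    {
        "name": "Possible data exfiltration",
        "key": "user",
        "window": timedelta(minutes=15),
        "stages": [
            (lambda e: e[2] == "file_download", 1),
            (lambda e: e[2] == "script_exec", 1),
            (lambda e: e[2] == "outbound_transfer" and e[3].get("bytes", 0) > 100_000_000, 1),
        ],
    },
]


def correlate(events, rules):
    """Run every rule over the time-ordered events; return (rule, key, time) alerts."""
    alerts = []
    for rule in rules:
        partial = {}  # correlation key -> progress through the stage list
        for event in sorted(events, key=lambda e: e[0]):
            when, _source, _etype, fields = event
            key = fields.get(rule["key"])
            if key is None:
                continue
            progress = partial.get(key)
            if progress and when - progress["start"] > rule["window"]:
                # Stale chain: an attacker who paces slowly enough slips past the window.
                del partial[key]
                progress = None
            if progress is None:
                if not rule["stages"][0][0](event):
                    continue
                progress = partial[key] = {"stage": 0, "count": 0, "start": when}
            predicate, needed = rule["stages"][progress["stage"]]
            if predicate(event):
                progress["count"] += 1
                if progress["count"] >= needed:
                    progress["stage"] += 1
                    progress["count"] = 0
                    if progress["stage"] == len(rule["stages"]):
                        alerts.append((rule["name"], key, when.isoformat()))
                        del partial[key]
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS, RULES):
        print(alert)
```

Two limits of this style of rule are visible in the data: the second copy of the exfiltration chain is missed only because it was paced across 40 minutes, and the brute-force rule would never fire for an attacker who skips the port scan, because stages are strictly ordered. Real deployments therefore pair sequence rules with longer-lived per-entity risk scores, and choose the correlation key with care (keying on source IP, for instance, merges every user behind a NAT gateway into one chain).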
SOAR
 Security Orchestration, Automation, and Response (SOAR)
  is a category of technologies designed to help organizations
  manage and respond to security incidents in a more efficient
  and automated manner.
 SOAR automates and coordinates security incident response,
  reducing the workload on security teams.
Components of SOAR
1. Orchestration
 Integration: SOAR platforms integrate with various
   security tools (like SIEM, firewalls, threat intelligence
   platforms, endpoint detection and response tools, etc.) and
   IT systems to centralize and streamline security operations.
 Workflow Automation: They allow for the creation of
  automated workflows that coordinate actions across different
  systems and tools.
Components of SOAR
2. Automation
 Automated Response: Automates repetitive and time-
   consuming tasks such as log analysis, incident response, and
   threat containment, reducing the burden on human analysts.
 Playbooks: Predefined, automated response procedures
  (playbooks) that can be triggered by specific security events
  or alerts to handle common incidents without human
  intervention.
Components of SOAR
3. Response:
 Incident Management: Helps in managing the lifecycle of
   security incidents from detection through resolution,
   ensuring that incidents are tracked, analyzed, and resolved
   efficiently.
 Case Management: Provides tools for documenting,
  tracking, and managing incident investigations, including
  evidence collection and collaboration among analysts.
SOAR and SIEM