Intrusion detection


In information security, intrusion detection is the act of detecting actions that attempt to compromise the confidentiality, integrity or availability of a resource. When intrusion detection takes a preventive measure without direct human intervention, it becomes an intrusion prevention system.

Intrusion detection can be performed manually or automatically. Manual intrusion detection might take place by examining log files or other evidence for signs of intrusions, including network traffic. A system that performs automated intrusion detection is called an Intrusion Detection System (IDS). An IDS can be either host-based, if it monitors system calls or logs, or network-based if it monitors the flow of network packets. Modern IDSs are usually a combination of these two approaches. Another important distinction is between systems that identify patterns of traffic or application data presumed to be malicious (misuse detection systems), and systems that compare activities against a 'normal' baseline (anomaly detection systems).

When a probable intrusion is discovered by an IDS, typical actions to perform would be logging relevant information to a file or database, generating an email alert, or generating a message to a pager or mobile phone.

Determining what the probable intrusion actually is and taking some form of action to stop it or prevent it from happening again are usually outside the scope of intrusion detection. However, some forms of automatic reaction can be implemented through the interaction of Intrusion Detection Systems and access control systems such as firewalls.

Some authors classify techniques that identify attack attempts at the system they originate from as extrusion detection (also known as outbound intrusion detection).

Intrusion prevention is an evolution of intrusion detection.

Theory

Fred Cohen published in 1984 that detection of computer viruses is undecidable and NP-complete. [Cohen, Fred, "Computer Viruses: Theory and Experiments," 7th DOD/NBS Computer Security Conference, Gaithersburg, MD, September 24-26, 1984.] In layman's terms, this means that it is impossible to detect every type of intrusion in every case, and that the resources needed to detect intrusions grow with the amount of network traffic.

Paul Helman et al. in 1992 used a scale from 0 to 1 to represent behaviour ranging from normal (0) to misuse (1). [Helman, Paul, Liepins, Gunar, and Richards, Wynette, "Foundations of Intrusion Detection," The IEEE Computer Security Foundations Workshop V, 1992] The purpose of an intrusion detection system is to provide this rating for computer activities. Helman showed that the difficulties in doing so include imperfect and incomplete information, plus the large number, estimated at 10^100, of potential events. When events are grouped to reduce the number of possibilities, reducing the singleton groups becomes an NP-hard problem. Helman calls the above a modeling approach. The alternative is non-modeling approaches, which include heuristics, clustering algorithms, and statistics.
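The misuse-versus-anomaly distinction described earlier and Helman's 0-to-1 rating, as an added Python example that is not part of the article: a signature list stands in for misuse detection, a per-source failed-login baseline stands in for anomaly detection, and each line of the examined window gets a single score. The log lines, the signature list and the TOLERANCE constant are constructed assumptions, not taken from any real system or from the cited papers.

```python
import re
from collections import Counter
# Constructed auth-log style lines (illustrative, not real captures): BASELINE
# is a quiet period taken as "normal", WINDOW is the period being examined.
BASELINE = [
    "sshd: Accepted password for alice from 10.0.0.5",
    "sshd: Failed password for alice from 10.0.0.5",
]
WINDOW = [
    "sshd: Failed password for root from 203.0.113.9",
    "sshd: Failed password for root from 203.0.113.9",
    "sshd: Failed password for admin from 203.0.113.9",
    "sshd: Accepted password for alice from 10.0.0.5",
    "httpd: GET /cgi-bin/../../etc/passwd from 203.0.113.9",
]
# Misuse detection: fixed patterns of activity presumed malicious.
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./"),
    "root login attempt": re.compile(r"for root from"),
}
# Anomaly detection: failed logins above the baseline maximum that rate a
# source fully anomalous (a tunable assumption, not from the article).
TOLERANCE = 2
def misuse_score(line):
    """Return (1.0, signature name) on a match, else (0.0, None)."""
    hits = [name for name, pat in SIGNATURES.items() if pat.search(line)]
    return (1.0, hits[0]) if hits else (0.0, None)

def failed_counts(lines):
    """Count failed logins per source address."""
    pat = re.compile(r"Failed password for \S+ from (\S+)")
    return Counter(m.group(1) for m in map(pat.search, lines) if m)

def anomaly_score(baseline, window, source):
    """How far the source's failed logins in the window exceed the baseline."""
    normal_max = max(failed_counts(baseline).values(), default=0)
    excess = failed_counts(window)[source] - normal_max
    return min(1.0, max(0.0, excess / TOLERANCE))

def assess(baseline, window):
    """Rate each window line on Helman's 0 (normal) to 1 (misuse) scale."""
    results = []
    for line in window:
        score, reason = misuse_score(line)
        src = re.search(r"from (\S+)", line)
        anomaly = anomaly_score(baseline, window, src.group(1)) if src else 0.0
        if anomaly > score:
            score, reason = anomaly, "failed-login count above baseline"
        results.append((line, round(score, 2), reason))
    return results
```

Note that the "admin" failure carries no signature and is caught only by the baseline comparison, while the first "root" line matches a signature outright; in a real deployment the baseline would be learned over a much longer quiet period than two lines.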

Resources

For more information about intrusion detection and intrusion prevention:

"Network Intrusion Detection", 3rd ed. ISBN 0-7357-1265-4
ACM's Introduction to Intrusion Detection: http://www.acm.org/crossroads/xrds2-4/intrus.html
CERT Intruder Detection Checklist: http://www.cert.org/tech_tips/intruder_detection_checklist.html
SANS Intrusion Detection Systems FAQ: http://www.sans.org/resources/idfaq/



Wikimedia Foundation. 2010.
