Due to a growing number of intrusions and since the Internet and local networks have become so ubiquitous, organizations increasingly implementing various systems that monitor IT security breaches. Intrusion Detection Systems (IDS) are those that have recently gained a considerable amount of interest. This is an introductory article to this topic. It gives an overview of several types of detectable attacks, symptoms that help in intrusion detection, describes IDS tasks, different architectures and concepts in this field.
1.What is an Intrusion Detection System?
An Intrusion Detection System (abbreviated as IDS) is a
defense system, which detects hostile activities in a network.
The key is then to detect and possibly prevent activities that
may compromise system security, or a hacking attempt in progress
including reconnaissance/data collection phases that involve for
example, port scans. One key feature of intrusion detection
systems is their ability to provide a view of unusual activity
and issue alerts notifying administrators and/or block a
suspected connection. According to Amoroso , intrusion
detection is „a process of identifying and responding to
malicious activity targeted at computing and networking
resources". In addition, IDS tools are capable of distinguishing
between insider attacks originating from inside the organization
(coming from own employees or customers) and external ones
(attacks and the thread posed by hackers).
2.What is not an IDS?
Contrary to popular market(ing) belief and terminology employed in the literature on intrusion detection systems, not everything falls into this category. In particular, the following security devices are NOT IDS:
A taxonomy of attacks and intrusions
Since intrusion detection systems deal with hacking breaches, let us take a closer look at these dangerous activities. To assist in the discussion of their taxonomy, some definitions will be helpful although they may vary :
Generally, attacks can be categorized in two areas:
In terms of the relation intruder-victim, attacks are categorized as:
Attacks are also identified by the source category, namely those performed from internal systems (local network), the Internet or from remote dial-in sources). Now, let us see what types of attacks and abuses are detectable (sometimes hardly detectable) by IDS tools to put them in the ad-hoc categorization. The following types of attacks can be identified:
It is important to remember, that most attacks are not a single action, rather a series of individual events developed in a coordinated manner.
3.You are at risk
To recognise possible attacks, examine systems for any abnormal behavior . This may be helpful in detecting real attacks. Let us take a closer look at the types of symptoms that are helpful in tracing intruders.
4.Utilizing known vulnerabilities
In most cases, any attempt to take advantage of faults in
organization security systems may be considered as an attack and
this is the most common symptom of an intrusion. However the
organization itself may “facilitate” the task of attackers,
using tools which aid in the process of securing its network –
so called security and file integrity scanners. They operate
either locally (assisting system administrators in vulnerability
assessment) or remotely but may also be deliberately used by
5.Recurrent abnormal network activity
An intruder actually trying to compromise a system often uses
a large number of exploits and makes many unsuccessful attempts.
His activities differ from those of the user working with the
system  Mans00]. Any penetration-testing tool should be able
to identify suspicious activities after a certain threshold has
been exceeded. Then, an alert may be produced and diffused. This
passive technique allows detection of intruders without
discovering a clear picture of the event (exploits involved,
tools, services, software configuration, etc.), by only
quantitatively examining network activities.
6.Mistyped commands or answers in automated sessions
Network services and protocols are documented in a precise manner and use determining software tools. Any incompability with known patterns (including typical human errors such as misprints occurring in network packets) may be valuable information to detect services that are possibly being targeted by an intruder.
If the system audit facility uses, for example, send mail relaying, then the relevant log sequence behaves in a regular and predictable manner. However, if the log indicates that a specific process has given illegal commands, it might be a symptom of either a non-malicious event or a spoofing attempt.
The examining of hostile attempts may include:
7.Directional inconsistencies in traffic
Any directional inconsistency in packets or sessions is one
of the symptoms of a potential attack.
The following directional inconsistencies may be considered as attack evidence indicators:
8.Unexpected attributes as an intrusion symptom
The most frequent cases are the ones where one is expected to deal with a set of attributes of packets or specific requests for services. It is possible to define the expected attribute pattern. If encountered attributes do not match this pattern, this may indicate a successful intrusion or intrusive attempt.
There is also a more general notion than service mix, namely user and service profiles that help in distinguishing between typical and unexpected attributes. A signature file that holds a common set of services for a specific user may also store additional information composed of multiple attributes. These may include typical system-related working hours of the user, location of the workstation (site in geographic context, IP addresses), intensity of using resources, typical session duration by individual services.
9.Unexplained problems as intrusion indicators
A potential intruder may design its malicious activity with side effects that will cause odd behavior of the system. Monitoring such side effects is difficult since their location is hardly detectable , . Below there are some examples of:
10.Tasks to be performed
The main task of intrusion detection systems is defense of a computer system by detecting an attack and possibly repelling it. Detecting hostile attacks depends on the number and type of appropriate actions (Fig.1). Intrusion prevention requires a well-selected combination of “baiting and trapping” aimed at both investigations of threats. Diverting the intruder’s attention from protected resources is another task. Both the real system and a possible trap system are constantly monitored. Data generated by intrusion detection systems is carefully examined (this is the main task of each IDS) for detection of possible attacks (intrusions).
(Fig.1) Intrusion detection system activities
(Fig.2) Intrusion detection system infrastructure 
Once an intrusion has been detected, IDS issues alerts notifying administrators of this fact. The next step is undertaken either by the administrators or the IDS itself, by taking advantage of additional countermeasures (specific block functions to terminate sessions, backup systems, routing connections to a system trap, legal infrastructure etc.) – following the organization’s security policy (Fig.2). An IDS is an element of the security policy.
Among various IDS tasks, intruder identification is one of the fundamental ones. It can be useful in the forensic research of incidents and installing appropriate patches to enable the detection of future attack attempts targeted on specific persons or resources.
Intrusion detection may sometimes produce false alarms, for example as a result of malfunctioning network interface or sending attack description or signatures via email.
11.Structure and architecture of intrusion detection systems
An intrusion detection systems always has its core element - a sensor (an analysis engine) that is responsible for detecting intrusions. This sensor contains decision-making mechanisms regarding intrusions. Sensors receive raw data from three major information sources (Fig.3): own IDS knowledge base, syslog and audit trails. The syslog may include, for example, configuration of file system, user authorizations etc. This information creates the basis for a further decision-making process.
(Fig.3) A sample IDS. The arrow width is proportional to the amount of information flowing between system components 
The sensor is integrated with the component responsible for data collection (Fig.4) — an event generator. The collection manner is determined by the event generator policy that defines the filtering mode of event notification information. The event generator (operating system, network, application) produces a policy-consistent set of events that may be a log (or audit) of system events, or network packets. This, set along with the policy information can be stored either in the protected system or outside. In certain cases, no data storage is employed for example, when event data streams are transferred directly to the analyzer. This concerns the network packets in particular.
Fig.4 IDS components 
The role of the sensor is to filter information and discard any irrelevant data obtained from the event set associated with the protected system, thereby detecting suspicious activities. The analyzer uses the detection policy database for this purpose. The latter comprises the following elements: attack signatures, normal behavior profiles, necessary parameters (for example, thresholds). In addition, the database holds IDS configuration parameters, including modes of communication with the response module. The sensor also has its own database containing the dynamic history of potential complex intrusions (composed from multiple actions).
Intrusion detection systems can be arranged as either centralized (for example, physically integrated within a firewall) or distributed. A distributed IDS consists of multiple Intrusion Detection Systems (IDS) over a large network, all of which communicate with each other. More sophisticated systems follow an agent structure principle where small autonomous modules are organized on a per-host basis across the protected network . The role of the agent is to monitor and filter all activities within the protected area and — depending on the approach adopted — make an initial analysis and even undertake a response action. The cooperative agent network that reports to the central analysis server is one of the most important components of intrusion detection systems. DIDS can employ more sophisticated analysis tools, particularly connected with the detection of distributed attacks . Another separate role of the agent is associated with its mobility and roaming across multiple physical locations. In addition, agents can be specifically devoted to detect certain known attack signatures. This is a decisive factor when introducing protection means associated with new types of attacks . IDS agent-based solutions also use less sophisticated mechanisms for response policy updating .
One multi-agent architecture solution, which originated in 1994, is AAFID (Autonomous Agents for Intrusion Detection) — see Fig.5. It uses agents that monitor a certain aspect of the behavior of the system they reside on at the time. For example, an agent can see an abnormal number of telnet sessions within the system it monitors. An agent has the capacity to issue an alert when detecting a suspicious event. Agents can be cloned and shifted onto other systems (autonomy feature). Apart from agents, the system may have transceivers to monitor all operations effected by agents of a specific host. Transceivers always send the results of their operations to a unique single monitor. Monitors receive information from a specific network area (not only from a single host), which means that they can correlate distributed information. Additionally, some filters may be introduced for data selection and aggregation , .
(Fig.5) An AAFID compliant representation of an intrusion detection system employing autonomous agents 
If you would like us to email you when one of our authors releases another article on WindowSecurity.com, subscribe to our 'Real-Time Article Update' by clicking here. Please note that we do NOT sell or rent the email addresses belonging to our subscribers; we respect your privacy!