Revision for Term 1 - CSU1288 - Shoolini U

Revision for Term 1

What is an Attack?

An attack in cybersecurity means someone intentionally trying to harm, disrupt, or gain unauthorized access to computers or networks.

Types of Attacks

  1. Scanning Attacks:
    • Attackers probe systems to find vulnerabilities.
    • Examples: Port scanning, vulnerability scanning.
  2. Denial-of-Service (DoS):
    • Overloads systems, making them unusable.
    • Types: Flooding attacks (e.g., SYN flood), Application-layer attacks (e.g., HTTP flood), Distributed Denial-of-Service (DDoS).
  3. Penetration Attacks:
    • Attackers exploit vulnerabilities to gain unauthorized access.
    • Examples: SQL injection, Cross-Site Scripting (XSS), Privilege escalation.
  4. Social Engineering Attacks:
    • Manipulating people to share sensitive info (e.g., phishing, baiting).

Detection and Prevention

  • Detection means spotting attacks as soon as they occur.
  • Prevention means actively blocking these attacks from causing damage.

Methods for Detection & Prevention

  • Intrusion Detection Systems (IDS):
    • Monitor and alert on suspicious activities.
  • Intrusion Prevention Systems (IPS):
    • Actively block malicious traffic immediately.

Tools & Technologies Used

For Detection

  • IDS and related detection tools:
    • Snort (Network-based IDS)
    • OSSEC (Host-based IDS)
    • Wireshark (Packet analyzer): Captures and inspects network packets.
    • Nessus/OpenVAS: Scans systems for known vulnerabilities.

For Prevention

  • IPS Tools (e.g., Suricata, ModSecurity):
    • Perform real-time threat blocking.
  • Firewalls: Control and filter traffic.
  • Encryption: Protect sensitive data.
  • Anti-malware and Antivirus software: Detect and block malware.
  • Security Information & Event Management (SIEM): Centralized monitoring, analyzing logs, and rapid threat detection.

Why important?

  • Early detection and prevention reduce potential damage.
  • No single method or tool can handle all attacks; therefore, using multiple tools together (layered security) is essential for robust protection.

Threats to Data

A data threat is anything that can harm, damage, or compromise your valuable information—like losing important documents or someone stealing your password.

Types of Data Threats

1. Internal Threats (from within organizations)

  • Employees or Insiders who misuse their access intentionally (malicious) or unintentionally due to negligence (careless).
  • Example: An employee accidentally exposing sensitive information by clicking on a phishing email.

2. External Threats (from outside attackers)

  • Attacks by hackers or cybercriminals who have no authorized access.
  • Examples: Phishing, Malware, DDoS attacks.

Why are threats critical?

  • They can lead to data loss, financial damage, reputation harm, or even legal consequences.
  • Can compromise confidentiality, integrity, or availability of data.

Protective Measures against threats

  • Internal: Employee training, least privilege access (grant minimal required access).
  • External: Firewalls, IDS/IPS, encryption, and regular vulnerability assessments.

Intrusion Detection System (IDS) Explained Simply

What is IDS?

An Intrusion Detection System (IDS) is a security mechanism designed to monitor, analyze, and detect malicious activities or violations of security policies within computer systems or networks.

IDS is like a security guard for computers and networks. It watches everything that happens to identify if someone tries to enter or misuse the system without permission.

Types of Intrusion Detection Systems (IDS)

IDS monitors computers or networks to identify security threats or unauthorized activities.

1. Host-Based IDS (HIDS)

  • What it does: Checks individual computers (hosts) by analyzing system logs, file changes, and running processes for suspicious activity.
  • Example: OSSEC, Tripwire
  • Use case: Detecting insider threats or unauthorized file modifications.

2. Network-Based IDS (NIDS)

  • What it does: Monitors network traffic to identify threats before they reach individual computers. Checks network packets for malicious patterns.
  • Example: Snort, Suricata
  • Use case: Identifying network-wide threats (e.g., external attackers scanning your network).

3. Protocol-Based IDS (PIDS)

  • What it does: Specifically analyzes network protocols (e.g., HTTP, DNS) for abnormal patterns or malicious activities.
  • Example: ModSecurity
  • Use case: Protecting web servers and services from protocol-specific attacks like SQL injection.

4. Hybrid IDS

  • What it does: Combines the capabilities of both Network-based and Host-based IDS, providing a complete view across network and host environments.
  • Example: Suricata
  • Use case: Large organizations requiring comprehensive security coverage at network and host levels.

Why different types?

  • Each IDS type has strengths and weaknesses.
    • HIDS detects threats deep within systems but is resource-heavy.
    • NIDS efficiently protects networks but misses internal threats.
    • PIDS offers deep protocol analysis but limited overall scope.
  • Hybrid IDS provides a balanced approach, reducing individual limitations through integration.

Quick Recap

  1. Network-based (NIDS) – Watches network traffic for suspicious activities. (Example: Snort)
  2. Host-based (HIDS) – Checks individual computers for unauthorized changes. (Example: OSSEC)
  3. Protocol-based (PIDS) – Looks closely at network protocols (like HTTP) for unusual behavior. (Example: ModSecurity)
  4. Hybrid IDS – Combines network and host checks for complete security. (Example: Suricata)

Role (Purpose) of IDS

  • Watch and detect threats in real-time.
  • Inform immediately when a threat is detected.
  • Record events for later analysis (like security camera footage).

Advantages

  • Detects threats quickly.
  • Alerts you immediately so you can act fast.
  • Useful for security audits and investigations.

Disadvantages

  • Generates false alarms, which cause confusion and can lead to genuine threats being ignored.
  • Needs regular updates and fine-tuning—can be resource-heavy.
  • Struggles with encrypted or very advanced attacks.

Where is IDS used practically?

  • Banks (to protect financial data)
  • Hospitals (to keep patient data safe)
  • Companies and government offices (to secure sensitive information)

When do we use IDS?

  • When constant security is needed.
  • When handling important or regulated data.

IDS Architecture

The architecture of an Intrusion Detection System (IDS) defines how it gathers data, analyzes it, and alerts you about threats.

Key Components of IDS Architecture

1. Sensors (Data Collection Layer):

  • Act like eyes and ears.
  • Collect data from network traffic (network sensors) or from system logs/files (host sensors).

2. Detection Engine (Analysis Layer):

  • The brain of the IDS.
  • Uses two main detection methods:
    • Signature-based: Checks data against known attack patterns.
    • Anomaly-based: Finds unusual activities by comparing against normal patterns.

3. Alerting System (Notification Layer):

  • Immediately informs administrators or security systems when it finds something suspicious.
  • Uses emails, dashboards, or Security Information and Event Management (SIEM) systems.

4. Response System (Action Layer - Optional):

  • Can be passive (just alerts) or active (takes immediate action, e.g., blocks traffic or isolates systems).

How Does IDS Work End-to-End?

Sensors → Detection Engine → Alerting System → Response System

  • Sensors collect and forward data.
  • Detection engine analyzes and identifies threats.
  • Alerting system notifies administrators instantly.
  • Response system takes action (if configured).

Why this architecture matters

  • Clearly separates tasks: Data collection, analysis, notification, and response.
  • Allows quick detection and response to threats.
  • Easy to manage and tune each part individually for maximum effectiveness.

Quick Recap: How IDS works

  • Collect data: IDS sensors gather system or network data.
  • Analyze data: Checks if the data matches known attacks or unusual patterns.
  • Alert & respond: Warns the administrator, who then acts.

Information Sources for IDS

Information sources are the data that IDS uses to detect threats or suspicious activities.

1. Host-Based Sources

These are data collected directly from individual computers (hosts).

  • System Logs: Record events such as logins, file access, or errors.
  • File Integrity Checks: Track changes to important files or directories.
  • Process Monitoring: Monitors what software is running on a system.
  • Audit Trails: Detailed records of user activities (e.g., login/logout history).

Example Tools: OSSEC, Tripwire
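As an added example (not from these notes and not the code of OSSEC or Tripwire), the file integrity check described above in Python: every file under a directory is hashed to form a baseline, and a later run reports files added, removed, or modified since. The directory layout and file contents are constructed for the example and are not real system files.

```python
import hashlib
import os
import tempfile

def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root):
    """Snapshot of a directory tree: relative path -> content hash."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root).replace(os.sep, "/")] = hash_file(full)
    return snap

def integrity_check(root, known):
    """Report files added, removed or modified (by content) since the baseline."""
    now = baseline(root)
    return {
        "added": sorted(set(now) - set(known)),
        "removed": sorted(set(known) - set(now)),
        "modified": sorted(p for p in now if p in known and now[p] != known[p]),
    }

def write(path, text, mode="w"):
    with open(path, mode) as f:
        f.write(text)

def demo():
    """Constructed scenario (assumed files, not a real host): baseline, tamper, check."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        write(os.path.join(etc, "passwd"), "root:x:0:0::/root:/bin/sh\n")
        write(os.path.join(etc, "hosts"), "127.0.0.1 localhost\n")
        known = baseline(root)  # stored while the host is in a trusted state
        write(os.path.join(etc, "passwd"), "newuser:x:1001:1001::/home/newuser:/bin/sh\n", "a")
        write(os.path.join(etc, "extra.conf"), "unexpected=1\n")  # added
        os.remove(os.path.join(etc, "hosts"))  # removed
        return integrity_check(root, known)
```

A real HIDS stores the baseline off-host or signs it, since an attacker who can edit files can also edit a baseline kept beside them.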

2. Network-Based Sources

These sources involve data collected from network traffic.

  • Network Traffic Logs: Capture and inspect data traveling through the network (packets).
  • Firewall Logs: Record allowed or blocked network connections.
  • Router and Switch Logs: Information about data movement across networks.
  • Packet Capture Tools: e.g., Wireshark, tcpdump for deep traffic analysis.

Example Tools: Snort, Suricata, Wireshark

Why Multiple Sources Matter

  • Combining host-based and network-based sources gives IDS a complete picture, increasing threat detection accuracy.
  • Host sources detect internal threats or misuse, while network sources identify external threats.

Why IDS is Needed

  • Attackers constantly develop new ways to bypass traditional security (like firewalls). IDS adds an essential security layer by detecting both known and unknown threats early.

What is an Intrusion Prevention System (IPS)?

IPS is like a security guard who not only watches but also actively stops unauthorized access or attacks before harm is done, instead of just observing.

Types of IPS

  • Network-based (NIPS): Guards entire network traffic (like a gatekeeper at the entrance).
  • Host-based (HIPS): Monitors a specific computer or device closely.
  • Wireless IPS (WIPS): Protects wireless networks from unauthorized access.
  • Application Layer IPS: Protects applications from threats like SQL injection.

Primary Conceptual Role

  • Actively prevents attacks by stopping malicious actions immediately as they happen.
  • Enforces security rules strictly, not just alerting but actively blocking threats.

Advantages

  • Blocks threats in real-time, thus minimizing damage.
  • Enforces security proactively, unlike IDS which only alerts.
  • Protects systems even if users don’t react promptly.

Disadvantages

  • Can mistakenly block legitimate traffic (False positives).
  • Deep packet inspection may slow down the network (Latency issue).
  • Complex to manage, requiring continuous tuning.

Practical Example

  • If attackers launch a DDoS attack, IPS identifies excessive harmful traffic and immediately blocks it, protecting the network before disruption occurs.

Why do we use IPS?

  • Traditional systems (like firewalls or IDS) only detect or partially stop threats. IPS directly blocks threats, significantly reducing real-time risks.

How IPS Works Conceptually

  • Step 1: Continuously inspects incoming network traffic.
  • Step 2: Compares this traffic against known attack patterns (signatures) and normal behaviors.
  • Step 3: Immediately blocks or mitigates threats upon detection.
  • Step 4: Alerts administrators simultaneously.
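The four IPS steps above and the IDS pipeline described earlier (Sensors → Detection Engine → Alerting System → Response System), as one added Python example that is not part of these notes: constructed events pass through a signature rule (a textbook SQL-injection probe) and an anomaly rule (a per-source SYN-rate baseline), and the same engine runs once in passive IDS mode and once in active IPS mode. The event format, addresses, and threshold are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample events (assumed format, not real traffic): three normal
# requests, one SQL-injection probe, then a burst of 60 SYNs from one source.
EVENTS = (
    [{"t": i * 0.2, "src": "10.0.0.5", "syn": True, "path": "/index.html"} for i in range(3)]
    + [{"t": 1.0, "src": "10.0.0.9", "syn": True, "path": "/login?user=' OR 1=1--"}]
    + [{"t": 2.0 + i * 0.01, "src": "10.0.0.7", "syn": True, "path": None} for i in range(60)]
)

# Signature-based detection: a known attack pattern (textbook SQL-injection probe).
SIGNATURES = {"sqli": re.compile(r"'\s*or\s*1\s*=\s*1", re.IGNORECASE)}

# Anomaly-based detection: "normal" is at most SYN_BASELINE SYNs per source
# in any one-second window; exceeding it is flagged as a SYN flood.
SYN_BASELINE = 20

def detect(event, syn_windows):
    """Detection engine: returns the alert names raised by one event."""
    alerts = []
    path = event.get("path")
    if path and any(sig.search(path) for sig in SIGNATURES.values()):
        alerts.append("signature:sqli")
    if event.get("syn"):
        key = (event["src"], int(event["t"]))  # one-second bucket per source
        syn_windows[key] += 1
        if syn_windows[key] == SYN_BASELINE + 1:  # alert once per window
            alerts.append("anomaly:syn-flood")
    return alerts

def run_pipeline(events, mode="ids"):
    """Sensors -> detection engine -> alerting -> response.
    mode="ids" is passive (alerts only); mode="ips" also blocks the source."""
    syn_windows, blocked, alerts, forwarded = Counter(), set(), [], 0
    for event in events:  # the sensor hands events to the engine one by one
        if event["src"] in blocked:
            continue  # active response already dropped this source
        for name in detect(event, syn_windows):
            alerts.append((event["src"], name))  # alerting layer
            if mode == "ips":
                blocked.add(event["src"])  # response layer, active mode
        if event["src"] not in blocked:
            forwarded += 1  # traffic allowed through to its destination
    return alerts, blocked, forwarded
```

In IDS mode both alerts are raised but all 64 events are forwarded; in IPS mode the same engine also blocks both sources, so only 23 events get through, which is the difference between the two systems in one run.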

When and Where do we deploy IPS?

  • In environments needing real-time protection (e.g., banking transactions, healthcare systems).
  • Where a security breach can have severe consequences (critical infrastructure).

Why is IPS critical despite having Firewalls?

  • Firewalls block based on simple rules, missing sophisticated or unknown threats.
  • IPS provides deeper analysis and proactive real-time blocking, significantly reducing risk exposure.

Why do we need IDS/IPS when we already have a Firewall?

A firewall acts like a gatekeeper, allowing or blocking traffic based on predefined rules—much like a security guard checking IDs at a building’s entrance. But firewalls mainly deal with basic rules (source/destination), not deeper or unusual behavior patterns.

Limitations of Firewall

  • Only detects threats it explicitly knows about.
  • Can't effectively detect sophisticated or unknown threats.
  • Doesn’t analyze detailed traffic patterns deeply.

Conceptual Need for IDS/IPS

IDS and IPS complement firewalls by adding deeper analysis:

  • IDS (Intrusion Detection System):
    Acts like security cameras, constantly watching for suspicious activities and immediately notifying authorities when unusual actions occur, but doesn’t directly stop them.

  • IPS (Intrusion Prevention System):
    Actively intervenes to stop attacks immediately—like a security guard who doesn’t just notice but also physically stops the intruder.

Why we specifically need IDS/IPS

  1. Advanced Threat Detection:
    Firewalls alone cannot detect new or unknown attacks. IDS/IPS use anomaly detection and behavioral analysis, identifying threats before they cause harm.

  2. Internal Security:
    Firewalls primarily watch external boundaries; IDS/IPS can detect threats occurring within the network or hosts (insider threats).

  3. Real-time Response:
    IPS can instantly block harmful actions, reducing damage significantly compared to firewalls alone.

  4. Regulatory Compliance:
    Organizations must follow standards like GDPR or HIPAA, which require detailed monitoring and active prevention capabilities beyond firewalls.

Perspective

  • Relying only on a firewall leaves significant security gaps; it is only effective against known or straightforward threats.
  • IDS/IPS fills these critical gaps by monitoring behaviors, detecting unknown threats, and proactively stopping sophisticated attacks.