1. Overview of IDS Components

• Detection Engine: Analyzes data to detect potential intrusions.
• Data Sources: Collects information from hosts and networks.
• Alerting System: Notifies administrators of security threats.
• Response System: Takes action when an intrusion is detected.

2. Information Sources in IDS

• Definition: Raw data collected to detect threats and malicious activity.
• Types:

1. Host-Based Information Sources
2. Network-Based Information Sources

3. Host-Based Information Sources

• Definition: Data collected from individual systems (e.g., servers, workstations).
• Key Sources:
  • System Logs: OS and application logs (e.g., Linux syslog, Windows Event Logs).
  • File Integrity Checking: Detects unauthorized file changes (Tripwire, OSSEC).
  • Process Monitoring: Tracks system activity and CPU/memory usage.
  • Audit Trails: Logs user activities and security events.

Advantages:

• Detects insider threats.
• Provides detailed host-level monitoring.

4. Network-Based Information Sources

• Definition: Monitors network traffic to detect intrusion attempts.
• Key Sources:
  • Network Traffic Logs: Captures data packets (Wireshark, tcpdump).
  • Firewall Logs: Monitors blocked/unusual network activity (pfSense, Cisco ASA).
  • Router/Switch Logs: Records packet forwarding details (Cisco, Juniper).
  • NIDS/NIPS Logs: Logs from Snort, Suricata, Bro IDS.

Advantages:

• Detects external threats before they reach endpoints.
• Provides network-wide threat visibility.

5. Combining Host-Based & Network-Based Sources

• Why Combine?
  • Holistic View: Detects both internal and external attacks.
  • Enhanced Threat Detection: Identifies attacks that bypass individual defenses.
  • Real-Time Monitoring: Improves response to active threats.

Example:

• An attacker may bypass network defenses but leave traces in host logs (e.g., file modifications).

6. Goals of Intrusion Detection Systems (IDS)

Primary Goals:

1. Attack Detection: Identifies unauthorized access and policy violations.
2. Alerting & Notification: Notifies security teams of potential threats.
3. Forensic Analysis: Logs data to aid in security investigations.
4. Attack Prevention: When integrated with Intrusion Prevention Systems (IPS).

Secondary Goals:

• Policy Enforcement: Ensures compliance with security standards.
• Resource Protection: Detects and prevents resource exhaustion attacks.

7. IDS Architecture

• Key Components:
  • Sensors: Collect data from hosts and networks.
  • Analysis Engine: Detects patterns of attacks (Signature-Based & Anomaly-Based).
  • Alerting Mechanism: Sends notifications via Email, SMS, SIEM dashboards.
  • Response System: Takes action (passive logging or active blocking).

8. IDS Detection Mechanisms

• Signature-Based Detection: Matches known attack patterns.
• Anomaly-Based Detection: Identifies deviations from normal behavior.

9. IDS Alerting System

• Real-Time Alerts: Immediate notifications for critical threats.
• Log-Based Alerts: Alerts generated from event logs.

10. IDS Response System

• Passive Response: Logs the threat but takes no direct action.
• Active Response: Blocks attackers (e.g., blacklisting IPs).
• Integration with IPS: Automates prevention for detected threats.

11. IDS Design Considerations

1. Scalability: Can handle high traffic volumes.
2. Accuracy: Minimizes false positives/negatives.
3. Deployment Flexibility: Uses HIDS, NIDS, or Hybrid IDS based on environment.
4. Integration: Works with firewalls, SIEMs, and other security tools.

Conclusion

• IDS collects and analyzes host-based and network-based data to detect threats.
• Combining both sources improves detection accuracy and response times.
• IDS plays a crucial role in network security and incident response.