Network intrusion detection systems (NIDS) are a network security technology that monitors network traffic for suspicious activity and issues alerts when action is required to deal with a threat. Any malicious activity detected is reported and can be collected centrally by a security information and event management (SIEM) system.
This essay explains and compares network intrusion detection systems (NIDS).
Security information and event management (SIEM) software gives enterprise security teams both insight into, and a record of, the activity within their IT environment. A SIEM combines outputs from multiple sources and applies alarm filtering to separate malicious actions from background noise. Intrusion detection itself comes in two main forms, host-based and network-based. In this essay, I look at both techniques, identify what classifies as a NIDS, and compare different types of NIDS.
Classification of Network Intrusion Detection Systems (NIDS);
As highlighted in the introduction, there are two main types of system: host-based intrusion detection (HIDS) and network intrusion detection (NIDS). A HIDS monitors malicious activity on a single computer, whereas a NIDS monitors traffic on the network to detect intrusions. The practical difference is in the data each sees: a NIDS inspects live packets as they cross a monitored link, while a HIDS works from host-side evidence such as log files, file integrity and process activity. Both can employ a strategy known as signature-based detection or anomaly-based detection.
Anomaly-based detection searches for unusual or irregular activity by users or processes. For instance, if the network is accessed with the same login credentials from several different cities around the globe in the same day, that is a sign of anomalous behavior. A HIDS using anomaly-based detection surveys log files for indications of unexpected behavior, while a NIDS watches for the anomalies in real time in the traffic itself.
Signature-based detection matches data against known patterns. A HIDS running signature-based detection works much like an anti-virus product, which searches files for byte patterns or keywords; the HIDS performs similar scans on log files. A signature-based NIDS resembles a firewall in that it sits on the traffic path, but where a packet-filtering firewall decides mainly on headers, a signature NIDS inspects keywords and byte patterns in packet payloads, packet types and protocol activity entering and leaving the network, and runs the same scans on traffic moving within the network.
Comparison of different types of Network Intrusion Detection Systems (NIDS);
There are various types of NIDS available to protect a network from external threats. So far this essay has discussed HIDS and NIDS, and signature-based and anomaly-based detection. Each pair functions differently, but when combined they complement each other.
For example, a HIDS only examines host-based activity such as which applications are being used, which files are being accessed, and what the kernel and system logs record. A NIDS analyzes network traffic for suspicious activity. A NIDS can therefore detect an attacker's reconnaissance and exploit attempts on the wire before a host is compromised, whereas a HIDS generally cannot detect that anything is wrong until the attacker has already acted on the host.
Signature-based IDS and anomaly-based IDS contrast with each other. An anomaly-based IDS monitors activity on the network and raises an alarm if anything suspicious, i.e. anything other than the learned normal behavior, is detected.
There are several known weaknesses of anomaly-based IDS. Both Carter (2002) and Garcia-Teodoro et al. (2009) list the following disadvantages:
- Appropriate training on a representative baseline is required before the IDS is installed in any environment
- It generates false positives
- If the suspicious activity closely resembles normal activity, it will not be detected
Signature-based IDS have flaws too. Carter (2002) highlights the following disadvantages of signature-based IDS:
- It cannot detect zero-day attacks, for which no signature yet exists
- The signature database must be updated daily
- The system must hold a signature for every attack it is expected to catch
- If an attack in the database is slightly modified, it is harder to detect
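To make the two strategies and their weaknesses concrete, here is an added Python example, written for this page and not code from the essay or from any cited source. It runs a naive and a normalized signature rule set, and an impossible-travel anomaly rule, over a handful of constructed events. The events, source addresses, rule names and city values are assumptions invented for the illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample events (not from any real capture): one entry per login or HTTP request.
EVENTS = [
    {"ts": 1000, "src": "10.0.0.5",     "user": "alice", "city": "London", "kind": "login",   "payload": ""},
    {"ts": 1100, "src": "203.0.113.9",  "user": "alice", "city": "Tokyo",  "kind": "login",   "payload": ""},
    {"ts": 1200, "src": "198.51.100.7", "user": "bob",   "city": "Paris",  "kind": "request",
     "payload": "GET /item?id=1' OR 1=1-- HTTP/1.1"},
    # Same attack, URL-encoded and with mixed case: a "slightly modified" known attack.
    {"ts": 1300, "src": "198.51.100.7", "user": "bob",   "city": "Paris",  "kind": "request",
     "payload": "GET /item?id=1%27%20oR%201%3D1-- HTTP/1.1"},
    {"ts": 1400, "src": "10.0.0.8",     "user": "carol", "city": "Berlin", "kind": "request",
     "payload": "GET /files?name=../../etc/passwd HTTP/1.1"},
    {"ts": 1500, "src": "10.0.0.8",     "user": "carol", "city": "Berlin", "kind": "login",   "payload": ""},
    # Stolen credentials used from a different machine in the same city: looks like normal activity.
    {"ts": 1600, "src": "10.0.0.9",     "user": "carol", "city": "Berlin", "kind": "login",   "payload": ""},
]

# Literal, case-sensitive signatures: the kind that break when the attack is lightly modified.
NAIVE_SIGNATURES = {
    "sqli-or-1eq1": re.compile(r"' OR 1=1"),
    "path-traversal": re.compile(r"\.\./\.\./"),
}

# Signatures written to tolerate case and whitespace variation; used together with decoding.
ROBUST_SIGNATURES = {
    "sqli-or-1eq1": re.compile(r"'\s*or\s*1\s*=\s*1", re.IGNORECASE),
    "path-traversal": re.compile(r"(\.\./){2,}"),
}


def normalize(payload):
    """Undo one layer of URL encoding so encoded variants hit the same rule as the plain form."""
    return unquote_plus(payload)


def signature_scan(events, signatures, normalize_payload=False):
    """Signature-based detection: return (ts, rule, src) for every payload a rule matches."""
    alerts = []
    for ev in events:
        text = normalize(ev["payload"]) if normalize_payload else ev["payload"]
        for name, pattern in signatures.items():
            if pattern.search(text):
                alerts.append((ev["ts"], name, ev["src"]))
    return alerts


def impossible_travel(events, window=86400):
    """Anomaly rule: the same account logging in from more than one city inside the window."""
    seen = defaultdict(list)  # user -> [(ts, city)] within the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] != "login":
            continue
        history = [(t, c) for t, c in seen[ev["user"]] if ev["ts"] - t <= window]
        cities = {c for _, c in history}
        if cities and ev["city"] not in cities:
            alerts.append((ev["ts"], "impossible-travel", ev["user"], sorted(cities | {ev["city"]})))
        seen[ev["user"]] = history + [(ev["ts"], ev["city"])]
    return alerts


if __name__ == "__main__":
    print("naive signatures:  ", signature_scan(EVENTS, NAIVE_SIGNATURES))
    print("robust signatures: ", signature_scan(EVENTS, ROBUST_SIGNATURES, normalize_payload=True))
    print("anomaly rule:      ", impossible_travel(EVENTS))
```

The naive rule set catches the plain SQL injection and the traversal but misses the URL-encoded, mixed-case variant; decoding the payload and loosening the pattern catches all three. The anomaly rule flags alice's second login from Tokyo, but an attacker using carol's credentials from another machine in Berlin looks exactly like carol, and a genuine traveler would trigger the same alert as alice did: the false-positive and near-normal-activity weaknesses listed above.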
Advances and developments of Network Intrusion Detection Systems (NIDS);
There have been many advances and developments in NIDS over the last few years, such as honeypots and machine learning. Spitzner defines honeypots as computer systems designed to lure and deceive attackers by imitating real systems on the network. Whilst these systems appear real, they have no production value, so any interaction with them is by definition suspicious and should be treated as illicit. Honeypots range from low-interaction systems, which emulate only a service banner or a few commands, to high-interaction and more complex systems built to attract and occupy advanced attackers.
For example, high-interaction honeypots provide attackers with a real operating system on which they can execute commands. The chances of collecting large amounts of information on the attacker are very high because all actions are logged and monitored; because the system is real, it must also be isolated so that a compromised honeypot cannot be used as a stepping stone into production. Many researchers and organizations use research honeypots, which gather information on the attacker and the tools used to execute the attack. They are deployed mainly for research purposes, to learn how to provide improved protection against attackers.
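As an added illustration of the low-interaction end of that range (example code written for this page, not from the essay or from any honeypot project), the following Python listener pretends to be an SSH service: it sends a banner, records whatever the peer sends, and hangs up. Because nothing legitimate should ever connect, every recorded event is an alert in its own right. The banner string, the loopback-only binding and the `probe` client that plays the attacker are assumptions made for the demonstration.

```python
import socket
import threading
import time
from dataclasses import dataclass


@dataclass
class HoneypotEvent:
    """One recorded interaction. Any entry here is an alert: no real client has a reason to connect."""
    ts: float
    src: str
    sport: int
    received: bytes


class LowInteractionHoneypot:
    """Fake SSH listener: answers with a banner, captures the peer's first line, then disconnects."""

    def __init__(self, host="127.0.0.1", port=0, banner=b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n",
                 read_timeout=2.0, max_bytes=512):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))  # port 0 lets the OS pick a free port (assumption for the demo)
        self._sock.listen(8)
        self.port = self._sock.getsockname()[1]
        self.banner = banner
        self.read_timeout = read_timeout
        self.max_bytes = max_bytes
        self.events = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._accept_loop, daemon=True)

    def start(self):
        self._thread.start()

    def stop(self):
        self._stop.set()
        self._sock.close()

    def _accept_loop(self):
        self._sock.settimeout(0.2)  # wake up periodically to notice stop()
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:  # listening socket closed by stop()
                break
            threading.Thread(target=self._serve, args=(conn, addr), daemon=True).start()

    def _serve(self, conn, addr):
        data = b""
        try:
            conn.sendall(self.banner)
            conn.settimeout(self.read_timeout)
            # Read until a line ends, the peer closes, the cap is hit, or the peer goes quiet.
            while len(data) < self.max_bytes and b"\n" not in data:
                chunk = conn.recv(self.max_bytes - len(data))
                if not chunk:
                    break
                data += chunk
        except (socket.timeout, OSError):
            pass
        finally:
            conn.close()
        with self._lock:
            self.events.append(HoneypotEvent(time.time(), addr[0], addr[1], data))

    def wait_for_events(self, n, timeout=5.0):
        """Block until at least n interactions are recorded (or timeout) and return a copy."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            with self._lock:
                if len(self.events) >= n:
                    return list(self.events)
            time.sleep(0.05)
        with self._lock:
            return list(self.events)


def probe(port, payload=b"SSH-2.0-PuTTY_Release_0.78\r\n"):
    """Play the scanner: connect, read the banner, send a client banner, disconnect."""
    with socket.create_connection(("127.0.0.1", port), timeout=3) as s:
        banner = s.recv(128)
        s.sendall(payload)
    return banner


if __name__ == "__main__":
    hp = LowInteractionHoneypot()
    hp.start()
    print("scanner saw banner:", probe(hp.port))
    for ev in hp.wait_for_events(1):
        print("ALERT honeypot touched from %s:%d sent %r" % (ev.src, ev.sport, ev.received))
    hp.stop()
```

A production deployment would bind on an otherwise unused address inside the network, forward each event to the SIEM, and never answer with anything that lets the peer actually authenticate; the value is in the source address and the first bytes sent, which already tell you who is probing and with what.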
Machine learning;
Another advancement in network intrusion detection is machine learning. Machine learning gives computers the capability to learn and improve from events without being explicitly programmed for each case. The main aim is to allow computers to learn without human intervention and act accordingly.
Unsupervised learning algorithms are used when the data provided for training is neither labeled nor classified. The task given to the machine is to group unsorted information according to patterns, similarities and differences, without any labeled training data. Applied to traffic, an unsupervised algorithm can learn the typical pattern of the network and report deviations from it without a labeled data set.
One drawback of this approach is that it is prone to false-positive alarms, since any rare but legitimate activity looks like a deviation; on the other hand, it can still detect new types of intrusion. By switching to a supervised learning algorithm, trained on examples labeled as normal or attack, the system can be taught the difference between a normal packet and an attack packet and will recognize variations of the attacks it was trained on. The trade-off is that a supervised model needs labeled attack data and stays blind to attack classes that were absent from its training set.
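The following added Python example, written for this page and not code from the essay or any ML library, puts the two approaches side by side on constructed per-host traffic summaries. The unsupervised detector learns a baseline from unlabeled rows and scores deviation; the supervised classifier is a nearest-centroid model trained on rows labeled normal or scan. The feature choice (connections per minute, distinct destination ports, mean bytes per connection), the sample values and the threshold of 4 standard deviations are all assumptions for the illustration.

```python
import math
from statistics import mean, pstdev

# Constructed one-minute traffic summaries per source host (not real captures):
# (connections, distinct destination ports, mean bytes per connection)
NORMAL = [(10, 2, 1200), (12, 3, 1500), (8, 1, 900), (15, 3, 1800),
          (11, 2, 1300), (9, 2, 1100), (14, 3, 1600), (13, 2, 1400)]
SCANS = [(400, 380, 60), (350, 300, 70), (500, 450, 55)]

# Rows neither detector has seen before.
PROBES = {
    "quiet_normal": (12, 2, 1400),
    "port_scan": (400, 380, 60),
    "slow_scan_variant": (120, 110, 70),   # same technique as SCANS, throttled
    "backup_burst": (300, 1, 50000),       # legitimate nightly backup: many connections to one port
    "bulk_exfil": (3, 1, 900000),          # an attack class present in neither labeled set
}


def features(row):
    """log1p keeps the huge byte counts from swamping the small connection counts."""
    return tuple(math.log1p(v) for v in row)


# Unsupervised: learn per-feature mean and spread from unlabeled traffic, flag large deviations.
def fit_baseline(rows):
    cols = list(zip(*(features(r) for r in rows)))
    return [(mean(c), pstdev(c) or 1e-9) for c in cols]


def anomaly_score(baseline, row):
    """Largest absolute z-score across features."""
    return max(abs((v - m) / s) for v, (m, s) in zip(features(row), baseline))


def is_anomalous(baseline, row, threshold=4.0):
    return anomaly_score(baseline, row) > threshold


# Supervised: one centroid per label, classify by nearest centroid in feature space.
def fit_centroids(labeled):
    by_label = {}
    for row, label in labeled:
        by_label.setdefault(label, []).append(features(row))
    return {label: tuple(mean(c) for c in zip(*rows)) for label, rows in by_label.items()}


def classify(centroids, row):
    f = features(row)
    return min(centroids, key=lambda label: math.dist(f, centroids[label]))


if __name__ == "__main__":
    baseline = fit_baseline(NORMAL)
    centroids = fit_centroids([(r, "normal") for r in NORMAL] + [(r, "scan") for r in SCANS])
    for name, row in PROBES.items():
        print("%-18s unsupervised=%-5s (score %6.1f)  supervised=%s" % (
            name, is_anomalous(baseline, row), anomaly_score(baseline, row), classify(centroids, row)))
```

Run on the probes, the unsupervised baseline flags the scan, the slow scan variant and the never-seen exfiltration, but also the benign backup burst, which is exactly the false-positive problem. The supervised model recognizes the throttled scan as a variant of what it was trained on and correctly leaves the backup alone, yet labels the exfiltration "normal" because no such class existed in its training data.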
Implementation of Network Intrusion Detection Systems (NIDS) within an SME;
With threats developing every day, businesses need to adapt to the changing landscape of network security. A business should first focus on developing a strong security policy. This defines how employees may use IT resources and sets acceptable-use standards, for example for company email. If a business creates a set of clear security policies and makes the organization aware of them, those policies form the foundation of a secure network.
Another suggestion in the SANS report is to design a secure network with a firewall, packet filtering on the router, and a DMZ network for servers that must be reachable from the internet, so that a compromised public-facing server does not sit on the same segment as internal systems.
Testing, incident response and laptop protection;
Testing of this implementation must be done by someone other than the individual or organization that configured the firewall and perimeter security. Developing a computer incident response plan is key, as it sets out how to respond to a security incident: the plan identifies the resources involved and the steps to contain, resolve and recover from the incident. For a business that relies on the internet in its day-to-day operations, this typically means taking the affected resources offline, resetting them and rebuilding the systems from known-good media before returning them to use.
Using personal firewalls on laptops is another suggestion for businesses to consider. Laptop computers may be used in the office and at other times connected to foreign networks, which may have significant security problems.
For example, the Blaster worm, which spread from August 11th, 2003, gained access to many company networks after a laptop was infected with the worm on a foreign network and the user subsequently connected it to the corporate LAN. The worm then spread across the entire company network from the inside, where the perimeter firewall could not stop it.
From the report, SANS identified that laptops should have personal firewalls enabled to address this. They also highlighted that, for laptops that contain sensitive data, encryption and authentication reduce the possibility of the data being exposed if the device is lost.
Conclusion;
From my findings, I believe that a NIDS is essential in protecting a company's network from external and internal threats. If a company chose not to implement a NIDS, the impact of an attack that damaged customer records or other valuable data could be severe enough to put the company out of business.
With a NIDS implemented, a business can mitigate the impact of an attack, and by pairing it with a honeypot it can capture information about an attacker and the tools used to execute the attack. This allows businesses to prepare themselves against attacks and secure any assets whose loss could damage the company's ability to operate. By enforcing a security and fair-use policy within the company, employees are aware of the standards they must abide by while employed by the business.
This also allows the company to scrutinize employees who do not follow the practices and take legal action if necessary. A business can hire managed security service providers to assist in implementing the appropriate security measures. Businesses must check whether such a provider has qualified staff and proven experience, since the main threat in most attacks on small to medium businesses lies within the company.