Abstract

Intrusion detection and prevention are security measures used to detect and prevent cybersecurity risks to computer systems, networks, infrastructure resources, and other assets. Intrusion detection and prevention systems automatically detect and respond to cybersecurity risks in order to reduce the potential risks arising from threat event attacks. They use different methods to achieve this. In this context, either the signature-based approach, which matches observed activity against known threat event attacks, is used, or anomaly-based detection, which compares definitions of what activity is considered normal against observed threat event attacks to identify significant deviations. Other methods are stateful protocol analysis, which compares predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state against observed events to identify deviations, and the hybrid approach, which combines some or all of the other methodologies to detect and respond to cybersecurity risks. However, the design of intrusion detection and prevention system architectures requires deliberate decisions about the essential methodology used and the deployed system architecture. Against this background, this chapter seeks to offer a clear explanation of the respective methodologies and to compare these methodologies with regard to effectiveness and efficiency. This requires (i) a discussion of the importance of intrusion detection and prevention in combating threat event attack risks and malicious threat event attacks, by logging information about them and attempting to stop them, and (ii) reporting the identified malicious threat event attacks to the cybersecurity response team.
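As an added example (not the chapter's own code), the following Python sketch applies the four methods named above to constructed sample events: a signature match against a known pattern, an anomaly check against a per-host rate baseline, a stateful check that DATA only follows a completed handshake, and a hybrid detector that unions the three. The event format, the traffic values and the three-step handshake model are simplifications assumed for illustration.

```python
import re
from statistics import mean, pstdev

# Constructed sample events, one per observed connection (not real traffic).
EVENTS = [
    {"src": "10.0.0.5", "payload": "GET /index.html", "flags": ["SYN", "SYN-ACK", "ACK", "DATA"]},
    {"src": "10.0.0.5", "payload": "GET /../../config", "flags": ["SYN", "SYN-ACK", "ACK", "DATA"]},
    {"src": "10.0.0.9", "payload": "GET /about", "flags": ["DATA"]},
]
# Constructed connections-per-minute history (training window) and the current minute.
BASELINE = {"10.0.0.5": [3, 4, 3, 5, 4], "10.0.0.9": [1, 2, 1, 1, 2]}
OBSERVED = {"10.0.0.5": 4, "10.0.0.9": 40}
# Signature-based: patterns describing known threat event attacks (assumed rule set).
SIGNATURES = {"path-traversal": re.compile(r"\.\./")}
# Stateful protocol analysis: the benign flag sequence that must precede DATA (assumed model).
EXPECTED_HANDSHAKE = ["SYN", "SYN-ACK", "ACK"]

def signature_detect(events):
    """Signature-based: match each payload against the known-bad patterns."""
    return [(e["src"], n) for e in events for n, rx in SIGNATURES.items() if rx.search(e["payload"])]

def anomaly_detect(baseline, observed, k=3.0):
    """Anomaly-based: flag hosts whose current rate deviates > k standard deviations from baseline."""
    alerts = []
    for src, rate in observed.items():
        hist = baseline.get(src)
        if not hist:
            continue  # no profile of "normal" exists for this host yet
        mu, sigma = mean(hist), pstdev(hist) or 1.0  # guard against a constant history
        if abs(rate - mu) / sigma > k:
            alerts.append((src, "rate-anomaly"))
    return alerts

def stateful_detect(events):
    """Stateful protocol analysis: DATA is only benign after the full handshake was seen."""
    alerts = []
    for e in events:
        seen = []
        for flag in e["flags"]:
            if flag == "DATA" and seen[:3] != EXPECTED_HANDSHAKE:
                alerts.append((e["src"], "protocol-state-violation"))
                break
            seen.append(flag)
    return alerts

def hybrid_detect(events, baseline, observed):
    """Hybrid approach: union of the alerts raised by the three detectors."""
    return sorted(set(signature_detect(events) + anomaly_detect(baseline, observed)
                      + stateful_detect(events)))
```

Each detector alone misses what the others catch: the traversal string has a normal rate and handshake, the burst from 10.0.0.9 carries no known pattern, and only the stateful check sees the missing handshake.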
Furthermore, threat event attacks are investigated, because threat event actors seek out computer systems, networks, and infrastructure resources to exploit vulnerabilities and to attack them, causing serious problems for the targeted industrial, public, and private organizations. Therefore, Intrusion Detection and Prevention Systems (IDPSs) are a valuable approach to keeping information systems secure against malicious threat event attack risks by monitoring, analyzing, and responding to possible cybersecurity violations against computer systems, networks, or infrastructure resources. The violations may result from attempts by unauthorized intruders to compromise computer systems, networks, infrastructure resources, and other assets. These intruders can be privileged internal users who misuse their authority, or external individual cyberattackers or attacker groups. In this context, Chap. 3 introduces in Sect. 3.1 the specific background of intrusion detection methods and in Sect. 3.1.1 the specific characteristics and capabilities of the different intrusion detection forms together with their advantages and disadvantages. Anomaly detection is the subject of Sect. 3.1.2, while Sect. 3.1.3 refers to misuse intrusion detection, and Sect. 3.1.4 focuses on the advantages and disadvantages of the anomaly and misuse intrusion detection forms. Section 3.1.5 refers to specification-based intrusion detection, which combines the strengths of anomaly and misuse detection, and Sect. 3.1.6 refers to the characteristics of intrusion detection types. The focus of Sect. 3.1.7 is on intrusion detection systems and their architecture. Section 3.2 focuses on intrusion prevention, whereby Sect. 3.2.1 describes the intrusion prevention system, while Sect. 3.2.2 focuses on the architecture of the intrusion prevention system.
Section 3.3 refers to the intrusion detection and prevention system architecture and the respective performance measures as constraints for the proof-of-concept approach. Section 3.4 introduces the intrusion detection capability metric, which includes the necessity of developing a detection approach that detects both known and unknown threat event attacks. Finally, Sect. 3.5 summarizes the intrusion detection and intrusion prevention approaches with regard to a stable and resilient system operation. Section 3.6 contains comprehensive questions on the topics of intrusion detection and intrusion prevention methodologies and architectures, while the reference section lists references for further reading.
