Abstract

In network security, a breach of or unauthorized access to a system is a major concern for any enterprise. The situation is worse when the enterprise works with government organizations, holds private or confidential data, is itself a data warehouse, or operates one of the top-level domain (TLD) servers around the globe, where an intrusion could have a significant impact worldwide. The attacker can obtain valuable information that can be sold on the black market. To prevent such malicious intent, system administrators use various techniques: firewalls, demilitarized zones (DMZs), intrusion prevention systems (IPS), and intrusion detection systems (IDS). From the perspective of security practitioners, an IDS is one of the most favorable options and is the first line of defense for the network, as it is easy to deploy and flexible to understand. It constantly monitors the network and system for malicious activity or policy violations. It alerts the system administrator, logs the activity to log files, and keeps specific traffic out of the system that could otherwise lead to an intrusion. It distinguishes normal from malicious traffic by analyzing the characteristics of network traffic; this analysis is based on the ruleset that the administrator prepares and configures within the IDS. Rules are an integral part of the detection system: an alert is raised only when the corresponding rule is present in the rule file. An IDS also has certain disadvantages, such as false alarms, which occur when regular traffic is mismarked as suspicious network traffic and an alarm is raised. Machine learning and deep learning algorithms are tested on various IDS datasets in order to reduce the false alarm rate; however, these algorithms depend heavily on the quality of the datasets.
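To make the rule-driven behavior described above concrete, here is an added example (not code from the chapter, Snort, or OSSEC) of a minimal signature-based network IDS. It parses a small, assumed subset of Snort-style rule syntax (action, protocol, destination port, and the msg, content and sid options), evaluates each rule against constructed packet records, records alert lines, and scores the false alarm rate against constructed ground-truth labels. The rule file, the packets, the IP addresses and the labels are all constructed for this example.

```python
"""Added example: a minimal signature-based network IDS in the spirit of Snort.

Rule subset, packets and labels are constructed for illustration; real Snort
rules support far more header fields and options than handled here.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    sid: int
    action: str
    proto: str                # "tcp", "udp", or "any"
    dst_port: str             # numeric string or "any"
    msg: str
    content: Optional[bytes]  # byte pattern that must appear in the payload


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: int
    payload: bytes
    malicious: bool           # ground-truth label, used only to score the IDS


# Header layout assumed: action proto src_ip src_port -> dst_ip dst_port (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+\S+\s+\S+\s+->\s+"
    r"\S+\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)$"
)


def parse_rule(line: str) -> Rule:
    """Parse one rule line. Options are 'key:value;' pairs; this simplified
    parser assumes no ';' occurs inside a quoted value."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    opts = {}
    for opt in m.group("opts").split(";"):
        opt = opt.strip()
        if opt:
            key, _, val = opt.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    content = opts["content"].encode() if "content" in opts else None
    return Rule(int(opts["sid"]), m.group("action"), m.group("proto"),
                m.group("dport"), opts.get("msg", ""), content)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Cheap header checks first, payload content search last."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dst_port != "any" and int(rule.dst_port) != pkt.dst_port:
        return False
    if rule.content is not None and rule.content not in pkt.payload:
        return False
    return True


def run_ids(rules, packets):
    """Return (alert log lines, false alarm rate). A packet that matches no
    rule is never alerted on: detection is only as good as the rule file."""
    alerts, flagged = [], []
    for pkt in packets:
        hits = [r for r in rules if r.action == "alert" and rule_matches(r, pkt)]
        flagged.append(bool(hits))
        for r in hits:
            alerts.append(f"[1:{r.sid}] {r.msg} {pkt.proto} "
                          f"{pkt.src} -> {pkt.dst}:{pkt.dst_port}")
    # false alarm rate = benign packets alerted on / all benign packets
    fp = sum(1 for p, f in zip(packets, flagged) if f and not p.malicious)
    tn = sum(1 for p, f in zip(packets, flagged) if not f and not p.malicious)
    far = fp / (fp + tn) if fp + tn else 0.0
    return alerts, far


# Constructed rule file: one tight content rule and one deliberately loose rule.
RULES = [parse_rule(r) for r in [
    'alert tcp any any -> any 80 (msg:"Directory traversal in HTTP request"; '
    'content:"../../"; sid:1000001;)',
    'alert tcp any any -> any 22 (msg:"Inbound SSH connection"; sid:1000002;)',
]]

# Constructed traffic with ground-truth labels.
PACKETS = [
    Packet("tcp", "10.0.0.5", "10.0.0.1", 80, b"GET /../../etc/passwd HTTP/1.1\r\n", True),
    Packet("tcp", "10.0.0.6", "10.0.0.1", 80, b"GET /index.html HTTP/1.1\r\n", False),
    # Legitimate administrator SSH session: the loose rule turns it into a false alarm.
    Packet("tcp", "10.0.0.7", "10.0.0.1", 22, b"SSH-2.0-OpenSSH_8.9\r\n", False),
    # Same traversal pattern on port 8080: no rule covers it, so it is missed.
    Packet("tcp", "10.0.0.8", "10.0.0.1", 8080, b"GET /../../etc/passwd HTTP/1.1\r\n", True),
]

if __name__ == "__main__":
    alert_lines, rate = run_ids(RULES, PACKETS)
    for line in alert_lines:
        print(line)
    print(f"false alarm rate: {rate:.2f}")
```

Running it produces two alerts (the traversal request on port 80 and the administrator's SSH session) and a false alarm rate of 0.50: the loose port-22 rule fires on benign traffic, while the port-8080 request goes undetected because no rule covers it. Tightening rules reduces false alarms but widens the coverage gap, which is the trade-off the chapter attributes to IDS rulesets.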
This chapter will discuss intrusion detection systems (IDS), their types, and how we can deploy them in our systems to detect malicious traffic and prevent unauthorized access. We will also install and analyze Snort, a network IDS, and OSSEC, an open-source host-based IDS, to perform log analysis, alerting, and rule generation.

Keywords: Intrusion detection system; Snort; OSSEC; IDS
