Technologies, Methodologies and Challenges in Network Intrusion Detection and Prevention Systems

Abstract

This paper presents an overview of the technologies and the methodologies used in Network Intrusion Detection and Prevention Systems (NIDPS). Intrusion Detection and Prevention System (IDPS) technologies are differentiated by types of events that IDPSs can recognize, by types of devices that IDPSs monitor and by activity. NIDPSs monitor and analyze the streams of network packets in order to detect security incidents. The main methodology used by NIDPSs is protocol analysis. Protocol analysis requires good knowledge of the theory of the main protocols, their definition, how each protocol works.Keywords: Intrusion Detection and Prevention System, Protocol Analysis, Sensor, Signature, State(ProQuest: ... denotes formulae omitted.)1 IntroductionIncreasing size and complexity of the Internet and Intranet networks have led to increasing number of vulnerabilities that could be exploited. Thus, the internal and external attacks on the information systems are increasing at an alarming rate. Also, these are becoming more severe and sophisticated. The attackers find ingenious ways to bypass the security controls and to compromise the security and the well functioning of the information systems. They are motivated by financial, political, and military objectives. In this context, defending wide area networks from malicious traffic, unauthorized access to systems involves many problems.In security information systems Network Intrusion Detection and Prevention Systems (NIDPS) are important tools to detect possible incidents and also, to attempt to stop them in real time. Due to changing attacks, intrusion detection methodologies and technologies continuously evolve, adding new detection capabilities, to avoid detection. They must adapt to new forms of malware, to the public networks, increased traffic.2 Concepts of Intrusion DetectionAn intrusion is a successful action to gain access to an information system, to compromise it or to make it unavailable. This is possible due to the presence of vulnerability in the target system that can be exploited by a motivated intruder.Intrusion Detection and Prevention is the process of monitoring the information systems by sensors or agents and analyzing the collected information to detect and to attempt to stop the attacks in real time, identifying vulnerabilities, the violation of security policies or standard security practices.An Intrusion Detection and Prevention System (IDPS) is a tool that monitors information systems, collects, analyzes information, and initiates responses when an intrusion is detected.Intrusion Detection Systems (IDSs) mainly work as defensive mechanisms. They only alert the system administrators that an incident has occurred. Intrusion Prevention Systems (IPSs) can take some actions to attempt to stop the attack, such as breaking the connection or modifying the firewall rules to deny access to the intruder. The response of the classic IDS can be slow if the system administrator is busy while the response of the IPS is automatic. An architecture that uses together IPS and IDS technologies is the best solution for defense in depth.Conceptually, a generic IDPS consists of modular components. It mainly has the following components: monitoring system, storage, analyzer, and responder.* Monitoring system - monitors and logs the events in a computer system or network;* Storage - stores information, called audit record, about suspicious activities or intrusions; also, the security policies used in analysis are stored;* Analyzer - uses different analysis methodologies to detect the incidents;* Responder - the response mechanism of incidents.The IDPSs could be classified as:* By detection methodology [12], [18]:- misuse-based detection- anomaly-based detection- stateful protocol analysis* By activity [12]:- network-based- wireless-based- network behavior analysis- host-based* By behavior on detection:- passive- active* By collection and analysis frequency:- continuous- periodicThe detection methodologies describe the characteristics of the analyzer. …