Detection of Network Intrusion
An Intrusion Detection System (IDS) is a system that monitors network traffic for suspicious activity and issues alerts when such activity is discovered. It is a software application that scans a network or a system for harmful activity or policy violations. Any malicious venture or violation is normally reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system integrates outputs from multiple sources and uses alarm filtering techniques to differentiate malicious activity from false alarms.
Figure: Threat Hunting Steps (image not reproduced)
Network Intrusion Detection System
Network intrusion detection systems (NIDS) are set up at a planned point within the network to examine traffic from all devices on the network. A NIDS observes the traffic passing over the entire subnet and matches it against a collection of known attack signatures. Once an attack is identified or abnormal behavior is observed, an alert can be sent to the administrator.
Why NIDS? And Their Types
Due to the sophistication of cyber threats and data breaches, implementing and maintaining network security, data security and information security requires a defense-in-depth approach. Organizations need to secure their networks with a combination of technologies and detection methods designed to combat multiple attack vectors. One of the most common elements used to secure enterprise network configurations is intrusion detection. Inside the secure network, a NIDS detects suspicious activity to and from hosts and within the traffic itself, taking proactive measures to log and block attacks.
Signature-based NIDS detects attacks on the basis of specific patterns, such as the number of bytes or the number of 1's or 0's in the network traffic. It also detects on the basis of already known malicious instruction sequences used by malware. The patterns the IDS looks for are known as signatures. Signature-based NIDS can easily detect attacks whose pattern (signature) already exists in the system, but it is quite difficult to detect new malware attacks because their pattern (signature) is not yet known.
Anomaly-based NIDS was introduced to detect unknown malware attacks, since new malware is developed rapidly. An anomaly-based NIDS uses machine learning to create a model of trusted activity; incoming traffic is compared with that model and declared suspicious if it does not fit the model. Machine-learning-based methods generalize better than signature-based NIDS, as these models can be trained according to the applications and hardware configurations in use.
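To make the two detection approaches concrete, here is a small added example (not code from the original page or from any of the tools it describes) that runs both over constructed flow records: a signature engine that looks for fixed byte patterns in the payload, and an anomaly model that learns a per-port baseline of flow sizes from "trusted" traffic and flags flows that fall outside it. The signature patterns, port numbers, byte counts and the z-score threshold of 3.0 are all constructed for the demonstration and are not real Snort or Suricata rules.

```python
"""Toy NIDS: signature matching plus a per-port anomaly baseline over constructed flow records."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Flow:
    """Summary of one connection as a flow collector might emit it (constructed fields)."""
    src: str
    dst: str
    dport: int
    nbytes: int
    payload: bytes = b""


# Signature rules: an alert message and the byte pattern to look for in the payload.
# These patterns are constructed for this example, not real IDS signatures.
SIGNATURES = [
    ("shell interpreter path in HTTP request", b"/bin/sh"),
    ("SMB1 protocol marker", b"\xffSMB"),
]


def signature_matches(flow):
    """Return the messages of every signature whose pattern appears in the flow payload."""
    return [msg for msg, pattern in SIGNATURES if pattern in flow.payload]


class AnomalyModel:
    """Baseline of trusted activity: mean and standard deviation of flow size per destination port."""

    def __init__(self, threshold=3.0):
        self.threshold = threshold   # z-score above which a flow is considered anomalous
        self.stats = {}              # dport -> (mean_bytes, stdev_bytes)

    def train(self, flows):
        by_port = {}
        for f in flows:
            by_port.setdefault(f.dport, []).append(f.nbytes)
        for port, sizes in by_port.items():
            self.stats[port] = (mean(sizes), pstdev(sizes))

    def score(self, flow):
        """z-score of the flow size against its port's baseline; None if the port was never seen."""
        if flow.dport not in self.stats:
            return None
        mu, sigma = self.stats[flow.dport]
        if sigma == 0:
            return 0.0 if flow.nbytes == mu else float("inf")
        return abs(flow.nbytes - mu) / sigma

    def is_anomalous(self, flow):
        # A port absent from the trusted model is itself a deviation from the baseline.
        s = self.score(flow)
        return s is None or s > self.threshold


def analyze(model, flow):
    """Combine both detectors into one verdict for a flow."""
    return {"signatures": signature_matches(flow), "anomalous": model.is_anomalous(flow)}


# Constructed "trusted" traffic used to build the baseline.
TRAINING = (
    [Flow("10.0.0.2", "10.0.0.9", 80, n) for n in (500, 600, 550, 520, 580)]
    + [Flow("10.0.0.2", "10.0.0.9", 443, n) for n in (1000, 1200, 1100, 900, 1050)]
    + [Flow("10.0.0.2", "10.0.0.1", 53, n) for n in (80, 90, 100, 85, 95)]
)

# Constructed flows to inspect.
SAMPLES = {
    "sig_hit": Flow("10.0.0.5", "10.0.0.9", 80, 540, b"GET /cgi-bin/x?cmd=/bin/sh HTTP/1.1\r\n"),
    "huge_tls": Flow("10.0.0.5", "10.0.0.9", 443, 50000),
    "unseen_port": Flow("10.0.0.5", "10.0.0.9", 4444, 300),
    "normal_dns": Flow("10.0.0.5", "10.0.0.1", 53, 90),
}


def run_samples():
    model = AnomalyModel()
    model.train(TRAINING)
    return {name: analyze(model, flow) for name, flow in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(name, verdict)
```

Note how the two detectors fail in opposite directions: the signature engine says nothing about the 50,000-byte flow because no pattern is in it, and the anomaly model says nothing about the `/bin/sh` request because its size is perfectly ordinary for port 80. That complementarity is why the two are usually deployed together.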
How to Detect Network Intrusions
Knowing how to detect network intrusions is a key element of network security. A more effective and long-term solution is a network monitoring tool with deep packet inspection (DPI). It can identify anomalies in network traffic, such as fragmented packets and activity across non-standard ports, to alert network administrators of a potential intrusion, and provide the information required to conduct a thorough investigation. Network monitoring tools with DPI can further enhance security by identifying malicious insider activity and access to file shares. They can also improve network performance and management by bringing bottlenecks, bandwidth issues and unused resources to the attention of network administrators.
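The following added example (my own illustration, not code from the page or from any DPI product) shows the kind of checks the paragraph describes, run over constructed packet records: it flags IP fragments, identifies the application protocol from the first payload bytes and reports it when it appears on a port other than the one expected for it, and logs SMB traffic as file-share access for later review. The record format, the expected-port table and the sample packets are assumptions made for the demonstration.

```python
"""DPI-style checks over constructed packet records: fragmentation, protocol-port mismatch, file-share access."""
from dataclasses import dataclass


@dataclass
class Packet:
    """What a capture tool might hand an inspector for one IP packet (constructed fields)."""
    src: str
    dst: str
    dport: int            # 0 when the packet carries no transport header (non-first fragment)
    more_fragments: bool  # IP "MF" flag
    frag_offset: int      # IP fragment offset; non-zero means this is not the first fragment
    payload: bytes


# Ports on which each protocol is expected in this (assumed) environment.
EXPECTED_PORTS = {"http": {80, 8080}, "tls": {443}, "smb": {445}}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def identify_protocol(payload):
    """Classify the application protocol from the leading payload bytes; None if unrecognised."""
    if payload[:2] == b"\x16\x03":           # TLS record: handshake content type, version 3.x
        return "tls"
    if payload[4:8] in (b"\xffSMB", b"\xfeSMB"):  # 4-byte NetBIOS session header, then SMB1/SMB2 magic
        return "smb"
    if payload.startswith(HTTP_METHODS):
        return "http"
    return None


def inspect(pkt):
    """Return the list of findings for one packet (empty list means nothing notable)."""
    findings = []
    if pkt.more_fragments or pkt.frag_offset > 0:
        findings.append("fragmented packet")
    if pkt.frag_offset > 0:
        # A non-first fragment has no transport header or application data to classify;
        # a full DPI engine would reassemble before inspecting.
        return findings
    proto = identify_protocol(pkt.payload)
    if proto and pkt.dport not in EXPECTED_PORTS[proto]:
        findings.append(f"{proto} on non-standard port {pkt.dport}")
    if proto == "smb":
        # Not an alert on its own: recorded so insider activity against shares can be reviewed.
        findings.append(f"file share access {pkt.src} -> {pkt.dst}")
    return findings


# Constructed sample packets.
SAMPLES = {
    "http_odd_port": Packet("10.0.0.5", "10.0.0.9", 8443, False, 0, b"GET /admin HTTP/1.1\r\n"),
    "http_fragment": Packet("10.0.0.5", "10.0.0.9", 80, True, 0, b"GET / HTTP/1.1\r\n"),
    "smb_share": Packet("10.0.0.5", "10.0.0.20", 445, False, 0, b"\x00\x00\x00\x50\xfeSMB" + b"\x00" * 8),
    "tls_normal": Packet("10.0.0.5", "10.0.0.9", 443, False, 0, b"\x16\x03\x01\x00\x05" + b"\x00" * 5),
    "tail_fragment": Packet("10.0.0.5", "10.0.0.9", 0, False, 185, b"\x00" * 8),
}


def run_samples():
    return {name: inspect(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, findings or "clean")
```

The protocol classifier is deliberately shallow (a few leading bytes); the point is that port number alone is not evidence of what a connection carries, and a monitor that looks inside the payload can notice when the two disagree.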
NIDS Tools
Snort is the most well-known open-source tool and is capable of running on Windows, Linux and Unix operating systems while analyzing real-time traffic. Snort has three modes: packet sniffer, packet logger and intrusion detection. Snort is able to detect OS fingerprinting, port scanning, SMB probes and many other attacks by using signature-based and anomaly-based techniques.
Suricata is a modern alternative to Snort with multi-threading capabilities, GPU acceleration and multiple model statistical anomaly detection. It’s also compatible with Snort’s data structure and you can implement Snort policies in Suricata. Suricata can examine TLS/SSL certificates, HTTP requests and DNS transactions.
Zeek differs from Snort as it also runs on the application layer, giving you the ability to track different services from different OSI layers such as HTTP, DNS, SNMP and FTP. Zeek uses signature-based and anomaly-based detection methods and has a diverse user community.
Sguil is a collection of components for network security monitoring. It can run on any operating system that supports Tcl/Tk. Once installed, analysts can receive alerts from Snort, Suricata, OSSEC, Zeek and other data sources.
Security Onion is an Ubuntu-based Linux distribution for IDS and network security monitoring (NSM), and consists of several of the above open-source technologies working in concert with each other. The platform offers comprehensive intrusion detection, network security monitoring, and log management by combining the best of Snort, Suricata and Zeek, as well as other tools such as Sguil, Squert, Snorby, ELSA and Xplico, among others.