Wednesday, March 4, 2020

What is an IDS and how does it work?

An Intrusion Detection System (IDS) is a system that monitors a network for events that may violate the security rules of that network. Such events include programs whose activity departs from their usual behavior, malware, and intrusions.

An IDS works by collecting user and network data and storing it, then analyzing behavioral patterns, data flows, timing, and so on. Combined with prior knowledge of attack patterns, this information makes it possible to discern whether a given event is malicious or not.

User data is collected in various ways, from input and output mechanisms such as the mouse and keyboard, to files saved on the users' computers, rule tables, and so on. It is also possible to analyze the Network layer of the TCP/IP stack: the type of flow, incoming and outgoing packets, established connections, among other things.

The Intrusion Detection System (IDS) then runs, in real time, algorithms over the collected user data and network flow, looking for evidence of a malicious action. Once something is detected, the IDS performs the response that best fits that malicious activity: alerting the network administrator, in the case of a passive IDS, or blocking the data flow, in the case of an active IDS.

It is extremely important to emphasize that neither an intrusion detection system nor an intrusion prevention system is an antivirus: they do not recognize local threats such as Trojans and worms. They are also not used as a network record, nor are they tools that assess and look for network vulnerabilities. In other words, they are monitoring tools, not security diagnostics.

Another question concerns the importance of configuring an IDS properly. The biggest problem here is the number of false positives and false negatives an IDS can generate; when these numbers are very high, the system becomes less effective. With many false positives, the system becomes useless because it reports threats too often, even for completely normal traffic; with many false negatives, it has difficulty identifying real threats. Good configuration of the IDS is therefore directly tied to its effectiveness.
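The following Python sketch is an added example, not code from the post or from any IDS product. It ties together the mechanism described above (collect events, match them against known attack signatures and a behavioral rule, then alert in passive mode or block in active mode) and the tuning problem just discussed: it runs the same constructed traffic through the detector at several thresholds and counts false positives and false negatives. The IP addresses, payload markers, timestamps, labels and thresholds are all constructed for illustration; the signature set and the connections-per-window rule are deliberately simple stand-ins for what a real IDS carries.

```python
"""Toy IDS: collect events, match signatures, check a rate rule, then alert
(passive) or block (active), and measure false positives/negatives per
threshold.  All traffic below is constructed for the example."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    ts: float      # seconds since start of the (constructed) capture
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination port
    payload: str   # first bytes of application data, as text
    label: str     # ground truth used only for evaluation: "benign"/"malicious"


# Prior knowledge of attack patterns: a signature here is just a substring.
SIGNATURES = {
    "sqli-tautology": "' OR 1=1",
    "path-traversal": "../../",
}


def build_sample_events():
    """Constructed traffic: a workstation, one injection attempt, a legitimate
    backup job that bursts, and a suspicious connection burst."""
    events = []
    # Ordinary browsing, spaced out over time: benign
    for ts, page in ((0.0, "/index.html"), (12.0, "/about.html"), (25.0, "/contact.html")):
        events.append(Event(ts, "10.0.0.5", "10.0.0.80", 443, "GET " + page, "benign"))
    # One request carrying a known injection marker: malicious
    events.append(Event(30.0, "10.0.0.7", "10.0.0.80", 443,
                        "GET /login?user=admin' OR 1=1--", "malicious"))
    # Nightly backup: six SFTP connections in three seconds, but legitimate
    for i in range(6):
        events.append(Event(40.0 + 0.5 * i, "10.0.0.12", "10.0.0.90", 22,
                            f"SFTP chunk {i}", "benign"))
    # Eight connections to eight different ports in two seconds: malicious
    for i, port in enumerate((21, 22, 23, 25, 80, 110, 143, 443)):
        events.append(Event(60.0 + 0.25 * i, "10.0.0.9", "10.0.0.80", port, "SYN", "malicious"))
    return events


class IDS:
    def __init__(self, rate_threshold, window=10.0, mode="passive"):
        self.rate_threshold = rate_threshold  # connections per window before flagging
        self.window = window                  # seconds
        self.mode = mode                      # "passive" alerts, "active" blocks
        self.history = defaultdict(list)      # src -> recent connection timestamps
        self.blocked = set()
        self.alerts = []

    def process(self, event):
        """Return the verdict for one event: allowed, alerted, blocked or dropped."""
        if self.mode == "active" and event.src in self.blocked:
            return "dropped"  # an active IDS lets nothing more through from a blocked source
        reasons = [name for name, pat in SIGNATURES.items() if pat in event.payload]
        # Behavioral rule: too many connections from one source inside the window
        recent = [t for t in self.history[event.src] if event.ts - t <= self.window]
        recent.append(event.ts)
        self.history[event.src] = recent
        if len(recent) > self.rate_threshold:
            reasons.append(f"rate>{self.rate_threshold}/{self.window:g}s")
        if not reasons:
            return "allowed"
        self.alerts.append((event.src, event.ts, reasons))
        if self.mode == "active":
            self.blocked.add(event.src)
            return "blocked"
        return "alerted"


def run(events, rate_threshold, mode):
    """Feed the events through an IDS in the given mode and count the verdicts."""
    ids = IDS(rate_threshold, mode=mode)
    return Counter(ids.process(e) for e in events)


def evaluate(events, rate_threshold):
    """Confusion counts (tp/fp/fn/tn) for a passive IDS at the given rate threshold."""
    ids = IDS(rate_threshold, mode="passive")
    counts = Counter()
    for e in events:
        flagged = ids.process(e) == "alerted"
        if flagged:
            counts["tp" if e.label == "malicious" else "fp"] += 1
        else:
            counts["fn" if e.label == "malicious" else "tn"] += 1
    return dict(counts)


if __name__ == "__main__":
    sample = build_sample_events()
    for threshold in (3, 5, 10):
        print(f"threshold={threshold:2d} passive: {evaluate(sample, threshold)}")
    print("threshold=3 active:", dict(run(sample, 3, "active")))
```

On this sample a tight threshold (3 connections per 10 s) catches most of the burst but also flags the legitimate backup three times, while a loose threshold (10) produces no false positives and misses the burst entirely; the signature hit is caught at every threshold. The active run shows the cost of acting on a false positive: once the backup host is blocked, the rest of its job is dropped, which is why the text ties a good configuration so closely to the effectiveness of the system.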
