Intrusion Detection
Understanding Intrusion Detection
Computer security and security tools are becoming necessary for all business types. Organizations usually focus on prevention tools, like firewalls, but ignore detection tools such as intrusion detection systems.
Simply put, an intrusion is someone attempting to break into or misuse your system. How you define "someone" and "break into or misuse" is up to each individual business owner or management team.
An intrusion detection system (IDS) attempts to detect an intruder breaking into your system or a legitimate user misusing system resources. The IDS runs constantly on your system, working in the background and notifying you only when it detects something it considers suspicious or illegal. Whether you appreciate that notification depends on how well you've configured your intrusion detection system!
There are two types of intruders:

External Intruders - Most people perceive the outside world to be the largest threat to their security. The media scare over "hackers" coming in over the Internet has only heightened this perception.

Internal Intruders - FBI studies have revealed that 80% of intrusions and attacks come from within organizations. For example, an internal staff person knows the layout of your system, where the valuable data is and what security precautions are in place.
A mechanism is needed to detect both types of intrusions - a break-in attempt from the outside, or a knowledgeable insider attack. An effective intrusion detection system detects both types of attacks.
Key Considerations

Intrusion Detection Systems Based on Data Source

Host Based - Audits data from a single host to detect intrusions.

Multi-Host Based - Audits data from multiple hosts to detect intrusions.

Network Based - Uses network traffic data, along with audit data from one or more hosts, to detect intrusions.
Intrusion Detection Systems Based on Model of Intrusions

Anomaly Detection Model - The intrusion detection system detects intrusions by looking for activity that is different from a user's or system's normal behavior.

Misuse Detection Model - The intrusion detection system detects intrusions by looking for activity that corresponds to known intrusion techniques (signatures) or system vulnerabilities.
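As an added example (not code from the original page or from Symantec), here is a minimal host-based detector that runs both models over constructed audit records, so the difference between the two models is visible: the record layout, the signature list and the per-user baseline are assumptions made for illustration.

```python
from collections import Counter

# Constructed host audit records for the demonstration: (user, hour_of_day, action).
AUDIT = [
    ("alice", 9, "login"),
    ("alice", 10, "read /srv/reports/q3.xlsx"),
    ("alice", 11, "read /etc/shadow"),        # known technique during normal hours
    ("bob", 3, "login"),                      # nothing known, but an odd hour
    ("bob", 3, "read /srv/hr/payroll.db"),
    ("bob", 3, "read /srv/hr/salaries.db"),
    ("bob", 3, "read /srv/hr/reviews.db"),
]

# Misuse model: patterns that correspond to known intrusion techniques (assumed set).
SIGNATURES = {"read /etc/shadow": "access to password hash file"}

# Anomaly model: per-user profile of normal behaviour, assumed learned from past audit data.
BASELINE = {
    "alice": {"hours": range(8, 19), "max_per_hour": 3},
    "bob": {"hours": range(8, 19), "max_per_hour": 3},
}

def misuse_alerts(records, signatures=SIGNATURES):
    """Flag every record whose action matches a known signature."""
    return [(user, desc) for user, _, action in records
            for pattern, desc in signatures.items() if pattern in action]

def anomaly_alerts(records, baseline=BASELINE):
    """Flag activity that deviates from each user's normal profile."""
    alerts = []
    per_hour = Counter((user, hour) for user, hour, _ in records)
    for (user, hour), count in sorted(per_hour.items()):
        profile = baseline.get(user)
        if profile is None:
            alerts.append((user, "no behaviour profile for user"))
            continue
        if hour not in profile["hours"]:
            alerts.append((user, f"activity at {hour:02d}:00 outside normal hours"))
        if count > profile["max_per_hour"]:
            alerts.append((user, f"{count} actions at {hour:02d}:00 exceed baseline "
                                 f"of {profile['max_per_hour']}"))
    return alerts

def detect(records):
    """Run both models; in the sample data each catches something the other misses."""
    return {"misuse": misuse_alerts(records), "anomaly": anomaly_alerts(records)}

if __name__ == "__main__":
    for model, alerts in detect(AUDIT).items():
        for user, reason in alerts:
            print(f"[{model}] {user}: {reason}")
```

Alice's read of the password file is caught only by the signature, while Bob's off-hours burst is caught only by the baseline; a real deployment keeps both models because neither covers the other's blind spot.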
Solutions

Symantec Intruder Alert version 3.6 is a host-based, real-time intrusion monitoring system that detects unauthorized activity and security breaches and responds automatically. If Intruder Alert detects a threat, it sounds an alarm or takes other countermeasures according to pre-established security policies in order to prevent information loss or theft.