Lesson 3 Intrusion Detection Systems
Active Response
Involves taking an action based on an attack or threat.
Network-based IDS (NIDS)
An IDS system that primarily uses passive hardware sensors to monitor traffic on a specific segment of the network.
Host-based IDS (HIDS)
An IDS system that primarily uses software installed on a specific host such as a web server.
Intrusion
N/A
Signature Based Detection IDS
Primarily focused on evaluating attacks based on attack signatures and audit trails.
Analyzer
The component or process that analyzes the data collected by the sensor.
Data Source
The raw information that the IDS/IPS uses to detect suspicious activity.
Deception
A response that fools the attacker into thinking that the attack is succeeding while the system monitors the activity and potentially redirects the attacker to another system that is designed to be broken.
Event
Anything that happens, or is continuously happening, that indicates suspicious activity has occurred.
Notification
Communicating event-related information to the appropriate personnel when an event has occurred.
Shunning
Ignoring an attack.
Logging
Involves recording that an event has occurred and under what circumstances.
Alert
A message from the analyzer indicating that an event of interest has occurred.
Activity
An element of a data source that is of interest to the operator.
Manager
The component or process the operator uses to manage the IDS/IPS.
Sensor
The component that collects data from the data source and passes it to the analyzer for analysis.
Operator
The person primarily responsible for the IDS/IPS.
Administrator
The person responsible for setting the security policy.
Notification
The process or method by which the IDS/IPS manager makes the operator aware of an alert.
Passive Response
The simplest type of response to an intrusion.
Anomaly-Detection IDS
Learns what normal operation is and then spots deviations from it; the baseline can be established either through manually assigned values or through automated processes that look at traffic patterns.
Behavior-Based-Detection IDS
Looks for variations in behavior such as unusually high traffic, policy violations, and so on.
Heuristic IDS (HIDS)
Uses algorithms to analyze the traffic passing through the network; requires more tweaking and fine-tuning to prevent false positives.