<?xml version="1.0"?>
<Module projectID="1080" moduleID="1116">
	<ModuleName>mod4</ModuleName>
	<AU>mod4</AU>
	<Title>IDS Overview</Title>
	<Subtitle>Intrusion Detection System (IDS) Overview</Subtitle>
	<LinkSet>links</LinkSet>
	<CourseMapSWFPath>../mod4/assets/coursemap.swf</CourseMapSWFPath>
	<NavBtns>
		<NavBtn>
			<ID>courseMenuBtn</ID>
			<Label>Course menu</Label>
			<RMAText>Course menu. Select this button to access the course menu.</RMAText>
			<ClickEventName>MainMenuButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>moduleMapBtn</ID>
			<Label>Lesson Map</Label>
			<RMAText>Lesson Map. Select this button to access the lesson map.</RMAText>
			<ClickEventName>CourseMapButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>glossaryBtn</ID>
			<Name>Glossary</Name>
			<RMAText>Glossary. Select this button to open the glossary.</RMAText>
			<ClickEventName>GlossaryButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resourcesBtn</ID>
			<Label>Resources</Label>
			<RMAText>Resources. Select this button to open the resources.</RMAText>
			<ClickEventName>ResourcesButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>exitBtn</ID>
			<Label>Exit</Label>
			<RMAText>Exit. Select this button to exit the course.</RMAText>
			<ClickEventName>ExitButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>replayBtn</ID>
			<Label>Replay</Label>
			<RMAText>Replay. Select this button to replay the current screen.</RMAText>
			<ClickEventName>ReplayButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>pauseBtn</ID>
			<Label>Pause</Label>
			<RMAText>Pause. Select this button to pause the course.</RMAText>
			<ClickEventName>PauseButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resumeBtn</ID>
			<Label>Resume</Label>
			<RMAText>Resume. Select this button to resume the course.</RMAText>
			<ClickEventName>ResumeButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn prevBtn="true">
			<ID>previousPgBtn</ID>
			<Name>Previous Page</Name>
			<RMAText>Previous. Select this button to go to the previous screen.</RMAText>
			<ClickEventName>PreviousButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn nextBtn="true">
			<ID>nextPgBtn</ID>
			<Name>Next Page</Name>
			<RMAText>Next. Select this button to go to the next screen.</RMAText>
			<ClickEventName>NextButtonClicked</ClickEventName>
		</NavBtn>
	</NavBtns>
	<Topics>
		<Topic>
			<Title>Introduction</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Objectives and Topics</Title>
					<Subtitle/>
					<Filename>idsl4_01</Filename>
					<PageNbr>1</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Welcome to the lesson on Intrusion Detection Systems Overview. When you have completed this lesson, you will be able to identify the different types and methods of an intrusion detection system, or IDS. You will also be able to recognize what Snort is and why it is important. You will be able to differentiate the different types of IDS events. Finally, you will be able to identify various shortcomings of IDSes. There are four topics in this lesson. After you have completed the Introduction, you will learn about the two different types of intrusion detection systems and the three operating methods they use to detect malicious activity. You will learn about the most commonly deployed system, which will be the basis for examples within this course. Finally, you will learn about the true and false alerts produced by IDSes and the shortcomings of IDSes.</Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 1 of 10. Please use the up and down arrows to navigate through the Introduction to D O D I D S Analysis Course, Intrusion Detection System I D S Overview. For each screen you will hear a description. The description is cued by an audio tone. Complex screens are divided into several descriptions. Listen to the description, and then select the play audio narration button to continue. You can access the glossary and a list of resources at any time without losing your place in the course. Topic title: Introduction. Screen title: Objectives and Topics. Bulleted text and text boxes appear with objectives and topics in support of audio. Text box appears with References to open source or freeware in this training product are for training purposes only, and should not be considered endorsements of these products. Please check with your command, service or agency for guidance on the use of these products.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>IDS Types and Operations</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>What are the Two Types of IDSes?</Title>
					<Subtitle/>
					<Filename>idsl4_02</Filename>
					<PageNbr>2</PageNbr>
					<ShowText>
						<Txt frameNbr="1">An intrusion detection system is a tool to help you monitor a network, a system, or a host. The system then alerts you to suspicious or malicious activities, policy violations, and anomalies. The alerts allow you to analyze the traffic and mitigate the risks of an intrusion. There are two main types of intrusion detection systems that you can implement: a host-based IDS, or HIDS, and a network-based IDS, or NIDS. The HIDS is a software agent installed on an individual server or workstation that monitors only activities related to the machine on which the HIDS is installed. The NIDS is an appliance placed strategically on the network that monitors all network traffic to and from devices connected to that network. For the purpose of this course, we will focus on network-based intrusion detection systems. Any further references to IDS will refer to a NIDS, unless otherwise stated. Select each type of IDS to learn more about what it is and how it works.</Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>What are the Two Types of IDSes?</Title>
							<Subtitle/>
							<Filename>idsl4_02_01</Filename>
							<PageNbr>2</PageNbr>
							<ShowText>
								<Txt frameNbr="1">A host-based IDS, or HIDS, is a software agent that sits on a host system. The host could be a server or an individual workstation. The agent inspects whether the computer system's security policies have been circumvented. A HIDS monitors all or part of the behavior and state of a computer system. The HIDS analyzes traffic only to and from that system. It also examines the system calls, application logs, file system modifications, and other host activities and states. A HIDS has a vantage point of only the one host it resides on. It cannot tell you whether a network attack is more widespread than just that one host.</Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Host Based I D S</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 2. Popup title: Host Based I D S. An image of a computer workstation appears with a magnifying glass shown over it enclosed within concentric circles. Text and bullet points appear in support of audio. </ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>What are the Two Types of IDSes?</Title>
							<Subtitle/>
							<Filename>idsl4_02_02</Filename>
							<PageNbr>2</PageNbr>
							<ShowText>
								<Txt frameNbr="1">A network-based IDS, or NIDS, is an independent device that is strategically placed on a network in order to gain access to all traffic traversing that particular network segment. The IDS will typically gain access to the network through a hub, a switch, or a network tap, with each method having its own advantages and disadvantages. The NIDS monitors all network packets, including traffic to and from multiple hosts on the network. This system is designed and configured to analyze the traffic and alert you to potential malicious activity. A NIDS should have a vantage point that includes all hosts on the network segment, based on deployment requirements, allowing you to be notified of a widespread or ongoing intrusion.</Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Network Based I D S</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 2 of 2: Popup title: Network Based I D S. An image of two workstations and a server appears with a magnifying glass over one of the workstations, all enclosed within concentric circles. Text and bullet points appear in support of audio.</ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 2 of 10. Topic title: I D S Types and Operations. Screen title: What are the two types of I D S iz? Image of a generic computer network appears. Image of a masked man with a laptop appears, with an animated line moving toward the computer network image. Text box displays Alert Suspicious Activity, and then Malicious Code Found and Removed. Text box displays bulleted text in support of audio. An image of a computer workstation appears with a magnifying glass shown over it enclosed within concentric circles. This image is labeled host based I D S. An image of two workstations and a server appears with a magnifying glass over one of the workstations, all enclosed within concentric circles. This image is labeled network based I D S. Animation shows the magnifying glass in the host based I D S moving across the computer and its monitor. Animation shows the magnifying glass in the network based I D S moving across the two workstations and the server. The network based I D S image is highlighted. Host based I D S text turns into selectable button labeled hidz, and network based I D S turns into nidz. Instructions appear to select each type of I D S to learn more.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>How do NIDS Operate?</Title>
					<Subtitle/>
					<Filename>idsl4_03</Filename>
					<PageNbr>3</PageNbr>
					<ShowText>
						<Txt frameNbr="1">There are three primary detection methods utilized by IDSes. IDSes are typically classified as signature-based, anomaly-based, or protocol-based. While each configuration uses a different methodology, the goal is the same: to alert you to potentially malicious traffic on the network. A signature-based method looks for specific patterns of an attack in the network traffic. An anomaly-based method looks for traffic activity that falls outside of normal traffic patterns, while a protocol-based method analyzes the protocol activity against standard protocol behaviors. In the past, an IDS would use only a single technique, but many modern IDSes are capable of using a combination of all three methods. Select each method to learn more about it and its strengths and weaknesses.</Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>How do NIDS Operate?</Title>
							<Subtitle/>
							<Filename>idsl4_03_01</Filename>
							<PageNbr>3</PageNbr>
							<ShowText>
								<Txt frameNbr="1">The signature-based IDS method is the most common operating method used. This method uses static signatures, or rules, to detect malicious traffic on the network. Signature-based IDSes operate much like anti-virus software. Network traffic is examined for particular patterns or characteristics that represent an attack. Because many attacks today have distinct signatures, the patterns are preconfigured by the IDS vendor or created by the analyst of the system. If the IDS finds a pattern match in the traffic, an alert is sent to the analyst. A signature-based method works well to identify known attacks but does a poor job of identifying new, undocumented attacks. Signatures must be constantly updated to mitigate new threats.</Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Signature based</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 3. Popup title: Signature based. Images of blocks with ones and zeroes appear. Text and bullet points appear in support of audio. Text box flashes alert! Suspicious Activity! Text and bullet points appear in support of audio. Rollover for signatures displays the word rules.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>How do NIDS Operate?</Title>
							<Subtitle/>
							<Filename>idsl4_03_02</Filename>
							<PageNbr>3</PageNbr>
							<ShowText>
								<Txt frameNbr="1">An anomaly-based IDS establishes a performance baseline for normal, or routine, network traffic. The system then samples current network traffic activity against the baseline in order to detect whether or not the traffic is within baseline parameters. If the sampled traffic is outside of the baseline parameters, the analyst is alerted. Anomaly-based operating methods work well on smaller, more predictable networks. These systems may be able to detect new, undocumented attacks that run outside of the baseline. This method does not scale well to larger networks because most networks continuously have new activity that is normal but will appear outside the baseline, creating a false alarm. The IDS will be only as effective as the accuracy of the established baseline. It is critical to reestablish the baseline periodically to avoid unnecessary alerts.</Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Anomaly based</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 2 of 3. Popup title: Anomaly based. Text and bullet points appear in support of audio. Text box flashes alert! Suspicious Activity! An image of a graph appears indicating a baseline data range and a fluctuating data line with data points within and outside the baseline data range. Text and bullet points appear in support of audio.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>How do NIDS Operate?</Title>
							<Subtitle/>
							<Filename>idsl4_03_03</Filename>
							<PageNbr>3</PageNbr>
							<ShowText>
								<Txt frameNbr="1">The protocol-based IDS method monitors the communication between a client and the system, usually a server, that it protects. The IDS examines the behavior and state of a protocol in use by that system. For example, for a web server the IDS would monitor the HTTP or HTTPS communications. The protocol-based IDS determines whether the protocol is being implemented and utilized properly as defined by the protocol design specifications. If abnormal protocol behavior is found, the system alerts the analyst. The primary drawbacks to implementing a protocol-analysis IDS are that deployed protocols often do not follow the standard design specifications, and that the IDS detects broken implementations that may not be malicious, resulting in a false alarm.</Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Protocol based</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 3 of 3. Popup title: Protocol based. An image of documents titled t c p I p protocol appears. Text box flashes alert! Suspicious Activity! Text and bullet points appear in support of audio. Text box displays Protocol design specifications. An image of a document titled t c p I p protocol appears. Rollover text for protocol displays A rule that allows different devices to communicate to one another.</ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 3 of 10. Topic title: I D S Types and Operations. Screen title: How does a nidz operate? An image of two workstations and a server appears with a magnifying glass over one of the workstations, all enclosed within concentric circles. This image is enclosed in a downward pointing triangle, with the text Operating Methods at the top. The triangle points are labeled signature based, with images of blocks with ones and zeroes; anomaly based, with an image of a bar graph showing a wide bar trending upward and a fluctuating line also trending upward within the wide bar. The third triangle point is labeled protocol based, with an image of documents titled t c p I p protocol. The labels appear selectable as popups. Text box displays Many I D S iz can use all three methods. Instructions appear to select each method to learn more.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Knowledge Check</Title>
					<Subtitle/>
					<Filename>idsl4_04</Filename>
					<PageNbr>4</PageNbr>
					<PageType>Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>500</DfltQuestionWidth>
					<DfltFBWidth>750</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt>An independent device that analyzes network traffic for malicious activity</Txt>
							<Response>
								<Txt>HIDS</Txt>
							</Response>
							<Response valid="true">
								<Txt>NIDS</Txt>
							</Response>							
							<Feedback>
								<DfltCorrect>Correct. A network-based IDS is an independent device that analyzes network traffic for malicious activity.</DfltCorrect>
								<DfltIncorrect>Incorrect. A network-based IDS is an independent device that analyzes network traffic for malicious activity.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>A software agent installed on an individual server or workstation</Txt>
							<Response valid="true">
								<Txt>HIDS</Txt>
							</Response>
							<Response>
								<Txt>NIDS</Txt>
							</Response>							
							<Feedback>
								<DfltCorrect>Correct. A host-based IDS installs a software agent directly on a server or workstation.</DfltCorrect>
								<DfltIncorrect>Incorrect. A host-based IDS installs a software agent directly on a server or workstation.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Gains access to network traffic through a hub, switch, or network tap</Txt>
							<Response>
								<Txt>HIDS</Txt>
							</Response>
							<Response valid="true">
								<Txt>NIDS</Txt>
							</Response>	
							<Feedback>
								<DfltCorrect>Correct. A network-based IDS gains access to all network traffic by connecting through a hub, a switch, or network tap.</DfltCorrect>
								<DfltIncorrect>Incorrect. A network-based IDS gains access to all network traffic by connecting through a hub, a switch, or network tap.</DfltIncorrect>
							</Feedback>							
						</Question>
						<Question qType="MC">
							<Txt>Vantage point allows you to see widespread intrusions</Txt>
							<Response>
								<Txt>HIDS</Txt>
							</Response>
							<Response valid="true">
								<Txt>NIDS</Txt>
							</Response>							
							<Feedback>
								<DfltCorrect>Correct. Because the vantage point of a network-based IDS includes all devices on the network, a widespread intrusion can be detected.</DfltCorrect>
								<DfltIncorrect>Incorrect. Because the vantage point of a network-based IDS includes all devices on the network, a widespread intrusion can be detected.</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now check your knowledge of intrusion detection systems. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 4 of 10. Topic title: I D S Types and Operations. Screen title: Knowledge Check. This knowledge check presents four statements. For each statement there are two possible answers, hidz or nidz. Use the down arrow key to move through the statements and answer options. Use the enter key to make your selections.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Knowledge Check</Title>
					<Subtitle/>
					<Filename>idsl4_05</Filename>
					<PageNbr>5</PageNbr>
					<PageType display="Sequential">Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>500</DfltQuestionWidth>
					<DfltFBWidth>750</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt>Which of the following IDS operating methods detects whether current traffic is outside of the normal baseline parameters?</Txt>
							<Response>
								<Txt>Network-based IDS</Txt>
							</Response>
							<Response>
								<Txt>Signature-based IDS</Txt>
							</Response>
							<Response valid="true">
								<Txt>Anomaly-based IDS</Txt>
							</Response>
							<Response>
								<Txt>Protocol-based IDS</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. An anomaly-based method evaluates traffic against a performance baseline of normal traffic and alerts the analyst when traffic is outside the baseline parameters.</DfltCorrect>
								<DfltIncorrect>Incorrect. An anomaly-based method evaluates traffic against a performance baseline of normal traffic and alerts the analyst when traffic is outside the baseline parameters.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Which of the following IDS operating methods looks for patterns in network traffic that represent known attacks?</Txt>
							<Response>
								<Txt>Network-based IDS</Txt>
							</Response>
							<Response valid="true">
								<Txt>Signature-based IDS</Txt>
							</Response>
							<Response>
								<Txt>Anomaly-based IDS</Txt>
							</Response>
							<Response>
								<Txt>Protocol-based IDS</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. A signature-based method looks for patterns in network traffic that represent known attacks.</DfltCorrect>
								<DfltIncorrect>Incorrect. A signature-based method looks for patterns in network traffic that represent known attacks.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Which of the following IDS operating methods examines the behavior and state of a system based on RFC documents?</Txt>
							<Response>
								<Txt>Network-based IDS</Txt>
							</Response>
							<Response>
								<Txt>Signature-based IDS</Txt>
							</Response>
							<Response>
								<Txt>Anomaly-based IDS</Txt>
							</Response>
							<Response valid="true">
								<Txt>Protocol-based IDS</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. A protocol-based method uses RFC documents to examine the protocol behaviors and state of a system or device.</DfltCorrect>
								<DfltIncorrect>Incorrect. A protocol-based method uses RFC documents to examine the protocol behaviors and state of a system or device.</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now, check your understanding of IDS operating methods. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 5 of 10. Topic title: I D S Types and Operations. Screen title: Knowledge Check. This is a series of three multiple choice questions. Each one has four possible choices. Use the down arrow key to move through the options. Use the enter key to make your selection.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>What is Snort?</Title>
					<Subtitle/>
					<Filename>idsl4_06</Filename>
					<PageNbr>6</PageNbr>
					<ShowText>
						<Txt frameNbr="1">You've learned that intrusion detection systems can be either host-based or network-based. Now, you'll learn about a specific network-based IDS called Snort. Snort is an open source NIDS. That means Snort is freely distributed and the source code is readily available for public use and modification. Snort can be configured with a combination of all three detection methods: signature-based, anomaly-based, and protocol-based. Snort is the most widely deployed IDS and therefore has become the de facto standard intrusion detection system. Even if your organization does not run Snort, it is important to be familiar with this IDS because many commercial IDSes are built on top of Snort. Also, most IDSes can import Snort rules directly and use rule syntax that is very similar to Snort's. Snort is a good IDS example to illustrate critical issues common to all network-based IDSes.</Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 6 of 10. Topic title: I D S Types and Operations. Screen title: What is Snort? An image of a computer workstation enclosed within concentric circles. This image is labeled host based I D S. An image of two workstations and a server appears enclosed within concentric circles. This image is labeled network based I D S. An image of a Snort logo appears with a trademark symbol and statement Snort is a registered trademark of source fire Ink. The image labeled host based I D S disappears. Images of blocks of ones and zeroes appears. An image of documents labeled T C P I P protocol appears. Text and bullet points appear in support of audio. A ribbon with number one on it appears next to the Snort logo. Rollover for open source displays Software that is freely distributed and the source code is readily available for public use and modification.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>IDS Events</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Types of Events</Title>
					<Subtitle/>
					<Filename>idsl4_07</Filename>
					<PageNbr>7</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Regardless of the intrusion detection system implemented by your organization, there are four IDS event types that will apply. The system can give you a true positive, a true negative, a false positive, or a false negative. A true positive means that malicious traffic or traffic of interest has occurred and the IDS alerts you to examine it further. When there is no malicious activity and the IDS does not alert you, this event is called a true negative. If a non-malicious event occurs but the IDS alerts you as if there is malicious activity, then this is a false positive. Finally, a false negative is when there is a malicious event in the traffic, but the IDS fails to alert you. The goal of any IDS is to have only true positive and true negative events from your system. However, all real-world production IDSes have false positive and false negative events. It is common to receive alerts about traffic that is considered harmless, and it is very common not to receive alerts for intrusions that should be brought to an analyst's attention.</Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 7 of 10. Topic title: I D S Events. Screen title: Types of Events. An image of two workstations and a server appears enclosed within concentric circles. A table titled Types of Events appears with two columns labeled event type and description. The first two rows are labeled Goal. Row one shows a green plus sign with text true positive in the Event type column, and a malicious event occurs, I D S alerts in the description column. Row two shows a Green minus sign with text true negative in the Event type column, and a non malicious event occurs, I D S is silent in the Description column. The third and fourth rows are labeled Real World. The third row shows a Red plus sign with text false positive in the Event Type column, and a non malicious event occurs, I D S alerts in the Description column. The fourth row shows a red minus sign with text false negative in the Event Type column, and a malicious event occurs, I D S is silent in the Description column. Rows are highlighted, and animations of data moving from a workstation to and from the networked workstations image appear in support of audio. Text box flashes Alert! in support of audio.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>IDS Shortcomings</Title>
					<Subtitle/>
					<Filename>idsl4_08</Filename>
					<PageNbr>8</PageNbr>
					<ShowText>
						<Txt frameNbr="1">False positive and false negative events are expected in any real-world intrusion detection system. However, there are shortcomings of IDSes that analysts and administrators must be aware of. Corrupted or malformed data packets can cause additional false alarms by an IDS. Misconfigured devices, software bugs, corrupt data, and local packets that have escaped generate these malformed packets and create a significantly high false alarm rate. These false alarms waste your efforts tracking items that are not real issues. The IDS can also return false negatives and fail to alert you to suspicious activities. The IDS can't analyze encrypted traffic, such as traffic going over a VPN, unless special network configurations are implemented that allow the traffic to be decrypted, analyzed by the IDS, and re-encrypted for continued transmission. It is also easy for an IDS to become overloaded due to poor configuration or insufficient hardware resources, dropping packets or leaving packets unanalyzed because there is too much traffic to examine. And the IDS can become vulnerable to new attack strategies if the IDS's database is not constantly updated with new signatures. The effectiveness of an IDS correlates with the effectiveness of the administrator and analysts responsible for the device. The more effective the analyst and administrator are at configuring the system and monitoring alerts, the better the IDS will perform.</Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 8 of 10. Topic title: I D S Events. Screen title: I D S Shortcomings. The types of Events table briefly appears in support of audio. An image of a person using a laptop appears labeled administrator slash analyst. Text and bullet points appear in support of audio. Text box displays Alert Suspicious Activity in support of audio. An animation shows time passing on an analog clock. Animations show lines moving from off screen into the laptop in support of audio. The text NEW appears on the laptop. A server image appears labeled I D S. A graph image appears labeled effectiveness, with an animation of an upward trending line in support of audio.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Knowledge Check</Title>
					<Subtitle/>
					<Filename>idsl4_09</Filename>
					<PageNbr>9</PageNbr>
					<PageType display="Sequential">Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>600</DfltQuestionWidth>
					<DfltFBWidth>750</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt>Which of the following events describes when a malicious event occurs and the IDS is silent?</Txt>
							<Response>
								<Txt>True Positive</Txt>
							</Response>
							<Response>
								<Txt>True Negative</Txt>
							</Response>
							<Response>
								<Txt>False Positive</Txt>
							</Response>
							<Response valid="true">
								<Txt>False Negative</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. A false negative event is when a malicious activity occurs but the IDS does not alert the analyst.</DfltCorrect>
								<DfltIncorrect>Incorrect. A false negative event is when a malicious activity occurs but the IDS does not alert the analyst.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Which of the following events describes when a non-malicious event occurs and the IDS is silent?</Txt>
							<Response>
								<Txt>True Positive</Txt>
							</Response>
							<Response valid="true">
								<Txt>True Negative</Txt>
							</Response>
							<Response>
								<Txt>False Positive</Txt>
							</Response>
							<Response>
								<Txt>False Negative</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. A true negative event is when a non-malicious activity occurs and the IDS does not alert the analyst.</DfltCorrect>
								<DfltIncorrect>Incorrect. A true negative event is when a non-malicious activity occurs and the IDS does not alert the analyst.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Which of the following events describes when a malicious event occurs and the IDS alerts the analyst?</Txt>
							<Response valid="true">
								<Txt>True Positive</Txt>
							</Response>
							<Response>
								<Txt>True Negative</Txt>
							</Response>
							<Response>
								<Txt>False Positive</Txt>
							</Response>
							<Response>
								<Txt>False Negative</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. A true positive event is when a malicious activity occurs and the IDS alerts the analyst.</DfltCorrect>
								<DfltIncorrect>Incorrect. A true positive event is when a malicious activity occurs and the IDS alerts the analyst.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Which of the following events describes when a non-malicious event occurs and the IDS alerts the analyst?</Txt>
							<Response>
								<Txt>True Positive</Txt>
							</Response>
							<Response>
								<Txt>True Negative</Txt>
							</Response>
							<Response valid="true">
								<Txt>False Positive</Txt>
							</Response>
							<Response>
								<Txt>False Negative</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. A false positive event is when a non-malicious activity occurs and the IDS alerts the analyst.</DfltCorrect>
								<DfltIncorrect>Incorrect. A false positive event is when a non-malicious activity occurs and the IDS alerts the analyst.</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now, check your understanding of different types of IDS events. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 9 of 10. Topic title: I D S Events. Screen title: Knowledge Check. This is a series of four multiple choice questions. Each one has the same four possible choices. Use the down arrow key to move through the options. Use the enter key to make your selection.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Conclusion</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Summary and Conclusion</Title>
					<Subtitle/>
					<Filename>idsl4_10</Filename>
					<PageNbr>10</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Congratulations! You have completed the Intrusion Detection System Overview lesson. You should now be able to identify the different types and methods of IDSes. You should also be able to recognize what Snort is and why it is important. You should be able to differentiate types of IDS events. Finally, you should be able to identify various shortcomings of IDSes.</Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 10 of 10. Topic title: Conclusion. Screen title: Summary and Conclusion. The word Congratulations appears in large text. Text and bullet points display lesson objectives. Bullet points turn into checkmarks in sync with audio.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
	</Topics>
</Module>
