nvh_ids_3
October 2, 1998
Page 3
Technology Overview
Network Based Intrusion Detection
Network-based intrusion detection systems use raw network packets as their data source. A
network-based IDS typically uses a network adapter running in promiscuous mode to monitor
and analyze, in real time, all traffic on the segment to which it is attached (on a switched network
the sensor only sees the traffic delivered to its port, so it must be placed on a mirror port or other
choke point). Its attack recognition module uses four common techniques to recognize an attack
signature:
· Pattern, expression or bytecode matching
· Frequency or threshold crossing
· Correlation of lesser events
· Statistical anomaly detection
Once an attack has been detected, the IDS response module provides a variety of options to
notify, alert and take action in response to the attack. These responses vary by product, but
usually include administrator notification, termination of the offending connection, and/or
recording of the session for forensic analysis and evidence collection.
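The following is an added example, not code from the original paper or from any product it describes: a toy attack-recognition module that applies the four techniques listed above (pattern matching, threshold crossing, correlation of lesser events, statistical anomaly detection) to a constructed packet stream, and a response module that maps each alert to one of the actions named above. The signatures, thresholds, baseline sizes, addresses and packets are all invented for illustration.

```python
"""Added example (not from the original paper): a minimal network IDS
attack-recognition and response module exercised on constructed packets."""
import re
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Packet:
    ts: float          # seconds since capture start
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Alert:
    technique: str     # pattern | threshold | correlation | anomaly
    src: str
    dst: str
    detail: str


# 1. Pattern / expression / bytecode matching (hypothetical signatures).
PATTERN_SIGS = {
    "cgi-bin phf probe": re.compile(rb"GET /cgi-bin/phf"),
    "NOP sled": re.compile(rb"\x90{16,}"),
}
# 2. Frequency / threshold crossing: this many distinct destination ports
#    from one source inside the window is treated as a port scan.
SCAN_PORTS, SCAN_WINDOW = 5, 2.0
# 4. Statistical anomaly detection: payload size this many standard
#    deviations above the learned mean is flagged.
ANOMALY_Z = 3.0

# Constructed "learned" baseline of normal payload sizes (bytes).
BASELINE_SIZES = [40, 52, 60, 48, 55, 44, 58, 50]


class NetworkIDS:
    def __init__(self, baseline_sizes):
        self.mu = mean(baseline_sizes)
        self.sigma = pstdev(baseline_sizes) or 1.0
        self.port_hits = defaultdict(list)   # src -> [(ts, dport), ...]
        self.lesser = defaultdict(set)       # src -> techniques already seen
        self.flagged = set()                 # (src, technique) already alerted
        self.terminated = set()              # (src, dst) connections reset

    def observe(self, pkt):
        alerts = []
        # 1. pattern matching against the payload bytes
        for name, rx in PATTERN_SIGS.items():
            if rx.search(pkt.payload):
                alerts.append(Alert("pattern", pkt.src, pkt.dst, name))
        # 2. threshold crossing: distinct ports per source in a sliding window
        hits = self.port_hits[pkt.src]
        hits.append((pkt.ts, pkt.dport))
        recent = {p for t, p in hits if pkt.ts - t <= SCAN_WINDOW}
        if len(recent) >= SCAN_PORTS and (pkt.src, "threshold") not in self.flagged:
            self.flagged.add((pkt.src, "threshold"))
            alerts.append(Alert("threshold", pkt.src, pkt.dst,
                                f"{len(recent)} ports within {SCAN_WINDOW}s"))
        # 3. correlation: a scan plus a signature hit from the same source
        for a in alerts:
            self.lesser[pkt.src].add(a.technique)
        if {"threshold", "pattern"} <= self.lesser[pkt.src] \
                and (pkt.src, "correlation") not in self.flagged:
            self.flagged.add((pkt.src, "correlation"))
            alerts.append(Alert("correlation", pkt.src, pkt.dst,
                                "port scan followed by exploit signature"))
        # 4. statistical anomaly: oversized payload relative to the baseline
        z = (len(pkt.payload) - self.mu) / self.sigma
        if z > ANOMALY_Z:
            alerts.append(Alert("anomaly", pkt.src, pkt.dst, f"payload z={z:.1f}"))
        return alerts

    def respond(self, alert):
        """Response module: pick one of the actions the paper names."""
        if alert.technique == "pattern":
            self.terminated.add((alert.src, alert.dst))
            return "terminate connection"
        if alert.technique == "correlation":
            return "record session"
        return "notify administrator"


# Constructed packet stream: a port scan, then a CGI probe from the same
# host, an oversized payload from a second host, a NOP sled from a third.
SAMPLE_PACKETS = [
    Packet(0.0, "10.0.0.5", "192.168.1.10", 21, b""),
    Packet(0.3, "10.0.0.5", "192.168.1.10", 23, b""),
    Packet(0.6, "10.0.0.5", "192.168.1.10", 25, b""),
    Packet(0.9, "10.0.0.5", "192.168.1.10", 80, b""),
    Packet(1.2, "10.0.0.5", "192.168.1.10", 110, b""),
    Packet(1.5, "10.0.0.5", "192.168.1.10", 80, b"GET /cgi-bin/phf?Qalias=x HTTP/1.0"),
    Packet(2.0, "10.0.0.7", "192.168.1.10", 80, b"A" * 1500),
    Packet(2.2, "10.0.0.9", "192.168.1.10", 80, b"\x90" * 32 + b"\xcc"),
]


def run_demo():
    ids = NetworkIDS(BASELINE_SIZES)
    alerts = []
    for pkt in SAMPLE_PACKETS:
        alerts.extend(ids.observe(pkt))
    actions = [ids.respond(a) for a in alerts]
    return ids, alerts, actions


if __name__ == "__main__":
    _, alerts, actions = run_demo()
    for a, act in zip(alerts, actions):
        print(f"{a.technique:11} {a.src:10} {a.detail:40} -> {act}")
```

Each technique is kept deliberately independent so the effect of its tuning knob is visible: lowering SCAN_PORTS or widening SCAN_WINDOW trades false positives for earlier detection, and the anomaly detector only fires above the baseline because an empty or short payload is normal for the first packets of a connection.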
Host Based Intrusion Detection
Host-based intrusion detection started in the early 1980s, before networks were as prevalent,
complex and interconnected as they are today. In that simpler environment it was common
practice to review audit logs for suspicious activity. Intrusions were sufficiently rare that
after-the-fact analysis proved adequate to prevent future attacks.
Today's host-based intrusion detection systems remain a powerful tool for understanding
previous attacks and determining how to defeat their future application. Host-based IDS still
use audit logs, but they are much more automated, having evolved sophisticated and responsive
detection techniques. Host-based IDS typically monitor the system, application and security
event logs on Windows NT and syslog in Unix environments. When a new entry is written to one
of these logs, the IDS compares it with its attack signatures to see if there is a match. If so, the
system responds with administrator alerts and other calls to action.
Host-based IDS have grown to include other technologies. One popular method for detecting
intrusions checks key system files and executables via checksums at regular intervals for
unexpected changes. The timeliness of the response is bounded by the polling interval: a
change made just after one poll is not noticed until the next. Finally, some products listen to
port activity and alert administrators when specific ports are accessed. This type of detection
brings an elementary level of network-based intrusion detection into the host-based environment.
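The following is an added example, not code from the original paper or from any product it describes: a minimal file-integrity check of the checksum-polling kind described above, plus a small function that makes the relation between polling interval and detection delay explicit. The monitored file names and their contents are constructed inside a temporary directory for the demo; SHA-256 is used in place of the MD5 that products of the period typically relied on.

```python
"""Added example (not from the original paper): host-based integrity checking
by periodic checksum comparison, run against constructed files."""
import hashlib
import math
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large executables need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(paths):
    """Record the trusted digest of every monitored file that currently exists."""
    return {p: sha256_file(p) for p in paths if os.path.isfile(p)}


def check_integrity(baseline, paths):
    """One polling pass: compare current state with the baseline.

    Reports files whose contents changed, files that appeared where none was
    recorded, and recorded files that have vanished."""
    report = {"changed": [], "added": [], "missing": []}
    for p in paths:
        exists = os.path.isfile(p)
        if p in baseline and not exists:
            report["missing"].append(p)
        elif p in baseline and sha256_file(p) != baseline[p]:
            report["changed"].append(p)
        elif p not in baseline and exists:
            report["added"].append(p)
    return report


def detection_latency(modified_at, interval, first_poll=0.0):
    """Seconds between a modification and the first poll that can observe it.

    Polls run at first_poll, first_poll + interval, ... so the delay lies in
    (0, interval]: the worst case is a change made just after a poll."""
    polls_done = math.floor((modified_at - first_poll) / interval)
    next_poll = first_poll + (polls_done + 1) * interval
    return next_poll - modified_at


def run_demo():
    """Baseline three constructed files, simulate an intrusion between polls,
    then run one poll. Returns the report keyed by base name."""
    with tempfile.TemporaryDirectory() as root:
        names = ("ls", "passwd", "inetd.conf", "rootkit")
        monitored = [os.path.join(root, n) for n in names]
        ls, passwd, inetd, rootkit = monitored
        # constructed "system files"; rootkit does not exist yet
        for path, content in (
            (ls, b"ELF fake ls binary"),
            (passwd, b"root:x:0:0:root:/root:/bin/sh\n"),
            (inetd, b"ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd\n"),
        ):
            with open(path, "wb") as f:
                f.write(content)
        baseline = take_baseline(monitored)

        # simulated intrusion between two polls: trojaned ls, a dropped
        # backdoor, and a removed config file
        with open(ls, "wb") as f:
            f.write(b"ELF trojaned ls binary")
        with open(rootkit, "wb") as f:
            f.write(b"backdoor")
        os.remove(inetd)

        report = check_integrity(baseline, monitored)
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    for kind, files in run_demo().items():
        print(f"{kind:8} {files}")
    print("worst-case delay with hourly polling:", detection_latency(3600.0, 3600.0), "s")
```

Two caveats apply in practice. The baseline digests must be stored where an intruder who already has root on the host cannot rewrite them (read-only media or another machine), since otherwise the trojaned file and its "trusted" checksum can be replaced together; and because detection is delayed by up to one full interval, the interval should be chosen from how long an undetected change is tolerable rather than from how cheap the check is.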