Introduction to intrusion:

In intrusion refers to an attacker gaining unauthorized access to a device, network, or system.

Cyber criminals use increasingly sophisticated techniques and tactics to infiltrate organizations
without being discovered. Any illegal activity carried out on a digital network. A security event,
or a combination of multiple security events, that constitutes a security incident in which an
intruder gains, or attempts to gain, access to a system or system resource without having
authorization to do so. An illegal entrance into your network or an address in your assigned
domain. Intrusions can be passive (in which access is achieved quietly and undetected) or
aggressive (in which access is gained overtly and without detection). Intrusions might occur from
the outside or from within your network structure (an employee, customer, or business partner).
Some intrusions are just aimed to alert you that an intruder has entered your site and is defacing
it with various messages or obscene graphics. Others are more malevolent, attempting to harvest
sensitive data on a one-time basis or as part of a long-term parasitic connection that will continue
to siphon data until it is identified. Some intruders will try to implant code that has been carefully
developed. Others will infiltrate the network, stealthily siphoning out data on a regular basis or
altering public-facing Web sites with varied messages. An attacker can acquire physical access to
your system (by physically accessing a restricted computer and its hard drive and/or BIOS),
externally (by assaulting your Web servers or breaching your firewall), or internally (by
physically accessing a restricted machine and its hard disc and/or BIOS) (your own users,
customers, or partners). Any of the following can be considered an intrusion −Malware,
sometimes known as ransomware, is a type of computer virus. Attempts to obtain unauthorized
access to a system DDOS (Distributed Denial of Service) attacks Destruction of cyber-enabled
equipment Employee security breaches that are unintentional (like moving a secure file into a
shared folder) Untrustworthy users, both within and external to your company. Phishing
campaigns and other methods of deceiving consumers with ostensibly genuine communication
are examples of social engineering assaults.

Need to intrusion:
1. Isolate the affected systems: Disconnect compromised devices from the network to prevent
further spread of the intrusion.
2. Alert your team: Inform your IT/security team about the intrusion so they can assess the
situation and take appropriate actions.
3. Change passwords: Immediately change passwords for all affected accounts and systems.
Ensure that strong, unique passwords are used.
4. Scan for malware: Run antivirus and anti-malware scans on all affected systems to identify
and remove any malicious software.
5. Review logs: Examine system logs, network traffic logs, and any other relevant logs to
identify the source and extent of the intrusion.
6. Patch vulnerabilities: If the intrusion exploited known vulnerabilities, apply patches and
updates to affected systems to prevent further exploitation.
7. Inform stakeholders: Depending on the severity and impact of the intrusion, consider
notifying relevant stakeholders, such as customers, partners, and regulatory authorities.
8. Restore from backups: If necessary, restore affected systems from clean backups to ensure
they are free from any malicious activity.
9. Implement security enhancements: Strengthen your security measures by implementing
additional security controls, such as intrusion detection systems, firewalls, and access
controls.
10. Conduct a post-mortem: After the immediate threat is mitigated, conduct a thorough
investigation to understand how the intrusion occurred and identify any weaknesses in your
security posture. Use this information to improve your security defenses

Vulnerability
A vulnerability is a weakness that can be exploited by cybercriminals to gain unauthorized
access to a computer system. After exploiting a vulnerability, a cyberattack can run malicious
code, install malware, and even steal sensitive data. Vulnerabilities can be exploited by a variety
of methods, including SQL injection, buffer overflows, cross-site scripting (XSS), and open-
source exploit kits that look for known vulnerabilities and security weaknesses in web
applications. Many vulnerabilities impact popular software, placing the many customers using
the software at a heightened risk of a data breach, or supply chain attack. Such zero-day exploits
are registered by MITRE as a Common Vulnerability Exposure (CVE).
Sources Of Vulnerabilities
Software Bugs
Software bugs are one of the leading causes of vulnerabilities. These are errors or faults in a
program that cause it to produce incorrect or unexpected results or behave in unintended ways.
They can be introduced during the software development process due to oversight, lack of
understanding, or even subtle errors in coding.
1. Functional errors
This is a broad type of error that happens whenever software doesn’t behave as
intended. For example, if the end user clicks the “Save” button, but their entered data isn’t
saved, this is a functional error. After some investigation, a software tester may identify a
more specific culprit behind the error and reclassify it as a different type of bug.
2. Syntax errors
A syntax error occurs in the source code of a program and prevents the program
from being properly compiled. This type of error is very common and typically occurs
when there are one or more missing or incorrect characters in the code. For example, a
single missing bracket could cause a syntax error.
Compiling programs typically indicate where a syntax error has occurred so the
programmer can fix it.

3. Logic errors
A logic error represents a mistake in the software flow and causes the software to
behave incorrectly. This type of error can cause the program to produce an incorrect
output, or even hang or crash. Unlike syntax errors, logic errors will not prevent a program
from compiling. A common logic error is the infinite loop. Due to poorly written code, the
program repeats a sequence endlessly until it crashes or halts due to external intervention,
such as the user closing a browser window or turning the power off.

4. Calculation errors
Anytime software returns an incorrect value — whether it’s one the end user sees
or one that’s passed to another program — that’s a calculation error. This could happen for
several reasons:
 The software is using the wrong algorithm to calculate the value.
 The calculation has a data type mismatch.
 The developers have coded the calculation or value hand-off to another program
incorrectly.
While such an error can be costly in certain contexts — like in banking, where an
incorrect calculation can result in the loss of money — hunting down the calculation error
is typically just a matter of math.
5. Unit-level bugs
David LaVine, founder of RocLogic Marketing and a former engineer, says unit-
level software bugs are the most common. They’re also typically the easiest to fix. After
your software is initially coded, you need to see how it works through unit testing —
taking a small, logical section of code and verifying that it performs as designed. This is
where various forms of state machine bugs, calculation errors, and basic logic bugs are
often uncovered.
“The bugs are relatively easy to isolate when you’re dealing with a small amount of
code that’s within your control,” LaVine says. “They’re also relatively easy to replicate
because there aren’t a lot of complex, asynchronous interactions taking place yet.”
6. System-level integration bugs
This type of bug occurs when two or more pieces of software from separate subsystems
interact erroneously. Often the two sets of code are written by different developers.
LaVine explains that even when there’s a solid set of requirements for developers to
follow, there’s usually some level of interpretation required or details that get overlooked,
causing the interaction between two pieces of software to fail.
“System-level integration bugs are harder to fix because you’re dealing with more than
one piece of software, so the complexity increases while overall visibility decreases,”
LaVine says. “This class of bug is often caused by things like byte-swapping, message
parsing, or memory overflow issues.”
7. Out of bounds bugs
LaVine notes that these types of software bugs show up when the end user interacts
with the software in ways that weren’t expected. This often occurs when the user sets a
parameter outside the limits of intended use, such as entering a significantly larger or
smaller number than coded for or inputting an unexpected data type, like text where a
number should be
8. Misconfiguration
Misconfiguration refers to the incorrect setup of an application, database, network device,
or security control. This can inadvertently leave gaps in a system’s defense, giving malicious
actors potential entry points to exploit.

Types of Security Misconfigurations

You could be a victim of security misconfiguration for several reasons. With multiple
parties involved in developing a web application, proper implementation of a security
framework could slip through the cracks. Undertrained staff, lack of understanding, and
failure to review patches are some causes. The most common security misconfiguration that
occur are listed below:
1. Unpatched systems
Attackers can exploit a bug that has not been patched to execute a malicious program.
Cybercriminals commonly exploit this loophole to scan environments for any unpatched
systems and leverage the same to access applications illegally.
2. Default account settings
You might set up a few trust configurations to streamline access between systems.
However, this opens up your application to attacks and breaches across your network that
compromise vital data.
3. Unencrypted files
Unencrypted or poorly encrypted files give hackers ample opportunity to illegally
access your system, steal data or modify it with false information.
4. Unsecured devices
Using compromised devices or credentials or reusing the same passwords for different
systems could make your environment insecure. Even if attackers could gain unauthorized
access to one of your systems, the entire network could be exploited.
5. Web application and cloud misconfiguration
Cyber Attackers could detect misconfiguration vulnerabilities in your system and
exploit the same, causing severe harm directly or indirectly.
6. Insufficient firewall protection
If you leave services running on a firewall, it could expose a window for attackers to
exploit vulnerabilities and disrupt your syste
7. Unpatched Software
Unpatched software is another common cause of vulnerabilities. When software
developers discover a bug or a security flaw in their product, they usually release a software
update or a ‘patch’ to fix the problem. However, if users or administrators neglect to install
these patches, the software remains vulnerable.
Unpatched vulnerabilities refer to security flaws or weaknesses in software, hardware,
or systems that have not yet been addressed through an update or patch. Threat actors can
exploit these vulnerabilities to steal data and gain unauthorized access to a network. Software
vendors typically release updates or patches to mitigate risks once vulnerabilities are
identified. Unfortunately, organizations that fail to implement timely patches and updates
leave their systems vulnerable to exploitation by cyber criminals.
Unpatched system vulnerabilities pose the following risks for businesses:
 Data Breaches: Unpatched security vulnerabilities give attackers an entry point to
gain unauthorized access to the company’s sensitive data.
 System Downtime: Outdated software and systems are more prone to performance
issues, crashes, and instabilities, resulting in business interruptions and unexpected
downtime.
 Ransomware Attacks: Ransomware groups exploit unpatched system
vulnerabilities to encrypt important files and demand payment for the decryption key.
 Compliance Violations: Organizations subject to regulatory requirements must
maintain a certain level of security. Failure to patch systems can result in compliance
violations, leading to hefty fines and penalties.
 Malware Infections: Threat actors can exploit unpatched software vulnerabilities to
infect systems with malware, leading to system disruptions.
 Reputational Damage: Successful cyber attacks due to unpatched vulnerabilities can
damage a business’s reputation, erode customer trust, and lead to costly legal liabilities.
8. Lack of Security Awareness
In many instances, vulnerabilities stem from a lack of security awareness among
users. This can lead to risky behaviors such as using weak passwords, clicking on suspicious
links, or sharing sensitive information, which could expose systems to threats.
What are the causes of poor security awareness and how to fix it?
 The most common cause of poor security awareness is less or no security awareness
training. Therefore, companies across industries can arrange security awareness training
programs for their employees.
Many training programs are available that companies can choose from. However, when
choosing a security awareness program, companies should have the following approach:
 The program must reinforce security awareness concepts
 The training program must track an employee’s success
 The program must conduct mock tests. For instance, ‘live fire’ exercises are used to check
the understanding of employees about phishing emails and other tactics

Insufficient Testing
Insufficient or improper testing can also result in vulnerabilities. If software or systems aren’t
thoroughly tested for potential security issues before deployment, vulnerabilities may go
undetected and provide an open door for attackers Security Weakness Prevalence COMMON
Detectability EASY Insufficient input/output validation vulnerability occurs when an application
fails to properly check and sanitize user input or validate and sanitize output data. This
vulnerability can be exploited in the following ways:
Insufficient Input Validation: When user input is not thoroughly checked, attackers can
manipulate it by entering unexpected or malicious data. This can bypass security measures and
lead to code execution vulnerabilities or unauthorized system access.
Insufficient Output Validation: If output data is not properly validated and sanitized, attackers
can inject malicious scripts that get executed by users’ browsers. This can lead to cross-site
scripting (XSS) attacks, enabling data theft, session hijacking, or the manipulation of displayed
content.
Lack of Contextual Validation: Failing to consider the specific context or expected data
formats can result in vulnerabilities like SQL injection or format string vulnerabilities. These
occur when unvalidated user input is directly incorporated into database queries or improperly
handled in format string functions, allowing attackers to manipulate queries or execute arbitrary
code.
Failure to Validate Data Integrity: Without validating data integrity, the application becomes
vulnerable to data corruption or incorrect processing. Attackers can tamper with critical system
variables or introduce malformed data that disrupts the application’s functionality.
These vulnerabilities often arise from errors in application logic, incomplete implementation of
validation checks, lack of security awareness, or insufficient testing and code review practices.

COMPONENTS AND ARCHITECTURE:

IDS –Intrusion Detection System
Any unauthorized access is called Intrusion. An Intrusion Detection System is a network
security technology originally built for detecting vulnerability exploits against a target
application or computer and produces report to the management.
Components

The four Typical IDS Components are an IDS sensor or agent, a management server, a
database server, and an IDS console.
1. IDS sensor or agent
They are the first component of an IDS. These sensors can either be host or network-
based. It is the part of IDS that deploy on a network or host to monitor their activity.
Sensors monitor wired or wireless networks (network traffic, system logs, and other data
sources for suspicious activity). They provide alerts when potential breaches are detected. It
is responsible for the collection of data and monitor the activity.
2. Management server
 A Management server is responsible for collecting data from sensors. The
management server can also correlate and analyze this data to determine intrusion has
occurred.

3. Database server
An IDS database server is where you’ll store the event data your IDS sensors and
agents record. Some IDS tools store data in an embedded database, while others use an
external database like MySQL, Oracle, or MS SQL.
4. IDS console/User interface
The IDS console is where you’ll perform administrative or management tasks. It
is responsible for displaying GUI and generating alerts.
Basically, some IDS consoles can configure sensors/agents and conduct monitoring
and analysis, while others are only capable of configuring sensors/agents.
(or)

The major components of IDS are Audit data processor, Knowledge base, Decision engine,
Alarm generation and responses.
Common Components of an IDS/IPS

Incoming Traffic/logs data - Packets, logs.

1. Data Preprocessor
Data pre-processing is required in all knowledge discovery tasks, including network-
based intrusion detection, which attempts to classify network traffic as normal or anomalous.
Data pre-processing is the concept of changing the raw data into a clean data set. The dataset
is preprocessed in order to check missing values, noisy data, and other inconsistencies before
executing it to the algorithm. Collects and formats the data and analyze by the detection
algorithm.
2. Detection Algorithm
Based on the detection model, detects the difference between normal and intrusive
audit records. The most common ML algorithms used for IDS are Decision Tree, K-Nearest
Neighbor (KNN), Artificial Neural Network (ANN), Support Vector Machine (SVM), K-
Mean Clustering, Fast Learning Network, and Ensemble Methods.
IDSs can be software applications that are installed on endpoints or dedicated
hardware devices that are connected to the network. Some IDS solutions are available as
cloud services. Whatever form it takes, an IDS uses one or both of two primary threat
detection methods: signature-based or anomaly-based detection.
3. Alert Filter
It determines the severity of detected intrusive activity based on decision criteria.
Then alerts the operator. It selects a smaller portion of analyzed data to reduce the number of
alerts passing to other stages of analyses. The main goal of the filtration phase is to reduce
the number of alerts that have no or limited relevance to identifying suspicious activities. It
saves the system requirements for processing IDS alerts and reduces the number of false
positive alerts entering the next processing phase.

ARCHITECTURE (IDS)
An intrusion detection system is similar to an automated auditing mechanism. Like the
auditing systems, it consists of three parts: an agent, a director, and a notifier.
Fig: General IDS Architecture

Sensors/Agent:
Data gathering device (sensor) is responsible for collecting data from the monitored system.
An agent obtains information from the target such as a computer system or a data sources. The
source may be a log file, another process or network packets. The information may be sent
directly to the analyzer. These are responsible for monitoring network traffic or system activity
for suspicious behaviour or security policy violations. Usually, it is pre-processed into a specific
format. Also the agent may discard information that it deems irrelevant.
Host-based agents usually use system and application logs to obtain records of events and
analyze them. The events to look for and to analyze are determined by the intrusion detection
mechanism.
 Network-based agents use a variety of devices and software to monitor network traffic. It can
detect network-oriented attacks such as denial of service attack introduced by flooding a network.
It can monitor traffic for a large number of hosts. It can also examine the contents of the traffic
itself.
Analyzers and Recognition Model:
The analyzers or Detector ( Intrusion Detection ( ID) analysis engine) processes the data
collected from sensors to identify intrusive activities or to determine if an attack is in progress or
has occurred. The analyzer itself reduces the incoming log entries to eliminate unnecessary and
redundant records. It then uses an analysis engine, this aims at analyzing the collected
information and detecting cyber attack patterns or possible abnormal behaviour, by using
predefined rules, utilizing specific attack techniques such as (signature or statistical and
AI,anomaly detection), or machine learning algorithms.
Because the functioning of the analyzer is critical to the effectiveness of the intrusion
detection system, it is usually run on a separate system.
Knowledge base (database ):
It contains information collected by the sensors, but in pre-processed format (e.g. knowledge
base of attacks and their signatures, filtered data, data profiles, etc.). This information is usually
provided by network and security experts. A database server is an important component of the
overall IDS/IPS architecture. It is a repository of all the events triggered by the sensors, logs
generated, user policies and profiles, and other functional information.
Configuration device:
It provides information about the current state of the IDS.
Response
Component initiates actions when an intrusion is detected. These responses can either be
automated (active) or involve human interaction (inactive).
The notifier accepts information from the analyzer and takes the appropriate action. In some
cases, this is simply a notification to the system security officer that an attack is believed to be
underway. In other cases, the notifier may take some action to respond to the attack.
User Interface:
The user interface provides a way for security analysts or administrators to view alerts,
configure the IDS settings, and take action on detected threats. It may include dashboards,
reports, and alert notifications. A management console provides an interface to the users and
administrators for configuring and managing sensor systems. The users connect to the
management console through a client system over a web interface or any other client software. A
Management Graphical Interface should provide the following:
 Alert/Event Viewer: Displays all the intrusions detected by the sensors, which have
violated the defined set of policies. The alert viewers should be able to provide drill-
down capabilities to view all the details of individual alerts such as host, destination,
service, type of attack, and action taken.
 Incident Generator: This enables the creation of real-time correlative analysis of
attacks on the network. This should provide the type of incident that has occurred and
when it has occurred.
 Report Generators: To generate various security reports for the management and
further analysis. It should have the capability of generating reports automatically as
well e-mailing them to individuals.
 System Configuration Tools: Provides all the system configuration features. Setting
polices, profiles, responses to attacks, sensor mode of operation, user created profiles,
baseline scheduling, defining user roles and responsibilities, sending alerts to central
network management console, and other sensor level configurations. It should also
have the capabilities to send alerts to the central network management console and
alerting administrators through triggering cell phone calls and SMS services.
The actual architecture of IDS may vary depending on the specific implementation and
deployment environment.

Overall View
The primary function of a sensor is to analyze traffic and respond when the attacks are
detected. The sensor examines each and every packet's header and data content that enters the
network. The sensor looks for a pattern and behavior in the network traffic that indicates
malicious activity and sends alerts to the management console. The sensor examines the packets
and checks against the user-defined policies or rule sets, which contains the priorities of the
attacks to be monitored and the counter measures to be taken when an attack is detected.
If an attack is detected, the sensor sends an alert to the management console, logs the alert,
and responds to the attack as per the defined policy. The policies for sensors can be configured to
several types of responses generating alerts, logging events, resetting TCP connections, blocking
traffic at firewalls, scrubbing malicious packets, and even dropping the packets entirely before
reaching the final destination.
How does an IDS work?
 An IDS monitors the traffic on a computer network to detect any suspicious activity.
 It analyzes the data flowing through the network to look for patterns and signs of
abnormal behavior.
 The IDS compares the network activity to a set of predefined rules and patterns to
identify any activity that might indicate an attack or intrusion.
 Then if, IDS detects something that matches one of these rules or patterns, it sends
an alert to the system administrator.
 The system administrator can then investigate the alert and take action to prevent
any damage or further intrusion.
Terminology
 Alert/Alarm
A signal suggesting that the system has been or being is attacked.
 True positive
A legitimate attacks which triggers an IDS to produce an alarm
 True Negative
When no attack has taken place and no alarm is raised.
 False Positive
An event signalling an IDS to produce an alarm when no attack has taken place.
 False Negative
An failure of an IDS to detect an actual attack.

Countermeasures of attacks
Security countermeasures are the controls used to protect the confidentiality, integrity,
and availability, authority of data and information systems.
Common examples of countermeasures include security controls, policies,
procedures, or technology created to prevent the effects of security incidents.
Types of Attacks
There are different types of attacks such as malware attacks, database security threats,
Trojans and so on.
 Attacks against availability, confidentiality, integrity, authority. Attacks against
miscellaneous security objectives.

Countermeasures of Attacks
The some of the counter measures are,

 Authentication

Authentication is the process of allowing people, often employees, to identify who

they are so that they can gain access to the company's facilities or computer network. The
process is extremely important to help prevent unauthorized access, which can lead to
catastrophic data breaches. Authentication verifies the identity of a user or service.
 Access control

Access control is a security technique that regulates who or what can view or use
resources in a computing environment. There are two types of access control: physical and
logical. Physical access control limits access to campuses, buildings, rooms and physical IT
assets. Logical access control limits connections to computer networks, system files and data.
 Audit and intrusion detection

An Intrusion Detection System (IDS) is a monitoring system that detects suspicious

activities and generates alerts when they are detected. Based upon these alerts, a security
operations center (SOC) analyst or incident responder can investigate the issue and take the
appropriate actions to remediate the threat.
 Extrusion detection

Extrusion detection is a specialized form of IDS. Extrusion detection or outbound

intrusion detection is a branch of intrusion detection aimed at developing mechanisms to
identify successful and unsuccessful attempts to use the resources of a computer system to
compromise other systems.
 Cryptography

Cryptography is the process of hiding or coding information so that only the person a
message was intended for can read it. Encrypting data with different keys may take different
times. The key and the data affects the time taken to encrypt or decrypt, which gives a
leakage of information about the key. Even monitoring power consumption may reveal which
instructions are being executed.
 Deploying Firewall and NGFW

Traditional firewalls and NGFWs are both designed to identify and block malicious or
unwanted traffic from crossing network boundaries. A next-generation firewall (NGFW) is a
network security device that provides capabilities beyond a traditional, stateful firewall.
 Anti-virus software

Antivirus is a kind of software used to prevent, scan, detect and delete viruses from a
computer. Antivirus products work by detecting, quarantining and/or deleting malicious code
(such as viruses), to prevent malware from causing damage to your device.
 Conduct Audits Regularly

Conducting audits creates accountablity throughout your organization. Controls

created by your system may have weakened over time and regular auditing allows you to spot
areas where this is occurring so you can correct them. One of the primary benefits of regular
safety audits is that they help companies stay up-to-date with the latest safety regulations and
standards.
 Keep Your Software System Updated

It's important to keep your software up to date because updates enhance existing
features, patch security flaws, add new security features, fix bug issues and improve
performance for devices.
 Installing Endpoint Detection & Response (EDR)

Endpoint detection and threat response (EDTR), is an endpoint security solution that
continuously monitors end-user devices to detect and respond to cyber threats like ransomware and
malware. Installing EDR is needed.
Bring Awareness About Cyber Attacks and Be cautious while clicking any links and
files to be download.
Do keep all devices, such as laptops and computer physically secured. If a device is
lost or stolen, report it immediately to competent authority. Antivirus software should be
installed on computer and it should be kept updated. Don't install unauthorized programs on
your work computer / laptop.
Classification Of Intrusion Detection Systems:
There are two main types of IDSes based on where the security team sets them up:
● Network intrusion detection system (NIDS).
● Host intrusion detection system (HIDS).
The way an intrusion detection system detects suspicious activity also allows us to define two
categories:
● A signature-based intrusion detection system (SIDS).
● An anomaly-based intrusion detection system (AIDS).
Depending on your use case and budget, you can deploy a NIDS or HIDS or rely on
both main IDS types. The same applies to detection models as many teams set up a hybrid
system with SIDS and AIDS capabilities.

Network Intrusion Detection System (NIDS)

A network-based intrusion detection system monitors and analyzes traffic coming to and
from all network devices. A NIDS operates from a strategic point (or points, if you deploy
multiple detection systems) within the network, typically at data chokepoints.
Pros of a NIDS:
● Provides IDS security across the entire network.
● A few strategically placed NIDSes can monitor an enterprise-size network.
● A passive device that does not compromise network availability or throughput.
● Relatively easy to secure and hide from intruders.
● Covers networks parts where traffic is most vulnerable.
Cons of a NIDS:
● Expensive to set up.
● If a NIDS must monitor an extensive or busy network, the system can suffer from low
specificity and an occasional unnoticed breach.
● Detecting threats within encrypted traffic can be problematic.
● Typically not an ideal fit with switch-based networks.

Host Intrusion Detection System (HIDS)

A HIDS operates from a specific endpoint where it monitors network traffic and system logs
to and from a single device.
This type of IDS security relies on regular snapshots, file sets that capture the entire system’s
state. When the system takes a snapshot, the IDS compares it with the previous state and checks
for missing or altered files or settings.
Pros of a HIDS
● Offers deep visibility into the host device and its activity (changes to the configuration,
permissions, files, registry, etc.).
● An excellent second line of defense against a malicious packet a NIDS failed to detect.
● Good at detecting packets originating from inside the organization, such as unauthorized
changes to files from a system console.
● Effective at detecting and preventing software integrity breaches.
● Better at analyzing encrypted traffic than a NIDS due to less packets.
● Far cheaper than setting up a NIDS.
Cons of a HIDS
● Limited visibility as the system only monitors one device.
● Less available context for decision-making.
● Hard to manage for large companies as the team needs to configure and handle info for every
host.
● More visible to attackers than a NIDS.
● Not good at detecting network scans or other network-wide surveillance attacks.

Signature-Based Intrusion Detection System (SIDS)

A SIDS monitors packets moving through a network and compares them to a database of
known attack signatures or attributes. This common type of IDS security looks for specific
patterns, such as byte or instruction sequences.
Pros of a SIDS
● Works well against attackers using known attack signatures.
● Helpful for discovering low-skill attack attempts.
● Effective at monitoring inbound network traffic.
● Can efficiently process a high volume of network traffic.
Cons of a SIDS
● Cannot identify a breach without a specific signature in the threat database.
● A savvy hacker can modify an attack to avoid matching known signatures, such as changing
lowercase to uppercase letters or converting a symbol to its character code.
● Requires regular updates of the threat database to keep the system up to date with the latest
risks.
Anomaly-Based Intrusion Detection System (AIDS)
An AIDS monitors ongoing network traffic and analyzes patterns against a baseline. It goes
beyond the attack signature model and detects malicious behavior patterns instead of specific
data patterns.
This type of IDS uses machine learning to establish a baseline of expected system behavior
(trust model) in terms of bandwidth, protocols, ports, and device usage. The system can then
compare any new behavior to verified trust models and discover unknown attacks a signature-
based IDS cannot identify.
For example, someone in the Sales department trying to access the website’s backend for the
first time may not be a red flag for a SIDS. For an anomaly-based setup, however, a person trying
to access a sensitive system for the first time is a cause for investigation.
Pros of an AIDS
● Can detect signs of unknown attack types and novel threats.
● Relies on machine learning and AI to establish a model of trustworthy behavior.
Cons of an AIDS
● Complex to manage.
● Requires more processing resources than a signature-based IDS.
● High amounts of alarms can overwhelm admins.
Attacks against various Security Objectives
1.DoS and DDoS Attacks
What is a DDoS attack?
A distributed denial-of-service (DDoS) attack is a DoS attack that uses multiple computers or
machines to flood a targeted resource. Both types of attacks overload a server or web application
with the goal of interrupting services.
What is a DoS attack?
A denial-of-service (DoS) attack floods a server with traffic, making a website or resource
unavailable.
What are the types of DoS attacks?
There are six types of attacks; Teardrop attack, Flooding attack, IP Fragmentation attack,
Volumetric attack, Protocol attack, and Application-based attack.
How does a DoS attack or DDoS attack work?
As the server is flooded with more Transmission Control Protocol/User Datagram Protocol
(TCP/UDP) packets than it can process, it may crash, the data may become corrupted, and
resources may be misdirected or even exhausted to the point of paralyzing the system.
A DDoS attack aims to overwhelm the devices, services, and network of its intended target
with fake internet traffic, rendering them inaccessible to or useless for legitimate users.
(Availability)
2. MITM Attacks
A man-in-the-middle (MITM) attack is a cyber attack in which a threat actor puts themselves
in the middle of two parties, typically a user and an application, to intercept their
communications and data exchanges and use them for malicious purposes like making
unauthorized purchases or hacking.
By secretly standing between the user and a trusted system, such as a website or application,
a cybercriminal can easily obtain sensitive data. The user assumes they're interacting exclusively
with a trustworthy site and willingly relinquishes login credentials, financial information, or
other compromising data.
Cybercriminals either listen in on the interactions by inserting themselves between a line of
internet communications or directly impersonate a party through website spoofing for man-in-
the-middle attacks. As logins and data entries occur, a hacker can obtain the information to steal
someone's identity, access or control a user's account, make purchases or fund transfers, or
breach a perimeter into an organization's network.
Man-in-the-middle attack is to steal confidential information or modify the data shared.
(Confidentiality, Integrity)
4. Phishing Attacks
A phishing attack occurs when a malicious actor sends emails that seem to be coming
from trusted, legitimate sources in an attempt to grab sensitive information from the target.
Phishing attacks combine social engineering and technology and are so-called because the
attacker is, in effect, “fishing” for access to a forbidden area by using the “bait” of a
seemingly trustworthy sender.
To execute the attack, the bad actor may send a link that brings you to a website that
then fools you into downloading malware such as viruses, or giving the attacker your private
information. In many cases, the target may not realize they have been compromised, which
allows the attacker to go after others in the same organization without anyone suspecting
malicious activity.
You can prevent phishing attacks from achieving their objectives by thinking
carefully about the kinds of emails you open and the links you click on. Pay close attention to
email headers, and do not click on anything that looks suspicious. Check the parameters for
“Reply-to” and “Return-path.” They need to connect to the same domain presented in the
email. (Confidentiality)
6. Ransomware
With Ransomware, the victim’s system is held hostage until they agree to pay a
ransom to the attacker. After the payment has been sent, the attacker then provides
instructions regarding how the target can regain control of their computer. The name
"ransomware” is appropriate because the malware demands a ransom from the victim.
In a ransomware attack, the target downloads ransomware, either from a website or
from within an email attachment. The malware is written to exploit vulnerabilities that have
not been addressed by either the system’s manufacturer or the IT team. The ransomware then
encrypts the target's workstation. At times, ransomware can be used to attack multiple parties
by denying access to either several computers or a central server essential to business
operations.
Affecting multiple computers is often accomplished by not initiating systems
captivation until days or even weeks after the malware's initial penetration. The malware can
 send AUTORUN files that go from one system to another via the internal network or
Universal Serial Bus (USB) drives that connect to multiple computers. Then, when the
attacker initiates the encryption, it works on all the infected systems simultaneously.
In some cases, ransomware authors design the code to evade traditional antivirus
software. It is therefore important for users to remain vigilant regarding which sites they visit
and which links they click. You can also prevent many ransomware attacks by using a next-
generation firewall (NGFW) that can perform deep data packet inspections using artificial
intelligence (AI) that looks for the characteristics of ransomware.(Availability)
7. SQL Injection Attack
Structured Query Language (SQL) injection is a common method of taking advantage
of websites that depend on databases to serve their users. Clients are computers that get
information from servers, and an SQL attack uses an SQL query sent from the client to a
database on the server. The command is inserted, or “injected”, into a data plane in place of
something else that normally goes there, such as a password or login. The server that holds
the database then runs the command and the system is penetrated.
If an SQL injection succeeds, several things can happen, including the release of
sensitive data or the modification or deletion of important data. Also, an attacker can execute
administrator operations like a shutdown command, which can interrupt the function of the
database.
To shield yourself from an SQL injection attack, take advantage of the least-
privileged model. With least-privileged architecture, only those who absolutely need to
access key databases are allowed in. Even if a user has power or influence within the
organization, they may not be allowed to access specific areas of the network if their job does
not depend on it.
For example, the CEO can be kept from accessing areas of the network even if they
have the right to know what is inside. Applying a least-privileged policy can prevent not just
bad actors from accessing sensitive areas but also those who mean well but accidentally leave
their login credentials vulnerable to attackers or leave their workstations running while away
from their computers.(Confidentiality, Integrity)
8. DNS Spoofing
With Domain Name System (DNS) spoofing, a hacker alters DNS records to send
traffic to a fake or “spoofed” website. Once on the fraudulent site, the victim may enter
sensitive information that can be used or sold by the hacker. The hacker may also construct a
 poor-quality site with derogatory or inflammatory content to make a competitor company
look bad.
In a DNS spoofing attack, the attacker takes advantage of the fact that the user thinks
the site they are visiting is legitimate. This gives the attacker the ability to commit crimes in
the name of an innocent company, at least from the perspective of the visitor.
To prevent DNS spoofing, make sure your DNS servers are kept up-to-date. Attackers
aim to exploit vulnerabilities in DNS servers, and the most recent software versions often
contain fixes that close known vulnerabilities.
9. Session Hijacking
Session hijacking is one of multiple types of MITM attacks. The attacker takes over a
session between a client and the server. The computer being used in the attack substitutes its
Internet Protocol (IP) address for that of the client computer, and the server continues the
session without suspecting it is communicating with the attacker instead of the client. This
kind of attack is effective because the server uses the client's IP address to verify its identity.
If the attacker's IP address is inserted partway through the session, the server may not suspect
a breach because it is already engaged in a trusted connection.
To prevent session hijacking, use a VPN to access business-critical servers. This way,
all communication is encrypted, and an attacker cannot gain access to the secure tunnel
created by the VPN.
10. Brute force attack
A brute-force attack gets its name from the “brutish” or simple methodology
employed by the attack. The attacker simply tries to guess the login credentials of someone
with access to the target system. Once they get it right, they are in.
While this may sound time-consuming and difficult, attackers often use bots to crack
the credentials. The attacker provides the bot with a list of credentials that they think may
give them access to the secure area. The bot then tries each one while the attacker sits back
and waits. Once the correct credentials have been entered, the criminal gains access.
To prevent brute-force attacks, have lock-out policies in place as part of your
authorization security architecture. After a certain number of attempts, the user attempting to
enter the credentials gets locked out. This typically involves “freezing” the account so even if
someone else tries from a different device with a different IP address, they cannot bypass the
lockout.
 It is also wise to use random passwords without regular words, dates, or sequences of
numbers in them. This is effective because, for example, even if an attacker uses software to
try to guess a 10-digit password, it will take many years of non-stop attempts to get it right.

Reference:
https://www.cs.clemson.edu/course/cpsc420/material/Security%20Practice/Intrusion
%20Detection/Architecture.pdf
https://www.researchgate.net/publication/232623012_Intrusion_Detection_A_Survey
https://www.researchgate.net/figure/General-IDS-Architecture_fig1_329467494
https://ebrary.net/26724/computer_science/idsips_system_architecture_framework

PPT LINKS FOR REFERENCE

https://www.slideshare.net/gauravkoriya1989/intrusion-detection-system-8270180
https://www.slideshare.net/King8117/intrusion-detection-systems-15218543
https://www.researchgate.net/publication/228589845_An_Introduction_to_Intrusion-
Detection_Systems
https://phoenixnap.com/blog/intrusion-detection-system
Link for data threats and its counter measures
https://www.datasunrise.com/potential-db-threats/top-db-threats/