UNIT 4

Discuss in detail about intrusion detection systems and its types.

Intrusion Detection Systems (IDS)

An Intrusion Detection System (IDS) is a security tool designed to monitor
network traffic or system activities for suspicious behavior or policy violations.
It serves as an early warning system by detecting potential intrusions and
alerting administrators to investigate or take preventive action. IDS helps in
safeguarding systems and networks from unauthorized access, malicious
activities, and cyberattacks.

Functions of IDS
 Monitoring: Continuously monitors network or system activities for
anomalies or suspicious patterns.
 Detection: Identifies known attack signatures or unusual behavior
indicative of potential threats.
 Alerting: Generates alerts or notifications for system administrators when
potential intrusions are detected.
 Reporting: Logs activities and events to provide details for further
analysis.
 Response: While traditional IDS focuses on detection, modern IDS
solutions may also include limited automated responses like blocking
traffic.

Types of Intrusion Detection Systems

IDS can be broadly classified based on the detection approach and deployment
location.
1. Based on Detection Approach
IDS systems detect intrusions using either signature-based or anomaly-based
methods:

a) Signature-Based IDS (SIDS)

  Definition: Detects intrusions by comparing incoming traffic or activities
against a database of known attack patterns (signatures).
 Strengths:
o Accurate for known threats.
o Minimal false positives when up-to-date.
 Weaknesses:
o Cannot detect unknown attacks or zero-day exploits.
o Requires regular updates to the signature database.
 Examples:
o Detecting known malware or exploits using specific patterns.

b) Anomaly-Based IDS (AIDS)

 Definition: Detects intrusions by identifying deviations from normal
behavior or baseline patterns established through machine learning or
statistical analysis.
 Strengths:
o Can detect unknown or zero-day attacks.
o Identifies unusual activities in real-time.
 Weaknesses:
o Higher false positive rates due to legitimate variations in behavior.
o Requires robust training and tuning to establish accurate baselines.
 Examples:
o Detecting unusual login times or unexpected spikes in network
traffic.

2. Based on Deployment Location

IDS can also be categorized by where they are deployed:

a) Host-Based Intrusion Detection System (HIDS)

  Definition: Monitors activity on a specific host or device, including file
integrity, system logs, and process activity.
 Strengths:
o Provides detailed monitoring of the host's internal activities.
o Detects insider threats and attacks targeting individual systems.
 Weaknesses:
o Cannot monitor network-wide activities.
o Consumes host resources and may impact performance.
 Examples:
o Detecting unauthorized file modifications or privilege escalation on
a server.

b) Network-Based Intrusion Detection System (NIDS)

 Definition: Monitors network traffic to detect suspicious activities, such
as unauthorized access or malicious payloads.
 Strengths:
o Provides a broad view of network activities.
o Detects threats like DDoS, port scanning, and malware
propagation.
 Weaknesses:
o Cannot analyze encrypted traffic effectively.
o May miss host-level intrusions.
 Examples:
o Detecting abnormal data flows or unauthorized protocol usage.

c) Hybrid Intrusion Detection System

 Definition: Combines the features of both HIDS and NIDS to provide
comprehensive protection at both host and network levels.
 Strengths:
 o Broader coverage by monitoring both network and host-level
activities.
o Reduces blind spots in detection.
 Weaknesses:
o More complex to implement and manage.
o Higher resource requirements.
 Examples:
o An integrated system monitoring both internal server logs and
network traffic anomalies.

3. Specialized IDS Types

In addition to the above classifications, there are specialized IDS for specific
environments:

a) Protocol-Based IDS (PIDS)

 Definition: Monitors and analyzes protocol-specific traffic (e.g., HTTP,
DNS) for violations or suspicious activities.
 Example: Detecting abnormal queries in DNS traffic.

b) Application-Based IDS (AIDS)

 Definition: Focuses on monitoring specific applications for suspicious
behavior.
 Example: Monitoring web applications for SQL injection attempts or
unauthorized access.

c) Wireless IDS (WIDS)

 Definition: Monitors wireless networks to detect unauthorized devices,
rogue access points, or malicious activities.
 Example: Detecting spoofed Wi-Fi networks or unusual connections.
d) Behavioral IDS (BIDS)
 Definition: Monitors and identifies behavioral changes in network
activities or user actions.
 Example: Detecting unusual login patterns or data transfers.

Advantages of IDS
1. Early detection of suspicious activities.
2. Improves the security posture of networks and systems.
3. Logs events for forensic investigations.
4. Helps in compliance with regulations such as GDPR or PCI-DSS.

Challenges and Limitations

1. False Positives and Negatives: An IDS may generate false positives
(benign activities flagged as malicious) or false negatives (missed
attacks).
2. Encrypted Traffic: Struggles to analyze encrypted data effectively.
3. Scalability: Requires significant resources for large networks.
4. Proactive Defense: Traditional IDS only detects and alerts but does not
take active measures to stop attacks.

Conclusion
Intrusion Detection Systems (IDS) are a crucial component of a cybersecurity
framework. They provide valuable insights into potential threats, allowing
organizations to take proactive measures against intrusions. By combining
various types of IDS, such as HIDS, NIDS, and anomaly-based systems,
organizations can enhance their security posture and reduce vulnerabilities.
However, regular updates, proper configuration, and integration with other
security tools like firewalls and Intrusion Prevention Systems (IPS) are
necessary to maximize IDS effectiveness.
2, Describe about host based intrusion detection with an example.

Host-Based Intrusion Detection System (HIDS)

A Host-Based Intrusion Detection System (HIDS) is a security solution that
runs on a single host or device (like a server, workstation, or endpoint) to
monitor and analyze the activities happening on that particular machine. Unlike
network-based intrusion detection systems (NIDS), which examine traffic
flowing across the network, HIDS focuses exclusively on the host's internal
activity. It is an essential component for ensuring system security by identifying
unauthorized actions or policy violations within the host.

Key Functions of HIDS

1. Monitoring File Integrity: Tracks changes to sensitive files,
configuration settings, or system directories to detect unauthorized
modifications.
2. System Log Analysis: Analyzes logs generated by the operating system
or applications for unusual or malicious patterns.
3. User Activity Monitoring: Detects suspicious user actions, such as
repeated failed login attempts or privilege escalation.
4. Application Behavior Tracking: Observes installed applications for
unexpected behaviors like opening unauthorized ports or accessing
restricted files.
5. Real-Time Alerts: Provides immediate alerts when it detects abnormal
activities or potential threats.
6. Compliance Support: Helps meet compliance standards by ensuring
critical files and logs are not altered without authorization.

How HIDS Works

1. Baseline Creation:
o The HIDS sets a baseline of normal activity, such as typical file
states, network activity, or user behavior.
2. Continuous Monitoring:
 o It continuously observes system activities like file access, process
execution, log events, and user behavior.
3. Detection Mechanisms:
o Signature-Based: Matches activities against known threat patterns
or signatures.
o Anomaly-Based: Identifies deviations from the established
baseline that may indicate malicious activity.
4. Alert Generation:
o Once suspicious behavior is detected, the HIDS generates an alert,
providing details like the affected file, process, or user.

Example of HIDS in Action

Scenario: Monitoring for Unauthorized File Modifications
 A hospital's database server has a HIDS tool, such as Tripwire, installed
to protect patient data.
 The HIDS monitors key files (e.g., medical records, configuration
settings) for any unauthorized changes.
 An attacker gains access to the server using stolen credentials and
attempts to modify the patient records.
 The HIDS detects the unauthorized modification by comparing the
current state of the file to its previously recorded baseline.
 It sends an alert to the system administrator, detailing the file changed,
the user account used, and the time of modification.
 The administrator investigates the issue, restores the original file from
backup, and revokes access for the compromised account.

Types of Threats Detected by HIDS

1. File Tampering: Unauthorized changes to system or application files.
2. Unauthorized Logins: Repeated failed login attempts or login from
unusual locations.
 3. Privilege Escalation: Unauthorized actions to gain higher privileges on
the host.
4. Malware Activity: Suspicious processes or applications running on the
host.
5. Insider Threats: Detecting malicious or unintentional actions by
legitimate users.

Advantages of HIDS
1. Detailed Host Visibility: Provides comprehensive monitoring and
detection at the system level.
2. File Integrity Protection: Detects any unauthorized modifications to
critical files and directories.
3. Insider Threat Detection: Monitors user actions, making it useful for
identifying suspicious behavior by legitimate users.
4. Encrypted Traffic Inspection: Since it operates on the host, it can
monitor activities within encrypted sessions (e.g., SSL/TLS
communications).
5. Customizable Rules: Administrators can configure the HIDS to monitor
specific files, directories, or processes critical to the organization.

Disadvantages of HIDS
1. Host Resource Usage: Consumes system resources like CPU and
memory, which may impact host performance.
2. Limited Scope: Only monitors the host it is installed on and does not
provide network-wide visibility.
3. False Positives: May flag legitimate changes as suspicious, requiring
manual investigation.
4. Reactive: Focuses on detecting threats after they occur rather than
preventing them.
5. Maintenance: Requires regular updates to rules, baselines, and
configurations to remain effective.
Common Tools for HIDS
1. Tripwire: A popular HIDS tool for file integrity monitoring and system
change detection.
2. OSSEC: An open-source HIDS that monitors logs, file integrity, and user
activities.
3. AIDE (Advanced Intrusion Detection Environment): Focuses on file
integrity checking and rootkit detection.
4. Samhain: A HIDS solution that detects changes to files and logs
activities.

Conclusion
Host-Based Intrusion Detection Systems (HIDS) play a critical role in
identifying and mitigating host-specific threats. They are particularly useful in
monitoring file integrity, user actions, and internal system behaviors. However,
they are most effective when combined with Network-Based Intrusion
Detection Systems (NIDS) for a holistic security approach. By employing tools
like Tripwire or OSSEC and continuously updating the detection rules,
organizations can improve their resilience against cyberattacks and insider
threats.
3, Describe about Honeypots.

Honeypots: An Overview
A honeypot is a cybersecurity tool designed to act as a decoy system or
resource to lure attackers, study their behavior, and improve security defenses. It
mimics a legitimate system, such as a server, network, or application, but is
deliberately designed to attract malicious activities. Honeypots are an effective
way to detect and understand emerging cyber threats, especially those targeting
specific vulnerabilities or systems.

Purpose of a Honeypot
1. Threat Detection: Identifies malicious activities and attack patterns.
2. Threat Intelligence: Collects valuable data about attackers' tactics and
techniques.
3. Vulnerability Assessment: Identifies weaknesses in the system by
monitoring how attackers exploit the honeypot.
4. Deception and Diversion: Distracts attackers from real systems,
protecting critical infrastructure.

Types of Honeypots
1. Based on Deployment Purpose:
o Research Honeypots: Study attack methodologies and collect
intelligence.
o Production Honeypots: Deployed in live environments to detect
and mitigate threats.
2. Based on Level of Interaction:
o Low-Interaction Honeypots: Simulate basic services or systems
with minimal attacker interaction.
o High-Interaction Honeypots: Fully functional systems that allow
detailed attacker engagement and data collection.
o Medium-Interaction Honeypots: Balance between low and high
interaction with limited functionality to reduce risks.
 3. Specialized Honeypots:
o Email Honeypots: Trap spammers and phishing attempts.
o Database Honeypots: Simulate databases to attract SQL injection
attacks.
o IoT Honeypots: Mimic Internet of Things (IoT) devices to detect
threats targeting connected devices.

How Honeypots Work

1. Deployment: A honeypot is placed in a network to mimic a legitimate
resource.
2. Attracting Attackers: It exposes fake vulnerabilities or credentials to
draw attackers.
3. Data Collection: Logs and monitors all activities, such as attempted
exploits or malware injections.
4. Analysis: Provides insights into attack methods and helps improve
defenses.
5. Isolation: Ensures attackers cannot use the honeypot to compromise real
systems.

Advantages of Honeypots
1. Early Threat Detection: Identifies malicious activities that traditional
security systems may miss.
2. Low False Positives: Alerts generated by honeypots are reliable since
legitimate users should not interact with them.
3. Cost-Effective: Requires fewer resources compared to comprehensive
security systems.
4. Supports Vulnerability Testing: Identifies system or application
weaknesses.

Disadvantages of Honeypots
1. Limited Scope: Only detects threats targeting the honeypot itself.
 2. Risk of Exploitation: If not isolated properly, attackers could use a high-
interaction honeypot as a launchpad for attacks.
3. Complexity: High-interaction honeypots require expertise to deploy and
manage.

Real-World Applications of Honeypots

1. Tracking Botnets: Observe botnet activities and command-and-control
(C2) communications.
2. Detecting Ransomware: Analyze ransomware behavior and propagation.
3. Combating Phishing: Collect phishing emails and improve anti-phishing
tools.
4. IoT Security: Secure connected devices by studying threats targeting IoT
systems.

Examples of Honeypot Tools

1. Kippo: A medium-interaction SSH honeypot.
2. Dionaea: Captures malware samples.
3. Cowrie: SSH and Telnet honeypot for logging attacks.
4. Honeyd: Lightweight tool for virtual honeypots.

Conclusion
Honeypots are a powerful tool in cybersecurity, enabling organizations to detect
and study threats while improving their defenses. Though not a standalone
solution, they complement traditional security measures and provide valuable
insights into attackers' tactics, ensuring better preparedness against evolving
threats.