Cybersecurity 10 Feb

The document provides an overview of Intrusion Detection and Prevention Systems (IDPS), detailing their functions, advantages, and disadvantages. It distinguishes between Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), explaining their operational differences and detection techniques. Additionally, it discusses deployment strategies, types of IDPS, and the role of honeypots in cybersecurity.

Cyber Security
Dr. Uddipana Dowerah
Intrusion Detection and Prevention Systems
Intrusion Detection/Prevention Systems (IDS/IPS)

• Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) monitor network traffic to detect and prevent malicious activities
• These systems are either implemented on dedicated hardware or implemented as applications on a general-purpose server
• IDS and IPS are placed at strategic points in the network to be able to monitor traffic from all devices
• Intrusion Detection and Intrusion Prevention System (IDPS)

Intrusion Detection

• Security Intrusion: A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.
• Intrusion Detection: A security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner
Intrusion Detection System (IDS)
• An IDS monitors the traffic of a network passively
➢ i.e., the IDS is not deployed inline in the topology
• Instead, a network device (e.g., switch, router) duplicates and forwards the traffic to the IDS
• The IDS then analyzes the traffic offline (promiscuous mode) and matches the traffic stream with known malicious signatures
Advantages of IDS:
• It does not negatively impact the performance of the network
• It does not affect the network if a problem or misconfiguration of the IDS occurs
Disadvantages of IDS:
• It cannot stop malicious single-packet attacks from reaching the target
• It requires assistance from other networking devices to respond to the attack
Intrusion Prevention System (IPS)
• An intrusion prevention system (IPS) is software that has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents.
• An IPS device monitors the network traffic actively
➢ i.e., the IPS is deployed inline in the topology
• The IPS analyzes traffic online; thus, all ingress and egress traffic must flow through the IPS for processing

Advantages of IPS:
• It can stop single-packet attacks

Disadvantages of IPS:
• It can negatively affect the performance of the network
• It can disrupt the network if a problem or misconfiguration of the IPS occurs
Key Features of IDPS
• Recording information related to observed events
➢ Records details of detected events locally
➢ May transmit them to centralized systems like security information and event management (SIEM) solutions.
• Notifying security administrators of important observed events
➢ Notifies security teams of critical events via emails, UI messages, SNMP traps, syslog, or custom scripts, providing basic event details.
➢ Administrators need to access the IDPS for additional information.
• Producing reports
➢ Produces summaries of monitored events or detailed insights into specific security incidents.
IPS vs. IDS
• IPS are differentiated from IDS by one characteristic: IPS can respond to a detected threat by attempting to prevent it from succeeding
• The IPS stops the attack itself.
➢ Terminate the network connection or user session that is being used for the attack
➢ Block all access to the targeted host, service, application, or other resource.
• The IPS changes the security environment
➢ IPS can modify firewall, router, or switch settings to block attackers or protect targets.
➢ It may also update host-based firewalls or apply patches to vulnerable systems.
• The IPS changes the attack’s content
➢ Some IPS technologies can remove or replace malicious portions of an attack to make it benign
➢ A simple example is an IPS removing an infected file attachment from an e-mail and then permitting the cleaned email to reach its recipient.
Why use an IDPS?
• Acts as a Deterrent – Knowing an IDPS is in place discourages attackers, just like a burglar alarm deters criminals.
• Compensates for Security Gaps – Helps protect networks when they are vulnerable or unable to respond quickly to emerging threats.
• Supports Security Administrators – Complements scanning tools and helps detect vulnerabilities that may be missed or not addressed in time.
• Provides Continuous Monitoring – Detects and responds to attacks even when administrators are unable to patch or update systems immediately.
• Defends Critical Services – Protects essential services that cannot be disabled despite known vulnerabilities.
• Enhances Defense in Depth – Acts as an additional security layer to identify and block attacks before they cause damage.
• Detects Attack Preambles – Identifies early signs of an attack, allowing for a proactive response
Types of IDPS
• Network-based IDPS – monitors network traffic and analyzes network, transport, and application protocols to identify suspicious activity.
➢ Wireless IDPS - focuses on wireless networks
➢ Network Behavior Analysis (NBA) IDPS - examines traffic flow on a network in an attempt to recognize abnormal patterns like DDoS, malware, and policy violations.
• Host-based IDPS – monitors the characteristics of a single host for suspicious activity
Network-based IDPS (NIDPS)
• NIDPS monitors inbound and outbound traffic to devices across the network.
• NIDPS are placed at strategic points in the network, often immediately behind firewalls at the network perimeter so that they can flag any malicious traffic breaking through.
• NIDPS may also be placed inside the network to catch insider threats or hackers who hijacked user accounts.
• For example, NIDPS might be placed behind each internal firewall in a segmented network to monitor traffic flowing between subnets.
Network-based IDS (NIDS)
• To avoid impeding the flow of legitimate traffic, a NIDS is often placed “out-of-band,” meaning that traffic doesn’t pass directly through it.
• A NIDS analyzes copies of network packets rather than the packets themselves.
• That way, legitimate traffic doesn’t have to wait for analysis, but the NIDS can still catch and flag malicious traffic.
How does a NIDPS work?
• Monitors Network Traffic – A NIDPS is installed on a computer or appliance connected to a network segment to analyze traffic for signs of attacks.
• Detects Attack Patterns – It identifies unusual network activity, such as large amounts of similar data (possible denial-of-service attacks) or sequences of packets that suggest a port scan.
• Sends Alerts – If an attack is detected, the system notifies administrators for further action.
• Strategic Deployment – Placed at key network points, such as inside an edge router, to monitor specific network segments or the entire network.
• More Effective Than Host-Based IDPS – It can detect a wider range of threats but requires a more complex setup and maintenance.
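The two attack patterns named above (a flood of similar data and a sequence of packets that suggests a port scan) can be recognised from flow records with simple sliding-window counters. The following is an added example, not code from the lecture or from any product; the flow records, IP addresses, window sizes and thresholds are all constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records (timestamp in seconds, src_ip, dst_ip, dst_port):
# sample data made up for this example, not traffic from the lecture.
SCAN_PORTS = [22, 23, 25, 80, 110, 143, 443, 3389, 8080, 8443, 9000]
FLOWS = (
    # ordinary browsing from one client
    [(0.0, "10.0.0.5", "10.0.1.10", 80), (0.5, "10.0.0.5", "10.0.1.10", 443)]
    # one source probing eleven ports on one host within a second
    + [(1.0 + i * 0.1, "10.0.0.9", "10.0.1.10", p) for i, p in enumerate(SCAN_PORTS)]
    # 200 distinct sources each sending a request to one web server within 2 s
    + [(50.0 + i * 0.01, f"198.51.100.{i}", "10.0.1.12", 80) for i in range(200)]
)


def detect_port_scans(flows, window=10.0, port_threshold=10):
    """Alert once per (src, dst) pair when a source touches more than
    port_threshold distinct destination ports within a sliding window."""
    history = defaultdict(list)  # (src, dst) -> [(ts, port), ...]
    alerts, alerted = [], set()
    for ts, src, dst, port in sorted(flows):
        key = (src, dst)
        # drop events that fell out of the window, then record the new one
        history[key] = [(t, p) for t, p in history[key] if ts - t <= window]
        history[key].append((ts, port))
        distinct = {p for _, p in history[key]}
        if len(distinct) > port_threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"type": "port_scan", "src": src, "dst": dst,
                           "distinct_ports": len(distinct), "last_seen": ts})
    return alerts


def detect_floods(flows, window=1.0, rate_threshold=100):
    """Alert when a destination receives more than rate_threshold flows in a
    sliding window; a high source count points to a distributed flood."""
    history = defaultdict(list)  # dst -> [(ts, src), ...]
    alerts, alerted = [], set()
    for ts, src, dst, _port in sorted(flows):
        history[dst] = [(t, s) for t, s in history[dst] if ts - t <= window]
        history[dst].append((ts, src))
        if len(history[dst]) > rate_threshold and dst not in alerted:
            alerted.add(dst)
            alerts.append({"type": "flood", "dst": dst,
                           "flows": len(history[dst]),
                           "sources": len({s for _, s in history[dst]})})
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(FLOWS) + detect_floods(FLOWS):
        print(alert)
```

A real sensor would tune the window and thresholds per segment; the values here are only chosen to make the constructed scan and flood visible while the browsing client stays quiet.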
Advantages of NIDPS
➢ Broad Network Coverage
• Monitors traffic across multiple hosts without requiring installation on each system.
• Can protect an entire network segment from attacks.
➢ Early Attack Detection
• Identifies suspicious traffic before it reaches target systems.
• Helps detect reconnaissance scans, DoS attacks, and network-based exploits.
➢ Minimal Impact on Endpoints
• Does not require software installation on individual machines.
• Reduces system overhead on user devices compared to Host-Based IDPS (HIDPS).
➢ Real-Time Alerts and Automated Response
• Can detect and block attacks in real time.
• Logs attack patterns for forensic analysis.
➢ Detects a Wide Range of Attacks
• Can identify port scanning, denial-of-service (DoS), malware spreading, and brute force attacks.
➢ Centralized Monitoring & Management
• Easier to deploy and manage in large-scale enterprise networks.
• Reduces the administrative burden of monitoring multiple devices separately.
Host-based IDPS (HIDPS)
• HIDPSs are installed on a specific endpoint, like a laptop, router, or server.
• The HIDPS only monitors activity on that device, including traffic to and from it.
• An HIDPS monitors traffic flowing in and out of a host by observing running processes, network activity, system logs, application activity, and/or configuration changes.
• If the HIDPS notices a change, such as log files being edited or configurations being altered, it alerts the security team.
Advantages of HIDPS
• HIDPS can detect attacks that bypass network defenses (e.g., insider threats, encrypted malware).
• Since it operates on the host system, it can inspect traffic after decryption.
• Can identify Trojan horses and inconsistencies in system program usage by analyzing audit logs.
Disadvantages of HIDPS
• Requires installation and configuration on each host, making it more complex to manage.
• Cannot detect multi-host scanning or attacks on non-host devices like routers and switches.
• Can be disabled by certain types of denial-of-service attacks.

IDS Detection Techniques
• Signature-based detection
• Anomaly-based detection
• Policy-based detection
Signature Based Detection
• Signature-based detection analyzes network packets for attack signatures
• A signature-based IDPS maintains a database of attack signatures against which it compares network packets
• If a packet triggers a match to one of the signatures, the IDPS responds.
• However, brand-new attacks that are not yet analyzed for signatures can evade a signature-based IDPS.
Anomaly Based Detection
• Collects statistical summaries by observing traffic that is known to be normal.
• This normal period of evaluation establishes a performance baseline.
• Once the baseline is established, the IDPS periodically samples network activity and, using statistical methods, compares the sampled network activity to this baseline.
• When the measured activity is outside the baseline parameters, the IDPS sends an alert to the administrator.
• The baseline data can include variables such as host memory or CPU usage, network packet types, and packet quantities
• Advantage:
➢ Can detect new types of attacks, since it looks for abnormal activity of any type.
• Disadvantages:
➢ Requires much more overhead and processing capacity than signature-based IDPSs, because it must constantly compare patterns of activity against the baseline.
➢ May not detect minor changes to system variables and may generate many false positives.
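The baseline-and-compare procedure above, with its two weaknesses (minor changes go unnoticed, tight thresholds produce false positives), is easy to see in code. This is an added example and not part of the lecture; the metric names, the "normal period" samples and the sigma thresholds are all constructed for illustration.

```python
import statistics

# Constructed baseline data: ten samples of each metric collected during a
# period known to be normal (numbers made up for this example).
NORMAL_PERIOD = {
    "packets_per_10s": [980, 1010, 1005, 990, 1020, 995, 1000, 1015, 985, 1000],
    "cpu_percent": [21, 24, 19, 22, 23, 20, 22, 21, 24, 24],
}


def build_baseline(normal_period):
    """Summarise each metric of the normal period by mean and standard deviation."""
    return {name: (statistics.mean(values), statistics.stdev(values))
            for name, values in normal_period.items()}


def z_scores(baseline, sample):
    """Distance of each sampled value from its baseline mean, in standard deviations.
    A zero-variance baseline is guarded with a tiny epsilon to avoid division by zero."""
    return {name: (sample[name] - mean) / (stdev or 1e-9)
            for name, (mean, stdev) in baseline.items() if name in sample}


def check_sample(baseline, sample, threshold=3.0):
    """Return the metrics lying outside +/- threshold standard deviations.
    An empty dict means the sample is within the baseline parameters."""
    return {name: round(z, 2) for name, z in z_scores(baseline, sample).items()
            if abs(z) > threshold}


BASELINE = build_baseline(NORMAL_PERIOD)

if __name__ == "__main__":
    # A flood-sized jump in packet volume stands out clearly at 3 sigma.
    print(check_sample(BASELINE, {"packets_per_10s": 5000, "cpu_percent": 23}))
    # A 3% rise in packets and a few extra CPU points are "minor changes"
    # the 3-sigma rule does not flag ...
    print(check_sample(BASELINE, {"packets_per_10s": 1030, "cpu_percent": 26}))
    # ... while tightening to 2 sigma flags both, most likely as false positives.
    print(check_sample(BASELINE, {"packets_per_10s": 1030, "cpu_percent": 26}, 2.0))
```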
Policy Based Detection
• Policy-based detection methods are based on security policies set by the security team.
• Whenever a policy-based IDPS detects an action that violates a security policy, it blocks the attempt.
• For example, a SOC might set access control policies dictating which users and devices can access a host. If an unauthorized user tries connecting to the host, a policy-based IPS stops them.
IDPS Response Behavior
• When an IDPS detects a threat, it logs the event and reports it to the SOC
• Additionally, an IPS automatically takes action against the threat by using techniques such as:
Evasion Techniques
Some common IDS evasion tactics include:

Distributed denial-of-service (DDoS) attacks
• taking IDSs offline by flooding them with obviously malicious traffic from multiple sources.
• When the IDS’s resources are overwhelmed by the threats, the hackers sneak in.

Spoofing
• faking IP addresses and DNS records to make it look like their traffic is coming from a trustworthy source.

Fragmentation
• splitting malware or other malicious payloads into small packets, obscuring the signature and avoiding detection.
• By strategically delaying packets or sending them out of order, hackers can prevent the IDS from reassembling them and noticing the attack.

Encryption
• using encrypted protocols to bypass an IDS if the IDS doesn’t have the corresponding decryption key.

Operator fatigue
• generating a large number of IDS alerts on purpose to distract the incident response team from their real activity.
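The signature matching described under Signature Based Detection, and why the fragmentation tactic above defeats a detector that inspects packets one at a time, can be shown with a small comparison: a per-packet matcher versus one that reassembles each datagram (by fragment offset, not arrival order) before matching. This is an added example, not code from the lecture; the signature patterns, datagram ids and packet payloads are constructed for illustration and are not real IDS rules.

```python
# Constructed signature database: (rule id, description, byte pattern).
# The patterns are made up for this example; they are not real IDS rules.
SIGNATURES = [
    ("SIG-001", "shell command in query string", b"cmd=/bin/sh"),
    ("SIG-002", "known-bad download path", b"/evil.exe"),
]

# Constructed packets: (timestamp, datagram id, fragment offset, payload bytes).
# Datagram 7 carries "cmd=/bin/sh" split across three fragments that arrive
# out of order, the middle one delayed; datagram 8 is a benign request.
PACKETS = [
    (0.00, 7, 15, b"/sh HTTP/1.1\r\n"),
    (0.01, 8, 0, b"GET /index.html HTTP/1.1\r\n"),
    (0.02, 7, 0, b"GET /x?cm"),
    (0.50, 7, 9, b"d=/bin"),  # delayed fragment
]


def match_signatures(data, signatures=SIGNATURES):
    """Return the ids of all signatures whose pattern occurs in data."""
    return [rule_id for rule_id, _desc, pattern in signatures if pattern in data]


def inspect_per_packet(packets):
    """Naive detector: each fragment is matched on its own, so a pattern
    split across fragments is never seen as a whole."""
    hits = set()
    for _ts, _frag_id, _offset, payload in packets:
        hits.update(match_signatures(payload))
    return hits


def inspect_reassembled(packets):
    """Reassemble each datagram from its fragments (ordered by offset, not by
    arrival time) before matching, so ordering and timing tricks do not hide
    the signature. Gaps and overlapping fragments are not handled here."""
    datagrams = {}
    for _ts, frag_id, offset, payload in packets:
        datagrams.setdefault(frag_id, []).append((offset, payload))
    hits = set()
    for fragments in datagrams.values():
        data = b"".join(payload for _offset, payload in sorted(fragments))
        hits.update(match_signatures(data))
    return hits


if __name__ == "__main__":
    print("per-packet:  ", inspect_per_packet(PACKETS))   # set()
    print("reassembled: ", inspect_reassembled(PACKETS))  # {'SIG-001'}
```

A production sensor also has to bound how long it buffers incomplete datagrams, since an attacker who never sends the last fragment can otherwise exhaust the reassembly buffer.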
NIDPS Deployment
NIST recommends the following four locations for NIDPS sensors:
• Location 1: Behind each external firewall, in the network DMZ
Advantages:
➢ IDPS sees attacks that originate from the outside that may penetrate the network’s perimeter defenses.
➢ IDPS can identify problems with the network firewall policy or performance
➢ Even if the incoming attack is not detected, the IDPS can sometimes recognize, in the outgoing traffic, patterns that suggest that the server has been compromised.
• Location 2: Outside an external firewall
Advantages:
➢ IDPS documents the number of attacks originating on the Internet that target the network.
• Location 3: On major network backbones
Advantages:
➢ IDPS monitors a large amount of a network’s traffic, thus increasing its chances of spotting attacks.
➢ IDPS detects unauthorized activity by authorized users within the organization’s security perimeter.
• Location 4: On critical subnets
Advantages:
➢ IDPS detects attacks targeting critical systems and resources.
➢ This location allows organizations with limited resources to focus these resources on the most valuable network assets
Examples of IDPS
Open Source
• SNORT (IDS/IPS)
• Prelude (IDS)
• HoneyNet (Honey Pot/IDS)

Commercial
• TippingPoint
• Internet Security Systems
• Juniper
• RadWare
• Mirage Networks
Honeypots
• A honeypot is a decoy system or network designed to attract cyber attackers and detect malicious activities.
• It appears as a real system but has no legitimate users, so any interaction with it is considered suspicious.
• It is an intrusion detection technique used to study hacker movements
Honeypots: Key Purposes
• Threat Detection: Identifies and analyzes new hacking techniques, malware, and attack trends.
• Intrusion Prevention: Helps improve security measures by understanding how attackers operate.
• Deception & Distraction: Misleads attackers and diverts them from real systems.
• Security Research: Gathers intelligence on cyber threats for improving defenses.
Homework: Self Study
• Scanning Tools
➢ Port Scanners
➢ Vulnerability Scanners
➢ Packet Sniffers
• Wireless IDPS
• NBA IDPS