The term intrusion detection means many things to many people; however, for the sake of clarity we're going to define it as the act of detecting a hostile user or intruder who is attempting to gain unauthorized access. Assuming this definition, a number of popular methods are used to detect intruders—for example, inspecting system, Web, application, firewall, and router logs for hostile or unusual activity. Some system administrators will implement binary integrity checkers such as AIDE or Tripwire, in hopes of catching successful attackers when they deposit Trojan code on compromised servers. Other administrators will simply monitor event logs looking for failed user login attempts.

Although all these methods are helpful, they become difficult, if not impossible, to perform on a daily basis. Introduce a few hundred machines, and the task becomes downright overwhelming. Enter: the intrusion detection system.

The roots of modern-day intrusion detection systems lie in the Intrusion Detection Expert System (IDES) and Distributed Intrusion Detection System (DIDS) models that were developed by the U.S. Department of Defense (DOD) back in the late '80s and early '90s. These were some of the first automated systems to be deployed. Today, most intrusion detection (ID) systems are de signed with the same goal in mind: to help automate the process of looking for intruders. This can be as simple as the real-time parsing of firewall logs looking for port scans, or as complex as applying inspection routines to raw network traffic looking for buffer overflow attempts.

Traditional IDS classification schemes put most systems into two distinct camps: misuse detection models and anomaly-based detection models. There are two implementations of the misuse detection model: network-based intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS). Readers should note that many other intrusion detection models do exist, but are less popular. However, most modern-day IDS implementations can be grouped into one of these categories:

· Network-based IDS. In their current form, NIDS devices are raw packet-parsing engines—glorified sniffers on steroids. They capture network traffic and compare the traffic with a set of known attack patterns or signatures. NIDS devices compare these signatures every single packet that they see, in hopes of catching intruders in the act. NIDS devices can be deployed passively, without requiring major modifications to systems or networks.

· Host-based IDS. These systems vary from vendor to vendor, but they are usually system centric in their analysis. Most host-based IDSs will have components that parse system logs and watch user logins and processes. Some of the more advanced systems will even have built-in capabilities to catch Trojan code deployments. Host-based systems are agent-based—that is, they require the installation of a program on the systems they protect. This allows them to be more thorough on some levels, but also more of a headache to deploy and administer.

· Anomaly-based IDS. Anomaly-based systems are a bit more obscure, and are often times referred to as more of a "concept" than an actual model. The philosophy behind anomaly-based approaches is to understand the patterns of users and traffic on the network, and find deviations in those patterns. For example, a user who normally logs in Monday through Friday but is now logging in at 3 a.m. on a Sunday might be flagged as a potential problem by an anomaly IDS. In theory, an anomaly-based IDS could detect that something was wrong without knowing specifically what the source of the problem was.

The most common IDS types, both commercial and deployed, are HIDS and NIDS models. Although working models of anomaly-based IDSs exist, they are rarely deployed outside of government and academic circles.

Note

Many people unfamiliar with the intrusion detection system field confuse the technology with access control devices such as firewalls. Intrusion detection systems, in their current form, do not serve as a method of access control. While a number of them can be config ured to interact with firewalls, this is not their primary purpose. Beginners should think of intrusion detection systems as a type of burglar alarm, and not as a lock or door.