- Intrusion detection
In information security, intrusion detection is the act of detecting actions that attempt to compromise the confidentiality, integrity or availability of a resource. When intrusion detection takes a preventive measure without direct human intervention, it becomes an intrusion-prevention system.

Intrusion detection can be performed manually or automatically. Manual intrusion detection might take place by examining log files or other evidence for signs of intrusions, including network traffic. A system that performs automated intrusion detection is called an Intrusion Detection System (IDS). An IDS can be either host-based, if it monitors system calls or logs, or network-based, if it monitors the flow of network packets. Modern IDSs are usually a combination of these two approaches. Another important distinction is between systems that identify patterns of traffic or application data presumed to be malicious (misuse detection systems) and systems that compare activities against a 'normal' baseline (anomaly detection systems).
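The two distinctions just drawn (host-based monitoring of logs, and misuse detection versus anomaly detection) can be seen side by side in a small host-based analyser. The code below is an added illustration written for this page, not code from the original article or from any IDS product. It assumes a constructed set of syslog-style sshd lines, a constructed per-user baseline of usual login hours, a hypothetical signature list (SIGNATURES) and a hypothetical brute-force threshold; the ratings attached to each rule are arbitrary values chosen for the example. Each event receives a rating between 0 (normal) and 1 (misuse), the scale the Theory section below attributes to Helman, as the maximum of its misuse score and its anomaly score.

```python
"""Toy host-based IDS: misuse (signature) rules plus an anomaly (baseline) check,
rating every log event from 0 (normal) to 1 (misuse)."""
import re
from collections import Counter

# Constructed syslog-style sample lines for the example (not real data).
SAMPLE_LOG = [
    "Mar 10 09:01:12 web1 sshd[2101]: Accepted password for alice from 10.0.0.5 port 51234 ssh2",
    "Mar 10 09:05:03 web1 sshd[2115]: Failed password for root from 198.51.100.23 port 40001 ssh2",
    "Mar 10 09:05:04 web1 sshd[2116]: Failed password for root from 198.51.100.23 port 40002 ssh2",
    "Mar 10 09:05:05 web1 sshd[2117]: Failed password for root from 198.51.100.23 port 40003 ssh2",
    "Mar 10 03:12:44 web1 sshd[2201]: Accepted password for alice from 203.0.113.9 port 60110 ssh2",
    "Mar 10 09:20:00 web1 sshd[2230]: Invalid user admin from 198.51.100.23 port 40010",
]

# Constructed 'normal' baseline: hours of the day at which each user usually logs in.
BASELINE_HOURS = {"alice": {8, 9, 10, 17}, "bob": {9, 13}}

LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d) "
    r"(?P<host>\S+) (?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Hypothetical misuse (signature) rules: name, pattern on the message, rating implied.
SIGNATURES = [
    ("root_password_failure", re.compile(r"Failed password for root from (?P<src>\S+)"), 0.6),
    ("invalid_user_probe", re.compile(r"Invalid user \S+ from (?P<src>\S+)"), 0.5),
]
BRUTE_FORCE_THRESHOLD = 3  # failed passwords from one source before the stateful rule fires


def parse_line(line):
    """Split one syslog-style line into fields; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["hour"] = int(ev["hh"])
    return ev


def misuse_score(ev, failures_by_src):
    """Misuse detection: highest rating among matching signatures, plus a
    stateful brute-force rule counting failures per source address."""
    hits, score = [], 0.0
    for name, pattern, rating in SIGNATURES:
        if pattern.search(ev["msg"]):
            hits.append(name)
            score = max(score, rating)
    m = re.search(r"Failed password for \S+ from (?P<src>\S+)", ev["msg"])
    if m:
        failures_by_src[m["src"]] += 1
        if failures_by_src[m["src"]] >= BRUTE_FORCE_THRESHOLD:
            hits.append("password_brute_force")
            score = max(score, 0.9)
    return hits, score


def anomaly_score(ev):
    """Anomaly detection: how far (in circular hours) a successful login lies
    from the user's baseline hours, mapped onto [0, 1]; 6 hours or more is 1."""
    m = re.search(r"Accepted \w+ for (?P<user>\S+) from", ev["msg"])
    if not m:
        return 0.0
    usual = BASELINE_HOURS.get(m["user"])
    if not usual:
        return 1.0  # a user with no baseline at all is fully anomalous
    dist = min(min(abs(ev["hour"] - h), 24 - abs(ev["hour"] - h)) for h in usual)
    return min(1.0, dist / 6.0)


def analyse(lines, alert_threshold=0.5):
    """Rate every parseable line; an event is an alert when its rating meets the threshold."""
    failures = Counter()
    results = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        hits, mscore = misuse_score(ev, failures)
        ascore = anomaly_score(ev)
        rating = round(max(mscore, ascore), 3)
        results.append({"msg": ev["msg"], "signatures": hits,
                        "rating": rating, "alert": rating >= alert_threshold})
    return results


if __name__ == "__main__":
    for r in analyse(SAMPLE_LOG):
        print(r)
```

Running the block rates the first login 0.0, the three root failures 0.6, 0.6 and then 0.9 once the brute-force rule fires, the 03:12 login by alice 0.833 because it falls five hours from her nearest usual hour, and the invalid-user probe 0.5. The misuse rules only ever see what their signatures describe, while the anomaly rule flags the off-hours login that no signature would; that complementarity is why the article notes most modern systems combine approaches.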
When a probable intrusion is discovered by an IDS, typical actions to perform would be logging relevant information to a file or database, generating an email alert, or generating a message to a pager or mobile phone.

Determining what the probable intrusion actually is and taking some form of action to stop it or prevent it from happening again are usually outside the scope of intrusion detection. However, some forms of automatic reaction can be implemented through the interaction of intrusion detection systems and access control systems such as firewalls.

Some authors classify the identification of attack attempts at the source system as extrusion detection (also known as outbound intrusion detection) techniques.

Intrusion prevention is an evolution of intrusion detection.

Theory
Fred Cohen published in 1984 that detection of computer viruses is undecidable and NP-complete. [Cohen, Fred, "Computer Viruses: Theory and Experiments," 7th DOD/NBS Computer Security Conference, Gaithersburg, MD, September 24-26, 1984.] In layman's terms, this means that it is impossible to detect every type of intrusion in every type of case, and that the resources needed to detect intrusions grow with the amount of network traffic.

Paul Helman et al., in 1992, used a scale of 0 to 1 to represent normal behavior (0) to misuse (1). [Helman, Paul, Liepins, Gunar, and Richards, Wynette, "Foundations of Intrusion Detection," The IEEE Computer Security Foundations Workshop V, 1992] The purpose of an intrusion detection system is to provide this rating for computer activities. Helman showed that problems in doing this include imperfect and incomplete information, plus the large number, estimated at 10^100, of potential events. When groupings are done to reduce the number of possible events, reducing singleton groups becomes an NP-hard problem. Helman calls the above a modeling approach. An alternative is non-modeling approaches, which include heuristics, clustering algorithms, and statistics.

References
Resources
For more information about intrusion detection and intrusion prevention:
"Network Intrusion Detection", 3rd ed. ISBN 0-7357-1265-4
[http://www.acm.org/crossroads/xrds2-4/intrus.html ACM's Introduction to Intrusion Detection]
[http://www.cert.org/tech_tips/intruder_detection_checklist.html CERT Intruder Detection Checklist]
[http://www.sans.org/resources/idfaq/ SANS Intrusion Detection Systems FAQ]
Wikimedia Foundation. 2010.