1. An intrusion detection system (IDS) monitors network traffic and system activities for suspicious events that could indicate a security breach or misuse of network resources.
2. IDS is needed because firewalls only control traffic at network boundaries and cannot detect inside attacks, whereas IDS can monitor activity within the entire network.
3. IDS uses signature-based and anomaly-based detection methods. Signature-based compares events to known malicious signatures while anomaly-based detects abnormal network behavior.
Unit 3

What is Intrusion in Cyber Security?
• An illegal entrance into your network or an address in your assigned domain is referred to as a network intrusion.
• Intrusions might occur from the outside or from within your network structure (an employee, customer, or business partner).
• Any of the following can be considered an intrusion:
1. Malware, sometimes known as ransomware, is a type of computer virus.
2. Attempts to obtain unauthorized access to a system
3. DDoS (Distributed Denial of Service) attacks
4. Employee security breaches that are unintentional (like moving a secure file into a shared folder)
5. Untrustworthy users, both within and external to your company
6. Social engineering attacks, such as phishing campaigns and other methods of deceiving users with ostensibly genuine communication
7. Login during non-working hours
8. System logs are deleted
9. System performance decreased drastically
10. System crashes suddenly and reboots without user intervention
11. Identification of unknown files and programs on your system
12. File permission modifications
13. Missing files
14. Sudden increase in network traffic
15. There can also be policy breaches within the organization by authorized employees.

NEED OF INTRUSION DETECTION SYSTEM
• In all types of networks, security is a primary issue, especially in big organizations, as they hold very important and confidential data which, if compromised, will bring down the company's profile. Generally, we secure our systems by building firewalls or employing authentication mechanisms such as passwords or encryption techniques, which create a protective covering around them.
• All the above techniques provide a level of security, but they cannot give protection against inside attacks.
• We need more security mechanisms such as IDS because firewalls cannot detect attacks inside the network: they are mostly deployed at the boundary of the network and thus only control traffic entering or leaving it. But a huge percentage of intrusions may come from within the network, and an IDS can monitor and analyse various events in the network and, if the system has been misused, immediately report to the administrator.
• IDS keeps a check on all incoming and outgoing network activity. It detects any signs of intrusion in the system. Its main function is to send an alert immediately when it identifies any such activity in the system.
• Two of the most popular and significant tools used to secure networks are firewalls and intrusion detection systems.
• They are used together so that if an attacker is able to bypass one layer, another layer stands in the way to protect the network.

Need of IDS: Firewall vs. IDS

Firewall
• A firewall is hardware and/or software that blocks unauthorized access from entering a network.
• Ex. A watchman standing at the gate can block a thief.
• A firewall does not inspect the content of permitted traffic (the watchman will never suspect an employee of the organization).

IDS
• IDS is software or hardware that detects and reports intrusion attempts from outside or within the network.
• Ex. A CCTV camera within the premises can alert about anomalous behaviour but cannot stop it.
• It analyses the incoming packets and also those packets that originated within the organization.

Intrusion Detection System (IDS)
• An IDS gathers and analyses information from diverse areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization).
• It monitors network traffic for suspicious activity and issues alerts when such activity is discovered.
• It is a software application that scans a network or a system for harmful activity or policy breaches.

Detection Methods of IDS:
1. Signature-based Method:
The signature-based approach uses predefined signatures of well-known network threats. When an attack is initiated that matches one of these signatures or patterns, the system takes the necessary action. Similar to signature-based antivirus, all packets sent across the network are analysed for known patterns and compared against a database of malicious signatures.
• Signature-based IDS refers to the detection of attacks by looking for specific patterns, or known malicious instruction sequences, that can be used by an intruder.
• Signature detection compares network or system information to attacks already listed in the IDS database.
• New signatures have to be added manually with every update.
• Although a signature-based IDS can easily detect known attacks, it is difficult to detect new attacks, for which no pattern is available.

2. Anomaly-based Method:
• The anomaly-based detection method improves upon the limitations of signature-based methods, especially in the detection of novel threats.
• The anomaly-based approach monitors for any abnormal or unexpected behaviour on the network. If an anomaly is detected, the system blocks access to the target host immediately.
• It monitors network traffic and compares it against an established baseline to determine what is considered normal for the network with respect to bandwidth, protocols, ports and other devices.
• Anomaly-based intrusion detection systems were primarily introduced to detect unknown attacks.
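As an added example (not from the slides), the toy Python IDS below applies both detection methods to constructed packet records: the signature database and its two patterns are hypothetical, and the anomaly baseline of normal ports and byte volume is learned from a constructed window of normal traffic.

```python
"""Toy IDS: signature-based and anomaly-based detection side by side."""
import re
from statistics import mean, pstdev

# Constructed sample traffic: (source_ip, dest_port, bytes, payload).
# NORMAL is a window of known-good traffic; OBSERVED is new traffic to inspect.
NORMAL = [
    ("10.0.0.5", 80, 512, "GET /index.html HTTP/1.1"),
    ("10.0.0.5", 80, 640, "GET /about HTTP/1.1"),
    ("10.0.0.7", 443, 900, "TLS application data"),
    ("10.0.0.8", 443, 760, "TLS application data"),
]
OBSERVED = [
    ("10.0.0.6", 80, 600, "GET /news HTTP/1.1"),                      # benign
    ("10.0.0.9", 80, 700, "GET /login.php?id=1' OR '1'='1 HTTP/1.1"),  # known pattern
    ("10.0.0.9", 3389, 50000, "<binary>"),                            # unusual port/volume
]

# Signature-based: a (constructed) database of known malicious patterns.
SIGNATURES = {
    "sql-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}

def signature_alerts(events):
    """Return (source_ip, signature_name) for every event matching a known signature."""
    return [(src, name) for src, _port, _size, payload in events
            for name, sig in SIGNATURES.items() if sig.search(payload)]

# Anomaly-based: learn what is "normal" (ports used, byte volume) from the normal window.
def build_baseline(normal_events, k=3.0):
    sizes = [size for _s, _p, size, _pl in normal_events]
    return {"ports": {port for _s, port, _sz, _pl in normal_events},
            "max_bytes": mean(sizes) + k * pstdev(sizes)}   # mean + k standard deviations

def anomaly_alerts(events, baseline):
    """Flag events that deviate from the learned baseline; no signature is needed."""
    alerts = []
    for src, port, size, _payload in events:
        if port not in baseline["ports"]:
            alerts.append((src, f"unexpected port {port}"))
        if size > baseline["max_bytes"]:
            alerts.append((src, "volume above baseline"))
    return alerts

if __name__ == "__main__":
    print(signature_alerts(OBSERVED))
    print(anomaly_alerts(OBSERVED, build_baseline(NORMAL)))
```

Note that each method misses what the other catches: the signature check flags the SQL-tautology request but not the never-before-seen port 3389 transfer, while the baseline check flags the port and volume but not the request on a normal port with a normal size, which is why the slides pair the two.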