Intrusion detection and prevention systems (IDS, IPS)
Network-level intrusion detection systems (IDS) and intrusion prevention systems (IPS) monitor the traffic and its attributes. The purpose of an IDS is to detect possible intrusion attempts and to act according to instructions agreed upon in advance so that further damage is avoided. If the intrusion is detected early enough, the attacker can be recognised and removed from the system immediately. Generally, the earlier an attack is detected, the less damage it causes. IDS systems also enable collecting information on attack techniques, which is useful for developing new and better mechanisms for preventing intrusion.
Intrusion detection rests on the assumption that the network traffic produced by an intruder or by malicious software deviates considerably from normal traffic. However, the difference between normal traffic and the traffic of an intruder or malicious software cannot be assumed to be large. A broad interpretation of what counts as a deviation results in the detection of more intruders but also in more false alerts. Conversely, a strict interpretation leads to fewer false alerts, but more intruders remain undetected.
Statistical and rule-based detection are the two most commonly used detection methods. Statistical detection requires a database in which samples of normal network traffic have been saved. The traffic to be analysed is compared with this database using statistical methods, from which it can be concluded whether the network carries an intruder, malicious software or only normal traffic. Rule-based detection relies on a number of predetermined rules by means of which it seeks to recognise the fingerprints of certain malicious software or of an intruder's behaviour.
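The following added example (not from the original text) puts the two detection methods and the broad-versus-strict trade-off side by side over constructed flow records: the statistical detector compares each flow's size against a saved baseline of normal traffic with a tunable threshold k, while the rule-based detector matches predetermined port and payload patterns. The flow format, baseline values, rule names and signature strings are all constructed for illustration.

```python
import statistics
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:  # one summarised network flow (constructed record format, not from the page)
    src: str
    dst_port: int
    nbytes: int
    payload: bytes

# Constructed sample of normal traffic: bytes per flow observed during a quiet period.
BASELINE_BYTES = [480, 510, 495, 530, 470, 505, 520, 490, 500, 515]

# Constructed rule set: (rule name, destination port or None for any, byte pattern).
RULES = [
    ("constructed-c2-checkin", 8081, b"CONSTRUCTED-C2-CHECKIN"),
    ("telnet-admin-login", 23, b"admin\r\n"),
]

# Constructed traffic to analyse: two ordinary web flows, one oversized flow that
# also matches a signature, and one normal-sized flow that only a rule can catch.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 443, 500, b"GET / HTTP/1.1"),
    Flow("10.0.0.7", 443, 560, b"GET /img HTTP/1.1"),
    Flow("10.0.0.9", 8081, 9000, b"CONSTRUCTED-C2-CHECKIN id=42"),
    Flow("10.0.0.3", 23, 495, b"admin\r\npassword\r\n"),
]

def statistical_alerts(flows, baseline, k):
    """Statistical detection: flag flows whose size deviates from the baseline
    mean by more than k standard deviations. A small k is the broad
    interpretation (more detections, more false alerts); a large k is strict."""
    mean = statistics.mean(baseline)
    stdev = statistics.pstdev(baseline)
    return [f for f in flows if abs(f.nbytes - mean) > k * stdev]

def rule_alerts(flows, rules=RULES):
    """Rule-based detection: report (rule name, source) for every flow whose
    port and payload match a predetermined rule, whatever its size."""
    hits = []
    for f in flows:
        for name, port, pattern in rules:
            if (port is None or f.dst_port == port) and pattern in f.payload:
                hits.append((name, f.src))
    return hits

if __name__ == "__main__":
    for k in (2, 5):  # broad versus strict threshold on the same traffic
        print(f"k={k}:", [f.nbytes for f in statistical_alerts(SAMPLE_FLOWS, BASELINE_BYTES, k)])
    print("rules:", rule_alerts(SAMPLE_FLOWS))
```

With k=2 the 560-byte web flow is reported alongside the 9000-byte flow (one false alert), with k=5 only the 9000-byte flow is, and the telnet login is visible to the rule-based detector alone because its size is entirely normal.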