In this set of slides, we will have a look at the high-level functioning of an IDS and then examine the most important design characteristics of IDSs. In the introduction, we mentioned that an intrusion detection system has two main tasks: inspecting traffic and taking action when malicious traffic is identified. Typically this means raising an alert, although other actions are also possible.

Let's now have a look at the internal functioning of an IDS. The main component of an IDS is the detection engine. The detection engine can be considered the brain of the IDS. Its task is to identify malicious traffic. We will see later how this can be done. After a sample of malicious traffic has been identified, the IDS will log it for later use and decide on a possible action.

An IDS can be described based on several characteristics, which we will define as a taxonomy. The one we use in this course is based on the following. First, the detection method. This category describes how the detection engine works. Second, the behavior on detection, which is defined by what kind of action is taken after an attack is detected. Third, the audit source, namely which data the IDS is analyzing. Fourth, the usage frequency, which tells us when an IDS runs its analysis. Finally, the location of an IDS, whether it is network-based or host-based. We will dig deeper into these aspects in the remainder of this lecture.

An IDS can be anomaly-based or misuse-based. For the sake of terminology, misuse-based IDSes are also known as knowledge-based or signature-based IDSes, and anomaly-based IDSes are also known as behavior-based IDSes. This category refers to the internal functioning of the detection engine. The detection engine bases its decision on a model of reality, that is, a model that describes either what an attack looks like or what normal traffic looks like. We have an anomaly-based IDS if the internal model describes what normal traffic looks like.
We have instead a misuse-based IDS if the internal model of the detection engine describes what an attack looks like. In this case, an IDS works similarly to a virus scanner, with signatures of known attacks. The advantage of a misuse-based IDS is that, since there is a clear description of the attack, it rarely raises false positives. On the other hand, new attacks for which no signature is yet available will not be detected. An anomaly-based IDS assumes that all traffic that deviates from the model of normality is an attack. The advantage here is that new attacks can be detected. However, building a model of normal traffic might be complex. And of course, not all anomalies are attacks.

An IDS can take different actions once an attack has been detected. The type of action will determine the impact an IDS has on the network. Let's see why. Typically, taking action means raising an alert. In this case, the IDS has a passive role and it defers the decision on how to treat an attack to a third party, like a security officer or a network administrator. This is quite a safe way of implementing an IDS. Since, as we will see later, there might be cases in which the IDS makes errors in judgment, it is considered good practice to keep a human in the loop. In other words, if you cannot fully trust your IDS, you might want to have somebody check the alerts before acting on them. Of course, this can easily become a time-costly operation. An IDS can also take other types of actions, such as dropping malicious traffic or reconfiguring other security appliances. For example, an IDS might instruct the firewall to block traffic from a certain malicious host. If the IDS takes action when it detects malicious traffic, it is then often called an intrusion prevention system, or IPS. The advantage of an IPS is that several security decisions can become automatic. However, this has drawbacks.
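To make the two detection methods concrete, here is an added example (not part of the lecture) with a toy detection engine that runs a misuse-based signature check and an anomaly-based check side by side over constructed packets; the signature set, the model of normality (destination ports seen in training) and all addresses and payloads are assumptions for illustration.

```python
# Added example, not lecture code: toy misuse-based vs anomaly-based engines.
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes

# Misuse-based engine: the model describes what an attack looks like.
# This one-entry signature set is a constructed stand-in for a real rule set.
SIGNATURES = {"sqli_attempt": b"' OR 1=1"}

def misuse_detect(pkt):
    """Return the name of the first matching signature, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern in pkt.payload:
            return name
    return None

# Anomaly-based engine: the model describes what normal traffic looks like.
# The model of normality here is just the set of destination ports seen in training.
def build_normal_model(training):
    return {p.dport for p in training}

def anomaly_detect(pkt, normal_ports):
    return pkt.dport not in normal_ports

def run_ids(packets, normal_ports):
    """Run both engines; return (packet index, engine, reason) for every alert."""
    alerts = []
    for i, pkt in enumerate(packets):
        sig = misuse_detect(pkt)
        if sig:
            alerts.append((i, "misuse", sig))
        if anomaly_detect(pkt, normal_ports):
            alerts.append((i, "anomaly", f"unusual port {pkt.dport}"))
    return alerts

# Constructed training traffic: in this network only HTTP and DNS are normal.
TRAINING = [Packet("10.0.0.5", "10.0.0.1", 80, b"GET / HTTP/1.1"),
            Packet("10.0.0.5", "10.0.0.2", 53, b"\x00\x01")]
# Constructed test traffic: 0 = known attack on a normal port, 1 = a new attack
# with no signature on an unusual port, 2 = legitimate but unusual admin SSH.
TEST = [Packet("198.51.100.7", "10.0.0.1", 80, b"GET /?id=1' OR 1=1 HTTP/1.1"),
        Packet("198.51.100.7", "10.0.0.1", 4444, b"unknown-attack-payload"),
        Packet("10.0.0.5", "10.0.0.3", 22, b"SSH-2.0-OpenSSH_9.0")]
```

Running `run_ids(TEST, build_normal_model(TRAINING))` shows the trade-off from the slides: the signature catches packet 0 but misses the new attack in packet 1, while the anomaly model catches packet 1 but also raises a false positive on the legitimate SSH traffic in packet 2.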
Imagine, for example, the case in which the IPS incorrectly classifies some traffic as malicious and blocks legitimate users from accessing a service.

When considering the audit source of an IDS, network packets are a possible source of information. Traffic analysis that uses single packets and that accesses the payload of those packets is called deep packet inspection, or DPI. DPI has the advantage that detection algorithms can run directly on the packet payload. However, DPI might not scale at high traffic rates, for example in core networks. In addition, the increased use of encrypted protocols has, in many cases, limited the applicability of DPI. An alternative audit source that should be added to the taxonomy we presented is network flows. We have seen that a network flow is defined as a set of packets passing the same vantage point that share a set of common characteristics. For example, packets from a client to a certain server between a pair of specific ports will all be aggregated in the same flow. In the scope of intrusion detection, and in comparison to DPI, flows have the disadvantage that no payload is available. On the other hand, flows are not affected by encryption, and they are already often in use for network monitoring in core networks, which indicates that they are quite scalable. Flow-based intrusion detection has risen in recent years to be an alternative to DPI.

Let's now look at when an IDS analyzes traffic. An IDS can perform online, always-on monitoring, or run periodic batch offline analysis on historical data. Always-on detection, possibly close to real time, is often considered one of the most important aspects of an IDS. This is because timely detection can positively impact the security level of a network. There might be other situations in which fast detection is not a requirement and an offline analysis is an adequate solution. This could be the case for testing purposes, for example.
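As an added example (not part of the lecture) of the flow audit source, the code below aggregates constructed packets seen at one vantage point into flows keyed on the 5-tuple and then runs a small flow-level check that never reads the payload, which is what makes it indifferent to encryption; the packet helper, the capture and the detection threshold are assumptions for illustration.

```python
# Added example, not lecture code: packets -> 5-tuple flows -> flow-level analysis.
from collections import defaultdict

def flow_key(p):
    """The common characteristics that define a flow at one vantage point."""
    return (p["src"], p["dst"], p["sport"], p["dport"], p["proto"])

def aggregate_flows(packets):
    """Group packets sharing a 5-tuple into flow records with packet and byte
    counts and start/end times. The payload field is never read, which is why
    flows work the same for encrypted and cleartext traffic."""
    flows = {}
    for p in packets:
        f = flows.setdefault(flow_key(p),
                             {"packets": 0, "bytes": 0, "start": p["ts"], "end": p["ts"]})
        f["packets"] += 1
        f["bytes"] += p["len"]
        f["start"] = min(f["start"], p["ts"])
        f["end"] = max(f["end"], p["ts"])
    return flows

def sources_touching_many_ports(flows, threshold):
    """Flow-level detection without payload: sources with flows to at least
    `threshold` distinct (server, port) pairs. The threshold is an assumption."""
    targets = defaultdict(set)
    for (src, dst, _sport, dport, _proto) in flows:
        targets[src].add((dst, dport))
    return sorted(s for s, t in targets.items() if len(t) >= threshold)

def pkt(ts, src, dst, sport, dport, length, proto="tcp"):
    # Constructed packet; the payload stands in for an opaque TLS record.
    return {"ts": ts, "src": src, "dst": dst, "sport": sport, "dport": dport,
            "proto": proto, "len": length, "payload": b"\x17\x03\x03\x00\x20..."}

# Constructed capture: one HTTPS session (four packets, one flow) and one source
# that opens single-packet flows to five different ports on the same server.
CAPTURE = [pkt(0.0, "10.0.0.5", "10.0.0.1", 51000, 443, 517),
           pkt(0.1, "10.0.0.5", "10.0.0.1", 51000, 443, 1514),
           pkt(0.2, "10.0.0.5", "10.0.0.1", 51000, 443, 1514),
           pkt(1.5, "10.0.0.5", "10.0.0.1", 51000, 443, 66)]
CAPTURE += [pkt(2.0 + i * 0.01, "203.0.113.9", "10.0.0.1", 40000 + i, port, 60)
            for i, port in enumerate([21, 22, 23, 25, 80])]
```

`aggregate_flows(CAPTURE)` yields six flow records, and `sources_touching_many_ports(flows, 5)` flags only the second source, without ever having seen a byte of payload.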
Let's end with the differences between a network-based IDS and a host-based IDS. A network-based IDS analyzes traffic pertaining to an entire network. It will therefore be placed at a strategic vantage point, for example at the entrance of the network we want to protect. The advantage is that a single system will protect an entire network. The disadvantage is that it might not have access to more detailed information, such as the logs of a specific host. A host-based IDS runs instead on a specific host. The advantage is that such a system might have access to local log files or system information, for example. It knows if system files are tampered with. The disadvantage is that host-based IDSes have only a local view of attacks, unless they are deployed in a distributed fashion. However, in this second case, the complexity of managing the system will increase.
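As an added example (not part of the lecture) of the kind of local check only a host-based IDS can perform, here is a file-integrity check that records a baseline of system-file digests and later reports files that were modified or removed; the monitored file names, their contents and the temporary directory are constructed for illustration.

```python
# Added example, not lecture code: a host-local file-integrity check.
import hashlib
import os
import tempfile

def file_digest(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    """Record a trusted digest for each monitored file (taken on a known-good host)."""
    return {p: file_digest(p) for p in paths}

def check_integrity(baseline):
    """Compare the current state against the baseline; return {path: finding}
    for files that were modified or are missing. Unchanged files are silent."""
    findings = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
        elif file_digest(path) != expected:
            findings[path] = "modified"
    return findings

def demo():
    """Constructed scenario in a temporary directory: baseline three files, then
    alter one and delete another, as tampering on the host would."""
    root = tempfile.mkdtemp()
    names = ("passwd", "sshd_config", "hosts")
    monitored = [os.path.join(root, n) for n in names]
    for p in monitored:
        with open(p, "w") as fh:
            fh.write(f"original contents of {os.path.basename(p)}\n")
    baseline = build_baseline(monitored)
    with open(monitored[0], "a") as fh:   # tamper: append to "passwd"
        fh.write("an extra line\n")
    os.remove(monitored[2])               # tamper: delete "hosts"
    return {os.path.basename(k): v for k, v in check_integrity(baseline).items()}
```

A network-based IDS watching the wire would see nothing of either change, which is exactly the local visibility the slides attribute to host-based systems.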