ID stands for Intrusion Detection: the practice of detecting
inappropriate, incorrect, or anomalous activity on a system or
network. ID systems that run on a host and examine that host's
own activity (system logs, file integrity, process behaviour)
are called host-based ID systems (HIDS); ID systems that
examine network traffic are called network-based ID systems
(NIDS).
Sometimes a distinction is made between misuse and intrusion
detection: "intrusion" describes attacks from the outside,
whereas "misuse" describes an attack that originates from the
internal network. Most people do not draw that distinction,
and in the IDS literature "misuse detection" more often refers
to signature-based detection. The two most common approaches
to ID are statistical anomaly detection, which builds a
profile of normal behaviour and flags deviations from it, and
pattern-matching (signature) detection, which looks for known
attack patterns in traffic or events. Anomaly detection can
catch novel attacks but is prone to false positives; signature
detection is precise but only sees what it has a signature
for.
Unauthorized access is usually gained by exploiting
vulnerabilities in the operating system or other installed
software. A typical server attack proceeds in stages: the
attacker chooses a target, runs a scanner to fingerprint the
remote operating system and the services it exposes, looks up
known flaws (and ready-made exploit code) for those versions
on various underground websites, and then runs scripts that
exploit the victim system. Many server attacks follow this
pattern, and each stage leaves traces (port scans, version
probes, exploit payloads) that an IDS can look for. Intrusion
detection tools help system administrators notice such
attacks while they are under way and aid in tracking down the
attackers; an IDS only detects and alerts, so blocking the
attack is the job of the administrator responding to the
alert or of a separate control such as an intrusion
prevention system (IPS).
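As an added example (not code from the original page), here is a toy IDS in Python that runs both approaches described above over a constructed log: a pattern-matching detector with two hypothetical signatures for exploit payloads, and a statistical anomaly detector that flags a source contacting far more distinct ports than a constructed baseline of normal traffic would predict (the reconnaissance stage of the attack sequence just described). The log format, the signatures, the baseline counts and the z-score threshold are all assumptions.

```python
"""Toy IDS: a signature (pattern-matching) detector and a statistical
anomaly detector run over constructed log lines.  Added example, not the
page's own code; log format, signatures and thresholds are assumptions."""
import re
import statistics
from collections import defaultdict

# Constructed connection log, "<src> -> <dst>:<port> <detail>".  Not real
# traffic: 10.0.0.5 sweeps ten ports (reconnaissance), 10.0.0.9 sends a
# command-injection payload, 10.0.0.7 sends a directory-traversal request.
SAMPLE_LOG = """\
10.0.0.7 -> 192.168.1.10:80 GET /index.html
10.0.0.5 -> 192.168.1.10:21 SYN
10.0.0.5 -> 192.168.1.10:22 SYN
10.0.0.5 -> 192.168.1.10:23 SYN
10.0.0.5 -> 192.168.1.10:25 SYN
10.0.0.5 -> 192.168.1.10:53 SYN
10.0.0.5 -> 192.168.1.10:80 SYN
10.0.0.5 -> 192.168.1.10:110 SYN
10.0.0.5 -> 192.168.1.10:143 SYN
10.0.0.5 -> 192.168.1.10:443 SYN
10.0.0.5 -> 192.168.1.10:3306 SYN
10.0.0.8 -> 192.168.1.10:443 GET /login
10.0.0.9 -> 192.168.1.10:80 GET /cgi-bin/test.cgi?cmd=/bin/sh
10.0.0.7 -> 192.168.1.10:80 GET /../../etc/passwd
"""

LINE_RE = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) (?P<detail>.*)$")

# Hypothetical signatures in the style of pattern-matching IDS rules.
SIGNATURES = {
    "shell-in-query": re.compile(r"/bin/(?:ba)?sh"),
    "dir-traversal": re.compile(r"(?:\.\./){2,}"),
}

# Constructed baseline: distinct destination ports contacted per source
# during a "normal" training window (assumed values).
BASELINE_DISTINCT_PORTS = [1, 1, 2, 1, 1, 3, 1, 2, 1, 1]


def parse(log_text):
    """Yield (src, dst, port, detail) for each well-formed log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["dst"], int(m["port"]), m["detail"]


def signature_alerts(log_text):
    """Pattern-matching detection: (src, signature name) for every line
    whose detail field contains a known-bad pattern."""
    alerts = []
    for src, _dst, _port, detail in parse(log_text):
        for name, pattern in SIGNATURES.items():
            if pattern.search(detail):
                alerts.append((src, name))
    return alerts


def anomaly_alerts(log_text, baseline=BASELINE_DISTINCT_PORTS, z_threshold=3.0):
    """Statistical anomaly detection: (src, distinct ports, z-score) for
    every source whose distinct-port count lies more than z_threshold
    standard deviations above the baseline mean.  This is a crude
    port-scan / fingerprinting detector; it knows nothing about payloads."""
    mean = statistics.mean(baseline)
    stdev = statistics.pstdev(baseline) or 1.0  # guard against a flat baseline
    ports_by_src = defaultdict(set)
    for src, _dst, port, _detail in parse(log_text):
        ports_by_src[src].add(port)
    alerts = []
    for src, ports in ports_by_src.items():
        z = (len(ports) - mean) / stdev
        if z > z_threshold:
            alerts.append((src, len(ports), round(z, 1)))
    return alerts


if __name__ == "__main__":
    for src, name in signature_alerts(SAMPLE_LOG):
        print(f"SIGNATURE  {src}: {name}")
    for src, count, z in anomaly_alerts(SAMPLE_LOG):
        print(f"ANOMALY    {src}: {count} distinct ports (z={z})")
```

Note what each detector misses: the signature detector sees nothing wrong with the port sweep because no single line matches a rule, and the anomaly detector sees nothing wrong with the two exploit requests because each source touched only one port. Lowering `z_threshold` or shrinking the baseline window makes the anomaly detector fire on ordinary clients too, which is the tuning trade-off the page describes.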
An Intrusion Detection System (IDS) tries to detect attempted
intrusions into a system or network and alert its operators.
An IDS works continuously in the background, notifying you
only when it sees something it considers suspicious. Whether
that notification is of any use depends entirely on the IDS
you choose and how well you have configured it: an untuned
IDS either buries real alerts among false positives or misses
attacks for which it has no signature or baseline, so its
rule set, thresholds and baseline need to be tuned to the
environment and revisited as the environment changes.