Intrusion Detection Systems and a detection software program you can use

There are many intrusion detection systems on the market. This article describes several of them and includes a simple detection program that you can adapt for your own network.

Intrusion Detection Systems (IDS) are software systems that detect intrusions into a network. They block attacks, respond with countermeasures, or at least alert administrators while an attack is in progress. This article describes the utility of several effective Intrusion Detection Systems.

Inspection Based Intrusion Detectors

These detectors are very common and observe the activity on a host or network. They judge whether an intrusion is in progress or has already occurred based either on programmed rules or on historical indications of normal use. The detectors built into firewalls and operating systems are inspection based. They rely on indicators such as the following.

  • Network traffic such as port scans, ICMP scans or attachment to unauthorized ports.

  • Resource utilization like RAM, CPU and Network I/O surges at unexpected times.

  • File activity which includes modifications to system files, user files or security permissions.

The detectors monitor combinations of these signs and create log entries. The body of these entries, called the audit trail, is examined to determine when intrusions occurred. Intrusion detection systems can be rule based (they detect intrusions from sequences of user activities), statistical (they detect intrusions by comparing an existing base of valid audit trails with new trails) or hybrid (a combination of rule and statistical). Rule-based systems can detect only known intrusion vectors. Statistical ones have a better chance of detecting more vectors but are not foolproof. IDS systems therefore require regular monitoring by human security administrators, which can be expensive.
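As an added illustration (not from the article), here are the two detection styles run over a constructed audit trail: a rule that flags a source touching many distinct ports within a time window, and a statistical check that compares today's failed-logon count with a stored baseline. All log lines and counts below are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit trail, one event per line: "<epoch seconds> <event> <source ip> <port>"
SAMPLE_TRAIL = """\
100 connect 10.0.0.5 80
101 connect 10.0.0.5 443
120 connect 198.51.100.7 21
121 connect 198.51.100.7 22
122 connect 198.51.100.7 23
123 connect 198.51.100.7 25
124 connect 198.51.100.7 80
125 connect 198.51.100.7 110
130 connect 10.0.0.5 80
"""

# Constructed history: failed-logon counts for the same hour on eight previous days.
FAILED_LOGON_HISTORY = [3, 4, 2, 5, 3, 4, 3, 4]

def parse_trail(text):
    """Turn the audit trail into (timestamp, event, source, port) tuples."""
    events = []
    for line in text.splitlines():
        ts, event, src, port = line.split()
        events.append((int(ts), event, src, int(port)))
    return events

def rule_port_scan(events, window=60, min_ports=5):
    """Rule-based check: a source touching min_ports distinct ports within
    window seconds is flagged. Activity spread over longer than the window
    is not matched, which is the limitation of rules the article describes."""
    history = defaultdict(list)  # source -> [(timestamp, port), ...]
    flagged = set()
    for ts, event, src, port in events:
        if event != "connect":
            continue
        history[src].append((ts, port))
        recent_ports = {p for t, p in history[src] if ts - t <= window}
        if len(recent_ports) >= min_ports:
            flagged.add(src)
    return sorted(flagged)

def statistical_surge(history, today, z_threshold=3.0):
    """Statistical check: is today's count an outlier against the stored
    baseline of valid audit trails? Returns (is_anomalous, z_score)."""
    mu, sigma = mean(history), pstdev(history)
    z = (today - mu) / sigma if sigma else (float("inf") if today > mu else 0.0)
    return z > z_threshold, round(z, 2)
```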

Suck Server Decoy Intrusion Detectors

Suck Server is an example of a decoy intrusion detector. It works by creating TCP/IP services on ports that are otherwise unused on the computer. Decoy intrusion detectors mimic the behavior of a target system and alert the administrator to any intrusion. When a hacker attacks a network, he performs a methodical series of common attacks, such as port scans, to determine the available hosts. By providing decoy hosts or services, you can encourage the hacker into attacking a host or service that isn't important to you and that is designed specifically to alert on any use at all. Decoys may operate as a single service on an operational host or as an entire network. When a hacker performs a port scan, the attachment to such unused ports is logged and can be used to raise an alert, which gives you time to respond to the attack. You can place a bogus, cleaned copy of your website on the decoy server to maintain the illusion that the hacker is succeeding while you use the time to act. Decoy intrusion detectors are also extremely cheap and easily afforded. Suck Server allows port suckers to be established on unused TCP/IP ports of public Internet servers. These port suckers are server programs that record the data sent to the port along with the IP address of the client that sent it. When a hacker tries to establish a connection, the service does not respond, so it looks like a slow or broken routing connection. It also automatically drops connections after 60 seconds so that the hacker can't flood your network. The detector requires 5 MB of RAM.
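A minimal decoy listener of the kind described above, added here as an illustration; it is not Suck Server's code. It logs each client's address and whatever it sent, never answers, and drops idle connections after a timeout (the article's 60 seconds, shortened in demo()). The client in demo() is a constructed stand-in for a scanner so the example runs on loopback.

```python
import socket
import threading
import time

def handle_client(conn, addr, log, timeout):
    """Record who connected and what they sent; never answer; drop when idle."""
    conn.settimeout(timeout)  # idle limit, like the article's 60-second drop
    received = b""
    try:
        while chunk := conn.recv(4096):
            received += chunk
    except OSError:
        pass  # idle too long or reset by the peer: drop it quietly
    finally:
        conn.close()
    log.append({"time": time.time(), "client": addr[0], "data": received[:256]})

def start_decoy(host, port, log, timeout=60):
    """Listen on an otherwise unused TCP port; every connection is logged."""
    srv = socket.create_server((host, port))

    def accept_loop():
        while True:
            try:
                conn, addr = srv.accept()
            except OSError:
                return  # listening socket closed: shut down
            threading.Thread(target=handle_client, daemon=True,
                             args=(conn, addr, log, timeout)).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv

def demo(timeout=1.0):
    """Decoy on a free loopback port, probed by a constructed client; returns (log, responded)."""
    log = []
    srv = start_decoy("127.0.0.1", 0, log, timeout)  # port 0: any free port
    with socket.create_connection(("127.0.0.1", srv.getsockname()[1]), 2) as c:
        c.sendall(b"GET / HTTP/1.0\r\n\r\n")
        c.settimeout(0.3)
        try:
            responded = c.recv(64) != b""
        except socket.timeout:
            responded = False  # silence: looks like a broken route to the caller
    deadline = time.monotonic() + 5  # give the handler time to log the drop
    while not log and time.monotonic() < deadline:
        time.sleep(0.05)
    srv.close()
    return log, responded
```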

Windows NT System

Windows NT has strong operating system support for reporting object use, with strong security auditing and file system support that aid its performance monitoring and auditing capabilities. The file system records date and time stamps whenever an access occurs. Windows NT can be configured, using the Audit command on the Policies menu of User Manager, to create entries in the security log whenever any of the following events succeeds or fails.

  • Logon attempts

  • File or object access such as opening or copying a file

  • Use of special rights such as backing up the system

  • User or group management activities such as adding a user account

  • Change in security policy

This means that you can build your own intrusion detection software by configuring Windows NT to audit any behavior that indicates an intrusion. If you suspect an intrusion, you can use the following batch file to compare the current state of key directories with a baseline; the resulting comparison files can then be inspected with any text editor, such as Notepad.

    @echo off
    REM compare.bat
    REM Compares the current directory listings of key locations with
    REM baseline listings (base1.txt to base4.txt) and writes the
    REM differences to root.txt, winnt.txt, system.txt and system32.txt.
    REM Create the baselines once, on a known-good system, by running the
    REM same four DIR commands redirected to base1.txt ... base4.txt.
    REM /TW shows each file's last-write time, so FC reports modified files.
    ECHO Checking for system changes
    DIR c:\*.* /TW > comp1.txt
    DIR c:\winnt\*.* /TW > comp2.txt
    DIR c:\winnt\system\*.* /S /TW > comp3.txt
    DIR c:\winnt\system32\*.* /S /TW > comp4.txt
    FC base1.txt comp1.txt > root.txt
    FC base2.txt comp2.txt > winnt.txt
    FC base3.txt comp3.txt > system.txt
    FC base4.txt comp4.txt > system32.txt
    DEL comp?.txt
    ECHO Finished finding changes. Changes are
    ECHO stored in the following files:
    ECHO root.txt stores changes to c:\
    ECHO winnt.txt stores changes to c:\winnt
    ECHO system.txt stores changes to c:\winnt\system
    ECHO system32.txt stores changes to c:\winnt\system32

Performance Monitor

Performance Monitor can be used to alert on unexpected changes in resource utilization and on attack indicators such as a high number of logon attempts. It can be configured to run programs that send network alerts or e-mails. It works only while the user is logged on, but it can monitor computers remotely.

NAI CyberCop

NAI CyberCop is a suite of tools for intrusion protection beyond simple firewalling. The tools are available for UNIX and Windows NT and can be downloaded free from NAI's official website. By integrating them with NAI's Gauntlet firewall, you can create a strong network security posture capable of automatically blocking and responding to threats.


Tripwire

Tripwire scans files and directories on UNIX systems and creates a snapshot record of the size, date and signature hash of each file. If you suspect an intrusion, you can make Tripwire re-scan the server; any changed files are reported when the new file signatures are compared with the stored record. An open source version of this detector is available on the official Tripwire website.
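An added example (not the article's batch file and not Tripwire's code) that does in one place what the batch file and Tripwire each do: snapshot the size, timestamp and SHA-256 hash of every file under a directory and compare it with a baseline. The constructed demo rewrites one file while keeping its size and timestamp unchanged, which a DIR-style listing comparison does not notice but the content hash does; the file names used are made up.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def snapshot(root):
    """Record size, mtime and SHA-256 of every regular file under root."""
    root = Path(root)
    record = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file() and not p.is_symlink()):
        st = path.stat()
        record[path.relative_to(root).as_posix()] = {
            "size": st.st_size, "mtime": int(st.st_mtime),
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest()}
    return record

def compare(baseline, current):
    """Diff two snapshots: 'listing' is what a DIR-style comparison of size and
    timestamp notices; 'changed' is what the content hash notices."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "listing": sorted(p for p in common if (baseline[p]["size"], baseline[p]["mtime"])
                          != (current[p]["size"], current[p]["mtime"])),
        "changed": sorted(p for p in common
                          if baseline[p]["sha256"] != current[p]["sha256"]),
    }

def demo():
    """Constructed tree: one file rewritten with its size and timestamp preserved,
    one file added, one removed. Returns the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        cfg = root / "system32" / "drivers.cfg"
        cfg.write_text("debug=0\n")
        (root / "boot.ini").write_text("[boot loader]\n")
        (root / "old.log").write_text("stale\n")
        baseline = snapshot(root)                        # like the batch file's base files
        stamp = cfg.stat()
        cfg.write_text("debug=1\n")                      # same size, new content
        os.utime(cfg, (stamp.st_atime, stamp.st_mtime))  # timestamp put back
        (root / "new.dll").write_text("unexpected\n")
        (root / "old.log").unlink()
        return compare(baseline, snapshot(root))
```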
