Network Based Intrusion Detection and Intrusion Prevention Systems

by Saman Abbad
Sept. 26, 2017 | Detection & Response, firewall


This paper explains intrusion detection and intrusion prevention systems (IDS/IPS), one of the most essential mechanisms implemented to secure our networks. The threat of cyber attacks has increased many fold in the last few years and there is news of a data breach every other month. Network based IDS/IPS is not a new technique, but the ways it can be implemented considering the latest trends in technological growth are an area that needs to be understood. In this paper we will go from soup to nuts on IDS/IPS and will also provide high level design ideas for implementing them in different IT environments. The paper includes the following topics:

  • What is network based IDS and IPS
  • What is host based IDS/IPS, and its pros and cons
  • Design of IDS/IPS for an enterprise:
  • Device based
  • Router based
  • Firewall based
  • IDS/IPS design for cloud based implementations
  • IDS/IPS design for smart IoT devices
  • Using machine learning to implement intrusion detection

What is IDS and IPS

An intrusion detection system (IDS), as the name indicates, is software used to locate and identify malicious traffic by monitoring network traffic in real time. It is important to use the right tool for the right job. The location of the IDS in the network is a key design characteristic. An IDS is generally placed behind the firewall; however, it is critical to understand the traffic flow and the complete network design before deciding where to place the IDS. Also, more than one IDS may be needed to secure the entire network. There are various methods of detecting intrusions; some of the most common are:

  • Using Signatures: A vendor may supply, for example, 2000 signatures that are loaded into the IDS to match against incoming patterns. A signature is essentially a pattern of a known attack, and those patterns are saved in a database in the IDS. Whenever a new packet arrives on the network it is analyzed for similarities with the existing signatures in the database. If a match is discovered, an alert is generated.

  • Looking for Anomalies: A baseline is established for certain use cases of a customer. For example, if 30 people normally open a connection at the same time in an organization and we have a clipping level of x5, then an abnormal burst of more than 30x5=150 simultaneous connection requests generates an alert.

  • Protocol Anomalies: There can be protocol based anomalies. For example, if the expected protocol on a system is HTTP but requests in some other protocol, or unknown commands that violate the regular protocol, are detected on the network, an alert is generated.
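The three detection methods above, worked through as one small sensor over constructed traffic records (this is an added example, not code from the paper or from any IDS product; the signature patterns, the 30-connection baseline with x5 clipping, and the port-to-protocol expectations are all assumptions chosen to mirror the text):

```python
from collections import Counter

# Constructed sample traffic records: (second, src_ip, dst_port, protocol, payload).
# These are made-up events, not captures from any real network.
SAMPLE_EVENTS = (
    [(1, "10.0.0.5", 80, "HTTP", b"GET /index.html HTTP/1.1")]
    + [(1, "10.0.0.7", 80, "HTTP", b"GET /../../etc/passwd HTTP/1.1")]
    + [(2, "10.0.0.9", 80, "SSH", b"SSH-2.0-OpenSSH")]
    # 151 connection attempts within one second: one more than the clipping level
    + [(3, f"10.0.1.{i % 250}", 443, "TLS", b"") for i in range(151)]
)

# Signature database: signature id -> byte pattern of a known attack (constructed ids).
SIGNATURES = {"SIG-TRAVERSAL": b"../../etc/passwd", "SIG-SQLI": b"' OR 1=1"}
BASELINE_CONNECTIONS = 30          # normal simultaneous connections, as in the text
CLIPPING_FACTOR = 5                # x5 clipping -> alert above 150 connections
EXPECTED_PROTOCOL = {80: "HTTP", 443: "TLS"}   # assumed policy per port

def signature_alerts(events, signatures=SIGNATURES):
    """Signature method: match each payload against every stored pattern."""
    return [(sec, src, sig_id)
            for sec, src, _port, _proto, payload in events
            for sig_id, pattern in signatures.items() if pattern in payload]

def connection_flood_alerts(events, baseline=BASELINE_CONNECTIONS, factor=CLIPPING_FACTOR):
    """Statistical anomaly: more than baseline*factor connections in any one second."""
    threshold = baseline * factor
    per_second = Counter(sec for sec, *_rest in events)
    return [(sec, n) for sec, n in sorted(per_second.items()) if n > threshold]

def protocol_anomaly_alerts(events, expected=EXPECTED_PROTOCOL):
    """Protocol anomaly: traffic on a port that does not carry the protocol expected there."""
    return [(sec, src, port, proto)
            for sec, src, port, proto, _payload in events
            if port in expected and proto != expected[port]]

def run_all(events):
    """Run all three detectors and return their alerts keyed by method."""
    return {"signature": signature_alerts(events),
            "flood": connection_flood_alerts(events),
            "protocol": protocol_anomaly_alerts(events)}

if __name__ == "__main__":
    for kind, alerts in run_all(SAMPLE_EVENTS).items():
        for alert in alerts:
            print(f"ALERT [{kind}] {alert}")
```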

Intrusion Prevention Systems (IPS)

An intrusion detection system does not prevent the attack but creates alerts. An intrusion prevention system (IPS) effectively makes sure the attack is prevented, as it is placed inline in the network and all traffic has to pass through the IPS before reaching the server, so malware is not allowed to reach the server.

A proposed Design for IDS in an Enterprise

Design Considerations

  • IDS is generally placed behind a firewall.
  • In the above design, IDS location 1 is to protect the Web Server.
  • IDS location 2 is to protect the rest of the network from malware.
  • This is a network IDS and not a host based IDS, which means it may not detect malware exchanged between two peer hosts. For example, if malware is generated between the DNS and Exchange servers, the packet may not pass through the IDS and may go undetected.

A proposed Design for IPS in an enterprise

Host based IDS/IPS

A host based IDS monitors a single system. It runs on the host you need to secure, reads the logs on that host and finds anomalies. Host based IDS systems detect anomalies after the fact, once the attack has been carried out. A network based IPS inspects the packets in the network segment. If the network based IPS design is done accurately, it may eliminate the need for a host based IPS. Another drawback of host based IDS systems is that they might be required on all hosts in the network; imagine if there are 5000 hosts: licensing would be required for all of them and may incur a lot of expense for the organization.

Device based IDS/IPS

You can install an intrusion detection system on a physical server or a virtual server. You need two interfaces, for incoming and outgoing network traffic. You can also install IDS software like Snort on an Ubuntu server in a virtual machine.

Router based IDS/IPS

A router is one device in the network through which most network traffic passes. In particular, routers that are the gateway to the external world have a direct connection to the internet. This gives these routers a special place in the network security design, where IDS and IPS systems can be positioned. There is third party software available that can be integrated with routers and act as the first line of defense against external threats.

IDS/IPS on Firewall

The difference between a firewall and an IDS is that a firewall looks outward for intrusions and stops them from entering the network; however, it does not monitor attacks that might be generated by someone inside the network. Many vendors have integrated IPS and IDS into the firewall, which adds an extra layer of protection on top of the firewall functionality. Palo Alto Networks provides such a firewall.

IDS/IPS design for Cloud based implementations

Customers hosting their applications entirely on a public cloud may want to consider an IDS implementation on top of what is provided by the cloud provider. For example, Amazon may provide a security layer, but there is also a community image of the Snort IDS available that can be utilized for monitoring and sensing threats. Sourcefire also supports the Snort IDS on Amazon and can provide valuable assistance in implementing the solution. A California based company, MetaFlow Inc, also provides malware detection services and products that can be applied to both Amazon and the VMware hypervisor. This is particularly helpful for hybrid cloud environments that host applications on both private and public clouds.

IDS/IPS design for Smart IoT Devices

With the Internet of Things revolution all around, it is very important that IoT devices and sensors have some kind of protection from external malware attacks. Since the size and nature of these sensors or devices differ, the IDS for them will also be customized based on the capacity (CPU, RAM) of the device. This is a relatively new domain and has the greatest exposure to attacks.

CUJO is one device that can be used to give business level security to our home automation systems. It is a pre-built firewall/IDS system that not only analyzes threats but also prevents them. Another feature of CUJO is that it is connected to a cloud based repository that it consults to check packets for behavior anomalies. This repository keeps updating itself with signatures or patterns from the other protected homes, so that this wealth of information is shared through the cloud repository with all connected CUJO devices.

Design to protect smart device at Home

Using Machine Learning to implement Intrusion detection

There are machine learning algorithms that can detect anomalies and generate alerts. For example: what is the probability of getting an email from a specific person at 4:00am, or how many emails person A sends to person B per day? The machine learning algorithm learns the behavior and, if there is a change in behavior, it immediately generates an alert. It also uses Markov models, with which it can detect a URL request that was sent by a bot: a human may misspell a website name, but a bot writes a random website name, and the machine learning algorithm can pick that up. Clustering groups data based on similarities. For example, traffic from the internal network to the company's web server may have a pattern. There is empirical research showing that 90% of the time only 10% of the data is accessed. However, if there is a malware attack, it may try to search data which has not been accessed for years. This will create an alert.
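The Markov model idea above, as an added example that is not part of the paper: a first-order character Markov chain is trained on hostnames a human would type, and a requested name whose average transition log-probability falls below a threshold is flagged as machine-generated. The training list, the Laplace smoothing and the default threshold of -3.0 are assumptions made for this illustration.

```python
import math
from collections import defaultdict

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
START, END = "^", "$"

# Constructed training set of human-style hostnames (labels only, not real traffic).
LEGIT_HOSTNAMES = ["google", "amazon", "microsoft", "facebook", "wikipedia",
                   "github", "example", "security", "network", "intrusion",
                   "detection", "prevention", "firewall", "monitor", "server"]

def train_bigram_model(names):
    """Count character transitions a->b; this is the first-order Markov chain."""
    counts = defaultdict(lambda: defaultdict(int))
    for name in names:
        seq = START + name.lower() + END
        for a, b in zip(seq, seq[1:]):
            counts[a][b] += 1
    return {a: dict(nxt) for a, nxt in counts.items()}

def transition_log_prob(model, a, b):
    """Laplace-smoothed log P(b | a): unseen transitions are unlikely, not impossible."""
    vocab = len(ALPHABET) + 1               # letters plus the END symbol
    nxt = model.get(a, {})
    total = sum(nxt.values())
    return math.log((nxt.get(b, 0) + 1) / (total + vocab))

def score(model, name):
    """Average log-probability per transition; lower means less human-like."""
    seq = START + name.lower() + END
    log_probs = [transition_log_prob(model, a, b) for a, b in zip(seq, seq[1:])]
    return sum(log_probs) / len(log_probs)

def is_bot_generated(model, name, threshold=-3.0):
    """Assumed threshold: names scoring below it are flagged as randomly generated."""
    return score(model, name) < threshold

if __name__ == "__main__":
    model = train_bigram_model(LEGIT_HOSTNAMES)
    for host in ["amazon", "amazonshop", "xqzjvkwp"]:
        print(f"{host:12s} score={score(model, host):.2f} bot={is_bot_generated(model, host)}")
```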

Machine Learning Approaches that can be used for IDS/IPS


The key factor that needs to be considered while preparing a network security design is where your IDS/IPS will reside. Based on the network and the customer environment, various design methodologies can be implemented. With the IoT revolution and smart devices flooding the environment, the importance of a proper IDS has increased manifold. Most of the cyber attacks we come across these days were successful due to the lack of an adequate intrusion detection system.

Published with the express permission of the author.

Mitchell Rowton moderator 5 months, 3 weeks ago

Years ago SNORT was the de-facto IDS. Now most people have moved on to Suricata, which is multi-threaded. I also suggest you subscribe to the Emerging Technologies rule feed. They have both free and paid plans.

2flash 5 months, 2 weeks ago

Really a great guide! Thanks to the author for taking the time to write this. It will definitely help a lot of cyber security enthusiasts!