Intrusion Detection System (IDS): a true security software guard for our laptops

Published: April 14, 2021, 11:14 a.m.


Hello everyone, my name is Vijay Kumar Devireddy and I am glad to have you back on my episode 14. Today we are discussing: what is an IDS?

Well, an IDS stands for Intrusion Detection System. This is a device or a piece of software that's installed on a system or a network, and it will analyze all of the data that passes through it. It does this so that it can try to identify any incidents or attacks.

Intrusion Detection Systems come in two different varieties: the host-based Intrusion Detection System and the network-based Intrusion Detection System.

The first one we're going to talk about is a host-based Intrusion Detection System, also called an HIDS (H-I-D-S). This usually takes the form of a piece of software that's installed on your computer or on a server, and it will protect that one machine. The host-based Intrusion Detection System will sit there and log everything that it thinks is suspicious. We'll talk about what might be suspicious in just a moment.

The second type is what's known as a network-based Intrusion Detection System, or a NIDS (N-I-D-S). This is a piece of hardware that's installed on your network, typically attached to a switch. All the traffic goes through that switch, and a copy of it gets sent down to the network-based Intrusion Detection System. If something is suspicious, it'll log it and it'll alert on it.

Now, how do we know what these systems will alert on? Well, they're going to use one of three different methods. They're either going to use signature-based, policy-based, or anomaly-based detection.

Signature-based detection is where the system is looking for a specific string of bytes that'll trigger the alert. This works like any other signature-based product. The system continually searches, over and over, for a known specific pattern, and any time it sees that combination of letters or bytes, it knows that it's malicious. It'll flag it and it will alert on it.

The next type is what's known as policy-based detection. This relies on a specific declaration of the security policy. For example, if your company has a policy that no one is allowed to use Telnet, any time this system sees somebody trying to connect on port 23, which is the port for Telnet, it's going to flag it, log it, and alert on it.

The third type is statistical anomaly-based detection. Often, this is referred to as just anomaly-based detection or statistical-based detection. This analyzes all of the current traffic patterns against an established baseline, and any time it sees something that goes outside the statistical norm, it's going to alert on it. So if I've been watching your network for a while and I know what normal looks like, and everybody always works from nine in the morning until five in the afternoon, and now I start seeing somebody downloading large amounts of data around two o'clock in the morning, that's outside our normal baseline and we would flag that and alert on it.

Now, speaking of alerts, let's talk about what these alerts mean. There are four different types of alerts. They're either true positive, true negative, false positive, or false negative.

A true positive means something bad happened and the system flagged it and alerted on it. That's good, because it means our system is tuned properly. A true negative means something good or normal happened and the system didn't flag it. Again, that's good, because our system's working like it should.

But when we get into something like false positives, this is where legitimate activity is being identified as an attack. For example, if you log on to the computer and you start up Microsoft Word, that's authorized. But if the system thought that was malicious and flagged it and alerted on it, that's considered a false positive.

Next we have what's called a false negative. This is when something bad happens but it's identified as legitimate activity. In other words, it wasn't flagged and it wasn't alerted on.
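To tie the three detection methods and the four alert outcomes together, here is an added example (my own illustration, not code from the episode) that runs a tiny signature, policy and anomaly detector over a constructed set of connection records, then scores every decision against known ground truth. The signature list, the forbidden-port policy and the baseline values are all hypothetical constructed inputs.

```python
from dataclasses import dataclass

@dataclass
class Event:
    host: str
    dst_port: int
    hour: int        # hour of day the connection started (0-23)
    mbytes: int      # megabytes transferred
    payload: bytes   # first bytes of the payload
    malicious: bool  # ground truth, only known because the sample is constructed

# Constructed sample traffic: the Telnet attempt, the 2 a.m. bulk download and a
# signature hit from the episode, plus normal daytime traffic, a legitimate
# night-time backup job and a quiet attacker whose traffic looks ordinary.
EVENTS = [
    Event("ws1", 443, 10, 2, b"GET /index.html", False),
    Event("ws2", 23, 14, 1, b"login:", True),             # Telnet: policy violation
    Event("ws3", 445, 2, 900, b"\xfeSMB", True),          # 2 a.m. bulk download
    Event("ws4", 443, 9, 5, b"EVIL-BEACON-v1", True),     # known-bad byte string
    Event("bkp", 22, 3, 400, b"SSH-2.0-OpenSSH", False),  # nightly backup, legitimate
    Event("ws6", 443, 12, 3, b"POST /api/save", False),
    Event("ws7", 443, 12, 1, b"GET /health", True),       # novel beacon, blends in
]

SIGNATURES = [b"EVIL-BEACON-v1"]  # hypothetical known-bad byte strings
FORBIDDEN_PORTS = {23}            # policy: nobody may use Telnet
# Baseline "learned" earlier from a week of normal traffic (constructed values)
BASELINE = {"work_hours": range(9, 18), "max_mbytes": 150}

def detect(ev):
    """Return the name of the method that fires, or None if nothing does."""
    if any(sig in ev.payload for sig in SIGNATURES):
        return "signature"
    if ev.dst_port in FORBIDDEN_PORTS:
        return "policy"
    # Anomaly: outside working hours AND more data than the baseline ever saw
    if ev.hour not in BASELINE["work_hours"] and ev.mbytes > BASELINE["max_mbytes"]:
        return "anomaly"
    return None

def confusion_matrix(events):
    """Score each alert decision against ground truth as TP, TN, FP or FN."""
    counts = {"TP": 0, "TN": 0, "FP": 0, "FN": 0}
    for ev in events:
        if detect(ev) is not None:
            counts["TP" if ev.malicious else "FP"] += 1
        else:
            counts["FN" if ev.malicious else "TN"] += 1
    return counts
```

`confusion_matrix(EVENTS)` returns `{'TP': 3, 'TN': 2, 'FP': 1, 'FN': 1}`: the nightly backup trips the anomaly rule (a false positive that tuning the baseline would fix), while the beacon that stays inside business hours on port 443 is the false negative none of the three methods catches.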
