Intrusion Detection - Who's Knocking at My Door?
Article by Rick Leinecker, March 3, 2008

Have you ever wondered how the network security guys know when someone got in? Of course it's obvious when a Web site's main page has a picture of Dolly Parton. It's also pretty obvious when files on a server are missing or corrupted. But how can you tell if someone is lurking in the shadows who hasn't left any obvious traces? One of the primary techniques is known as intrusion detection, and that's what I want to talk about today.

Let's start with a layman's primer on network communications. Relax - I'll keep it easy to understand. All network communications are done by sending chunks of information in what's called a packet. Packets are similar to packages that you send through the mail. Let's say for instance that you need to just send a sweater to Aunt Sally. You'd pack it up in a single box and mail it at the Post Office. For small network communications it's a similar idea. The network takes a small message such as a short email and sends it as a single packet.

But let's say you need to send your cousin Jim's entire winter wardrobe. You'd have to use multiple packages. You box each item up and then send each package to Jim. When networks need to send larger sets of information, they're broken up into smaller, more manageable chunks, each sent as its own packet and reassembled at the other end.

Now let's talk about how you can tell if any of these network packets are unwelcome or malicious. Let me use the Post Office analogy to make it easier. Let's say that the Post Office checks each package for Anthrax because of the Anthrax scare from several years ago. They would use a special machine which can detect Anthrax from a predetermined detection pattern. The Post Office then could add extra capabilities to the machine that can check for nuclear waste, dynamite, and anything else that shouldn't be transported through the Post Office. So now we have a machine that can look at a package and alert Postal officials to a potential threat.

Remember that networks have packets that are similar to the packages in the Post Office. If we could build a machine similar to the one in the Post Office, we could check each packet for dangerous content. As it turns out it's fairly easy to create just such a machine. It comes in the form of specialized programs known as intrusion detection software. It watches all of the packets on the network segment it is connected to. It is loaded with signatures, which are the telltale byte patterns of known attacks. It examines each packet, looks for a match in its signature database, and sounds the alarm if a match is found. The catch is that a signature-based detector only recognizes attacks it has a signature for, and a sloppy signature can fire on harmless traffic, so the signature set has to be kept current and tuned. Even with those limits, intrusion detection goes a long way toward keeping networks safe.

In recent years, intrusion detection software has been extended to intrusion prevention software (although there are still quite a few intrusion detection programs in use). The prevention piece sits inline in the traffic path and takes action the moment an alarm goes off: it can drop the offending packet or reset the connection. In the past, the alarm would let a network administrator know that there was something amiss, and the network administrator would then have to respond. With prevention the software can stop an attack before any damage is done, but there is a trade-off: a false alarm now blocks legitimate traffic instead of just generating a log entry, so administrators typically enable blocking only for signatures they trust.
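To make the two ideas above concrete (signature matching over packets, and the difference between alerting and blocking), here is a toy sensor in Python. It is an added example written for this page, not code from the article or from any real product such as Snort; the signatures, the packets, and the sensor design are all constructed for illustration. It also shows a wrinkle that follows from the earlier point about large messages being split into chunks: a pattern that straddles two packets is missed if you inspect packets one at a time, so the sensor can optionally stitch a stream back together before matching.

```python
"""Toy signature-based intrusion detection / prevention sensor (added example).

Everything here is constructed for illustration: the signatures are not
production rules and the packets are hand-written, not captured traffic.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    sid: int
    msg: str
    pattern: bytes            # regular expression applied to the payload
    dport: Optional[int] = None  # only inspect this destination port (None = any)


# Constructed signatures for three classic web attack patterns.
SIGNATURES = (
    Signature(1001, "HTTP directory traversal", rb"\.\./\.\./", 80),
    Signature(1002, "SQL injection tautology", rb"(?i)'\s*or\s+1\s*=\s*1", 80),
    Signature(1003, "Shell command in HTTP query", rb"[;|]\s*(cat|ls|rm|wget)\b", 80),
)


def matching_signatures(payload, dport, sigs=SIGNATURES):
    """Return every signature whose port filter and pattern both match."""
    return [s for s in sigs
            if (s.dport is None or s.dport == dport) and re.search(s.pattern, payload)]


class Sensor:
    """prevent=False behaves like an IDS (alert only); prevent=True like an IPS (drop).

    reassemble=True keeps a bounded per-stream buffer so a signature split across
    packets is still found; reassemble=False inspects each packet in isolation.
    """

    def __init__(self, sigs=SIGNATURES, prevent=False, reassemble=True, window=4096):
        self.sigs, self.prevent, self.reassemble, self.window = sigs, prevent, reassemble, window
        self.streams = {}   # (src, dst, dport) -> bytes seen so far in that stream
        self.alerts = []
        self.dropped = 0

    def inspect(self, pkt):
        key = (pkt.src, pkt.dst, pkt.dport)
        if self.reassemble:
            data = (self.streams.get(key, b"") + pkt.payload)[-self.window:]
            self.streams[key] = data
        else:
            data = pkt.payload
        hits = matching_signatures(data, pkt.dport, self.sigs)
        if not hits:
            return "pass"
        for s in hits:
            self.alerts.append(f"[{s.sid}] {s.msg}: {pkt.src} -> {pkt.dst}:{pkt.dport}")
        self.streams.pop(key, None)  # don't re-alert on the same bytes next packet
        if self.prevent:
            self.dropped += 1
            return "drop"
        return "alert"


# Constructed sample traffic.
BENIGN = Packet("10.0.0.5", "10.0.0.80", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
TRAVERSAL = Packet("10.0.0.9", "10.0.0.80", 80, b"GET /cgi-bin/../../../../etc/passwd HTTP/1.1\r\n\r\n")
# The same traversal request split across two packets; neither half contains "../../".
SPLIT = (
    Packet("10.0.0.9", "10.0.0.80", 80, b"GET /cgi-bin/../"),
    Packet("10.0.0.9", "10.0.0.80", 80, b"../etc/passwd HTTP/1.1\r\n\r\n"),
)
WRONG_PORT = Packet("10.0.0.9", "10.0.0.22", 22, b"../../")  # traversal bytes, but not HTTP


def run_demo(prevent, reassemble):
    """Feed the sample traffic through one sensor; return (verdicts, alerts, dropped)."""
    sensor = Sensor(prevent=prevent, reassemble=reassemble)
    verdicts = [sensor.inspect(p) for p in (BENIGN, TRAVERSAL, *SPLIT, WRONG_PORT)]
    return verdicts, sensor.alerts, sensor.dropped


if __name__ == "__main__":
    for prevent, reassemble in ((False, False), (False, True), (True, True)):
        verdicts, alerts, dropped = run_demo(prevent, reassemble)
        print(f"prevent={prevent} reassemble={reassemble}: {verdicts} dropped={dropped}")
        for a in alerts:
            print("   ", a)
```

Running it shows the detect-only sensor raising an alert for the whole traversal request, the packet-at-a-time sensor missing the split version entirely, and the prevention sensor returning "drop" where the others returned "alert". The port filter on each signature is the kind of tuning mentioned above: the same "../../" bytes on port 22 produce no alarm because the rule only applies to HTTP.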

Intrusion detection is one of the most powerful anti-hacker techniques in use today; and you can rest assured that it continues to evolve.