IDS

Purpose

The IDS object represents an Intrusion Detection System, used to detect unauthorized or malicious use of resources. Intrusions are detected by matching the characteristics of observed activity against known malicious patterns. Depending on which connections are used, the IDS acts either as a Host Intrusion Detection System (HIDS) or as a Network Intrusion Detection System (NIDS).

Connections

IDS and Neighboring Objects

Object: Host
Connection: HIDS Execution
Description: Connection to a Host denotes that the Host is equipped with a host-based IDS (HIDS).
Function: A missing IDS on a Host enables direct bypass of the IDS via exploits or USB.

Object: Router
Connection: NIDS Execution
Description: Connection to a Router denotes that the traffic passing through the Router is inspected by an IDS on the network level (NIDS).
Function: A missing Router will not activate the NIDS.

Object: Dataflow
Connection: Protection
Description: Connection to a Dataflow denotes that the traffic in that Dataflow is inspected by a network-based IDS (NIDS), given that it is not encrypted.
Function: A missing Dataflow will reduce the time needed to attack through the Dataflow (given that there is no explicit association between the Dataflow and the IDS's Router).

Attack Steps and Defenses

IDS Attack Steps and Defenses

Attack Step: No attack steps
Description: There are no attack steps directly to an IDS in SecuriLang.
Defense: Enabled
Description: An Enabled IDS denotes that it is installed, configured and works properly and as expected.
Impact: Reduces the probability of BypassIDS.
Default: On

Defense: Tuned
Description: A Tuned IDS decreases the number of false negatives, increases the false positives and improves detection accuracy, usability and effectiveness.
Impact: Reduces the probability of BypassIDS.
Default: 0.5

Defense: Updated
Description: Signature-based IDSs need to have their ruleset updated regularly to be able to respond appropriately to new attacks and vulnerabilities. An Updated IDS denotes that it is completely updated and contains all known signatures.
Impact: Reduces the probability of BypassIDS.
Default: 0.5