Intrusion Detection and Firewalls: Key Concepts

1. Firewalls (Gollmann, Chapter 17.3)

What Are Firewalls?

Firewalls act as network security barriers that monitor and control incoming and outgoing traffic based on predefined security rules.

Types of Firewalls

  1. Packet Filtering Firewalls
    • Operate at the network layer (Layer 3).
    • Inspect packet headers (source/destination IP, port, protocol).
    • Fast, but lack deep inspection capabilities (payloads are never examined).
  2. Stateful Inspection Firewalls
    • Track active connections and maintain session state.
    • More secure than packet filtering, but use more memory and CPU to keep the state table.
  3. Proxy Firewalls
    • Act as an intermediary between users and the internet.
    • Inspect entire packets, including payloads (Layer 7, Application Layer).
    • Slower, but provide deep security analysis.
  4. Next-Generation Firewalls (NGFWs)
    • Combine traditional firewalls with IDS/IPS and deep packet inspection (DPI).
    • Can block malware, detect anomalies, and enforce security policies.
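The difference between a packet filter and stateful inspection is easiest to see in code. The following is an added example, not taken from Gollmann or from any real firewall: a first-match filter on Layer 3/4 header fields, then the same rule set behind a connection table. The policy, the Packet and Rule types, the demo() function and the addresses (RFC 5737 documentation ranges) are all hypothetical, and a string-prefix match stands in for real CIDR matching.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Added example (hypothetical firewall, not real product code).

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str          # "tcp" or "udp"
    syn: bool = False   # TCP SYN flag: True on a connection-initiating segment

@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    proto: Optional[str] = None       # None means "any" for each field below
    src_prefix: Optional[str] = None  # string prefix stands in for a CIDR match
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        # Layer 3/4 header fields only: the payload is never examined.
        return ((self.proto is None or self.proto == p.proto)
                and (self.src_prefix is None or p.src_ip.startswith(self.src_prefix))
                and (self.dst_port is None or self.dst_port == p.dst_port))

def stateless_filter(rules: List[Rule], p: Packet) -> str:
    """Packet filter: the first matching rule decides; no match means deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

Flow = Tuple[str, str, int, int, str]   # (src ip, dst ip, src port, dst port, proto)

class StatefulFirewall:
    """Stateful inspection: remembers flows the policy admitted so that their
    reply packets pass without a rule that would also admit unsolicited inbound
    traffic from the same addresses."""
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.flows: Set[Flow] = set()

    def filter(self, p: Packet) -> str:
        reverse: Flow = (p.dst_ip, p.src_ip, p.dst_port, p.src_port, p.proto)
        if reverse in self.flows:
            return "allow"            # reply direction of a tracked connection
        decision = stateless_filter(self.rules, p)
        # Track only admitted flows, and for TCP only from the opening SYN,
        # so a stray non-SYN segment cannot create connection state.
        if decision == "allow" and (p.proto != "tcp" or p.syn):
            self.flows.add((p.src_ip, p.dst_ip, p.src_port, p.dst_port, p.proto))
        return decision

# Hypothetical policy: internal hosts (10.0.0.0/24) may open HTTPS outbound;
# everything else falls through to the implicit deny.
POLICY = [Rule(action="allow", proto="tcp", src_prefix="10.0.0.", dst_port=443)]

def demo() -> dict:
    """Run three constructed packets through both filters and return the decisions."""
    outbound = Packet("10.0.0.5", "198.51.100.20", 51000, 443, "tcp", syn=True)
    reply = Packet("198.51.100.20", "10.0.0.5", 443, 51000, "tcp")
    unsolicited = Packet("203.0.113.9", "10.0.0.5", 4444, 22, "tcp", syn=True)
    fw = StatefulFirewall(POLICY)
    return {
        "stateless": [stateless_filter(POLICY, p) for p in (outbound, reply, unsolicited)],
        "stateful": [fw.filter(p) for p in (outbound, reply, unsolicited)],
    }

if __name__ == "__main__":
    print(demo())
```

The stateless filter drops the server's reply because no rule admits traffic from outside the 10.0.0.0/24 prefix; the only way to let it through would be a rule admitting inbound packets from port 443 in general. The stateful firewall admits the reply because it belongs to a flow the policy already allowed, while the unsolicited inbound packet is still denied.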

2. Intrusion Detection Systems (IDS) (Gollmann, Chapter 17.4)

What Is Intrusion Detection?

Intrusion Detection Systems (IDS) monitor system and network activity to detect potential attacks or security violations.

Types of IDS

  1. Host-Based IDS (HIDS)
    • Monitors activity on individual devices (e.g., login attempts, file changes).
    • Can detect insider threats but consumes system resources.
  2. Network-Based IDS (NIDS)
    • Monitors network traffic for malicious activity.
    • Cannot detect host-level anomalies (e.g., unauthorized file access).

Detection Mechanisms

  • Signature-Based Detection
    • Uses known attack patterns (e.g., malware signatures).
    • High accuracy for known threats but fails against zero-day attacks.
  • Anomaly-Based Detection
    • Uses machine learning/statistical models to detect unusual behavior.
    • Can detect new attacks but often has high false positive rates.
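The two mechanisms can be compared on the same input. This is an added example, not from the text: a signature detector and a statistical anomaly detector run over constructed web-server access-log lines. The log lines, the two signatures, the baseline counts and the class and function names (parse_line, signature_detect, RateAnomalyDetector, run_both) are all hypothetical.

```python
import re
import statistics
from collections import Counter
from typing import Dict, List, Tuple

# Added example (hypothetical detectors over constructed log data).

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line: str) -> Tuple[str, str, str, int]:
    """Return (source ip, method, path, status) from one common-log-format line."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    src, method, path, status = m.groups()
    return src, method, path, int(status)

# Signature-based detection: fixed patterns for request shapes already known to be hostile.
SIGNATURES: Dict[str, "re.Pattern[str]"] = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-union":      re.compile(r"union\s+select", re.IGNORECASE),
}

def signature_detect(lines: List[str]) -> List[Tuple[str, str]]:
    """Alert (source, signature name) for every request matching a known pattern."""
    hits = []
    for line in lines:
        src, _method, path, _status = parse_line(line)
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                hits.append((src, name))
    return hits

# Anomaly-based detection: learn a baseline of requests per source per window,
# then flag any source more than k standard deviations above the mean.
class RateAnomalyDetector:
    def __init__(self, baseline_counts: List[int], k: float = 3.0) -> None:
        self.mean = statistics.mean(baseline_counts)
        self.stdev = statistics.pstdev(baseline_counts)
        self.threshold = self.mean + k * self.stdev

    def detect(self, lines: List[str]) -> List[str]:
        counts = Counter(parse_line(line)[0] for line in lines)
        return sorted(src for src, n in counts.items() if n > self.threshold)

# Constructed log window: two ordinary clients, one request carrying a known
# signature, and one source issuing many requests none of which matches a signature.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /about.html HTTP/1.1" 200 433',
    '10.0.0.8 - - [10/Oct/2023:13:55:40 +0000] "POST /login HTTP/1.1" 302 0',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /files/../../config.txt HTTP/1.1" 404 0',
] + [
    f'203.0.113.9 - - [10/Oct/2023:13:56:{10 + i:02d} +0000] "GET /page{i}.html HTTP/1.1" 404 0'
    for i in range(8)
]

# Constructed baseline: requests per source per window on an ordinary day
# (mean 4.6, population stdev about 0.92, so the k=3 threshold is about 7.35).
BASELINE_COUNTS = [4, 5, 3, 6, 4, 5, 4, 5, 6, 4]

def run_both() -> Dict[str, list]:
    """Run both detectors over the sample window and return their alerts."""
    return {
        "signature": signature_detect(SAMPLE_LOG),
        "anomaly": RateAnomalyDetector(BASELINE_COUNTS).detect(SAMPLE_LOG),
    }

if __name__ == "__main__":
    print(run_both())
```

Each detector sees something the other misses: the signature detector names exactly which known pattern fired, but says nothing about the source sending eight unusual requests, while the anomaly detector flags that source on volume alone without knowing whether it is hostile. The k parameter is the knob behind the false-positive rate mentioned above: lowering it catches subtler deviations and flags more benign bursts.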

3. ROC Analysis in Intrusion Detection (Fawcett, 2006)

What Is ROC Analysis?

Receiver Operating Characteristic (ROC) analysis is used to evaluate binary classification models, including IDS performance.

Key Terms in ROC Analysis

  • True Positives (TP): Correctly detected attacks.
  • False Positives (FP): Normal activity incorrectly flagged as an attack.
  • True Negatives (TN): Normal activity correctly identified as safe.
  • False Negatives (FN): Missed attacks (failed detection).

ROC Curve in IDS

  • Plots True Positive Rate (TPR) vs. False Positive Rate (FPR).
  • Ideal IDS: High TPR, Low FPR.
  • AUC (Area Under Curve): Measures overall IDS performance (higher = better).

Balancing Detection Accuracy

  • Lowering False Positives: Improves efficiency but risks missing attacks.
  • Lowering False Negatives: Improves security but increases alert fatigue.
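The ROC computation and the trade-off in the two sections above can be carried through on a small data set. The following is an added example, not code from Fawcett's paper: confusion counts at a threshold, the ROC points obtained by sweeping the threshold, the trapezoidal AUC, and the choice of an operating point under a false-positive budget. The scores, labels and function names are hypothetical; scores are treated as an IDS confidence that an event is an attack, and an alert is raised when the score reaches the threshold.

```python
from math import inf
from typing import List, Sequence, Tuple

# Added example (constructed IDS scores, not data from the paper).

def confusion(scores: Sequence[float], labels: Sequence[bool], threshold: float) -> Tuple[int, int, int, int]:
    """Count (TP, FP, TN, FN) when every event with score >= threshold raises an alert."""
    tp = fp = tn = fn = 0
    for score, is_attack in zip(scores, labels):
        alert = score >= threshold
        if alert and is_attack:
            tp += 1
        elif alert and not is_attack:
            fp += 1
        elif not alert and is_attack:
            fn += 1
        else:
            tn += 1
    return tp, fp, tn, fn

def rates(tp: int, fp: int, tn: int, fn: int) -> Tuple[float, float]:
    """(TPR, FPR) with TPR = TP / (TP + FN) and FPR = FP / (FP + TN)."""
    return tp / (tp + fn), fp / (fp + tn)

def roc_points(scores: Sequence[float], labels: Sequence[bool]) -> List[Tuple[float, float, float]]:
    """(threshold, FPR, TPR) for each distinct threshold, sweeping from
    'alert on nothing' (0, 0) down to 'alert on everything' (1, 1)."""
    thresholds = [inf] + sorted(set(scores), reverse=True)
    points = []
    for t in thresholds:
        tpr, fpr = rates(*confusion(scores, labels, t))
        points.append((t, fpr, tpr))
    return points

def auc(points: List[Tuple[float, float, float]]) -> float:
    """Area under the ROC curve by the trapezoidal rule over consecutive points."""
    area = 0.0
    for (_, x0, y0), (_, x1, y1) in zip(points, points[1:]):
        area += (x1 - x0) * (y0 + y1) / 2
    return area

def choose_threshold(scores: Sequence[float], labels: Sequence[bool], max_fpr: float) -> Tuple[float, float, float]:
    """Operating point with the highest TPR whose FPR stays within the alert budget;
    on a TPR tie the stricter (higher) threshold wins. Returns (threshold, TPR, FPR)."""
    candidates = [(tpr, t, fpr) for t, fpr, tpr in roc_points(scores, labels) if fpr <= max_fpr]
    tpr, t, fpr = max(candidates)
    return t, tpr, fpr

# Constructed: ten events scored by a hypothetical IDS; True marks a real attack.
SCORES = [0.95, 0.90, 0.80, 0.70, 0.60, 0.55, 0.40, 0.30, 0.20, 0.10]
LABELS = [True, True, False, True, True, False, True, False, False, False]

if __name__ == "__main__":
    for t, fpr, tpr in roc_points(SCORES, LABELS):
        print(f"threshold={t:<5} FPR={fpr:.1f} TPR={tpr:.1f}")
    print("AUC =", auc(roc_points(SCORES, LABELS)))
    print("budget FPR <= 0.2 ->", choose_threshold(SCORES, LABELS, 0.2))
```

With these ten events the curve passes through (0.2, 0.8) at threshold 0.60 and the AUC is 0.84, which agrees with the rank-based reading of AUC as the fraction of (attack, normal) pairs in which the attack scored higher (21 of 25). Lowering the threshold from 0.60 to 0.40 catches the last attack (TPR 1.0) at the cost of another false alarm (FPR 0.4), which is the "fewer missed attacks, more alert fatigue" trade-off in numbers.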

Conclusion

  1. Firewalls provide first-line defense by controlling network traffic.
  2. IDS monitors network and system behavior for signs of intrusion.
  3. ROC analysis helps assess IDS effectiveness by balancing accuracy vs. false alarms.
