IDS

Purpose

The IDS object represents an Intrusion Detection System, used to detect unauthorized or malicious use of resources. Intrusions are detected by matching characteristics of observed activity against known malicious patterns (signatures). Depending on which connections are used, the IDS acts as a Host Intrusion Detection System (HIDS) or as a Network Intrusion Detection System (NIDS).

Connections

Each connection is listed with its Object, Connection name, Description and Function (the effect on the model when the connection is absent).

Object: Host
Connection: HIDS Execution
Description: Connection to a Host denotes that the Host is equipped with a host-based IDS (HIDS).
Function: If no IDS is connected to the Host, attacks on the Host (for example exploits or USB-borne malware) reach it without any IDS in the path, so the IDS is bypassed directly.

Object: Router
Connection: NIDS Execution
Description: Connection to a Router denotes that the traffic passing through the Router is inspected by an IDS on the network level (NIDS).
Function: An IDS that is not connected to any Router does not act as a NIDS; no traffic is inspected on the network level.

Object: Dataflow
Connection: Protection
Description: Connection to a Dataflow denotes that the traffic in that Dataflow is inspected by a network-based IDS (NIDS), provided that the traffic is not encrypted.
Function: A Dataflow that is not connected to the IDS is not inspected, which reduces the time needed to attack through that Dataflow (unless the Dataflow is otherwise associated with a Router that the IDS is connected to).
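The connection rules above are easy to misread, in particular when a Dataflow counts as inspected. The following is an added example, not code from this page or from securiCAD/SecuriLang, that encodes those rules in a small hypothetical model: the class names (IDS, Host, Router, Dataflow), the attribute names and the sample model are all assumptions made for illustration. It shows how the IDS role follows from its connections, that a Host without a HIDS connection is directly attackable, and that a Dataflow is inspected only when it is unencrypted and either has an explicit Protection connection or passes through a Router with a NIDS Execution connection.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Added example: a hypothetical, minimal encoding of the IDS connection rules
# described on this page. Class and function names are assumptions made for
# this example; they are not securiCAD's or SecuriLang's own API.


@dataclass
class IDS:
    name: str


@dataclass
class Host:
    name: str
    hids: Optional[IDS] = None  # "HIDS Execution" connection


@dataclass
class Router:
    name: str
    nids: Optional[IDS] = None  # "NIDS Execution" connection


@dataclass
class Dataflow:
    name: str
    encrypted: bool
    routers: List[Router] = field(default_factory=list)  # Routers the flow passes through
    protection: Optional[IDS] = None  # explicit "Protection" connection


def ids_roles(ids: IDS, hosts: List[Host], routers: List[Router]) -> Set[str]:
    """The role(s) an IDS takes on, determined purely by its connections."""
    roles = set()
    if any(h.hids is ids for h in hosts):
        roles.add("HIDS")
    if any(r.nids is ids for r in routers):
        roles.add("NIDS")
    return roles


def host_directly_attackable(host: Host) -> bool:
    """A Host without a HIDS connection lets exploits or USB-borne attacks
    reach it with no IDS in the path (direct bypass)."""
    return host.hids is None


def dataflow_inspected(flow: Dataflow) -> bool:
    """A Dataflow is NIDS-inspected only if it is unencrypted and either has an
    explicit Protection connection or passes through a Router that is connected
    to an IDS (the page's 'association with the IDS's Router')."""
    if flow.encrypted:
        return False
    if flow.protection is not None:
        return True
    return any(r.nids is not None for r in flow.routers)


def evaluate_model() -> dict:
    """Constructed sample model (not taken from the page): one IDS, two Hosts,
    one Router and four Dataflows covering each inspection case."""
    ids = IDS("corp-ids")
    web = Host("web", hids=ids)
    db = Host("db")  # no HIDS connected
    edge = Router("edge", nids=ids)
    plain = Dataflow("http", encrypted=False, routers=[edge])
    tls = Dataflow("https", encrypted=True, routers=[edge])  # encrypted: not inspected
    direct = Dataflow("syslog", encrypted=False, protection=ids)  # explicit link, no Router
    unseen = Dataflow("backup", encrypted=False)  # neither link: attack time reduced
    return {
        "roles": ids_roles(ids, [web, db], [edge]),
        "db_direct_bypass": host_directly_attackable(db),
        "web_direct_bypass": host_directly_attackable(web),
        "inspected": {f.name: dataflow_inspected(f) for f in (plain, tls, direct, unseen)},
    }


if __name__ == "__main__":
    print(evaluate_model())
```

Running the block prints the roles ({"HIDS", "NIDS"}), shows that only the "db" Host is directly bypassable, and that of the four Dataflows only "http" and "syslog" are inspected: "https" fails the unencrypted condition even though it passes the protected Router, and "backup" has neither a Protection connection nor a path through that Router.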

Attack Steps and Defenses

Attack Step: No attack steps
Description: There are no attack steps directly on an IDS in SecuriLang.

Each defense is listed with its name, Description, Impact and Default value.

Defense: Enabled
Description: An Enabled IDS is installed, configured and works properly and as expected.
Impact: Reduces the probability of BypassIDS.
Default: On

Defense: Tuned
Description: A Tuned IDS has had its rules adjusted to the environment it monitors, which decreases both false negatives and false positives and thereby improves detection accuracy, usability and effectiveness.
Impact: Reduces the probability of BypassIDS.
Default: 0.5

Defense: Updated
Description: Signature-based IDSs need their rulesets updated regularly to respond appropriately to new attacks and vulnerabilities. An Updated IDS is fully updated and contains all known signatures.
Impact: Reduces the probability of BypassIDS.
Default: 0.5
