Created by Akanksha

Confusion Matrix causing confusion 🤔 during Risk Identification in Security Surveillance of an Organizational Network

Technology is meant to make human life easier, but security breaches happen at a high rate. Lured by money, or driven by personal grudges, many crackers enter an organization's network to plant malicious software, which results in damaged systems and leaking of confidential information.

  • Malware and other harmful programs are sometimes downloaded along with software from fake sites, landing at an unknown location on the system.
  • Spyware obtains data from the hard drive and transmits it to the attacker.
  • Malware with a disguised intention is popularly known as a Trojan or Trojan horse. Apart from attacking the system, Trojans can create a backdoor for attackers to stealthily get into the system.
  • Bots (or Internet bots) are software programs developed to automate a repetitive task. Bad bots are self-propagating malware that infects the host and reports back to a central command-and-control server. These bots are capable of collecting passwords, logging keystrokes, harvesting personal financial data, and stealing other sensitive data.
  • Adware is one of the most visible forms of malware; you recognise it as soon as you see it. It pushes uninvited, automatically generated, clickable advertisements that lead you to downloadable malicious software. They usually appear as pop-ups or random windows that do not close.
Common attacks on an organizational network include:
  • Phishing Attack
  • Man in the Middle Attack
  • Session Hijacking Attack
  • Denial of Service Attack
  • SQL Injection Attack
  • DNS Tunneling Attack
  • Zero-Day Exploit Attack
  • Brute Force Attack
  • Credential Stuffing Attack
  • Birthday Attack
  • XSS Attack
Topology of IDS and IPS

👉 IDS :

An Intrusion Detection System (IDS) is a system that monitors network traffic for suspicious activity and issues alerts when such activity is discovered. It is a software application that scans a network or a system for harmful activity or policy breaches. Any malicious activity or violation is normally reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system integrates outputs from multiple sources and uses alarm filtering techniques to differentiate malicious activity from false alarms.

  • Host Intrusion Detection System (HIDS):
    Host intrusion detection systems (HIDS) run on individual hosts or devices on the network. A HIDS monitors only the incoming and outgoing packets of that device and alerts the administrator if suspicious or malicious activity is detected. It also takes a snapshot of existing system files and compares it with the previous snapshot. If critical system files were edited or deleted, an alert is sent to the administrator to investigate. A typical use of HIDS is on mission-critical machines whose configuration is not expected to change.
  • Protocol-based Intrusion Detection System (PIDS):
    A protocol-based intrusion detection system (PIDS) consists of a system or agent that resides at the front end of a server, controlling and interpreting the protocol between a user/device and the server. It tries to secure a web server by continuously monitoring the HTTPS protocol stream and checking the HTTP protocol carried inside it. Because the HTTPS stream is only available unencrypted immediately before it enters the web presentation layer, the system has to reside at that interface in order to inspect the HTTP inside the HTTPS.
  • Application Protocol-based Intrusion Detection System (APIDS):
    An application protocol-based intrusion detection system (APIDS) is a system or agent that generally resides within a group of servers. It identifies intrusions by monitoring and interpreting the communication on application-specific protocols. For example, it would monitor the SQL protocol used by the middleware as it transacts with the database behind the web server.
  • Hybrid Intrusion Detection System :
    A hybrid intrusion detection system combines two or more of the above approaches. Host agent or system data is combined with network information to develop a complete view of the network. This makes a hybrid system more effective than any single approach on its own. Prelude is an example of a hybrid IDS.

👉 IPS :

An Intrusion Prevention System (IPS) is also known as an Intrusion Detection and Prevention System. It is a network security application that monitors network or system activities for malicious activity. The major functions of an intrusion prevention system are to identify malicious activity, collect information about it, report it, and attempt to block or stop it.

  • Wireless intrusion prevention system (WIPS):
    It monitors a wireless network for suspicious traffic by analyzing wireless networking protocols.
  • Network behavior analysis (NBA):
    It examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service attacks, specific forms of malware and policy violations.
  • Host-based intrusion prevention system (HIPS):
    It is an installed software package that monitors a single host for suspicious activity by analysing the events that occur within that host.
Challenges in IDS and IPS Systems

😥 Challenges with IDS and IPS Systems :

One issue is the type of errors likely to occur in the system. These can be neatly categorized as false positives, false negatives, or subversion errors. A false positive occurs when the system classifies a legitimate action as anomalous (a possible intrusion). A false negative occurs when an actual intrusive action has occurred but the system lets it pass as non-intrusive behaviour. A subversion error occurs when an intruder modifies the operation of the intrusion detector to force false negatives to occur. The first two trade off against each other: tightening a signature or threshold to catch more intrusions raises the false alarm rate and buries analysts in alerts, while loosening it lets real attacks through.

Confusion Matrix

Conclusion :

The accuracy of an IDS or IPS is calculated as accuracy = (TP + TN) / (TP + TN + FP + FN), where TP (True Positive), TN (True Negative), FP (False Positive) and FN (False Negative) come from the confusion matrix that analysts build by comparing the system's decisions with what actually happened. Because attacks are rare compared with normal traffic, accuracy is dominated by TN and can look excellent for a system that detects almost nothing; the detection rate TP / (TP + FN) and the false positive rate FP / (FP + TN) tell a practitioner far more about how the system behaves.
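The error types and the confusion matrix from the two passages above, worked as an added example (not code from the original post): a deliberately naive signature detector is run over a constructed batch of labelled web requests, the four outcomes are tallied, and accuracy, precision, detection rate and false positive rate are computed from TP, TN, FP and FN using the standard definitions. The benign "select-user-guide.pdf" request produces the false positive, and the URL-encoded traversal (which the signature "../" never matches) produces the false negative, which is also how an intruder who knows the signature list forces misses. A second, constructed set of counts shows why accuracy alone misleads when attacks are rare.

```python
"""Confusion matrix for an IDS: detector verdicts versus analyst ground truth.

Added example; the events, signatures and counts below are constructed for
illustration and are not taken from any real deployment.
"""
from dataclasses import dataclass
from typing import Callable, Iterable

# Constructed sample of web requests seen by a network sensor. The third
# field is the analyst's ground truth (was it really an attack?), which the
# detector never sees.
SAMPLE_EVENTS = [
    ("10.0.0.5",  "/index.html",                          False),
    ("10.0.0.7",  "/login?user=admin'--",                 True),   # SQL injection
    ("10.0.0.9",  "/search?q=<script>alert(1)</script>",  True),   # XSS
    ("10.0.0.5",  "/docs/select-user-guide.pdf",          False),  # benign, contains "select"
    ("10.0.0.11", "/api/items?id=1 UNION SELECT 1,2",     True),   # SQL injection
    ("10.0.0.12", "/profile",                             False),
    ("10.0.0.13", "/news?tag=scripts",                    False),
    ("10.0.0.14", "/%2e%2e/%2e%2e/etc/passwd",            True),   # traversal, URL-encoded
    ("10.0.0.15", "/about",                               False),
    ("10.0.0.16", "/contact",                             False),
]

# Deliberately naive signature list so that both error types show up.
SIGNATURES = ("'--", "<script", "select", "../")

Detector = Callable[[str], bool]


def signature_detector(path: str) -> bool:
    """Alert when any signature appears in the lower-cased request path."""
    lowered = path.lower()
    return any(sig in lowered for sig in SIGNATURES)


def never_alert(_path: str) -> bool:
    """A 'detector' that never alerts; used to show the accuracy trap."""
    return False


@dataclass(frozen=True)
class ConfusionMatrix:
    tp: int = 0  # alerted, and it really was an attack
    tn: int = 0  # silent, and it really was benign
    fp: int = 0  # alerted on benign traffic (false alarm)
    fn: int = 0  # silent on a real attack (missed intrusion)

    @staticmethod
    def _ratio(num: int, den: int) -> float:
        return num / den if den else 0.0

    def accuracy(self) -> float:
        return self._ratio(self.tp + self.tn, self.tp + self.tn + self.fp + self.fn)

    def precision(self) -> float:
        """Share of alerts that were real attacks: what the analyst queue looks like."""
        return self._ratio(self.tp, self.tp + self.fp)

    def recall(self) -> float:
        """Share of real attacks that were caught (detection rate)."""
        return self._ratio(self.tp, self.tp + self.fn)

    def false_positive_rate(self) -> float:
        return self._ratio(self.fp, self.fp + self.tn)

    def false_negative_rate(self) -> float:
        return self._ratio(self.fn, self.fn + self.tp)


def build_confusion_matrix(events: Iterable[tuple[str, str, bool]],
                           detector: Detector) -> ConfusionMatrix:
    """Run the detector over labelled events and tally the four outcomes."""
    tp = tn = fp = fn = 0
    for _source, path, is_attack in events:
        alerted = detector(path)
        if alerted and is_attack:
            tp += 1
        elif alerted:
            fp += 1
        elif is_attack:
            fn += 1
        else:
            tn += 1
    return ConfusionMatrix(tp=tp, tn=tn, fp=fp, fn=fn)


if __name__ == "__main__":
    cm = build_confusion_matrix(SAMPLE_EVENTS, signature_detector)
    print(cm)
    print(f"accuracy={cm.accuracy():.2f} precision={cm.precision():.2f} "
          f"recall={cm.recall():.2f} FPR={cm.false_positive_rate():.3f}")

    # Accuracy trap: with attacks rare, a detector that never alerts scores
    # very well on accuracy while detecting nothing. Constructed counts.
    skewed = ConfusionMatrix(tp=0, tn=9990, fp=0, fn=10)
    print(f"never-alert on skewed traffic: accuracy={skewed.accuracy():.3f} "
          f"recall={skewed.recall():.1f}")
```

On the sample batch the signature detector scores TP=3, TN=5, FP=1, FN=1, so accuracy 0.80 with precision and detection rate both 0.75. The skewed counts (10 attacks in 10,000 events, detector silent) give accuracy 0.999 and a detection rate of 0, which is the confusion the title refers to: report the detection rate and false positive rate alongside accuracy, and fix the evasion by normalising (URL-decoding) the request before matching rather than by adding more literal signatures.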

Technology enhancement takes a journey of learning and exploring!! On my way to achieve and follow my own star!!