EHDFchapter 4

Network forensics is the capture, recording, and analysis of network traffic to determine the source of network security attacks and collect evidence. It examines network traffic data from various sources like firewalls and intrusion detection systems to detect attacks, analyze attacker activity, and identify intrusion patterns. Popular network forensics tools allow monitoring networks and gathering information on malicious traffic to aid in security investigations and incident response.
What is network forensics?

Network forensics is the capture, recording and analysis of network packets in order to determine the source of network security attacks. The major goal of network forensics is to collect evidence. It analyzes network traffic data collected from different sites and different network equipment, such as firewalls and IDS. In addition, it monitors the network to detect attacks and analyze the nature of the attackers. Network forensics is also the process of detecting intrusion patterns, focusing on attacker activity.

A generic network forensic examination includes the following steps:

Identification, preservation, collection, examination, analysis, presentation and incident response.

The following is a brief overview of each step:

Identification: recognizing and determining an incident based on network indicators. This step is significant since it affects all of the following steps.
Preservation: securing and isolating the state of physical and logical evidence so that it cannot be altered, for example by protecting it from electromagnetic damage or interference.
Collection: recording the physical scene and duplicating digital evidence using standardized methods and procedures.
Examination: an in-depth, systematic search for evidence relating to the network attack. This focuses on identifying and discovering potential evidence and building detailed documentation for analysis.
Analysis: determining significance, reconstructing packets of network traffic data and drawing conclusions based on the evidence found.
Presentation: summarizing and explaining the conclusions drawn.
Incident Response: the response to the detected attack or intrusion is initiated based on the information gathered to validate and assess the incident.
Network forensics analysis, like any other forensic investigation, presents many challenges. The first challenge is related to traffic data sniffing. Depending on the network configuration and the security measures where the sniffer is deployed, the tool may not capture all of the desired traffic data. To solve this issue, the network administrator should use a SPAN port on network devices in multiple places of the network.
One tedious task in network forensics is data correlation. Data correlation can be either causal or temporal. For the latter case, timestamps must be logged as well.
An attacker may encrypt the traffic, usually using an SSL VPN connection. For a network investigator, the address and port are still visible; however, the data stream is not available. More logging and additional sleuthing must be performed in order to determine the exfiltrated data.
Another challenge is determining the source of an attack, since an attacker may use a zombie machine, an intermediate host to perform the attack, or simply a remote proxy server. This makes it difficult for a network investigator to trace the attacker's original address.
Taking these concerns into consideration, the main task of a network forensics investigator is to analyze network packet captures, known as PCAP files. Items present in network traffic which should be examined include, but are not limited to: protocols used, IP addresses, port numbers, timestamps, malicious packets, transferred files, User-Agents, application server versions, and operating system versions. This information can be extracted from different types of traffic.
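As an added illustration of the PCAP review items just listed (not code from the original notes or from any tool they cite), the following standard-library Python walks a pcap file and tallies protocols, IP endpoints, destination ports, the capture's time span and HTTP User-Agent strings. The sample capture is constructed in the script itself; the pcap layout assumed is the classic little-endian Ethernet format that tcpdump and Wireshark write.

```python
"""Walk a pcap capture and pull out forensic review items: protocols,
IP addresses, port numbers, timestamps and HTTP User-Agent strings."""
import socket
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4          # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame for the sample capture (checksums
    are left at zero; that is fine for parsing but not for a real stack)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp

def build_pcap(frames, start_ts=1_700_000_000):
    """Constructed pcap file: global header, then one record per frame, one second apart."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", start_ts + i, 0, len(frame), len(frame)) + frame
    return out

def iter_records(pcap_bytes):
    """Yield (timestamp, frame) for each record in a little-endian Ethernet pcap."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", pcap_bytes[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian Ethernet pcap files are handled here")
    off = 24
    while off + 16 <= len(pcap_bytes):
        ts_sec, ts_usec, incl_len, _ = struct.unpack("<IIII", pcap_bytes[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, pcap_bytes[off:off + incl_len]
        off += incl_len

def parse_frame(frame):
    """Decode Ethernet -> IPv4 -> TCP/UDP; returns None for non-IPv4 frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[23]
    l4 = frame[14 + ihl:]
    rec = {"proto": PROTO_NAMES.get(proto, str(proto)),
           "src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
           "sport": None, "dport": None, "payload": b""}
    if proto == 6 and len(l4) >= 20:      # TCP: data offset in upper nibble of byte 12
        rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
        rec["payload"] = l4[(l4[12] >> 4) * 4:]
    elif proto == 17 and len(l4) >= 8:    # UDP: fixed 8-byte header
        rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
        rec["payload"] = l4[8:]
    return rec

def extract_user_agent(payload):
    """Return the User-Agent header of an HTTP request payload, if present."""
    if not payload.startswith((b"GET ", b"POST ", b"HEAD ")):
        return None
    for line in payload.split(b"\r\n")[1:]:
        if line.lower().startswith(b"user-agent:"):
            return line.split(b":", 1)[1].strip().decode("latin-1")
    return None

def summarize(pcap_bytes):
    """Tally the review items for a capture and record its time span."""
    s = {"protocols": Counter(), "endpoints": Counter(), "dports": Counter(),
         "user_agents": Counter(), "first_ts": None, "last_ts": None}
    for ts, frame in iter_records(pcap_bytes):
        s["first_ts"] = ts if s["first_ts"] is None else s["first_ts"]
        s["last_ts"] = ts
        rec = parse_frame(frame)
        if rec is None:
            continue
        s["protocols"][rec["proto"]] += 1
        s["endpoints"][(rec["src"], rec["dst"])] += 1
        if rec["dport"] is not None:
            s["dports"][rec["dport"]] += 1
        ua = extract_user_agent(rec["payload"])
        if ua:
            s["user_agents"][ua] += 1
    return s

# Constructed sample capture: two HTTP requests and one SSH connection attempt.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "203.0.113.10", 51000, 80,
                b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    build_frame("10.0.0.5", "203.0.113.10", 51001, 80,
                b"GET /x HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl/8.0\r\n\r\n"),
    build_frame("10.0.0.7", "203.0.113.22", 40000, 22, b""),
])
```

Pointing `iter_records` at the bytes of a real capture file gives the same summary for that file; frames that are not IPv4 are skipped rather than parsed.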

What traffic protocols and network layers are analyzed in network forensics?

This section shows where digital forensic methods can be applied within the different network protocols or layers.

Data-link and physical layer examined (Ethernet)

At this level, methods rely on eavesdropping on bit streams at the Ethernet layer of the OSI model. This can be done using monitoring tools or sniffers such as Wireshark or Tcpdump, both of which capture traffic data from a network card interface configured in promiscuous mode. Those tools allow the investigator to filter traffic and reconstruct attachments transmitted over the network. In addition, protocols can be consulted and analyzed, such as the Address Resolution Protocol (ARP) or any higher-level protocol. However, this can be averted with encryption. Encryption might indicate that the host is suspicious, since an attacker uses encryption to secure his connection and bypass eavesdropping. The disadvantage of this method is that it requires a large storage capacity.

Transport and network layer examined (TCP/IP)

Forensic methods can also be applied at the network layer. The network layer provides routing information based on the routing table present on every router, and also provides authentication log evidence. Investigating this information helps determine compromised packets, identify the source, and reverse-route and track data. Network device logs provide detailed information about network activities. Multiple logs recorded from different network devices can be correlated to reconstruct the attack scenario. Because network devices have a limited storage capacity, network administrators configure the devices to send logs to a server and store them there for a period of time.

Traffic examined based on the use case (Internet)

The internet provides numerous services such as WWW, email, chat, file transfer, etc., which makes it rich with digital evidence. This evidence is obtained by identifying the logs of servers deployed on the internet. Servers include web servers, email servers, internet relay chat (IRC) servers, and servers for other types of traffic and communication. These servers collect useful log information, such as browsing history, email accounts (except when email headers are faked), user account information, etc.

Wireless
This is achieved by collecting and analyzing traffic from wireless networks and devices, such as mobile phones. This extends normal traffic data to include voice communications. Phone location can also be determined. The analysis methods for wireless traffic are similar to those for wired network traffic, but different security issues should be taken into consideration.
What types of systems are used to collect network data/traffic?
What are some pros and cons of each of the above systems?
Network traffic data collection systems can be of two kinds: "stop, look and listen" or "catch-it-as-you-can".
"Catch-it-as-you-can": all packets are sent through a traffic point where they are stored in a database. After that, analysis is performed on the stored data. The analysis results are also stored in the database. The saved data can be kept for future analysis. It should be noted, though, that this type of system requires a large storage capacity.
The "stop, look and listen" system is different from the "catch-it-as-you-can" system, since only the data required for analysis is saved into the database. The incoming traffic is filtered and analyzed in real time in memory, which means this system requires less storage but a much faster processor.
While both systems require generous storage capacity, the privacy concerns with the "catch-it-as-you-can" system should be weighed and considered. User data is also captured by this system; however, ISPs are forbidden from intercepting or disclosing content without user permission.

What are some popular network forensics tools & resources?

Network Forensic Analysis Tools (NFATs) allow network investigators and network administrators to monitor networks and gather all information about anomalous or malicious traffic. These tools work together with network systems and network devices, such as firewalls and IDS, to make preserving a long-term record of network traffic possible. NFATs allow a quick analysis of the patterns identified by network security equipment.

The following are a few functions of a Network Forensic Analysis Tool:

• Network traffic capturing and analysis
• Evaluation of network performance
• Detection of anomalies and misuse of resources
• Determination of network protocols in use
• Aggregating data from multiple sources
• Security investigations and incident response
• Protection of intellectual property
Network forensics tools can be classified based on many criteria, for example as host-based or network-wide forensics tools. In this article, we classify those tools as general purpose tools, specific task tools, or libraries/frameworks.

General purpose tools

This category includes packet collectors (sniffers), protocol analyzers and Network Forensic Analyzers.
dumpcap, pcapdump and netsniff-ng are examples of packet sniffers, which record packets from the network and store them in files.
tcpdump, wireshark/tshark and tstat are popular protocol analyzers. These tools are used to inspect recorded traffic. They can be either packet-centric or session-centric.
Xplico and NetworkMiner are Network Forensic Analysis Tools (NFATs). These tools are data-centric and analyze the traffic content.

Specific Task Tools

These are often small programs written to do just one thing.
• Intrusion detection (snort, suricata, bro)
• Match regular expressions (ngrep)
• Extract files (nfex) or pictures (driftnet)
• Sniff passwords or HTTP sessions (dsniff, firesheep, ettercap, creds)
• Extract emails (mailsnarf, smtpcat)
• Print network/packet statistics (ntop, tcpstat, tstat)
• Extract SSL information (ssldump)
• Reconstruct TCP flows (tcpflow, tcpick)
• Fingerprinting (p0f, prads)

Libraries and Frameworks

• Python libraries (Libpcap, Scapy)

Conclusion
Network forensics ensures a faster incident response to an attack. It provides the ability to investigate attacks by tracing the attack back to its source and discovering the nature of the attacker, whether it is a person, a host or a network. In addition, network forensics provides methods to predict future attacks by correlating attack patterns from previous records of intrusion traffic data. This facilitates the presentation of admissible evidence in a court of law. This article was a quick survey of network forensics, the different traffic data types and the different types of systems used to collect them. Finally, it enumerated the popular tools on the market today. We hope you enjoyed reading, and check out Infosec's 5-Day Forensics Boot Camp training if you want to take your learning to the next level. We also encourage you to check out the rest of the Computer Forensics series.
https://resources.infosecinstitute.com/topic/computer-forensics-network-forensics-analysis-examination-steps/

Sources of evidence
Depending on the type of attack being investigated, a complex network may have several places where evidence can be collected. Let us discuss some of the common sources where we may find evidence during an investigation.
Application and OS logs
Various logs are generated in different locations depending on the events occurring. Application logs such as access logs and database logs, event logs generated by the operating systems in use (Windows event logs and Linux syslog), and logs from network devices such as firewalls and routers are some examples of log locations to look at.
When it comes to Windows event logs, there are three major categories of logs to be found.
Application: the Application log contains the events generated by the applications running on the operating system.
Security: as the name indicates, the Security log contains events related to security. This includes events such as valid and invalid logon attempts.
System: the System log contains events logged by system components. This includes events such as an operating system reboot due to a system failure or crash.
When it comes to event logs on Linux-based systems such as Ubuntu, most of the events can be seen in a single location, and that location may vary depending on the Linux flavor. In the case of Ubuntu, authentication logs, kernel logs, system logs and even some application-specific logs such as Apache logs will be available in the /var/log/ directory.

Intrusion Detection System/Intrusion Prevention System (IDS/IPS) alerts

Many investigations begin with an alert from an IDS or IPS. These logs usually include alert data such as the identifier of the rule that caused the alert and a description of the alert. In addition, we may find packet headers and payload in the alert. Depending on the tool being used, these logs may be extracted from various locations such as a file on the disk, a web GUI or email. The following figure shows alerts from Snort IDS being run in pfSense.

Routers, Firewalls and proxy logs

Routers are used to route traffic from one network to another. They are the most commonly used devices in enterprise networks, and they often contain many features that are of interest during a network forensic investigation.
Firewalls perform packet filtering based on a predefined ruleset. For example, let us assume that a rule has been defined to block any incoming traffic on port 3389. Any firewall will be able to do this as specified in its rules. Modern firewalls can do much more than packet filtering. They are often termed Next Generation Firewalls and come with additional features such as VPN, Intrusion Prevention Systems, Intrusion Detection Systems, Anti-Virus, Web Application Firewalls and more. Often, the goal of these modern firewalls is to effectively monitor the content within the packets and determine whether to allow them or not, and thus they contain logs of interest to us.
In addition to routers and firewalls, web proxies in enterprise environments contain interesting logs at a large scale. Web traffic constitutes the major share of an enterprise's network traffic. Employees' browsing activities in an enterprise environment almost always get recorded in web proxies, so web proxies can be a goldmine for investigators.

https://resources.infosecinstitute.com/topic/sources-of-network-forensic-evidence/

Network Forensics Tools

Tcpdump is a popular command line tool for capturing and analyzing network traffic, primarily on Unix-based systems. Using tcpdump, we can capture traffic and store the results in a file that is compatible with tools like Wireshark for further analysis. Tcpdump can be used either for a quick packet capture for troubleshooting or for capturing traffic continuously in large volumes for future analysis. It is worth noting that tcpdump can capture both layer 2 and layer 3 data. Continuous capture may cause disk space problems, as the size of the resulting capture file grows with the volume of network traffic. In addition to the ability to capture large amounts of traffic, tcpdump also supports filters to avoid capturing unnecessary traffic or to capture only the traffic we are interested in. One should be extra cautious with this feature, as applying capture filters can lead to missing potential evidence. So, it is recommended to capture as much traffic as possible and filter out the unnecessary traffic during analysis later.

Wireshark
It would be a surprise if someone worked in the cyber security field and had not heard of Wireshark. Wireshark is an open-source tool for capturing and analyzing traffic, with support for applying filters through its graphical user interface. On the system where Wireshark is running, one can choose the interface on which traffic needs to be captured.

Network Miner
According to the official website netresec.com, “NetworkMiner is an open source Network Forensic
Analysis Tool (NFAT) for Windows (but also works in Linux / Mac OS X / FreeBSD). NetworkMiner
can be used as a passive network sniffer/packet capturing tool in order to detect operating systems,
sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can
also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and
certificates from PCAP files.
NetworkMiner makes it easy to perform advanced Network Traffic Analysis (NTA) by providing
extracted artifacts in an intuitive user interface. The way data is presented not only makes the analysis
simpler, it also saves valuable time for the analyst or forensic investigator.
NetworkMiner has, since the first release in 2007, become a popular tool among incident response
teams as well as law enforcement. NetworkMiner is today used by companies and organizations all
over the world”.
NetworkMiner also comes as a professional version.
Splunk
Splunk is a proprietary, portable, highly extensible log aggregation and analysis tool. Splunk captures, indexes and correlates real-time data in a searchable container and produces graphs, alerts, dashboards and visualizations. When it comes to network forensics, Splunk plays a crucial role in providing evidence from various sources. While Splunk is a popular commercial tool, a free version is offered with limited features. It comes with an easy-to-use graphical user interface.

Snort
Snort is one of the most popular network Intrusion Detection Systems available for free. There is also a commercial version of Snort, currently offered by Cisco. Snort is highly configurable, which allows users to add custom plugins called preprocessors. In addition, it comes with a great set of output options. At its core, Snort produces alerts based on the rulesets provided to it. The Snort administrator needs to supply the rules, as the default installation does not come with any. However, the Snort website provides rulesets that can be fed into Snort, and in addition to these rules, one can write custom alert rules.

https://resources.infosecinstitute.com/topic/network-forensics-tools/

Challenges in Network Forensics

A challenge in the forensic analysis of a network is to first ensure that the network is adequate for forensic needs. For a successful investigation of the network, it must be equipped with an infrastructure that allows the investigation to be fully supported [4,5,9,10,19]. The infrastructure must ensure that the data necessary for a full investigation is available. Designing a network forensic infrastructure is a complex task because of the many possible ways the design can be done in the various spaces. The following is a brief description of some of these challenges:

Data sources
A typical network is made up of several data sources that include unprocessed network packets and
records of network devices and services. Although it is desirable to collect data from all sources, this
option is not always feasible, especially in those ecosystems consisting of large network
infrastructure. Therefore, an important decision is to select a subset of data sources that provide good
network coverage and make the collection processes practical.

Granularity in the data

A problem related to the selection of data sources is deciding how much detail should be retained. For example, when packets are collected on the network, full packets, packet headers only, or just connection information (IP addresses, port numbers, etc.) can be collected. However, retaining extensive data detail is not practical in large and complex networks.
Data integrity
It is essential to ensure the integrity of the data collected. The result of the forensic process may be adversely affected if the collected data is accidentally altered. Therefore, measures must be implemented to ensure data integrity during and after data collection and analysis.

Data as legal evidence

The use of data collected internally within an organization is quite different from how the data is presented in a court of law. In the latter case, the data collected must pass written legal procedures to qualify as evidence. The data must go through an admissibility test and a selection process by the court.

Privacy issues
The data collected is expected to include confidential information, such as emails and files, so proper handling of this data is crucial. The data must be protected by access control measures, so that only authorized personnel have access.

Data analysis
An important challenge is the analysis of the collected data to produce useful information that can be used in a decision-making process. Such an analysis process is in many ways challenging due to the complexity of a typical network environment and the amount and diversity of data involved. Innovative tools are needed to help investigators analyze the data. These tools draw on fields such as data mining and information visualization.
https://juniperpublishers.com/jfsci/JFSCI.MS.ID.555853.php

How to do a Wi-Fi Forensics Analysis

Wi-Fi forensics is a discipline of general digital computer forensic science. Its scope is to provide the tools and methodology to collect data in a wireless traffic environment, analyze it, and create valid evidence that is admissible in a court of law.
With today's expansion of Wi-Fi hotspots, it is common practice for someone who wants to access the internet to use these facilities to cut down costs. It is inevitable, though, that laptops using such a facility can be subjected to a hacker's criminal activity: gaining access to PDAs and laptop computers and stealing valuable data, bank account details, and other stored personal information.
Attackers try to find vulnerabilities in the protocols of the Wi-Fi network, so it is the responsibility of the forensic team to monitor the Wi-Fi traffic and determine whether any abnormality is an attack.
With Wi-Fi forensics, we can benchmark the network, troubleshoot it, and perform transactional and security attack analysis, while following the general principles that apply to all computer forensics.
To perform proper wireless forensics, we must first collect and analyze Wi-Fi traffic. Next, we evaluate the network performance to detect anomalies and misuse of resources, determine the network protocols used, aggregate data from multiple sources, and respond to incidents.

The process, according to the CIA forensics triangle, consists of three parts.
1. Capture. We must capture packets in promiscuous mode on a switched port analyzer (SPAN) port, which sends a copy of all network packets from one port to another port where they can be analyzed. We can also use a network test access point (TAP), a dedicated hardware device connected to a separate monitoring system, to help the forensic team analyze the network.
2. Identify. The packets must be identified and adequately filtered according to time and date.
3. Analyze. The packets are reconstructed and classified according to their type and header.
The first forensic examination step is to identify the incident based on network indicators. This is crucial for the following steps.
The data must be preserved and not altered by interference or electromagnetic damage. The second step is to collect the evidence, record the physical scene, and duplicate the data.
The examination comes next, with a systematic in-depth search of the evidence of the hacker's attack, after which we build detailed documentation for further analysis. The analysis determines the significance by reconstructing the packets of the Wi-Fi traffic and coming to a conclusion according to the evidence found.
Wireless forensics consists of two methods: live forensic analysis and after-the-event analysis. The method chosen depends on the circumstances.
In live forensic analysis, we must first determine the existing access points in the area, since some of them may not be nearby and signal distribution is not Gaussian. Every single device may hold information that will help in the forensic analysis. The gathered data includes the wireless channels, SSIDs, MAC addresses and signal strength of the access points, since criminals with an active approach can de-authenticate a user in a weak-signal environment, causing the user to try to connect multiple times with his secret key, which the attacker can intercept.
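The de-authentication behaviour described above is something a live or after-the-event analysis can look for directly. The following Python is an added example (not part of the original notes) that parses raw 802.11 frames, keeps the de-authentication frames, and flags any BSSID whose densest five-second window holds an abnormal number of them, noting how many were broadcast to all clients. It assumes frames without a radiotap header (as in a capture with link type 105); the sample frames are constructed in the script.

```python
"""Flag de-authentication bursts in captured 802.11 frames, grouped per BSSID.
Input frames are assumed to be raw 802.11 (no radiotap header), and the
sample frames below are constructed for the example."""
import struct
from collections import defaultdict

TYPE_MANAGEMENT = 0
SUBTYPE_DEAUTH = 12
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))

def build_frame(fc0, addr1, addr2, bssid, body=b""):
    """Constructed 802.11 frame: frame control, duration, three addresses,
    sequence control, then the frame body (no FCS)."""
    return (bytes([fc0, 0x00]) + struct.pack("<H", 0) + mac_bytes(addr1)
            + mac_bytes(addr2) + mac_bytes(bssid) + struct.pack("<H", 0) + body)

def build_deauth(addr1, addr2, bssid, reason):
    # Frame control byte 0xC0: protocol version 0, type 0 (management), subtype 12.
    return build_frame(0xC0, addr1, addr2, bssid, struct.pack("<H", reason))

def parse_80211(frame):
    """Decode the fixed header fields; the reason code is read only for deauth frames."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    rec = {"type": (fc0 >> 2) & 0x3, "subtype": (fc0 >> 4) & 0xF,
           "addr1": mac_str(frame[4:10]), "addr2": mac_str(frame[10:16]),
           "bssid": mac_str(frame[16:22]), "reason": None}
    if rec["type"] == TYPE_MANAGEMENT and rec["subtype"] == SUBTYPE_DEAUTH and len(frame) >= 26:
        rec["reason"] = struct.unpack("<H", frame[24:26])[0]
    return rec

def detect_deauth_bursts(records, window=5.0, threshold=10):
    """records: iterable of (timestamp, frame). Returns one finding per BSSID
    whose densest `window`-second span holds at least `threshold` deauths."""
    per_bssid = defaultdict(list)
    for ts, frame in records:
        p = parse_80211(frame)
        if p and p["type"] == TYPE_MANAGEMENT and p["subtype"] == SUBTYPE_DEAUTH:
            per_bssid[p["bssid"]].append((ts, p["addr1"], p["reason"]))
    findings = []
    for bssid, events in per_bssid.items():
        events.sort()
        best, start = (0, 0, 0), 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:   # slide the window start
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        count, i, j = best
        if count >= threshold:
            span = events[i:j + 1]
            findings.append({"bssid": bssid, "count": count,
                             "first_ts": span[0][0], "last_ts": span[-1][0],
                             "broadcast": sum(1 for e in span if e[1] == BROADCAST),
                             "reasons": sorted({e[2] for e in span})})
    return findings

# Constructed sample: one network with two legitimate deauths a minute apart,
# and a second BSSID hit by 30 broadcast deauths within two seconds.
AP_OK, AP_HIT = "02:aa:00:00:00:01", "02:bb:00:00:00:02"
CLIENT = "02:cc:00:00:00:03"
SAMPLE_RECORDS = [
    (100.0, build_deauth(CLIENT, AP_OK, AP_OK, 3)),             # reason 3: station leaving
    (160.0, build_deauth(AP_OK, CLIENT, AP_OK, 3)),
    (150.0, build_frame(0x08, AP_OK, CLIENT, AP_OK, b"data")),  # ordinary data frame
] + [(200.0 + i * 0.05, build_deauth(BROADCAST, AP_HIT, AP_HIT, 7)) for i in range(30)]
```

The threshold and window are tuning knobs: a busy access point will legitimately emit a few de-authentications, so the burst count, not the mere presence of the frame, is what distinguishes the pattern described above.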

https://www.grin.com/document/512779

Router Forensics

Hacking Routers

Full control of a router can often lead to full control of the network. This is why many attackers will target routers and launch attacks against them. These attacks may focus on configuration errors, known vulnerabilities, or even weak passwords.

Router Attacks

Routers can be attacked by gaining access to the router and changing the configuration file, by launching DoS attacks, by flooding the bandwidth, or by routing table poisoning. These attacks can be either hit-and-run or persistent. Denial of Service attacks are targeted at routers: if an attacker can force a router to stop forwarding packets, then all hosts behind the router are effectively disabled.

Router Attack Topology

The router attack topology is the same as all attack topologies.

The steps include:
1. Reconnaissance
2. Scanning and enumeration
3. Gaining access
4. Escalation of privilege
5. Maintaining access
6. Covering tracks and placing backdoors

DoS attacks may target a user or an entire organization and can affect the availability of target systems or the entire network. The impact of DoS is the disruption of normal operations and of normal communications. In most instances it is much easier for an attacker to accomplish this than to gain access to the network. Smurf is an example of a common DoS attack.

Routing Table Poisoning

Routers running RIPv1 are particularly vulnerable to routing table poisoning attacks. This type of attack sends fake routing updates, or modifies genuine route update packets sent to other nodes, with which the attacker attempts to cause a denial of service. Routing table poisoning may cause a complete denial of service, or result in suboptimal routing or congestion in portions of the network.

Hit-and-Run Attacks and Persistent Attacks

Attackers can launch one of two types of attacks, either hit-and-run or persistent. A hit-and-run attack is hard to detect and isolate, as the attacker injects only one or a few malformed packets. With this approach, the attacker must craft the attack so that the results have some lasting damaging effect. A persistent attack increases the possibility of identifying the attacker, as there is an ongoing stream of packets to analyze. However, this approach lowers the level of complexity needed by the attacker, as much less sophisticated attacks can be used. Link state routing protocols such as OSPF are more resilient to routing attacks than RIP.

Damage & Defense... Forensic Analysis of Routing Attacks

During a forensic investigation the analyst should examine log files for evidence such as IP addresses and the protocol. It is a good idea to redirect logs to the syslog server. This can be accomplished as follows:
#config terminal
logging 192.168.1.1

Investigating Routers

When investigating routers there is a series of built-in commands that can be used for analysis. It is inadvisable to reset the router, as this may destroy evidence that was created by the attacker. The following show commands can be used to gather basic information and record hacker activity:
■ show access-lists
■ show clock
■ show ip route
■ show startup-config
■ show users
■ show version

Chain of Custody

The chain of custody is used to prove the integrity of evidence. The chain of custody should be able to answer the following questions:

■ Who collected the evidence?
■ How and where is the evidence stored?
■ Who took possession of the evidence?
■ How was the evidence stored and how was it protected during storage?
■ Who took the evidence out of storage and why?

There is no such thing as too much documentation. One good approach is to have two people work on a case. While one person performs the computer analysis, the other documents these actions. At the beginning of an investigation, a forensic analyst should prepare a log to document the systematic process of the investigation. This is required to establish the chain of custody. This chain of custody will document how the evidence is handled, how it is protected, what process is used to verify that it remains unchanged, and how it is duplicated. Next, the log must address how the media is examined, what actions are taken, and what tools are used. Automated tools such as EnCase and The Forensic Toolkit compile much of this information for the investigator.
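The custody questions above, and the data integrity challenge raised earlier (measures to ensure the collected data is not altered during and after collection), can both be served by one record structure. The following Python is an added example, not taken from the notes or from EnCase or The Forensic Toolkit: it hashes the evidence at collection, writes every custody event (collection, transfer, verification) as a log entry that carries the hash of the previous entry, and re-verifies both the evidence and the log so that a silently edited or dropped record is detected. Evidence identifiers, names and timestamps are constructed.

```python
"""Tamper-evident chain-of-custody log for a piece of network evidence, such
as a capture file. Each entry carries the SHA-256 of the previous entry, so
editing or dropping a record breaks verification, and the evidence hash taken
at collection can be re-checked at any later step."""
import hashlib
import json

GENESIS = "0" * 64   # prev_hash of the first entry

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def entry_digest(entry):
    """Hash every field except the entry's own hash, in a canonical encoding."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

class CustodyLog:
    def __init__(self, evidence_id, evidence_bytes, collected_by, location, ts):
        self.evidence_id = evidence_id
        self.evidence_hash = sha256_hex(evidence_bytes)   # taken once, at collection
        self.entries = []
        self._append(ts, action="collected", actor=collected_by,
                     location=location, evidence_sha256=self.evidence_hash)

    def _append(self, ts, **fields):
        entry = {"seq": len(self.entries), "timestamp": ts,
                 "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
                 **fields}
        entry["entry_hash"] = entry_digest(entry)
        self.entries.append(entry)

    def transfer(self, ts, from_actor, to_actor, reason):
        """Answers who took possession, from whom, and why."""
        self._append(ts, action="transferred", actor=from_actor,
                     recipient=to_actor, reason=reason)

    def verify_evidence(self, ts, actor, evidence_bytes):
        """Re-hash the evidence and record the outcome as a log entry."""
        ok = sha256_hex(evidence_bytes) == self.evidence_hash
        self._append(ts, action="verified", actor=actor,
                     result="match" if ok else "MISMATCH")
        return ok

    def verify_log(self):
        """Return (True, None) if every link holds, else (False, first bad seq)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if (entry["seq"] != i or entry["prev_hash"] != prev
                    or entry["entry_hash"] != entry_digest(entry)):
                return False, i
            prev = entry["entry_hash"]
        return True, None

def demo():
    """Constructed walkthrough: collect, hand over, verify, then show that a
    silently edited record is detected. Returns (evidence ok, log ok, log after edit)."""
    capture = b"\xd4\xc3\xb2\xa1" + b"\x00" * 20   # constructed stand-in for a pcap
    log = CustodyLog("EV-001", capture, "analyst-a", "evidence locker 2", ts=1_700_000_000)
    log.transfer(1_700_003_600, "analyst-a", "analyst-b", "examination")
    intact = log.verify_evidence(1_700_003_700, "analyst-b", capture)
    clean = log.verify_log()
    log.entries[1]["recipient"] = "someone-else"      # simulate a tampered record
    return intact, clean, log.verify_log()
```

The log itself still needs to be stored somewhere the analysts cannot rewrite at will (or have its latest entry hash countersigned), since a hash chain detects alteration but does not by itself prevent someone from regenerating the whole chain.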

Volatility of Evidence

When responding to a network attack, volatile data should be collected as soon as possible. Although all routers are different, you will most likely be working with Cisco products, as Cisco has the majority of the market share. Cisco routers store the configuration in nonvolatile RAM (NVRAM). The current (running) configuration is considered volatile data and is kept in Random Access Memory (RAM). If the configuration is erased or the router is powered down, all of this information is lost. Routers are typically used as a beachhead for an attack. This means the router may play an active part in the intrusion: the attacker uses the router as a jumping-off point to other network equipment.

When starting an investigation you should always move from most volatile to least volatile. The first step is to retrieve RAM and NVRAM. To accomplish this you may use a direct connection to the console port using an RJ-45-to-RJ-45 rolled cable and an RJ-45-to-DB-9 female DTE adapter. In instances when a direct connection is not available, a remote session is the next preferred method. Insecure protocols such as FTP should not be used; an encrypted protocol such as Secure Shell (SSH) is preferred. You should make sure to capture both the volatile and the nonvolatile configuration for comparison of changes and for documentation purposes. Cisco routers have multiple modes, so to gain privileged mode the password must be known by the analyst.

https://scitechconnect.elsevier.com/wp-content/uploads/2013/09/Router-Forensics.pdf

Intrusion Detection System (IDS)

An Intrusion Detection System (IDS) is a system that monitors network traffic for suspicious activity and issues alerts when such activity is discovered. It is a software application that scans a network or a system for harmful activity or policy breaches. Any malicious venture or violation is normally reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system integrates outputs from multiple sources and uses alarm filtering techniques to differentiate malicious activity from false alarms.
Although intrusion detection systems monitor networks for potentially malicious activity, they are also prone to false alarms. Hence, organizations need to fine-tune their IDS products when they first install them. This means properly setting up the intrusion detection system to recognize what normal traffic on the network looks like, as compared to malicious activity.
Intrusion prevention systems also monitor the network packets inbound to the system, check them for malicious activity, and immediately send warning notifications.
Classification of Intrusion Detection System:
IDS are classified into 5 types:
1. Network Intrusion Detection System (NIDS):

Network intrusion detection systems (NIDS) are set up at a planned point within the network to
examine traffic from all devices on the network. A NIDS observes the traffic passing on the entire
subnet and matches it against a collection of known attacks. Once an attack is identified or abnormal
behavior is observed, an alert can be sent to the administrator. An example of NIDS use is installing
it on the subnet where the firewalls are located in order to see if someone is trying to crack the
firewall.
2. Host Intrusion Detection System (HIDS):

Host intrusion detection systems (HIDS) run on independent hosts or devices on the network. A HIDS
monitors the incoming and outgoing packets from that device only and will alert the administrator if
suspicious or malicious activity is detected. It also takes a snapshot of existing system files and
compares it with the previous snapshot. If these system files were edited or deleted, an alert is sent
to the administrator to investigate. An example of HIDS usage can be seen on mission-critical
machines, which are not expected to change their layout.
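The snapshot-and-compare check a HIDS performs on monitored files, as an added example that is not from the page's source. The monitored tree, its contents and the simulated tampering are all constructed inside a temporary directory so the example runs offline.

```python
# Added example (not from the page's source): the snapshot-and-compare
# step a HIDS performs on monitored files. Paths and contents are
# constructed in a temporary directory so the example runs offline.
import hashlib
import tempfile
from pathlib import Path

def snapshot(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            snap[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return snap

def compare(previous: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between two snapshots; any non-empty list on a
    machine that is not expected to change its layout warrants an alert."""
    return {
        "modified": sorted(f for f in previous if f in current and previous[f] != current[f]),
        "deleted": sorted(f for f in previous if f not in current),
        "added": sorted(f for f in current if f not in previous),
    }

def demo() -> dict[str, list[str]]:
    """Build a small constructed monitored tree, alter it, and report what changed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF-original")
        before = snapshot(root)
        # Simulated tampering: a binary replaced, a config removed, an unexpected file added.
        (root / "bin" / "ls").write_bytes(b"\x7fELF-replaced")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "new-job").write_text("# constructed unexpected entry\n")
        return compare(before, snapshot(root))

if __name__ == "__main__":
    for kind, files in demo().items():
        for f in files:
            print(f"ALERT {kind}: {f}")
```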
3. Protocol-based Intrusion Detection System (PIDS):

A protocol-based intrusion detection system (PIDS) comprises a system or agent that consistently
resides at the front end of a server, controlling and interpreting the protocol between a user/device
and the server. It tries to secure the web server by regularly monitoring the HTTPS protocol
stream and accepting the related HTTP protocol. Because the HTTPS stream has to be interpreted
before it enters the web presentation layer, this system needs to reside at that interface, between
the HTTPS endpoint and the server.

4. Application Protocol-based Intrusion Detection System (APIDS):

An Application Protocol-based Intrusion Detection System (APIDS) is a system or agent that generally
resides within a group of servers. It identifies intrusions by monitoring and interpreting the
communication on application-specific protocols. For example, it would monitor the SQL protocol
specific to the middleware as it transacts with the database on behalf of the web server.

5. Hybrid Intrusion Detection System :

A hybrid intrusion detection system is made by combining two or more approaches to intrusion
detection. In a hybrid intrusion detection system, host agent or system data is combined with
network information to develop a complete view of the network system. A hybrid intrusion
detection system is more effective in comparison to the other intrusion detection systems.
Prelude is an example of a Hybrid IDS.
Detection Method of IDS:

1. Signature-based Method:

A signature-based IDS detects attacks on the basis of specific patterns, such as the number of bytes
or the number of 1's or 0's in the network traffic. It also detects on the basis of already known
malicious instruction sequences used by malware. The patterns the IDS looks for are known as
signatures.
A signature-based IDS can easily detect attacks whose pattern (signature) already exists in the system,
but it is quite difficult for it to detect new malware attacks, as their pattern (signature) is not known.
2. Anomaly-based Method:

Anomaly-based IDS was introduced to detect unknown malware attacks, as new malware is
developed rapidly. In an anomaly-based IDS, machine learning is used to build a model of trusted
activity; anything that arrives is compared with that model and is declared suspicious if it does not
fit the model. The machine learning-based method generalizes better than a signature-based IDS,
as these models can be trained according to the applications and hardware configurations in use.
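Both detection methods run over the same constructed connection records, as an added example that is not from the page's source. The signatures, the flow records and the "normal" baseline used to train the anomaly model are all made up for illustration; the anomaly model is a simple mean/standard-deviation baseline rather than a trained machine-learning model.

```python
# Added example (not from the page's source): signature-based and
# anomaly-based detection over the same constructed flow records.
import re
from statistics import mean, stdev

# Constructed flow records: (source, destination port, payload bytes, bytes sent)
FLOWS = [
    ("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: www\r\n", 410),
    ("10.0.0.5", 80, b"GET /about HTTP/1.1\r\nHost: www\r\n", 380),
    ("10.0.0.7", 443, b"\x16\x03\x01\x00\xa5", 520),
    ("10.0.0.9", 80, b"GET /files?name=../../secret HTTP/1.1\r\nUser-Agent: BadBot/1.0\r\n", 450),
    ("10.0.0.7", 443, b"\x16\x03\x01\x00\xa5", 9_800_000),
]

# Signature-based: known byte patterns (constructed, not real vendor rules).
SIGNATURES = {
    "path-traversal": re.compile(rb"\.\./\.\./"),
    "bad-user-agent": re.compile(rb"User-Agent: BadBot/"),
}

def signature_alerts(flows):
    """Return (flow index, signature name) for every flow matching a known pattern."""
    hits = []
    for i, (_, _, payload, _) in enumerate(flows):
        for name, pat in SIGNATURES.items():
            if pat.search(payload):
                hits.append((i, name))
    return hits

def anomaly_alerts(flows, baseline, z_threshold=3.0):
    """Flag flows whose byte count is far from the baseline model
    (mean and standard deviation of bytes sent in normal traffic)."""
    mu, sigma = mean(baseline), stdev(baseline)
    return [i for i, (_, _, _, nbytes) in enumerate(flows)
            if abs(nbytes - mu) / sigma > z_threshold]

# Constructed "normal" training data for the anomaly model.
BASELINE_BYTES = [400, 420, 390, 510, 530, 450, 480, 410]

if __name__ == "__main__":
    print("signature hits:", signature_alerts(FLOWS))  # only the flow with known patterns
    print("anomalies:", anomaly_alerts(FLOWS, BASELINE_BYTES))  # only the 9.8 MB flow
```

Note that each method misses what the other catches: the oversized transfer matches no signature, and the flow with known patterns has a perfectly normal byte count.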

Comparison of IDS with Firewalls:

Both an IDS and a firewall relate to network security, but an IDS differs from a firewall in that a
firewall looks outwardly for intrusions in order to stop them from happening. Firewalls restrict access
between networks to prevent intrusion, and if an attack comes from inside the network the firewall
does not signal it. An IDS describes a suspected intrusion once it has happened and then signals an alarm.
https://www.geeksforgeeks.org/intrusion-detection-system-ids/
