Foreign-language journal: International journal of computer science and network security

Intrusion Prevention Systems: Architectures and Tools


Abstract

Cyber security is an ever-heated topic as the rate of cyber-crime has increased significantly in the last few years. According to a report released by the University of Maryland in 2018, cyber-attacks are happening in “near constant time”. The study stated that there is approximately one attack every 39 seconds on every computer in the world. The estimated total cost of cyber-crime was over $1 trillion in 2018 and is expected to exceed $2 trillion in 2019 [2]. These facts have exerted enormous pressure on governments, organizations and individuals worldwide to pacify, detect, and prevent those attacks. Intrusion Prevention Systems (IPSs) are central to computer and network cyber security. Despite the use of firewalls and virus scans, many attacks make it to the network, largely due to human errors [3]. IPSs work in real time to detect an attack and take a defensive measure before the malware makes its way through the computer or the network. They do this by scanning the incoming and outgoing packets to and from computers or networks in real time. If a suspicious packet is detected, it is either dropped or the entire connection is terminated. There are various techniques used by IPSs to scan the data. In this work we will discuss the signature, the profile, and the stateful protocol methods. We will also discuss the deployment of those prevention methods, whether on a host, on a network or as a wireless IPS. At the end of this work we will review the available systems for IPSs, including the open-source ones. Examples of such systems include Snort, OSSEC, and Suricata. A comparison of those systems and their pros and cons will be included.