Intrusion Detection System (IDS)

An Intrusion Detection System (IDS) is a system that monitors network traffic or host activity for suspicious behavior and issues alerts when such behavior is discovered. It is a software application or appliance that scans a network or a host for harmful activity or policy violations. Any detected malicious activity or violation is normally reported either to an administrator or collected centrally by a security information and event management (SIEM) system. A SIEM integrates outputs from multiple sources and uses alarm filtering and correlation techniques to differentiate genuine malicious activity from false alarms.

While monitoring networks for potentially harmful behavior, intrusion detection systems are also prone to raising false alarms. Consequently, enterprises must tune their IDS products after initial installation. This entails configuring the IDS so that it distinguishes legitimate network traffic from malicious activity, typically by adjusting or suppressing rules that fire on traffic that is benign in that particular environment.

An intrusion prevention system (IPS) likewise inspects inbound packets for malicious activity and raises alerts immediately, but because it sits in line with the traffic it can also drop the offending packets or reset the connection rather than only warn.

Classification of Intrusion Detection Systems:

IDSs are commonly classified into five types, mainly by where they are deployed and what they observe:

  1. Network Intrusion Detection System (NIDS):
    Network intrusion detection systems (NIDS) are installed at a chosen point within the network (typically fed by a switch SPAN port or a network tap) to monitor the traffic of all devices whose packets pass that point. A NIDS observes the traffic crossing the subnet, compares it against a database of known attack signatures, and alerts the administrator as soon as an attack is detected or unusual behavior is noticed. Placing a NIDS on the subnet where the firewalls sit, to watch for attempts to breach them, is an example of a NIDS in action.
  2. Host Intrusion Detection System (HIDS):
    Host intrusion detection systems (HIDS) run on individual hosts or devices on the network. A HIDS monitors the incoming and outgoing packets of that device only and alerts the administrator if suspicious or malicious activity is detected. It also takes a snapshot of the existing system files and compares it with the previous snapshot; if critical system files were edited or deleted, an alert is sent to the administrator to investigate. A typical use of HIDS is on mission-critical machines whose configuration and file layout are not expected to change.
  3. Protocol-based Intrusion Detection System (PIDS):
    A protocol-based intrusion detection system (PIDS) is a system or agent that sits at the front end of a server, monitoring and interpreting the protocol between a user or device and the server. A common use is to protect a web server by monitoring the HTTPS stream and the HTTP protocol carried inside it. Because HTTPS is encrypted and the request does not immediately enter the web presentation layer, the agent must be located at the interface where the TLS session is terminated, so that it can inspect the decrypted HTTP exchange before it reaches the application.
  4. Application Protocol-based Intrusion Detection System (APIDS):
    An application protocol-based intrusion detection system (APIDS) is a system or agent that generally resides within a group of servers. It identifies intrusions by monitoring and interpreting the communication on application-specific protocols. For example, it would monitor the SQL protocol spoken between the middleware of a web application and its database server, so that an injected query or an unexpected command can be detected.
  5. Hybrid Intrusion Detection System:
    A hybrid intrusion detection system combines two or more of the approaches above. Host agent or system data is combined with network information to develop a more complete view of the network and the systems on it, so a hybrid IDS can detect activity that either source would miss on its own. Prelude is an example of a hybrid IDS.
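The file-snapshot comparison that a HIDS performs, as an added example in Python (not code from the original page or from any particular HIDS product). It hashes every regular file under a directory, keeps the result as a baseline, and reports added, deleted and modified files on the next run. The directory tree, its file contents and the "tampering" are all constructed inside the script, so it runs offline; the file names are assumptions made for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def take_snapshot(root):
    """Hash every regular file under root; return {relative_posix_path: sha256_hex}."""
    root = Path(root)
    snapshot = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            # Read in chunks so large binaries do not have to fit in memory.
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        snapshot[path.relative_to(root).as_posix()] = digest.hexdigest()
    return snapshot


def compare_snapshots(baseline, current):
    """Return what changed since the baseline: added, deleted and modified paths."""
    baseline_paths, current_paths = set(baseline), set(current)
    return {
        "added": sorted(current_paths - baseline_paths),
        "deleted": sorted(baseline_paths - current_paths),
        "modified": sorted(
            p for p in baseline_paths & current_paths if baseline[p] != current[p]
        ),
    }


def demo():
    """Constructed scenario: take a baseline, tamper with the tree, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        # Constructed stand-ins for a few files a HIDS would watch on a real host.
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "shadow").write_text("root:*:19000:0:99999:7:::\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF-original-ls")
        baseline = take_snapshot(root)

        # Simulated compromise: extra UID 0 account, trojaned binary,
        # deleted file and a dropped tool.
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/bash\nbackdoor:x:0:0::/:/bin/sh\n"
        )
        (root / "bin" / "ls").write_bytes(b"\x7fELF-trojaned-ls")
        (root / "etc" / "shadow").unlink()
        (root / "bin" / "nc").write_bytes(b"\x7fELF-netcat")
        return compare_snapshots(baseline, take_snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"ALERT {kind}: {p}")
```

The baseline is the weak point of this technique: an attacker with root access can simply re-run the snapshot after tampering, so real HIDS tools keep the baseline (or a signed hash of it) off the host or on read-only media, and the process that performs the check is itself a target worth monitoring.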

Detection Methods of IDS

Beyond their deployment location, IDS solutions also differ in how they identify potential intrusions:

  • Signature Detection: Signature-based IDS solutions use fingerprints of known threats (patterns in packet headers or payloads, or hashes of known malware) to identify them. Once malware or an attack technique has been identified, a signature is written for it and added to the rule set the IDS uses to test incoming content. This gives a signature-based IDS a high detection rate for known threats with a low false-positive rate, because every alert is tied to specific known-malicious content; badly written signatures can still match benign traffic, which is one reason tuning is needed. However, a signature-based IDS is limited to detecting known threats and is blind to novel attacks and zero-day exploits for which no signature yet exists, and simple evasions such as encoding or fragmenting the payload can slip past a naive signature.
  • Anomaly Detection: Anomaly-based IDS solutions build a model of the “normal” behavior of the protected system. All future behavior is compared to this model, and any deviation is labeled a potential threat and generates an alert. While this approach can detect novel or zero-day threats, the difficulty of building an accurate model of “normal” behavior means that these systems must balance false positives (incorrect alerts) against false negatives (missed detections), and the baseline must be retrained as legitimate usage changes.
  • Hybrid Detection: A hybrid IDS uses both signature-based and anomaly-based detection. Signatures give precise alerts on known threats, while anomaly detection covers novel activity that no signature matches, so the combination detects more potential attacks with a lower overall error rate than either method in isolation.
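A minimal illustration of the three detection methods, added here as example code rather than taken from the page or from any IDS product. It runs a few signature rules and a simple anomaly model over web request URIs and shows the trade-off described above: the signatures catch only the attacks they know, the anomaly model flags the unknown path but also mis-fires on a long but legitimate request, and the hybrid verdict is the union of both. The training set, the test requests, the three signatures and the mean-plus-three-sigma length threshold are all constructed for the example.

```python
import re
import statistics
from urllib.parse import unquote, urlsplit

# Signature rules: regular expressions for known-bad request content. A real rule
# set (e.g. Snort or Suricata rules) is far larger; these three are illustrative.
SIGNATURES = {
    "sql-injection": re.compile(r"union\s+(all\s+)?select|'\s*or\s+1\s*=\s*1", re.I),
    "path-traversal": re.compile(r"\.\./"),
    "xss": re.compile(r"<script", re.I),
}


def signature_alerts(uri):
    """Apply signatures to the URL-decoded request so %20 etc. cannot hide a pattern."""
    decoded = unquote(uri)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))


class AnomalyModel:
    """Baseline of 'normal': the request paths seen during training and the
    typical request length (mean plus `sigma` standard deviations)."""

    def __init__(self, training_uris, sigma=3.0):
        lengths = [len(u) for u in training_uris]
        self.known_paths = {urlsplit(u).path for u in training_uris}
        self.max_len = statistics.mean(lengths) + sigma * statistics.pstdev(lengths)

    def alerts(self, uri):
        reasons = []
        if urlsplit(uri).path not in self.known_paths:
            reasons.append("unseen-path")
        if len(uri) > self.max_len:
            reasons.append("oversized-request")
        return reasons


def analyze(uri, model):
    """Hybrid verdict: a request is suspicious if either method flags it."""
    sig, anom = signature_alerts(uri), model.alerts(uri)
    return {"uri": uri, "signature": sig, "anomaly": anom, "suspicious": bool(sig or anom)}


# Constructed training traffic standing in for a quiet period on a small web app.
TRAINING = [
    "/index.html", "/login", "/login", "/products?id=12", "/products?id=7",
    "/images/logo.png", "/about", "/index.html", "/products?id=123", "/login",
]

# Constructed test traffic, in the order the comments describe.
TEST_URIS = [
    "/index.html",                                                      # benign
    "/login?user=admin'%20UNION%20SELECT%20password%20FROM%20users--",  # known attack
    "/.git/config",                                                     # novel, no signature
    "/images/../../etc/passwd",                                         # known attack
    "/products?id=42&sort=price_desc&page=3",                           # benign but unusually long
]


def run_demo():
    model = AnomalyModel(TRAINING)
    return [analyze(u, model) for u in TEST_URIS]


if __name__ == "__main__":
    for r in run_demo():
        flag = "ALERT" if r["suspicious"] else "ok   "
        print(f"{flag} {r['uri']}  signature={r['signature']} anomaly={r['anomaly']}")
```

The last request is the false positive the text warns about: nothing in it is malicious, but it is longer than anything in the baseline, so the anomaly rule fires. Raising `sigma` or retraining on more representative traffic silences it at the cost of missing smaller deviations, which is exactly the tuning work that follows an IDS deployment.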

IDS vs Firewalls 

Intrusion Detection Systems and firewalls are both cybersecurity solutions that can be deployed to protect an endpoint or network. However, they differ significantly in their purposes.

IDSs are passive monitoring tools: they identify possible threats and send notifications to incident responders or analysts in a security operations center (SOC) so they can investigate and address the potential incident. On its own, an IDS blocks nothing and so offers no direct endpoint or network protection. A firewall, on the other hand, is intended to serve as a defense mechanism. It examines the header fields of network packets (addresses, ports, protocol and, for a stateful firewall, the connection state) and decides whether to allow or deny the traffic based on pre-established rules. This establishes a barrier that prevents certain traffic or protocol types from crossing, but a conventional firewall does not inspect payload content, so an attack carried inside an allowed protocol passes straight through it.

Since a firewall is an active protective device, it is closer to an Intrusion Prevention System (IPS) than to an IDS. An IPS is like an IDS but sits in line with the traffic and actively blocks identified threats instead of only raising an alert. This complements the functionality of a firewall, and many next-generation firewalls (NGFWs) have integrated IDS/IPS functionality. This enables them both to enforce predefined filtering rules (the firewall role) and to detect and respond to more sophisticated threats inside the traffic they allow (the IDS/IPS role). The cost of inline blocking is that a false positive now interrupts legitimate traffic rather than merely producing a spurious alert, so IPS rule sets are usually tuned more conservatively than IDS rule sets.
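To make the passive-versus-inline distinction concrete, the following added example (not code from the page or from any firewall or IDS vendor) runs the same packets through a header-only firewall and then through either a passive IDS on a tap or an inline IPS. The firewall rules, the two content signatures, the addresses and the packets are all assumptions constructed for the illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""


# Firewall rules are evaluated top to bottom on header fields only; the first
# match wins and anything matching no rule is dropped (default deny).
FIREWALL_RULES = [
    ("allow", "tcp", 443),
    ("allow", "tcp", 80),
    ("deny", "tcp", 23),
]


def firewall_decision(pkt):
    for action, proto, dport in FIREWALL_RULES:
        if pkt.proto == proto and pkt.dport == dport:
            return action
    return "deny"


# Content signatures that only a payload-inspecting IDS/IPS can apply.
CONTENT_SIGNATURES = {
    "shellshock-cgi": re.compile(rb"\(\)\s*\{\s*:;\s*\}\s*;"),
    "sqli-union": re.compile(rb"(?i)union\s+select"),
}


def inspect_payload(pkt):
    return sorted(name for name, rx in CONTENT_SIGNATURES.items() if rx.search(pkt.payload))


def ids_observe(pkt, alerts):
    """Passive IDS on a tap/SPAN: sees a copy, records alerts, never touches the packet."""
    hits = inspect_payload(pkt)
    if hits:
        alerts.append((pkt.src, hits))
    return pkt  # the packet always continues to its destination


def ips_filter(pkt, alerts):
    """Inline IPS: same signatures, but a hit drops the packet."""
    hits = inspect_payload(pkt)
    if hits:
        alerts.append((pkt.src, hits))
        return None
    return pkt


def run_pipeline(packets, inline_ips):
    """Firewall first, then either the passive IDS or the inline IPS.
    Returns (packets delivered to the host, alerts raised)."""
    delivered, alerts = [], []
    for pkt in packets:
        if firewall_decision(pkt) != "allow":
            continue
        pkt = ips_filter(pkt, alerts) if inline_ips else ids_observe(pkt, alerts)
        if pkt is not None:
            delivered.append(pkt)
    return delivered, alerts


# Constructed traffic: a telnet probe, a normal request, an exploit attempt
# inside an allowed HTTP connection, and an opaque TLS record.
PACKETS = [
    Packet("203.0.113.9", "10.0.0.10", "tcp", 23, b"\xff\xfd\x18"),
    Packet("203.0.113.9", "10.0.0.10", "tcp", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("203.0.113.9", "10.0.0.10", "tcp", 80,
           b"GET /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :; }; /bin/bash -c 'id'\r\n"),
    Packet("203.0.113.9", "10.0.0.10", "tcp", 443, b"\x16\x03\x03\x00\x2a..."),
]


if __name__ == "__main__":
    for mode in (False, True):
        delivered, alerts = run_pipeline(PACKETS, inline_ips=mode)
        print("inline IPS" if mode else "passive IDS",
              "delivered ports:", [p.dport for p in delivered], "alerts:", alerts)
```

The firewall stops the telnet probe but passes the exploit attempt, because port 80 is allowed and it never looks at the payload. With the passive IDS the exploit is reported and still delivered; with the inline IPS it is reported and dropped. The TLS packet is delivered in both modes without inspection, which is why an IDS or IPS that must see HTTPS content has to sit where the session is decrypted, as the PIDS description above notes.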