
What are intrusion detection systems?

Intrusion detection refers to the process of detecting unauthorized access to, and intrusive activity on, a network or host. An intrusion detection system (IDS), therefore, is a tool that monitors network traffic or host activity for events that may indicate malicious activity or a breach of policy.

An intrusion in this sense is any unauthorized access with the potential to harm the confidentiality, integrity or availability of data or systems. An IDS issues an alert when such activity is detected; the alert is either reported directly to an administrator or collected by a security information and event management (SIEM) system, where it can be correlated with events from other sources.

Types of intrusion detection systems

Network intrusion detection system (NIDS)

• A network intrusion detection system (NIDS) is deployed at strategic points in the network, for example on a mirror (SPAN) port or network tap at the perimeter or between segments,
• where it monitors inbound and outbound traffic to and from all devices on that segment.
• It inspects the traffic and matches it against indicators (signatures) of known attacks; many sensors also profile the traffic for anomalies.
• When suspicious activity is detected, an alert is generated so that the incident can be examined further.

Host intrusion detection system (HIDS)

• A host intrusion detection system (HIDS) runs as an agent on an individual host; ideally it is deployed on every server and endpoint, not only on those that face the internet, because it is the internal machines that a perimeter sensor never sees.
• It monitors the operations of that host: process execution, user logins, log entries and, in particular, the state of critical files on the endpoint, so that deletion or modification of system files and binaries is detected, typically by comparing file hashes against a known-good baseline.
• A HIDS can also inspect the packets its own host sends and receives, so it sees activity that originates inside the organization, including a compromised internal machine or a malicious insider. This is a detection capability that supports, rather than replaces, the controls used to prevent insider threats.
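As an added example (not from the original notes), the file-integrity part of a HIDS written in Python: it takes a SHA-256 baseline of a directory tree, and a later run reports created, modified and deleted files. The directory, the file contents and the tampering are all constructed inside the script; a real agent would persist the baseline somewhere the attacker cannot rewrite it.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example: host-based file-integrity monitoring in the spirit of a HIDS.
# Snapshot every file's SHA-256 digest, then diff a later snapshot against it.
# All paths and contents below are constructed for the demo.

def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> dict[str, str]:
    """Map each regular file (path relative to root) to its digest."""
    return {
        str(p.relative_to(root)): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }

def diff_snapshots(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every path as created, modified or deleted relative to the baseline."""
    created = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"created": created, "modified": modified, "deleted": deleted}

def demo() -> dict[str, list[str]]:
    """Build a constructed 'system directory', take a baseline, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF-constructed-binary")

        baseline = snapshot(root)

        # Simulated tampering that an analyst wants alerted on.
        with (root / "etc" / "passwd").open("a") as f:
            f.write("backdoor:x:0:0::/root:/bin/bash\n")   # new uid-0 account appended
        (root / "etc" / "hosts").unlink()                   # system file removed
        (root / "bin" / "rootkit").write_bytes(b"\x7fELF")  # unknown binary dropped

        return diff_snapshots(baseline, snapshot(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"ALERT {kind}: {p}")
```

The check is only as good as the baseline: take it from a known-clean build, store it off-host or signed, and schedule the comparison so that a change is noticed before the next backup overwrites the evidence.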

Protocol-based intrusion detection system (PIDS)

A protocol-based intrusion detection system (PIDS) is typically deployed at the front end of a server, most often a web server, where it monitors and analyses the protocol spoken between the server and the devices that connect to it, scanning the data transmitted over HTTP/HTTPS. It can only inspect HTTPS content where it has access to the plaintext, that is, at or behind the point where TLS is terminated.

Application protocol-based intrusion detection system (APIDS)

An application protocol-based intrusion detection system (APIDS) monitors the communication between users and an application. It inspects the packets exchanged over the application-specific protocol (for example the SQL protocol between a web application and its database), identifies the commands or instructions being issued, and can trace them to individual users.

Hybrid intrusion detection system

A hybrid intrusion detection system is exactly what its name implies: a combination of two or more types of IDS. In the hybrid type the capabilities of two systems, host- and network-based IDS for example, are combined, so that each covers blind spots the other would leave, making it more effective than any single type of IDS.

Intrusion detection systems are also categorized as active or passive:

• An active IDS, better known as an intrusion prevention system (IPS) or intrusion detection and prevention system (IDPS), is not only configured to monitor traffic and detect anomalous behaviour but also acts automatically on suspected attacks: blocking the offending IP address, dropping the connection or restricting access to sensitive resources, with no need for administrator involvement. Because it sits inline, a false positive blocks legitimate traffic, so its blocking rules have to be tuned more conservatively than alert-only rules.
• A passive IDS only monitors and analyses network traffic and alerts an administrator to a potential attack. It has no ability to block or otherwise prevent the activity on its own; the response is left to people or to other controls acting on the alert.

IDS detection methods

An IDS detects suspicious activity using one or both of these two methods:

Signature-based intrusion detection system (SIDS)

A signature-based intrusion detection system (SIDS), also known as a knowledge-based IDS, identifies attacks by inspecting packets travelling through the network and comparing them against a database of signatures: byte sequences, header values or regular expressions taken from known attacks and exploits. It is precise for what it knows and produces few false positives, but it cannot detect an attack for which no signature exists, and a small change to the attack (different encoding, fragmentation across packets) may evade a signature written for the original form.

Anomaly-based intrusion detection system (AIDS)

An anomaly-based IDS (AIDS), also called behaviour-based, was introduced to fill the gaps left by SIDS. It builds a model of normal traffic or host behaviour, using statistical baselines or machine learning, and flags significant deviations from that model, so it can detect previously unseen attacks and keep pace with the speed at which new malware and threats are developed. Its weakness is the reverse of SIDS: whatever was present during the training period is treated as normal, and legitimate but unusual activity produces false positives, so the baseline must be learned from clean traffic and re-tuned as the environment changes.
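The two methods side by side, as an added example in Python that is not part of the original notes. The signature database, the "training" capture used to learn the baseline, and the live capture (including a scanner at 203.0.113.9) are all constructed here; the point to notice is that the URL-encoded injection slips past the signature while the scanner is caught only by the anomaly logic.

```python
import re
import statistics
from collections import Counter
from dataclasses import dataclass

# Added example: signature-based and anomaly-based detection over constructed traffic.

@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dport: int      # destination port
    payload: bytes  # application data carried by the packet

# --- Signature-based (SIDS): match known attack patterns --------------------
SIGNATURES = [
    # (name, destination port the rule applies to, content pattern); constructed rules
    ("SQLi tautology in HTTP request", 80, re.compile(rb"(?i)'\s*or\s+1\s*=\s*1")),
    ("Directory traversal in HTTP request", 80, re.compile(rb"\.\./\.\./")),
    ("Shell command injection attempt", 80, re.compile(rb"(?i)[;|&]\s*(cat|wget|curl)\s")),
]

def signature_matches(pkt: Packet) -> list[str]:
    """Return the names of every signature the packet triggers."""
    return [name for name, port, pat in SIGNATURES
            if pkt.dport == port and pat.search(pkt.payload)]

# --- Anomaly-based (AIDS): learn what is normal, flag deviations --------------
def learn_baseline(packets: list[Packet]) -> tuple[float, float, set[int]]:
    """From known-good traffic, learn per-source packet volume (mean, std dev) and the ports seen."""
    per_source = Counter(p.src for p in packets)
    counts = list(per_source.values())
    return statistics.mean(counts), statistics.pstdev(counts), {p.dport for p in packets}

def anomaly_alerts(packets: list[Packet], baseline: tuple[float, float, set[int]], z: float = 3.0) -> list[str]:
    """Flag sources sending more than mean + z*stdev packets, and destination ports never seen before."""
    mean, stdev, known_ports = baseline
    alerts = []
    for src, n in sorted(Counter(p.src for p in packets).items()):
        if n > mean + z * stdev:
            alerts.append(f"volume: {src} sent {n} packets (baseline mean {mean:.1f})")
    for port in sorted({p.dport for p in packets} - known_ports):
        srcs = sorted({p.src for p in packets if p.dport == port})
        alerts.append(f"new port: {port} from {', '.join(srcs)}")
    return alerts

def demo() -> dict[str, list[str]]:
    # Constructed training capture: five internal clients browsing ports 80 and 443.
    baseline_traffic = []
    for host, n in [("10.0.0.11", 8), ("10.0.0.12", 10), ("10.0.0.13", 12),
                    ("10.0.0.14", 9), ("10.0.0.15", 11)]:
        baseline_traffic += [Packet(host, 80 if i % 2 else 443, b"GET / HTTP/1.1") for i in range(n)]
    baseline = learn_baseline(baseline_traffic)

    # Constructed live capture.
    live = [
        Packet("10.0.0.11", 80, b"GET /index.html HTTP/1.1"),
        Packet("10.0.0.12", 80, b"GET /login?user=admin' OR 1=1-- HTTP/1.1"),          # SIDS catches this
        Packet("10.0.0.12", 80, b"GET /login?user=admin%27%20OR%201%3D1-- HTTP/1.1"),  # URL-encoded: SIDS misses it
        Packet("10.0.0.13", 80, b"GET /../../etc/passwd HTTP/1.1"),
    ]
    # A scanner: 200 requests to port 80 plus probes of ports absent from the baseline.
    live += [Packet("203.0.113.9", 80, b"GET / HTTP/1.1") for _ in range(200)]
    live += [Packet("203.0.113.9", port, b"") for port in (22, 23, 3389)]

    signature = [f"{p.src}: {name}" for p in live for name in signature_matches(p)]
    return {"signature": signature, "anomaly": anomaly_alerts(live, baseline)}

if __name__ == "__main__":
    for method, alerts in demo().items():
        for a in alerts:
            print(f"[{method}] {a}")
```

A production sensor normalises traffic (URL-decodes, lowercases, reassembles streams) before signature matching, which is what closes the encoded-injection gap shown above; the anomaly thresholds likewise need a baseline long enough to include legitimate peaks, or month-end batch jobs will alert like scanners.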

Benefits of intrusion detection systems

Identify security risks

An IDS helps you understand the security risks your organization actually faces, including how many attacks it sees and how sophisticated they are.

It can also reveal problems with your network device configuration, for example traffic reaching a segment that a firewall rule should have blocked.

Improve security controls

Analysing the quantity and types of attacks your organization faces helps it implement more effective security controls and prevent future attacks more efficiently.

Challenges of intrusion detection systems

Fragmentation: An attacker can split an attack across several IP fragments or TCP segments so that no single packet contains the signature. The IDS must reassemble the stream before matching, and must resolve overlapping fragments the same way the target host does (different operating systems keep the first or the last copy), otherwise it matches against a different payload than the one the victim processes.

Obscurity: Obfuscating the attack, for instance with URL or Unicode encoding, case changes, compression or encryption, hides a known pattern from a signature. Normalising (decoding) traffic before matching, and placing sensors where plaintext is available, narrows this gap.

Low-bandwidth attacks: Spreading a scan or attack over a long period, across many source addresses or across several ports keeps each individual event below the threshold that would trigger an alert. Only correlation over time and across sources, typically in a SIEM, reveals the pattern.

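The fragmentation challenge above, as an added example in Python that is not from the original notes: a naive sensor that matches each fragment on its own misses the traversal string, a reassembling sensor finds it, and an overlapping fragment set (the classic evasion) is refused rather than guessed. The payload, signature and fragment size are constructed for the demo.

```python
from dataclasses import dataclass

# Added example: why per-packet signature matching fails under fragmentation,
# and what a reassembling sensor must do. Payload and signature are constructed.

SIGNATURE = b"../../etc/passwd"   # content pattern the sensor looks for

@dataclass(frozen=True)
class Fragment:
    offset: int    # byte offset of this piece within the original payload
    data: bytes
    more: bool     # "more fragments" flag: False on the final piece

def fragment(payload: bytes, size: int) -> list[Fragment]:
    """Split a payload into fixed-size pieces, as an attacker (or a small MTU) would."""
    pieces = []
    for off in range(0, len(payload), size):
        chunk = payload[off:off + size]
        pieces.append(Fragment(off, chunk, off + size < len(payload)))
    return pieces

def scan_per_fragment(frags: list[Fragment]) -> list[int]:
    """Naive sensor: match each piece on its own. Returns offsets of matching pieces."""
    return [f.offset for f in frags if SIGNATURE in f.data]

def reassemble(frags: list[Fragment]) -> bytes:
    """Rebuild the stream in offset order. Gaps, overlaps and a missing final piece are
    rejected rather than guessed: overlapping fragments are resolved differently by
    different operating systems, so the sensor cannot know what the target will see."""
    ordered = sorted(frags, key=lambda f: f.offset)
    buf = bytearray()
    expected = 0
    for f in ordered:
        if f.offset != expected:
            raise ValueError(f"gap or overlap at offset {f.offset} (expected {expected})")
        buf += f.data
        expected += len(f.data)
    if not ordered or ordered[-1].more:
        raise ValueError("stream incomplete: final fragment missing")
    return bytes(buf)

def scan_reassembled(frags: list[Fragment]) -> bool:
    """Reassembling sensor: match against the rebuilt stream."""
    return SIGNATURE in reassemble(frags)

def is_ambiguous(frags: list[Fragment]) -> bool:
    """True when the set cannot be reassembled unambiguously; that alone is worth an alert."""
    try:
        reassemble(frags)
        return False
    except ValueError:
        return True

def demo() -> dict:
    payload = b"GET /../../etc/passwd HTTP/1.1"   # constructed attack request
    frags = fragment(payload, 8)                  # 8-byte pieces split the signature
    # Overlap evasion: a second piece at offset 8 carrying different content.
    overlapping = frags + [Fragment(8, b"../var/lo", True)]
    return {
        "per_fragment_hits": scan_per_fragment(frags),
        "reassembled_hit": scan_reassembled(frags),
        "overlap_is_ambiguous": is_ambiguous(overlapping),
    }

if __name__ == "__main__":
    print(demo())
```

Real sensors go one step further and apply a per-target reassembly policy (Snort's frag3 and stream preprocessors, for example, take the host's OS as a parameter) so that the reassembled view matches what that host will actually accept.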
Firewalls

A firewall employs an ordered list of rules to filter incoming and outgoing network traffic. A packet-filtering firewall decides on source and destination IP address, protocol and port number: the first rule that matches a packet determines whether it is allowed or denied, and anything that matches no rule should be denied by default. It can be deployed in routed (Layer 3) mode, where it is a hop in the path with its own addresses, or in transparent (Layer 2) mode, where it bridges traffic without changing the addressing. The firewall should be the first line of defense, installed inline at the network's perimeter.
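Rule evaluation as a firewall performs it, added here as an example in Python rather than taken from the original notes: top to bottom, first match wins, default deny. The addresses and the three-rule policy are constructed; the demo shows the ordering mistake a practitioner sees most often, a broad allow placed above a specific deny, so that the deny never fires.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example: packet-filter rule base evaluated first-match, default deny.
# Networks, hosts and rules below are constructed for the demo.

@dataclass(frozen=True)
class Rule:
    action: str                               # "allow" or "deny"
    direction: str                            # "in" or "out"
    src: str                                  # source network, CIDR
    dst: str                                  # destination network, CIDR
    proto: str                                # "tcp", "udp", "icmp" or "any"
    dports: Optional[tuple[int, int]] = None  # inclusive destination port range, None = any

    def matches(self, direction: str, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
        if self.direction != direction:
            return False
        if self.proto not in ("any", proto):
            return False
        if ipaddress.ip_address(src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dports is not None:
            if dport is None:
                return False
            lo, hi = self.dports
            if not lo <= dport <= hi:
                return False
        return True

def evaluate(rules: list[Rule], direction: str, src: str, dst: str,
             proto: str, dport: Optional[int] = None) -> tuple[str, Optional[int]]:
    """Return (verdict, index of the deciding rule); default deny when nothing matches."""
    for i, rule in enumerate(rules):
        if rule.matches(direction, src, dst, proto, dport):
            return rule.action, i
    return "deny", None

# Constructed policy: public HTTPS to 192.0.2.10, SSH within the internal range,
# and a block on 10.0.5.0/24 (say, a subnet quarantined during an incident).
PUBLIC_WEB = Rule("allow", "in", "0.0.0.0/0", "192.0.2.10/32", "tcp", (443, 443))
INTERNAL_SSH = Rule("allow", "in", "10.0.0.0/8", "10.0.0.0/8", "tcp", (22, 22))
QUARANTINE = Rule("deny", "in", "10.0.5.0/24", "0.0.0.0/0", "any")

# Wrong order: the broad SSH allow matches first, so the quarantine deny never fires.
RULES_WRONG_ORDER = [PUBLIC_WEB, INTERNAL_SSH, QUARANTINE]
# Correct order: specific denies before broad allows.
RULES_FIXED = [QUARANTINE, PUBLIC_WEB, INTERNAL_SSH]

def demo() -> dict[str, tuple[str, Optional[int]]]:
    return {
        "https from internet": evaluate(RULES_FIXED, "in", "198.51.100.7", "192.0.2.10", "tcp", 443),
        "ssh from quarantined host (wrong order)": evaluate(RULES_WRONG_ORDER, "in", "10.0.5.20", "10.0.1.5", "tcp", 22),
        "ssh from quarantined host (fixed)": evaluate(RULES_FIXED, "in", "10.0.5.20", "10.0.1.5", "tcp", 22),
        "rdp from internet (no rule, default deny)": evaluate(RULES_FIXED, "in", "198.51.100.7", "192.0.2.10", "tcp", 3389),
    }

if __name__ == "__main__":
    for case, (verdict, idx) in demo().items():
        print(f"{case}: {verdict} (rule {idx})")
```

Returning the index of the deciding rule is deliberate: when a rule base grows to hundreds of entries, "which rule let this through" is the first question in every investigation, and it is also how you find rules that never match and can be removed.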

Intrusion Prevention System (IPS)

An IPS is a device that inspects, detects, classifies and proactively prevents harmful traffic. It examines communications in real time for attack patterns or signatures and blocks an attack as soon as it is detected. It is placed inline, generally in Layer 2 (transparent) mode behind the firewall: traffic enters one of the device's Ethernet ports and leaves through the other, so the IPS can drop a packet or reset a connection before it reaches the target. Because it sits in the data path, an IPS failure or a badly tuned rule affects availability, so an inline deployment needs an explicit decision on whether the device fails open or fails closed.

Intrusion Detection System (IDS)

An IDS is a hardware appliance or a software program that analyses network traffic for malicious activity or policy breaches (including network behaviour analysis) and issues alerts when they are detected. It inspects traffic in real time, searching for attack signatures or suspicious traffic patterns, and then raises alarms. Unlike an IPS, a network intrusion detection system is not in line with the data path: it receives a copy of the traffic from a mirror (SPAN) port or network tap, so it can only alert on what it sees and cannot block it. The advantage is that it can neither add latency nor drop legitimate traffic; the response has to come from an administrator, an automated playbook, or a firewall that acts on the alert.
