9. Intrusion Detection System

An Intrusion Detection System (IDS) monitors networks for malicious activities and policy violations, with types including Host-Based IDS (HIDS) and Network-Based IDS (NIDS). IDS can utilize signature-based and anomaly-based detection methods, while Intrusion Prevention Systems (IPS) actively block threats. The document also contrasts IDS with firewalls, emphasizing that IDS is a passive monitoring tool, whereas firewalls and IPS actively protect networks.


INFORMATION SECURITY BSCS 8TH

What is Intrusion Detection System?


An intrusion detection system (IDS) is a device or software application that monitors a network for malicious activity or policy violations. Any malicious activity or violation is typically reported or collected centrally using a security information and event management (SIEM) system. Some IDSs are capable of responding to a detected intrusion upon discovery; these are classified as intrusion prevention systems (IPS).

Classification of Intrusion Detection Systems


Intrusion detection systems are designed to be deployed in different environments. Like many cybersecurity solutions, an IDS can be either host-based or network-based.

• Host-Based IDS (HIDS): A host-based IDS is deployed on a particular endpoint and designed to protect it against internal and external threats. Such an IDS may have the ability to monitor network traffic to and from the machine, observe running processes, and inspect the system’s logs. A host-based IDS’s visibility is limited to its host machine, decreasing the available context for decision-making, but it has deep visibility into the host computer’s internals.

• Network-Based IDS (NIDS): A network-based IDS solution is designed to monitor an entire protected network. It has visibility into all traffic flowing through the network and makes determinations based upon packet metadata and contents. This wider viewpoint provides more context and the ability to detect widespread threats; however, these systems lack visibility into the internals of the endpoints that they protect.

The best intrusion detection systems are built to collect network traffic from all devices via NIDS and HIDS, thus increasing the chances of intrusion detection across your IT infrastructure.

Key features of intrusion detection system

NAQIB ULLAH KHAN | Lecturer Computer Science GPGC Bannu

How Does an Intrusion Detection System Work?


Today’s businesses rely on technology for everything, from hosting applications on servers to communication. As technology evolves, the attack surface that cybercriminals have access to also widens. Check Point research published in 2021 reported that there had been 50% more attacks per week on corporate networks in 2021 as compared to 2020. As such, organizations of all industry verticals and sizes are ramping up their security posture, aiming to protect every layer of their digital infrastructure from cyber attacks.

After data collection, an IDS is designed to observe network traffic and match traffic patterns to known attacks. Through this method, sometimes called pattern correlation, an intrusion prevention system can determine whether unusual activity is a cyberattack. Once suspicious or malicious activity is discovered, an intrusion detection system sends an alarm to specified technicians or IT administrators. IDS alarms enable you to quickly begin troubleshooting and identify the root sources of issues, or discover and stop harmful agents in their tracks.

Intrusion detection systems primarily use two key intrusion detection methods: signature-based intrusion detection and anomaly-based intrusion detection.

1. Signature-based intrusion detection: Signature-based IDS solutions use fingerprints of known threats to identify them. Once malware or other malicious content has been identified, a signature is generated and added to the list used by the IDS solution to test incoming content. This enables an IDS to achieve a high threat detection rate with no false positives, because all alerts are generated based upon detection of known-malicious content. However, a signature-based IDS is limited to detecting known threats and is blind to zero-day vulnerabilities.

2. Anomaly-based intrusion detection: This takes the opposite approach: it is designed to pinpoint unknown attacks, such as new malware, and adapt to them on the fly using machine learning. Machine learning techniques enable an intrusion detection system (IDS) to create baselines of trustworthy activity, known as a trust model, and then compare new behavior against the verified trust model. False alarms can occur when using an anomaly-based IDS, since previously unknown yet legitimate network traffic could be falsely identified as malicious activity.
3. Hybrid intrusion detection systems use signature-based and anomaly-based intrusion detection together to increase the scope of your intrusion prevention system. This enables you to identify as many threats as possible. A comprehensive intrusion detection system (IDS) can understand the evasion techniques cybercriminals use to trick an intrusion prevention system into thinking there isn’t an attack taking place. These techniques could include fragmentation, low-bandwidth attacks, pattern change evasion, address spoofing or proxying, and more.
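A toy detector illustrating the three methods above, added here as an example and not part of the lecture notes: a signature list catches the known-bad payload, a volume baseline learned from constructed known-good traffic catches the never-seen attack but also raises a false alarm on a legitimate backup host, and the hybrid unions both. All addresses, payloads and rule names are constructed.

```python
"""Toy hybrid IDS: signature matching plus an anomaly baseline (constructed example)."""
from collections import Counter
from statistics import mean, pstdev
from typing import NamedTuple

class Event(NamedTuple):
    src: str      # source address of the request (constructed)
    payload: str  # request content as seen on the wire (constructed)

# Signature list: known-bad fingerprint -> rule name. Illustrative only, not real IDS rules.
SIGNATURES = {"' OR 1=1": "sqli-tautology", "../etc/passwd": "path-traversal"}

def signature_alerts(events):
    """Known-threat detection: alert whenever a payload contains a fingerprint."""
    return sorted({(e.src, name) for e in events
                   for pat, name in SIGNATURES.items() if pat in e.payload})

def build_baseline(training):
    """Trust model learned from known-good traffic: mean and std-dev of requests per source."""
    per_source = list(Counter(e.src for e in training).values())
    return mean(per_source), pstdev(per_source)

def anomaly_alerts(events, baseline, z=3.0):
    """Unknown-threat detection: alert on sources more than z std-devs above the baseline volume."""
    mu, sigma = baseline
    sigma = sigma or 1.0  # a perfectly flat baseline would otherwise divide by zero
    counts = Counter(e.src for e in events)
    return sorted((src, "rate-anomaly") for src, n in counts.items() if (n - mu) / sigma > z)

def hybrid_alerts(events, baseline):
    """Hybrid IDS: union of both methods, each covering the other's blind spot."""
    return sorted(set(signature_alerts(events)) | set(anomaly_alerts(events, baseline)))

# Constructed training traffic: three ordinary hosts making 8, 10 and 12 requests.
TRAINING = [Event(f"10.0.0.{i}", "GET /index.html")
            for i, n in ((1, 8), (2, 10), (3, 12)) for _ in range(n)]
BASELINE = build_baseline(TRAINING)  # mean 10.0, std-dev about 1.63

# Constructed observed traffic mixing normal, known-bad, novel and unusual-but-legitimate sources.
OBSERVED = (
    [Event("10.0.0.2", "GET /index.html")] * 9                # normal host: no alert
    + [Event("10.0.0.9", "GET /login?user=' OR 1=1")]          # known attack: signature hit
    + [Event("10.0.0.66", "GET /?q=never-seen-before")] * 30  # unknown attack: signatures blind, anomaly fires
    + [Event("10.0.0.5", "GET /backup/chunk")] * 20           # legitimate nightly backup: anomaly false alarm
)

if __name__ == "__main__":
    for alert in hybrid_alerts(OBSERVED, BASELINE):
        print(alert)
```

Raising z from 3 to 7 silences the backup host’s false alarm while still flagging the novel source, which is the tuning trade-off anomaly detection forces on an analyst.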

IDS vs Firewalls
Intrusion Detection Systems and firewalls are both cybersecurity solutions that can be deployed to protect an endpoint or network. However, they differ significantly in their purposes.

An IDS is a passive monitoring device that detects potential threats and generates alerts, enabling security operations center (SOC) analysts or incident responders to investigate and respond to the potential incident. An IDS provides no actual protection to the endpoint or network. A firewall, on the other hand, is designed to act as a protective system. It analyzes the metadata of network packets and allows or blocks traffic based upon predefined rules. This creates a boundary over which certain types of traffic or protocols cannot pass.

Since a firewall is an active protective device, it is more like an Intrusion Prevention System (IPS) than an IDS. An IPS is like an IDS but actively blocks identified threats instead of simply raising an alert. This complements the functionality of a firewall, and many next-generation firewalls (NGFWs) have integrated IDS/IPS functionality. This enables them both to enforce the predefined filtering rules (firewall) and to detect and respond to more sophisticated cyber threats (IDS/IPS).

What is an Intrusion Prevention System (IPS)?


An Intrusion Prevention System (IPS) is a network security and threat prevention technology that analyzes network traffic to uncover and prevent attacks. An IPS seeks to prevent bad actors from gaining control of vital applications or systems, causing distributed denial of service (DDoS) attacks, or obtaining access to the rights and permissions of applications.

An IPS is generally placed behind the firewall. Instead of being a passive monitoring system such as an IDS, an IPS sits directly in the middle of the communication path between source and destination and actively prevents attacks by dropping suspect packets, blocking traffic from malicious sources, and reestablishing connections automatically.


Recommended Intrusion Detection System (IDS) Tools
