What is an intrusion detection system (IDS)?

Modern intrusion detection systems complement traditional firewalls effectively. They continuously analyze and monitor systems and entire networks in real-time, identifying potential threats and promptly notifying administrators. The actual defense against attacks is subsequently executed using additional software.

What’s behind an IDS (intrusion detection system)?

While modern computer and network security systems are advanced, cyberattacks are also growing cleverer. To protect sensitive infrastructure effectively, consider using multiple security measures. In this context, an intrusion detection system (IDS) is a first-class complement to the firewall. An IDS excels at early detection of attacks and potential threats, instantly alerting administrators who can then take swift defensive actions. Importantly, an intrusion detection system can also identify attacks that may have breached the firewall’s defenses.

Unlike an intrusion prevention system, for example, an IDS does not defend against attacks itself. Instead, the intrusion detection system analyzes all activity on a network and matches it against specific patterns. When unusual activities are detected, the system alerts the user and provides detailed information about the attack’s origin and nature.

Tip

For more information on the differences between intrusion detection and intrusion prevention systems, see our separate article on this topic.

What types of intrusion detection systems are there?

Intrusion detection systems are categorized into three types: host-based (HIDS), network-based (NIDS), and hybrid systems that combine HIDS and NIDS principles.

HIDS: Host-based intrusion detection systems

The host-based intrusion detection system is the oldest form of security system. Here, the IDS is installed directly on the system it protects. It analyzes data at both the log and kernel levels and examines other system files as well. To accommodate standalone workstations, the host-based intrusion detection system relies on monitoring agents that pre-filter traffic and send their findings to a central server. While highly accurate and comprehensive, it can be vulnerable to attacks such as DoS and DDoS. Furthermore, it is dependent on the specific operating system.

NIDS: Network-based intrusion detection systems

A network-based intrusion detection system examines data packets exchanged within a network, promptly identifying unusual or abnormal patterns for reporting. However, handling a large volume of data can be challenging, potentially overwhelming the intrusion detection system and hindering seamless monitoring.

Hybrid intrusion detection systems

Today, many vendors opt for hybrid intrusion detection systems that integrate both approaches. These systems consist of host-based sensors, network-based sensors, and a central management layer where results converge for in-depth analysis and control.

Purpose and advantages of an IDS

An intrusion detection system should never be considered or used as a replacement for a firewall. Instead, it’s a first-class supplement that, in conjunction with the firewall, identifies threats more effectively. Since the intrusion detection system can analyze even the highest layer of the OSI model, it’s capable of uncovering new and previously unknown sources of danger, even if the firewall’s defenses have been breached.

How an intrusion detection system works

The hybrid model is the most prevalent type of intrusion detection system, employing both host and network-based approaches. Information gathered is assessed in the central management system, utilizing three distinct components.

Data monitor

The data monitor collects all pertinent data via sensors and filters it based on its relevance. This encompasses data from the host side, including log files and system details, as well as data packets transmitted over the network. Among other things, the IDS gathers and organizes source and destination addresses and other critical attributes. A crucial requirement is that the collected data originates from a trustworthy source or directly from the intrusion detection system to ensure data integrity and prevent prior manipulation.

Analyzer

The second component of the intrusion detection system is the analyzer, responsible for assessing all received and pre-filtered data using various patterns. This evaluation is conducted in real-time, which can be particularly demanding on the CPU and main memory. Adequate capacities are essential for a swift and accurate analysis. The analyzer employs two distinct methods for this purpose:

  • Misuse Detection: In misuse detection, the analyzer scrutinizes the incoming data for recognized attack patterns stored in a dedicated database, which is regularly updated. When an attack aligns with a previously recorded signature, it can be identified at an early stage. However, this method is ineffective for detecting attacks that are not yet known to the system.

  • Anomaly Detection: Anomaly detection involves assessing the entire system. When one or more processes deviate from the established norms, such anomalies are flagged. For instance, if the CPU load surpasses a specified threshold or if there is an unusual spike in page accesses, it triggers an alert. The intrusion detection system can also analyze the chronological order of various events to identify unknown attack patterns. However, it’s important to note that in some cases, harmless anomalies may also be reported.

Note

Typical anomalies that a good IDS detects include increased traffic and increased access to login and authentication mechanisms. This makes the security technology a first-class solution against brute force attacks. To increase the hit rate, many modern intrusion detection systems use AI for anomaly detection.
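As an added illustration of the analyzer’s two methods (this is not code from the article), the following Python script runs a tiny signature database (misuse detection) and a per-source failed-login rate check (anomaly detection, the brute-force case from the note above) over constructed log lines; the log format, signature names and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth/web log lines (not from the article).
SAMPLE_LOG = [
    "Jan 10 10:00:01 host sshd[101]: Failed password for root from 198.51.100.7 port 50122 ssh2",
    "Jan 10 10:00:02 host sshd[101]: Failed password for root from 198.51.100.7 port 50123 ssh2",
    "Jan 10 10:00:03 host sshd[101]: Failed password for admin from 198.51.100.7 port 50124 ssh2",
    "Jan 10 10:00:04 host sshd[101]: Failed password for root from 198.51.100.7 port 50125 ssh2",
    "Jan 10 10:00:05 host sshd[101]: Failed password for root from 198.51.100.7 port 50126 ssh2",
    "Jan 10 10:00:09 host sshd[102]: Accepted password for alice from 203.0.113.5 port 41002 ssh2",
    "Jan 10 10:00:12 host sshd[103]: Failed password for bob from 203.0.113.9 port 41010 ssh2",
    "Jan 10 10:00:20 host httpd[200]: GET /.git/config HTTP/1.1 from 192.0.2.44",
]
TIME_RE = re.compile(r"^\S+ \d+ (\d\d):(\d\d):(\d\d) ")
FAIL_RE = re.compile(r"Failed password for \S+ from (?P<src>\S+)")
# Misuse detection: a tiny "signature database" of known attack patterns (assumed names).
SIGNATURES = {
    "ssh-root-login-attempt": re.compile(r"Failed password for root from (?P<src>\S+)"),
    "web-git-dir-probe": re.compile(r"GET /\.git/.* from (?P<src>\S+)"),
}

def misuse_detect(lines):
    """Return (signature, source) for every line that matches a known signature."""
    hits = []
    for line in lines:
        for name, pattern in SIGNATURES.items():
            if m := pattern.search(line):
                hits.append((name, m.group("src")))
    return hits

def anomaly_detect(lines, baseline=3, window=60):
    """Flag sources whose failed logins within any `window`-second span exceed `baseline`.
    No signature is needed, so unknown credential guessing is caught (false alarms possible)."""
    failures = defaultdict(list)  # source -> timestamps (seconds since midnight)
    for line in lines:
        t, f = TIME_RE.match(line), FAIL_RE.search(line)
        if t and f:
            h, m, s = map(int, t.groups())
            failures[f.group("src")].append(h * 3600 + m * 60 + s)
    alerts = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over the sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > baseline:
                alerts[src] = max(alerts.get(src, 0), end - start + 1)
    return alerts
```

Note that the "admin" failure has no matching signature yet still counts towards the anomaly alert, while the single failure from 203.0.113.9 stays below the baseline and is not reported.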

Alerting

The third and final component of the intrusion detection system is the actual alerting. If an attack, or at least an anomaly, is detected, the system informs the administrator. This notification can be sent by email, via a local alarm, or via a message to a smartphone or tablet.

What are the disadvantages of an intrusion detection system?

While intrusion detection systems enhance security, they are not without drawbacks, as mentioned earlier. Host-based IDSs can be vulnerable to DDoS attacks, and network-based systems may struggle in larger network setups, potentially missing data packets. Anomaly detection, depending on the configuration, can trigger false alarms. Moreover, all IDSs are solely designed for threat detection, requiring additional software for effective attack defense.

Intrusion detection system and the example of Snort

One of the best known and most popular intrusion detection systems is Snort. The security tool, developed by Martin Roesch back in 1998, is not only cross-platform and open-source, but also provides users with extensive prevention measures as an intrusion prevention system. The program is available free of charge and in a paid version for which, for example, updates are provided more quickly.
