An intrusion detection system (IDS) is a device or software application that monitors network traffic, or activity on a host, for signs of malicious behaviour or policy violations and raises an alert when it finds them.
Detecting and recording malicious activity and abnormalities is the core job of an IDS, but some products can also respond when they detect something, for example by blocking traffic sent from the offending Internet Protocol (IP) address.
An IDS differs from an intrusion prevention system (IPS) in where it sits and what it does. Both inspect network packets for potentially damaging traffic, but an IPS is deployed in line, so it can drop or reset an offending connection before it reaches its target, whereas an IDS usually watches a copy of the traffic (from a SPAN port or a network tap) and its primary role is to detect and record threats for someone, or something, else to act on.
How do intrusion detection systems work?
Intrusion detection systems look for abnormal activity with the primary goal of catching an intruder before they can do damage to the network. They come in two main forms, network-based and host-based.
The difference between the two is where they are deployed and what they can see: a host-based IDS is installed on an individual computer and monitors that machine's own activity (processes, logs, files), while a network-based IDS is placed at a point on the network where it can observe the traffic between many machines.
An IDS works either by searching traffic for the signatures of known attacks or by looking for deviations from what is normal for the environment. Suspicious packets are decoded and examined at the protocol and application layers, not just by address and port. An IDS can reliably detect events such as Christmas tree scans (TCP segments with the FIN, PSH and URG flags set, which no normal TCP stack sends) and Domain Name System (DNS) cache poisoning attempts.
An IDS can be installed as a software application running on the customer's own hardware or delivered as a network security appliance. Cloud-based intrusion detection systems that protect data and workloads in cloud deployments are also available.
Different types of intrusion detection systems
Intrusion detection systems come in several types, and they detect abnormalities using different methods, including the following:
A network intrusion detection system (NIDS) is placed at strategic points within the network, such as the internet border or in front of a server segment, to monitor the inbound and outbound traffic of all the devices behind that point.
A host intrusion detection system (HIDS) runs on individual computers or devices within the network, typically those with direct access to both the internet and the enterprise's internal network.
A HIDS may be able to detect malicious network packets that originate from inside the organization, or malicious traffic that a network intrusion detection system (NIDS) has failed to detect, for example because it was encrypted on the wire but is visible in clear on the endpoint.
A HIDS may also be able to identify abnormal traffic created by the host itself; a good example is a host that has been infected with malware and is attempting to spread it to other systems.
A signature-based intrusion detection system inspects the packets going in and out of the network and checks them against a database of attack signatures, the attributes of known malicious traffic, much like antivirus software. It is precise for the attacks it knows about, but it cannot detect an attack for which no signature exists yet, so the signature database has to be updated continuously.
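As an added example (not code from the original page), here is a minimal signature matcher in Python run over a handful of constructed packets. It serves both the Christmas tree scan mentioned earlier, which is simply a signature on the TCP flags byte, and the content signatures that a signature-based NIDS checks against its database. The Packet and Signature structures, the rule names and the sample traffic are all assumptions made for the example.

```python
"""Minimal signature-based NIDS logic over constructed packets (added example, not the page's code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TCP flag bits as laid out in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass
class Packet:
    """Hypothetical decoded packet: just the fields the rules below need."""
    src: str
    dst: str
    dport: int
    flags: int = 0
    payload: bytes = b""


@dataclass
class Signature:
    """One rule; every field that is not None must match for the rule to fire."""
    name: str
    flags_exact: Optional[int] = None   # flags byte must equal this exactly
    dport: Optional[int] = None         # destination port must equal this
    content: Optional[bytes] = None     # payload must contain this byte string
    pcre: Optional[bytes] = None        # payload must match this regular expression


# A tiny signature database (assumed rules, constructed for the example).
SIGNATURES = [
    # Christmas tree scan: FIN, PSH and URG set and nothing else. No normal TCP stack sends this.
    Signature("XMAS scan", flags_exact=FIN | PSH | URG),
    # NULL scan: a TCP segment with no flags at all.
    Signature("NULL scan", flags_exact=0),
    # Directory traversal in an HTTP request.
    Signature("HTTP path traversal", dport=80, content=b"../"),
    # Shell command substitution smuggled into a User-Agent header.
    Signature("Shell substitution in User-Agent", dport=80, pcre=rb"User-Agent:[^\r\n]*\$\("),
]


def matches(sig: Signature, pkt: Packet) -> bool:
    """Return True when every constraint the signature specifies holds for the packet."""
    if sig.flags_exact is not None and pkt.flags != sig.flags_exact:
        return False
    if sig.dport is not None and pkt.dport != sig.dport:
        return False
    if sig.content is not None and sig.content not in pkt.payload:
        return False
    if sig.pcre is not None and re.search(sig.pcre, pkt.payload) is None:
        return False
    return True


def inspect(packets: List[Packet], signatures=SIGNATURES) -> List[Tuple[str, str, str]]:
    """Run every packet past every signature; return one (rule name, src, dst) tuple per hit."""
    alerts = []
    for pkt in packets:
        for sig in signatures:
            if matches(sig, pkt):
                alerts.append((sig.name, pkt.src, pkt.dst))
    return alerts


# Constructed sample traffic: a benign SSH SYN, an Xmas probe, a traversal attempt,
# a benign HTTP request, and a request carrying a command substitution in its User-Agent.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "10.0.0.20", 22, SYN),
    Packet("203.0.113.9", "10.0.0.20", 443, FIN | PSH | URG),
    Packet("203.0.113.9", "10.0.0.20", 80, PSH | ACK, b"GET /../../etc/passwd HTTP/1.1\r\nHost: x\r\n\r\n"),
    Packet("10.0.0.7", "10.0.0.20", 80, PSH | ACK, b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n"),
    Packet("198.51.100.3", "10.0.0.20", 80, PSH | ACK, b"GET / HTTP/1.1\r\nUser-Agent: $(id)\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in inspect(SAMPLE_TRAFFIC):
        print("ALERT %-32s %s -> %s" % alert)
```

Production engines such as Snort and Suricata apply the same idea but reassemble TCP streams and normalise HTTP before matching, and that matters: a traversal string split across two segments, or URL-encoded as `%2e%2e/`, slips straight past a per-packet matcher like this one.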
An anomaly-based intrusion detection system monitors network traffic and compares it against a baseline that defines what is normal for the network with respect to bandwidth, protocols, ports and which devices talk to each other. The baseline is built from a period of observed traffic, using simple statistics or machine learning, and the system then alerts the IT team to deviations from it and to policy violations. By detecting threats with a broad model of normal behaviour instead of specific signatures, anomaly detection can catch novel attacks that a signature-based system would miss. The price is a higher false-positive rate, and the baseline itself must be learned from traffic that is known to be clean: an attacker who is already active during the learning period becomes part of "normal".
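The following is an added example, not code from the page, of the anomaly approach using a plain statistical baseline rather than machine learning. The feature is the number of distinct destination ports a source touches per minute, the baseline is mean plus three standard deviations over a training window, and the constructed connection log includes a port sweep both after the baseline was learned (caught) and during it (missed, which is the baseline-poisoning caveat above). The event format, the feature, the threshold rule and all addresses are assumptions for the example.

```python
"""Anomaly-based detection with a statistical baseline (added example, not the page's code)."""
import statistics
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Event = Tuple[int, str, int]  # (minute, source IP, destination port); a constructed connection log


def distinct_ports_per_minute(events: Iterable[Event]) -> Dict[Tuple[int, str], int]:
    """The feature used for the baseline: distinct destination ports each source touched per minute."""
    seen = defaultdict(set)
    for minute, src, dport in events:
        seen[(minute, src)].add(dport)
    return {key: len(ports) for key, ports in seen.items()}


def build_baseline(training_events: Iterable[Event], k: float = 3.0, floor: int = 5) -> Dict[str, float]:
    """Learn 'normal' as mean + k standard deviations of the feature over the training window.

    The floor stops a very quiet network from alerting on trivial variation: a mean of 2 and a
    standard deviation of 0.5 would otherwise give a threshold of 3.5 and fire on four ports."""
    counts = list(distinct_ports_per_minute(training_events).values())
    mean = statistics.mean(counts)
    stdev = statistics.pstdev(counts)
    return {"mean": mean, "stdev": stdev, "threshold": max(floor, mean + k * stdev)}


def detect(baseline: Dict[str, float], live_events: Iterable[Event]) -> List[Tuple[int, str, int]]:
    """Return (minute, src, distinct ports) for every source-minute above the learned threshold."""
    alerts = []
    for (minute, src), n in sorted(distinct_ports_per_minute(live_events).items()):
        if n > baseline["threshold"]:
            alerts.append((minute, src, n))
    return alerts


# Constructed training window: 60 minutes of two workstations talking to 80/443, plus 22 every third minute.
TRAINING_EVENTS: List[Event] = [
    (m, src, port)
    for m in range(60)
    for src in ("10.0.0.5", "10.0.0.6")
    for port in ((80, 443, 22) if m % 3 == 0 else (80, 443))
]

# Constructed live minute: the workstations behave normally while a new address sweeps ports 1-100.
LIVE_EVENTS: List[Event] = (
    [(60, "10.0.0.5", 80), (60, "10.0.0.5", 443)]
    + [(60, "10.0.0.6", p) for p in (22, 80, 443, 8080)]
    + [(60, "203.0.113.9", p) for p in range(1, 101)]
)

# The same scanner active throughout the training window: this is what baseline poisoning looks like.
SCANNER_DURING_TRAINING: List[Event] = [(m, "203.0.113.9", p) for m in range(60) for p in range(1, 101)]

if __name__ == "__main__":
    clean = build_baseline(TRAINING_EVENTS)
    print("clean baseline:", clean, "->", detect(clean, LIVE_EVENTS))
    poisoned = build_baseline(TRAINING_EVENTS + SCANNER_DURING_TRAINING)
    print("poisoned baseline:", poisoned, "->", detect(poisoned, LIVE_EVENTS))
```

With the clean window the threshold settles at the floor of 5 and the sweep of 100 ports is an obvious outlier; with the scanner in the training data the threshold climbs above 170 and the same sweep is silently "normal". The constants `k` and `floor` are the tuning knobs that trade false positives against misses, and a real deployment would keep separate baselines per host role rather than one for the whole network.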
Intrusion detection systems are categorized as passive or active:
- A passive IDS that discovers malicious activity generates an alert or log entry but takes no further action.
- An active IDS, sometimes called an intrusion detection and prevention system (IDPS), generates alerts and log entries but can also be configured to take preventive action, such as blocking the offending IP address or shutting off access to the targeted resource.
An IDS performs the following functions:
- Continuously monitoring network traffic in order to detect an attack by an unauthorized party while it is being carried out;
- Monitoring the operation of routers, firewalls, key management servers and the files used by other security controls, with the aim of detecting, mitigating or recovering from cyberattacks;
- Providing an organized and fine-tuned means for administrators to audit the operating system;
- Providing a user-friendly interface so that less technical staff can also help manage system security, including an extensive checklist of attack signatures against which information from the system can be matched;
- Detecting, and alerting on, data or system files that have been tampered with;
- Reacting quickly to intruders, for example by blocking the offending address or isolating the targeted server.
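The tamper-detection function in the list above is what a host IDS does for file integrity: hash every file once to form a baseline, then hash again later and diff. Here is an added example in Python (not code from the page) that builds a small constructed directory tree, baselines it, simulates an intruder editing a file, dropping a script, loosening permissions and deleting a file, and reports what changed. The directory layout, file contents and helper names are assumptions for the example.

```python
"""File-integrity monitoring of the kind a host IDS performs (added example, not the page's code)."""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

Record = Tuple[str, int]  # (sha256 hex digest, permission bits)


def snapshot(root: str) -> Dict[str, Record]:
    """Hash every regular file under root and record its mode, keyed by path relative to root."""
    snap: Dict[str, Record] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are not hashed in this example
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            snap[os.path.relpath(path, root)] = (digest.hexdigest(), stat.S_IMODE(st.st_mode))
    return snap


def compare(baseline: Dict[str, Record], current: Dict[str, Record]) -> Dict[str, List[str]]:
    """Diff two snapshots; 'changed' covers either a content change or a permission change."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "changed": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def _write(path: str, text: str, mode: int = 0o644) -> None:
    """Helper for the constructed tree: write a file and pin its permissions."""
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)


def demo() -> Dict[str, List[str]]:
    """Build a constructed tree, baseline it, tamper with it, and return what the check finds."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        _write(os.path.join(etc, "passwd"), "root:x:0:0:root:/root:/bin/bash\n")
        _write(os.path.join(etc, "shadow"), "root:*:19000:0:99999:7:::\n", 0o600)
        _write(os.path.join(etc, "hosts"), "127.0.0.1 localhost\n")
        baseline = snapshot(root)

        # Simulated tampering: a second uid-0 account, a dropped script,
        # loosened permissions on hosts, and a deleted file.
        with open(os.path.join(etc, "passwd"), "a") as fh:
            fh.write("eve:x:0:0::/root:/bin/bash\n")
        _write(os.path.join(root, "backdoor.sh"), "#!/bin/sh\n", 0o755)
        os.chmod(os.path.join(etc, "hosts"), 0o666)
        os.remove(os.path.join(etc, "shadow"))

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The baseline has to be stored where the intruder cannot rewrite it (off the host, or at least signed), because anyone with root on the monitored machine can otherwise regenerate it after tampering; tools such as AIDE and Tripwire are built around exactly this hash-and-compare loop with that protection added.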
Benefits of intrusion detection systems
Intrusion detection systems offer organizations a number of benefits, starting with the ability to identify and record security incidents. An IDS can also be used to analyze the quantity and types of attacks the organization faces, and that information can be used to restructure its security controls and make them more effective. An IDS also helps a company identify bugs or problems in its network device configurations, and these metrics can then be used to assess future risks.
Intrusion detection systems also help enterprises achieve regulatory compliance. An IDS gives a company the ability to monitor efficiently across its networks, making it easier to meet security regulations, and businesses can use their IDS logs as part of the evidence that they are meeting certain compliance requirements.
IDS vendors
Disclaimer: this list is based on reviews, not advertising.
- AlienVault USM: AlienVault Unified Security Management (USM) delivers threat detection, incident response and compliance management in one unified platform. It is designed to combine all the essential security capabilities needed for effective security monitoring across cloud and on-premises environments.
- CrowdStrike Falcon: CrowdStrike offers the Falcon Endpoint Protection suite, an antivirus and endpoint protection system emphasizing threat detection, machine-learning malware detection and signature-free updating. Additionally, the available Falcon Spotlight module delivers vulnerability assessment.
- Zscaler Internet Access: Zscaler Internet Access is delivered as a security stack as a service from the cloud, and is designed to eliminate the cost and complexity of traditional secure web gateway approaches, and provide easily scaled protection to all offices or users, regardless of location, and minimize.
- AlienVault OSSIM: AlienVault OSSIM is an open-source Security Information and Event Management (SIEM) product. OSSIM leverages the power of the AlienVault Open Threat Exchange by allowing users to both contribute and receive real-time information about malicious hosts.
- Juniper SRX: Juniper SRX is a firewall offering. It provides a variety of modular features, scaled for enterprise-level use, based on a 3-in-1 OS that enables routing, switching and security in each product.