What Is an Intrusion Detection System (IDS)?
An Intrusion Detection System (IDS) is a security solution which, when deployed in a network, monitors the network traffic for malicious and suspicious activity and alerts the security administrators by raising an alarm. It analyzes all inbound and outbound network traffic for potential security threats such as malware, viruses and Trojans, both within the intranet and in communication with an external network, usually the Internet.
An IDS is also referred to as a passive security solution, because it only detects malicious activity on the network, logs the event, and alerts the administrators about the intrusion. The IDS itself does not respond or react to a security breach or intrusion.
Importance of Intrusion Detection System
Even though the next and more secure form of IDS, known as an Intrusion Prevention System (IPS), has been introduced in network security, many administrators still prefer using an IDS. They do so when they do not want all communication between the networks to be blocked as soon as a security breach is detected, in order to avoid the delay to business production that blocking the communication would cause.
Sometimes administrators may also want to allow intruders into the network in order to study their method of intrusion. Moreover, administrators may deploy honeypots to attract intruders and use the IDS to be informed as soon as an intrusion event takes place. This helps them learn the new intrusion techniques that attackers come up with.
Types of Intrusion Detection System (IDS)
There are two types of Intrusion Detection Systems that can be used to inspect the network traffic:
Network-Based Intrusion Detection System (NIDS)
A Network-Based Intrusion Detection System (NIDS) is typically a standalone hardware appliance placed at the network perimeter alongside the firewall. It monitors all the network traffic that enters or leaves the network. A NIDS uses hardware sensors located at various points within the network, which inspect the data packets from all devices that reside inside the local area network. This type of IDS has proactive detection capabilities.
Host-Based Intrusion Detection System (HIDS)
A Host-Based Intrusion Detection System (HIDS), on the other hand, is a software application installed on every host and device in the internal network. A HIDS analyzes the inbound and outbound network traffic only of the specific device on which it is installed, and alerts the administrators when a security breach or intrusion event occurs. A HIDS lets administrators specify well-known attacks, which makes it easier to monitor for those intrusion events when they occur. Moreover, a HIDS also prevents Trojans, backdoors, etc. from being installed on the host, and monitors key system files as well. If configured correctly, it can also provide real-time detection of suspicious activity.
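The "monitors the key system files" part of a HIDS is usually a file integrity check: hash each monitored file once to build a known-good baseline, then re-hash and alert on any file that changed or disappeared. The following is an added example (not code from the original article); it creates its own temporary stand-in files so it runs offline, and the file names are constructed placeholders rather than real system paths.

```python
import hashlib
import os
import tempfile

def file_hash(path):
    """SHA-256 of a file's contents, read in chunks to handle large files."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    """Record the known-good hash of every monitored file."""
    return {p: file_hash(p) for p in paths}

def check_integrity(baseline):
    """Compare the current state of each file against the baseline.
    Returns a list of (path, reason) alerts; reason is 'missing' or 'modified'."""
    alerts = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            alerts.append((path, "missing"))
        elif file_hash(path) != expected:
            alerts.append((path, "modified"))
    return alerts

def demo():
    """Constructed scenario: two monitored files, one tampered, one deleted.
    Returns the sorted alert reasons so the outcome can be checked."""
    d = tempfile.mkdtemp()
    cfg = os.path.join(d, "service.conf")   # constructed stand-in for a config file
    hosts = os.path.join(d, "hosts")        # constructed stand-in for a hosts file
    with open(cfg, "w") as f:
        f.write("setting = original\n")
    with open(hosts, "w") as f:
        f.write("127.0.0.1 localhost\n")
    baseline = build_baseline([cfg, hosts])
    clean = check_integrity(baseline)        # clean run: expect no alerts
    with open(cfg, "a") as f:                # simulate tampering with the config
        f.write("# unexpected change\n")
    os.remove(hosts)                         # simulate deletion of a key file
    return clean, sorted(reason for _, reason in check_integrity(baseline))

if __name__ == "__main__":
    print(demo())
```

A real HIDS runs check_integrity on a schedule or on file-change notifications and stores the baseline somewhere an intruder on the host cannot rewrite it.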
How Does an Intrusion Detection System Work?
To detect an attack, an Intrusion Detection System follows one of the two detection methods discussed below:
Signature-Based Intrusion Detection System
A Signature-Based Intrusion Detection System checks the signatures or patterns of data packets and compares them against the well-known network attack patterns stored in its database. When a packet matches one of these patterns, the Signature-Based IDS generates a report and sends it to the administrators via email, SMS or another communication medium. A Signature-Based IDS is also referred to as a Knowledge-Based IDS.
Anomaly-Based Intrusion Detection System
An Anomaly-Based Intrusion Detection System monitors the network traffic and compares it against a security baseline established by the administrators. The security baseline defines criteria such as the bandwidth used, protocols, ports, and the types of devices that may connect to each other. If the network traffic is found to be anomalous, that is, different from the criteria defined in the baseline, the Anomaly-Based IDS immediately alerts the administrators about the event. Administrators can then take appropriate action according to the type and severity of the breach or intrusion. An Anomaly-Based IDS is also known as a Behavior-Based IDS.
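The two detection methods above, run side by side over the same traffic, as an added example that is not part of the original article. The packet records, the signature pattern ("constructed-bad-bot") and the baseline values are all constructed for the example; the last record is a legitimate request whose URL happens to contain the signature text, which is exactly the false-positive case a signature-based IDS produces.

```python
# Constructed sample traffic: (src_ip, dst_port, protocol, size_bytes, payload).
PACKETS = [
    ("10.0.0.5", 443, "tcp", 1200, b"GET /index.html HTTP/1.1"),
    ("10.0.0.9", 53, "udp", 80, b"\x00\x01\x01\x00"),
    ("10.0.0.7", 80, "tcp", 300, b"GET / HTTP/1.1\r\nUser-Agent: constructed-bad-bot/1.0"),
    ("10.0.0.7", 23, "tcp", 64, b"login: "),              # port not in the baseline
    ("10.0.0.7", 443, "tcp", 1_000_000, b"POST /upload HTTP/1.1"),  # far above normal size
    ("10.0.0.5", 443, "tcp", 700, b"GET /blog/constructed-bad-bot-analysis HTTP/1.1"),
]

# Signature-based: known attack patterns (constructed placeholder, not a vendor rule).
SIGNATURES = {
    "bad-user-agent": b"constructed-bad-bot",
}

# Anomaly-based: the administrator's baseline of what normal traffic looks like.
BASELINE = {
    "allowed_ports": {53, 80, 443},
    "allowed_protocols": {"tcp", "udp"},
    "max_bytes_per_packet": 500_000,
}

def signature_alerts(packets, signatures=SIGNATURES):
    """Knowledge-based detection: flag any packet whose payload contains a
    known pattern. Matches only what is already in the signature database."""
    return [(src, name)
            for src, _, _, _, payload in packets
            for name, pattern in signatures.items()
            if pattern in payload]

def anomaly_alerts(packets, baseline=BASELINE):
    """Behavior-based detection: flag any packet that deviates from the
    baseline on port, protocol or size, whether or not the attack is known."""
    alerts = []
    for src, port, proto, size, _ in packets:
        if port not in baseline["allowed_ports"]:
            alerts.append((src, f"unexpected port {port}"))
        if proto not in baseline["allowed_protocols"]:
            alerts.append((src, f"unexpected protocol {proto}"))
        if size > baseline["max_bytes_per_packet"]:
            alerts.append((src, "oversized packet"))
    return alerts

def run_ids(packets):
    """Produce the report an IDS would forward to the administrators."""
    return {"signature": signature_alerts(packets), "anomaly": anomaly_alerts(packets)}

if __name__ == "__main__":
    print(run_ids(PACKETS))
```

Note that the telnet and oversized-upload records are caught only by the anomaly check, while the signature check catches the bad user agent but also the harmless blog request from 10.0.0.5.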
What are False Positives and Negatives in Intrusion Detection System?
False Positive – A false positive is a legitimate request that an IDS detects and classifies as spam or a security threat. An alert sent to the administrators because of a false positive is sometimes referred to as a false alarm.
False Negative – A false negative occurs when an Intrusion Detection System fails to detect malicious or suspicious activity on the network.
Intrusion Detection System vs. Firewall
There is a misconception that an Intrusion Detection System is a firewall. Although both an IDS and a firewall are network security appliances, they differ in their functionality and in the approach they take to monitoring the network traffic.
An IDS monitors the inbound and outbound network traffic for potential security breaches, generates a log of the event that occurred, and signals an alarm to the administrators about the event. Administrators can then take appropriate action to resolve the issue.
A firewall, on the other hand, isolates the internal network from the external one, typically the Internet, by default. Administrators then have to configure the firewall rules manually to allow or deny network traffic on the basis of port numbers, protocols, source or destination IP address ranges, source or destination domains, etc.