An intrusion detection system (IDS) is a software product or device that detects unauthorized and malicious activity in a computer network or on a single host.
An IDS’s purpose is to detect cybercriminal attempts to penetrate the infrastructure and to generate security alerts (it has no response functions such as blocking unwanted activity), which it then passes to a SIEM system for further processing.
Intrusion detection systems differ from classic firewalls in that the latter rely on a set of static rules and simply restrict traffic between devices or network segments without sending notifications. A further development of the IDS concept is the intrusion prevention system (IPS), which not only logs but also blocks threats.
Intrusion detection systems are usually classified by their scope of application:
- A network intrusion detection system (NIDS) analyzes network traffic for malicious activity. Unlike firewalls, a NIDS monitors both incoming and internal network traffic.
- A host intrusion detection system (HIDS) monitors the operation of individual devices. Typically, the HIDS tracks the status of all files on an endpoint and informs the administrator of any deleted or modified system objects. This type of IDS additionally scans all data packets sent to or from the device.
- A protocol-based intrusion detection system (PIDS) scans data transmitted over HTTP/HTTPS. Such systems are usually deployed to protect Web servers and monitor traffic flowing between user devices and online resources.
- An application protocol-based intrusion detection system (APIDS) monitors packets transmitted over a specific application-layer protocol, for example, accessing a SQL database.
- A hybrid intrusion detection system combines two or more of the above types (for example, NIDS and HIDS) for all-around detection of malicious activity.
How intrusion detection systems work
An IDS detects malicious activity using at least one of two methods:
- Signature-based detection, a technique that compares the activity it monitors against a database of known attack signatures and generates a security alert on a match. This method identifies intrusions that rely on previously known penetration methods, but not attacks for which no signature exists yet.
- Anomaly-based detection, or the matching of activity in the network or on the host against a model of proper and trusted behavior of monitored elements. The system logs deviations to identify new threats.
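As an added illustration (not from the original entry), the two methods side by side in Python over constructed request-log lines: a small signature rule set, and a per-client request-count baseline learned from a trusted period and used to flag deviations. The log format, rule names and the deviation threshold are assumptions.

```python
import re
import statistics

# Constructed sample log lines in a "client path" format, not taken from the page.
BASELINE_LOG = [  # trusted period used to learn normal behaviour
    "10.0.0.1 /index.html", "10.0.0.2 /index.html", "10.0.0.1 /about",
    "10.0.0.3 /login", "10.0.0.2 /about", "10.0.0.3 /index.html",
]
LIVE_LOG = [  # monitored period
    "10.0.0.1 /index.html",
    "10.0.0.4 /download?file=../../config",          # hits a signature
    "10.0.0.5 /a", "10.0.0.5 /b", "10.0.0.5 /c", "10.0.0.5 /d",
    "10.0.0.5 /e", "10.0.0.5 /f", "10.0.0.5 /g", "10.0.0.5 /h",  # far above baseline
]

# Signature-based detection: hypothetical rule set, rule name -> pattern.
SIGNATURES = {
    "path_traversal": re.compile(r"\.\./"),
    "sqli_union": re.compile(r"union\s+select", re.IGNORECASE),
}

def parse(line):
    return line.split(" ", 1)  # (client, path)

def signature_alerts(lines):
    """Alert when a request path matches a known attack pattern."""
    alerts = []
    for line in lines:
        client, path = parse(line)
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((client, name))
    return alerts

def request_counts(lines):
    counts = {}
    for line in lines:
        client, _ = parse(line)
        counts[client] = counts.get(client, 0) + 1
    return counts

def build_baseline(lines):
    """Anomaly-based detection, step 1: model normal per-client request counts."""
    values = list(request_counts(lines).values())
    return statistics.mean(values), statistics.pstdev(values)

def anomaly_alerts(lines, baseline, k=3.0):
    """Step 2: alert on clients whose request count deviates from the model."""
    mean, stdev = baseline
    threshold = mean + k * max(stdev, 1.0)  # floor avoids a zero-width band
    return [(c, "request_rate") for c, n in request_counts(lines).items() if n > threshold]
```

Note that the flood from 10.0.0.5 matches no signature and is caught only by the baseline, while the traversal attempt is a single request that the rate model never sees; the two methods cover different blind spots, which is why real products combine them.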