Modern intrusion detection systems complement traditional firewalls. They continuously monitor individual hosts and entire networks in real time, flag activity that looks like an attack and notify administrators promptly. Blocking the attack itself is left to other components, such as the firewall or an intrusion prevention system.

What’s behind an IDS (intrusion detection system)?

Modern computer and network security systems are sophisticated, but attacks keep getting more sophisticated too. Protecting sensitive infrastructure effectively therefore means layering several security measures. In this context an intrusion detection system (IDS) is a valuable complement to the firewall. An IDS specialises in detecting attacks and potential threats early and alerting administrators immediately, so that they can respond quickly. Importantly, an IDS can also identify attacks that have already slipped past the firewall.

Unlike an intrusion prevention system (IPS), an IDS does not block attacks itself. Instead, it analyses the activity it observes on a host or network, matches it against known attack patterns and against a baseline of normal behaviour, and, when something suspicious turns up, alerts the operator with details about the origin and nature of the activity.

Tip

For more information on the differences between intrusion detection and intrusion prevention systems, see our separate article on this topic.

What types of intrusion detection systems are there?

Intrusion detection systems fall into three categories: host-based (HIDS), network-based (NIDS), and hybrid systems that combine the two approaches.

HIDS: Host-based intrusion detection systems

A host-based intrusion detection system is the oldest form of IDS. It is installed directly on the system it protects and inspects that system's log files, kernel-level events (such as system calls and process activity) and the integrity of important system files. To cover many workstations, a HIDS typically deploys a monitoring agent on each host; the agent pre-filters local events and forwards the relevant ones to a central server. Because a HIDS sees exactly what happens on the host, it can be very accurate and thorough, but it also shares the host's fate: an attacker who compromises the host, or takes it offline with a DoS or DDoS attack, disables or blinds the sensor as well. The agent is also specific to the operating system it runs on.

NIDS: Network-based intrusion detection systems

A network-based intrusion detection system inspects the packets exchanged on a network segment, usually fed from a mirror port or a network tap, and promptly reports unusual or known-malicious patterns. It covers every host on the segment without installing anything on them, but it has to keep up with the full traffic volume: on busy links the sensor can be overwhelmed and silently drop packets, leaving gaps in monitoring. It also cannot inspect the payload of encrypted connections unless the traffic is decrypted before it reaches the sensor.

Hybrid intrusion detection systems

Today, many vendors offer hybrid intrusion detection systems that combine both approaches. They consist of host-based sensors, network-based sensors and a central management layer where the sensors' results are collected for in-depth analysis and from which the sensors are controlled.

Purpose and advantages of an IDS

An intrusion detection system should never be regarded or used as a replacement for a firewall. It is a complement that, together with the firewall, identifies threats more effectively. Because an IDS can inspect traffic up to the application layer (the highest layer of the OSI model), it can uncover new and previously unknown attack sources and flag attacks that have already made it past the firewall, for example through a port the firewall has to leave open.


How an intrusion detection system works

The hybrid model is the most common type of intrusion detection system today and uses both host-based and network-based sensors. The information they gather is evaluated in the central management system, which is built from three distinct components.

Data monitor

The data monitor collects the relevant raw data through sensors and filters it by relevance. On the host side this includes log files and system details; on the network side it includes the packets transmitted over the network. Among other things, the monitor extracts and normalises source and destination addresses and other key attributes. A crucial requirement is that the collected data comes from a trustworthy source, ideally from the IDS's own sensors, so that its integrity is assured and an attacker cannot manipulate it before analysis: a sensor that reads logs an intruder can edit is only as reliable as those logs.

Analyzer

The second component of the intrusion detection system is the analyzer, which evaluates the received, pre-filtered data against various patterns. This evaluation takes place in real time and can place heavy demands on CPU and main memory, so adequate capacity is essential for fast and accurate analysis. The analyzer uses two distinct methods:

  • Misuse detection (signature-based detection): the analyzer compares incoming data with known attack patterns stored in a signature database that is updated regularly. An attack that matches a recorded signature is identified immediately and with few false positives. The method cannot detect attacks for which no signature exists yet, such as a new exploit or a variant that has been altered to evade the pattern.

  • Anomaly detection: the analyzer first learns what normal behaviour looks like for the system or network as a whole and then flags deviations from that baseline. For instance, an alert is raised if CPU load exceeds a defined threshold or if the number of requests to a page spikes unexpectedly. The IDS can also examine the chronological order of events to spot attack patterns that are not yet known. The price is that harmless anomalies, such as a legitimate traffic peak, may be reported as well, so thresholds need tuning.

Note

Typical anomalies that a good IDS detects include unusual increases in traffic and bursts of access to login and authentication mechanisms, which makes it a useful defence against brute-force attacks. To improve the hit rate, many modern intrusion detection systems use machine-learning models for anomaly detection.

Alerting

The third and final component of the intrusion detection system is alerting. When an attack, or at least an anomaly, is detected, the system notifies the administrator, for example by email, through a local alarm, or as a push message to a smartphone or tablet. In practice the alerts are also logged centrally so that they can be reviewed and investigated later.
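The three components described above, as a minimal added example in Python that is not part of the original article and not the code of any real IDS product: a data monitor that parses syslog-style lines into records, an analyzer that runs a small signature database (misuse detection) and a failed-login threshold (anomaly detection) over those records, and an alerting stage that formats the results. The sample log lines, the two signatures, the threshold of five failed logins within 60 seconds, the year added to the timestamps and all function names are constructed assumptions for illustration.

```python
"""Minimal IDS pipeline: data monitor -> analyzer -> alerting.

Added example for this article, not code from a real IDS. Log lines,
signatures and thresholds are constructed assumptions for illustration.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample input: syslog-style lines as a host sensor might forward them.
# 203.0.113.4 hammers sshd, 198.51.100.9 sends two known-bad HTTP requests, the
# rest is benign (including a single failed login from an internal host).
SAMPLE_LOG = """\
Mar  3 10:00:01 web01 sshd[2201]: Failed password for root from 203.0.113.4 port 51022 ssh2
Mar  3 10:00:02 web01 sshd[2201]: Failed password for root from 203.0.113.4 port 51023 ssh2
Mar  3 10:00:02 web01 sshd[2201]: Failed password for admin from 203.0.113.4 port 51024 ssh2
Mar  3 10:00:03 web01 sshd[2201]: Failed password for root from 203.0.113.4 port 51025 ssh2
Mar  3 10:00:04 web01 sshd[2201]: Failed password for root from 203.0.113.4 port 51026 ssh2
Mar  3 10:00:04 web01 sshd[2201]: Failed password for root from 203.0.113.4 port 51027 ssh2
Mar  3 10:00:07 web01 sshd[2202]: Accepted publickey for deploy from 10.0.0.5 port 40022 ssh2
Mar  3 10:00:09 web01 httpd: 198.51.100.9 "GET /item.php?id=1' OR '1'='1 HTTP/1.1" 200
Mar  3 10:00:10 web01 httpd: 198.51.100.9 "GET /../../etc/passwd HTTP/1.1" 404
Mar  3 10:00:11 web01 httpd: 10.0.0.7 "GET /index.html HTTP/1.1" 200
Mar  3 10:01:30 web01 sshd[2203]: Failed password for root from 10.0.0.7 port 40100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
LOG_YEAR = 2024  # syslog timestamps carry no year; assumed for the example


def monitor(raw: str) -> list[dict]:
    """Data monitor: parse raw lines into records with the attributes the analyzer needs."""
    records = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that do not match the expected format are not trusted
        ip = IP_RE.search(m["msg"])
        records.append({
            "ts": datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "host": m["host"],
            "prog": m["prog"],
            "msg": m["msg"],
            "src": ip.group(1) if ip else None,  # first address named in the message
        })
    return records


# Misuse detection: a tiny "signature database" of known attack patterns (assumed).
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*OR\s*'?1'?\s*=\s*'?1", re.IGNORECASE),
    "path-traversal": re.compile(r"(\.\./){2,}"),
}


def misuse_detection(records: list[dict]) -> list[dict]:
    """Flag every record whose message matches a known signature."""
    alerts = []
    for r in records:
        for name, pattern in SIGNATURES.items():
            if pattern.search(r["msg"]):
                alerts.append({"ts": r["ts"], "type": "misuse", "src": r["src"],
                               "detail": f"signature {name}"})
    return alerts


# Anomaly detection: FAIL_THRESHOLD or more failed logins from one source within
# WINDOW_SECONDS is outside normal behaviour; a single failure is not.
FAILED_LOGIN_RE = re.compile(r"^Failed password for \S+ from ")
WINDOW_SECONDS = 60
FAIL_THRESHOLD = 5


def anomaly_detection(records: list[dict]) -> list[dict]:
    """Sliding-window count of failed logins per source; alert once per source."""
    alerts = []
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    flagged = set()
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if r["prog"] != "sshd" or not FAILED_LOGIN_RE.match(r["msg"]):
            continue
        q = recent[r["src"]]
        q.append(r["ts"])
        while (q[-1] - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= FAIL_THRESHOLD and r["src"] not in flagged:
            flagged.add(r["src"])
            alerts.append({"ts": r["ts"], "type": "anomaly", "src": r["src"],
                           "detail": f"{len(q)} failed logins within {WINDOW_SECONDS}s"})
    return alerts


def alerting(alerts: list[dict]) -> list[str]:
    """Alerting: turn alerts into notification lines. The transport (mail, push
    notification, pager) would hang off this function; here it just returns text."""
    return [f"{a['ts']:%Y-%m-%d %H:%M:%S} [{a['type']}] {a['detail']} from {a['src']}"
            for a in alerts]


def run_ids(raw: str) -> list[dict]:
    """Run the full pipeline and return the alerts in chronological order."""
    records = monitor(raw)
    alerts = misuse_detection(records) + anomaly_detection(records)
    alerts.sort(key=lambda a: a["ts"])
    return alerts


if __name__ == "__main__":
    for line in alerting(run_ids(SAMPLE_LOG)):
        print(line)
```

On the constructed input the pipeline raises three alerts: the brute-force anomaly fires on the fifth failure from 203.0.113.4 (at 10:00:04, before the burst is over), and the two web requests from 198.51.100.9 each match a signature. The single failed login from 10.0.0.7 stays below the threshold and produces nothing, which is the kind of false positive the threshold exists to avoid; in a real deployment the threshold and window are the knobs you tune.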

What are the disadvantages of an intrusion detection system?

While intrusion detection systems enhance security, they have drawbacks, as noted above. A host-based IDS is only as available as the host it runs on and can be taken down along with that host by a DoS or DDoS attack; a network-based IDS may struggle in large or fast networks and drop packets. Anomaly detection can produce false alarms depending on how it is configured, and signature-based detection misses attacks for which no signature exists yet. Finally, an IDS only detects; blocking an attack requires additional components such as a firewall or an intrusion prevention system.

Intrusion detection system and the example of Snort

One of the best-known and most widely used intrusion detection systems is Snort. The tool, originally developed by Martin Roesch in 1998, is cross-platform and open source, and it can also run inline as an intrusion prevention system that drops matching packets. The software itself is free of charge; the official rule sets come in a free tier and a paid subscription tier that receives new rules sooner.
