An Intrusion Detection System (IDS) is a system that monitors network traffic for suspicious activity and issues alerts when such activity is discovered. There are two main detection approaches, plus a hybrid that combines them:
- Signature-based detection (recognising known malicious patterns, such as malware)
- Anomaly-based detection (detecting deviations from a model of the correct behaviour)
- Hybrid detection (uses both signature-based and anomaly-based detection)
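To make the three approaches concrete, here is an added example (not code from the original article or from any real IDS product) that runs a signature rule set and an anomaly model over a constructed set of HTTP access-log style events. The signature patterns and the z-score threshold are assumptions for illustration; the event tuples are made up.

```python
import re
import statistics

# Constructed sample events (source_ip, request_path, bytes_sent); not real traffic.
SAMPLE_EVENTS = [
    ("10.0.0.5", "/index.html", 1200),
    ("10.0.0.5", "/about.html", 900),
    ("10.0.0.7", "/login", 300),
    ("10.0.0.7", "/index.html", 1100),
    ("10.0.0.9", "/search?q=' OR '1'='1", 400),   # matches a signature below
    ("10.0.0.5", "/index.html", 1150),
    ("10.0.0.9", "/download", 95000),              # far outside the learned baseline
]

# The first four events are treated as known-good traffic for training the anomaly model.
BASELINE_EVENTS = SAMPLE_EVENTS[:4]

# Signature-based detection: hypothetical rules for known bad request patterns.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}


def signature_alerts(events):
    """Return (source_ip, rule_name) for every event matching a known signature."""
    alerts = []
    for src, path, _ in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((src, name))
    return alerts


def train_baseline(events):
    """Anomaly model: mean and standard deviation of bytes_sent over known-good events."""
    sizes = [size for _, _, size in events]
    return statistics.mean(sizes), statistics.pstdev(sizes)


def anomaly_alerts(events, baseline, z_threshold=3.0):
    """Flag events whose bytes_sent deviates from the baseline by more than z_threshold."""
    mean, std = baseline
    alerts = []
    for src, _path, size in events:
        z = (size - mean) / std if std else 0.0
        if abs(z) > z_threshold:
            alerts.append((src, "bytes-zscore", round(z, 1)))
    return alerts


def hybrid_alerts(events, baseline):
    """Hybrid detection: run both detectors and report their findings side by side."""
    return {
        "signature": signature_alerts(events),
        "anomaly": anomaly_alerts(events, baseline),
    }


if __name__ == "__main__":
    result = hybrid_alerts(SAMPLE_EVENTS, train_baseline(BASELINE_EVENTS))
    for kind, alerts in result.items():
        print(kind, alerts)
```

Note that neither detector alone finds both events: the injection attempt has an ordinary response size and is caught only by the signature, while the oversized download matches no signature and is caught only by the anomaly model. That complementarity is the argument for hybrid detection, and also why anomaly models must be trained on traffic that is actually clean.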
IDS are classified into 5 types:
Network Intrusion Detection System (NIDS)
Network Intrusion Detection Systems (NIDS) are the most common IDS. A network-based IDS solution is designed to monitor an entire protected network. It has visibility into all traffic flowing through the network and makes decisions based on packet metadata and content. This broader view provides more context and the ability to detect widespread threats; however, these systems lack visibility into the internals of the endpoints they protect.
When a NIDS is positioned upstream of a firewall (Fig 1), it sees all inbound traffic and can generate alerts that the firewall can then use to filter the network.
Fig 1: Placement of a NIDS upstream of a firewall (copyright Wikipedia).
Placed downstream of the firewall (Fig 2), the NIDS produces fewer false positives, because the traffic it analyses has already been filtered by the firewall.
Fig 2: Placement of a NIDS downstream of a firewall (copyright Wikipedia).
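The effect of the two placements can be shown with a small simulation. This is an added example, not code from the article or from any IDS product: a stateless firewall policy and a simple port-scan rule are both assumptions, and the packet records are constructed.

```python
# Constructed packet records (src_ip, dst_port, tcp_flags); not a real capture.
TRAFFIC = [
    ("203.0.113.10", 22, "S"), ("203.0.113.10", 23, "S"), ("203.0.113.10", 25, "S"),
    ("203.0.113.10", 80, "S"), ("203.0.113.10", 443, "S"), ("203.0.113.10", 3389, "S"),
    ("198.51.100.4", 443, "S"), ("198.51.100.4", 443, "A"),
    ("198.51.100.7", 80, "S"),
]

# Assumed firewall policy: only these destination ports are allowed inbound.
FIREWALL_ALLOWED_PORTS = {80, 443}


def firewall(packets):
    """Stateless filter: a packet passes only if its destination port is allowed."""
    return [p for p in packets if p[1] in FIREWALL_ALLOWED_PORTS]


def nids(packets, scan_threshold=4):
    """Hypothetical NIDS rule: one source sending SYNs to >= scan_threshold
    distinct ports is reported as a port scan."""
    ports_by_src = {}
    for src, port, flags in packets:
        if flags == "S":
            ports_by_src.setdefault(src, set()).add(port)
    return [
        (src, "port-scan", len(ports))
        for src, ports in sorted(ports_by_src.items())
        if len(ports) >= scan_threshold
    ]


def compare_placements(packets):
    """Alerts produced when the NIDS sees raw traffic (upstream of the firewall)
    versus traffic that already passed the firewall (downstream)."""
    return {"upstream": nids(packets), "downstream": nids(firewall(packets))}


if __name__ == "__main__":
    for placement, alerts in compare_placements(TRAFFIC).items():
        print(placement, alerts)
```

Upstream, the sensor reports the scanning source because it sees the probes to ports 22, 23, 25 and 3389, which is exactly the information a firewall could act on. Downstream, the firewall has already dropped those probes, so the same source touches only two allowed ports and no alert is raised: the downstream sensor is quieter, but it is blind to what the firewall blocked.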
Host Intrusion Detection System (HIDS)
Host Intrusion Detection Systems (HIDS) run on individual hosts or devices on the network. A HIDS monitors only the packets entering and leaving that device and alerts the administrator if suspicious or malicious activity is detected. It also takes a snapshot of existing system files and compares it with the previous snapshot; if files in the monitored set have been modified or deleted, an alert is sent to the administrator for investigation.
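The file-snapshot comparison described above is essentially file-integrity monitoring. The following added example (not from the article or any HIDS product) hashes every file under a directory, then compares two snapshots and reports modified, deleted and added files. The `demo()` function builds a throwaway directory tree with constructed contents so the check runs offline; the file names in it are placeholders, not real system files.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root (POSIX-style relative path) to its SHA-256 digest."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            result[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result


def diff_snapshots(old, new):
    """Compare two snapshots; each list is sorted so the report is deterministic."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "deleted": sorted(p for p in old if p not in new),
        "added": sorted(p for p in new if p not in old),
    }


def demo():
    """Constructed scenario: take a snapshot, change the tree, snapshot again, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF-placeholder")
        before = snapshot(root)

        # Simulated changes between snapshots: one edit, one deletion, one new file.
        (root / "etc" / "passwd").write_text("root:x:0:0\nextra:x:1001:1001\n")
        (root / "etc" / "hosts").unlink()
        (root / "bin" / "unexpected").write_bytes(b"new-binary-placeholder")
        after = snapshot(root)

        return diff_snapshots(before, after)


if __name__ == "__main__":
    for change, files in demo().items():
        print(change, files)
```

A real deployment would persist the baseline snapshot somewhere the monitored host cannot silently rewrite it, and would also record ownership and permission bits, since a change in mode can matter as much as a change in content.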
Protocol-based Intrusion Detection System (PIDS)
A protocol-based intrusion detection system (PIDS) consists of a system or agent that resides permanently at the front end of a server, monitoring and interpreting the protocol exchanged between a user or device and the server.
Application Protocol-based Intrusion Detection System (APIDS)
An Application Protocol-based Intrusion Detection System (APIDS) is a system or agent that typically resides within a group of servers. It identifies intrusions by monitoring and interpreting communication over application-specific protocols.
Hybrid Intrusion Detection System
A hybrid intrusion detection system combines two or more of the above approaches. Host agent or system data is combined with network information to build a complete view of the network and its systems.
Comparison between IDS and firewalls
IDSs and firewalls both belong to network security, but an IDS differs from a firewall in that a firewall looks outward for intrusions in order to prevent them from occurring. Firewalls restrict access between networks to prevent intrusions, and an attack that originates inside the network is not reported. An IDS, by contrast, describes a suspected intrusion once it has occurred and then raises an alarm.
Top 10 Intrusion Detection Systems (IDS) [Ranking 2022]
- SolarWinds Security Event Manager
- Security Onion
- Open WIPS-NG
- McAfee Network Security Platform
- Palo Alto Networks
An IDS is a valuable part of any organization's cybersecurity deployment. A simple firewall provides the foundation for network security, but many advanced threats can bypass it. An IDS adds an extra line of defense, making it more difficult for an attacker to gain access to an organization's network without being detected.