What is an Intrusion Detection System (IDS)?


Intrusion Detection Systems (IDSs) are designed to analyze network data or host activity in real time, and to identify and respond to unauthorized activities when they are detected.

Intrusion detection systems come in different flavors and detect suspicious activities using different methods, including the following:


  • Network-based Intrusion Detection - This type of IDS monitors the flow of data packets on a network and identifies packets that have slipped through the firewall. Packets are compared against databases of known attack signatures, and the communication is blocked if a match is found. Network-based IDS has a couple of shortcomings. Firstly, an IDS can only monitor one segment of a network, raising the possibility that unauthorized traffic may be missed by the system. To avoid this problem, network-based IDSs are typically placed at the point of entry to a network, such as just inside or just outside the firewall. A second problem is that an IDS is only as good as the signature database on which it relies. Unfortunately, not all threats can be identified by a specific signature, leading to the possibility of attacks being missed.

  • Host-based Intrusion Detection - Host-based intrusion detection involves running agents on all servers on a network. The agents gather usage and performance data such as disk and file access, CPU utilization and user activities. This data is transferred to the IDS, where it is gathered and analyzed to identify activity patterns that are known to be associated with unauthorized activity. Such systems can also detect when activity deviates considerably from the normal baseline activity levels. When a problem is detected, an administrator is alerted so that it may be investigated. Host-based IDSs work well on small networks but generally have difficulty scaling up to larger enterprises.

  • Signature-based intrusion detection systems monitor all the packets traversing the network and compare them against a database of signatures or attributes of known malicious threats, much like antivirus software.

  • Anomaly-based intrusion detection systems monitor network traffic and compare it against an established baseline that defines what is considered normal for the network with respect to bandwidth, protocols, ports and other devices. This type of IDS alerts administrators to potentially malicious activity.
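
The contrast between the signature-based and anomaly-based methods in the list above, as an added example that is not part of the original tutorial. The signature patterns, traffic records, field names and the three-standard-deviation threshold are all constructed assumptions chosen for illustration.

```python
import statistics

# Constructed signature database: name -> byte pattern (illustrative only).
SIGNATURES = {
    "path-traversal": b"../../",
    "sql-union": b"union select",
}

def signature_match(event):
    """Return the names of known signatures found in the payload."""
    payload = event["payload"].lower()
    return [name for name, pat in SIGNATURES.items() if pat in payload]

def build_baseline(events):
    """Learn normal (proto, port) pairs and their byte-count statistics."""
    sizes = {}
    for e in events:
        sizes.setdefault((e["proto"], e["port"]), []).append(e["bytes"])
    return {k: (statistics.mean(v), statistics.pstdev(v)) for k, v in sizes.items()}

def anomaly_reasons(event, baseline, k=3.0):
    """Return the reasons an event deviates from the learned baseline."""
    key = (event["proto"], event["port"])
    if key not in baseline:
        return ["unseen protocol/port %s/%d" % key]
    mean, std = baseline[key]
    if event["bytes"] > mean + k * max(std, 1.0):
        return ["byte count %d far above baseline mean %.0f" % (event["bytes"], mean)]
    return []

def inspect(event, baseline):
    """Run both detection methods on one event."""
    return {"signature": signature_match(event), "anomaly": anomaly_reasons(event, baseline)}

# Constructed training traffic representing normal activity.
NORMAL = [{"proto": "tcp", "port": 443, "bytes": b, "payload": b"GET /index.html"}
          for b in (480, 510, 495, 520, 505)]
BASELINE = build_baseline(NORMAL)

# Constructed events to inspect.
KNOWN_BAD = {"proto": "tcp", "port": 443, "bytes": 500, "payload": b"GET /a?id=1 UNION SELECT x"}
NOVEL = {"proto": "tcp", "port": 443, "bytes": 250000, "payload": b"POST /upload"}
ODD_PORT = {"proto": "udp", "port": 4444, "bytes": 90, "payload": b"\x00\x01"}
BENIGN = {"proto": "tcp", "port": 443, "bytes": 515, "payload": b"GET /about.html"}

if __name__ == "__main__":
    for name, ev in [("known_bad", KNOWN_BAD), ("novel", NOVEL), ("odd_port", ODD_PORT), ("benign", BENIGN)]:
        print(name, inspect(ev, BASELINE))
```

The event with no matching signature is caught only by the baseline comparison, and the event that matches a signature looks normal by volume and port, which is why the two methods are usually deployed together.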


Historically, intrusion detection systems were categorized as passive or active. A passive IDS that detected malicious activity would generate alerts or log entries, but would take no action. An active IDS, sometimes called an intrusion detection and prevention system, would generate alerts and log entries, but could also be configured to take actions, like blocking IP addresses or shutting down access to restricted resources.

Intrusion detection systems offer organizations a number of benefits, starting with the ability to identify security incidents. An IDS can be used to help analyze the quantity and types of attacks, and organizations can use this information to change their security systems or implement more effective controls.

An intrusion prevention system (IPS) is similar to an intrusion detection system, but differs in that an IPS can be configured to block potential threats. Like intrusion detection systems, an IPS can be used to monitor, log and report activities, but it can also be configured to stop threats without the involvement of a system administrator. However, organizations should be careful with IPSes because they can also deny legitimate traffic if not tuned accurately.
