What is an intrusion detection system (IDS)?
Modern intrusion detection systems complement traditional firewalls effectively. They continuously analyse and monitor systems and entire networks in real-time, identifying potential threats and promptly notifying administrators. The actual defense against attacks is subsequently executed using additional software.
What’s behind an IDS (intrusion detection system)?
While modern computer and network security systems are advanced, cyberattacks are also growing cleverer. To protect sensitive infrastructure effectively, consider using multiple security measures. In this context, an intrusion detection system (IDS) is a first-class complement to the firewall. An IDS excels at early detection of attacks and potential threats, instantly alerting administrators who can then take swift defensive actions. Importantly, an intrusion detection system can also identify attacks that may have breached the firewall’s defenses.
Unlike an intrusion prevention system, for example, an IDS does not defend against attacks itself. Instead, the intrusion detection system analyses all activity on a network and matches it against specific patterns. When unusual activities are detected, the system alerts the user and provides detailed information about the attack’s origin and nature.
For more information on the differences between intrusion detection and intrusion prevention systems, see our separate article on this topic.
What types of intrusion detection systems are there?
Intrusion detection systems are categorised into three types: host-based (HIDS), network-based (NIDS), and hybrid systems that combine HIDS and NIDS principles.
HIDS: Host-based intrusion detection systems
The host-based intrusion detection system is the oldest form of security system. Here, the IDS is installed directly on the system it protects. It analyses data at both the log and kernel levels and examines other system files as well. To accommodate standalone workstations, the host-based intrusion detection system relies on monitoring agents that pre-filter traffic and send their findings to a central server. While highly accurate and comprehensive, it can be vulnerable to attacks such as DoS and DDoS. Furthermore, it is dependent on the specific operating system.
NIDS: Network-based intrusion detection systems
A network-based intrusion detection system examines data packets exchanged within a network, promptly identifying unusual or abnormal patterns for reporting. However, handling a large volume of data can be challenging, potentially overwhelming the intrusion detection system and hindering seamless monitoring.
Hybrid intrusion detection systems
Today, many vendors opt for hybrid intrusion detection systems that integrate both approaches. These systems consist of host-based sensors, network-based sensors, and a central management layer where results converge for in-depth analysis and control.
Purpose and advantages of an IDS
An intrusion detection system should never be considered or used as a replacement for a firewall. Instead, it’s a first-class supplement that, in conjunction with the firewall, identifies threats more effectively. Since the intrusion detection system can analyse even the highest layer of the OSI model, it’s capable of uncovering new and previously unknown sources of danger, even if the firewall’s defenses have been breached.
How an intrusion detection system works
The hybrid model is the most prevalent type of intrusion detection system, employing both host- and network-based approaches. The information gathered is assessed in the central management system, which is made up of three distinct components.
Data monitor
The data monitor collects all pertinent data via sensors and filters it based on its relevance. This encompasses data from the host side, including log files and system details, as well as data packets transmitted over the network. Among other things, the IDS gathers and organises source and destination addresses and other critical attributes. A crucial requirement is that the collected data originates from a trustworthy source or directly from the intrusion detection system to ensure data integrity and prevent prior manipulation.
Analyzer
The second component of the intrusion detection system is the analyzer, responsible for assessing all received and pre-filtered data using various patterns. This evaluation is conducted in real-time, which can be particularly demanding on the CPU and main memory. Adequate capacities are essential for a swift and accurate analysis. The analyzer employs two distinct methods for this purpose:
- Misuse Detection: In misuse detection, the analyzer scrutinises the incoming data for recognised attack patterns stored in a dedicated database, which is regularly updated. When an attack aligns with a previously recorded signature, it can be identified at an early stage. However, this method is ineffective for detecting attacks that are not yet known to the system.
- Anomaly Detection: Anomaly detection involves assessing the entire system. When one or more processes deviate from the established norms, such anomalies are flagged. For instance, if the CPU load surpasses a specified threshold or if there is an unusual spike in page accesses, it triggers an alert. The intrusion detection system can also analyse the chronological order of various events to identify unknown attack patterns. However, it’s important to note that in some cases, harmless anomalies may also be reported.
Typical anomalies that a good IDS detects include increased traffic and increased access to login and authentication mechanisms. This makes the security technology a first-class solution against brute force attacks. To increase the hit rate, many modern intrusion detection systems use AI for anomaly detection.
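The two analyzer methods described above, as an added Python example that is not from the original article: a small signature database for misuse detection, and a sliding-window count of authentication failures per source for anomaly detection of brute-force logins, both run over constructed log events. The signatures, addresses, window and threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque

# Signature database for misuse detection (constructed for this example; a real
# IDS ships a far larger, regularly updated one).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "cmd-in-query": re.compile(r"[?&](cmd|exec)="),
}
AUTH_FAILURE = re.compile(r"Failed password for \S+")

# Constructed sample events as (unix seconds, source address, message), time-ordered.
SAMPLE_EVENTS = (
    [(100 + i, "198.51.100.7", "Failed password for root") for i in range(6)]
    + [(120 + i, "203.0.113.4", "Failed password for alice") for i in range(3)]
    + [(130, "203.0.113.4", "Accepted password for alice"),
       (140, "192.0.2.9", "GET /static/../../etc/passwd HTTP/1.1")]
    + [(200 + i, "203.0.113.4", "Failed password for alice") for i in range(3)]
    + [(210, "192.0.2.9", "GET /admin.php?cmd=id HTTP/1.1")]
)

def misuse_detect(events):
    """Misuse detection: match each event against the known signatures."""
    return [("misuse", ts, src, name)
            for ts, src, msg in events
            for name, pat in SIGNATURES.items() if pat.search(msg)]

def anomaly_detect(events, window=60, threshold=5):
    """Anomaly detection: flag a source whose authentication failures inside a
    sliding window of `window` seconds exceed `threshold` (brute-force pattern).
    Each source is reported once, when it first crosses the threshold."""
    recent = defaultdict(deque)  # src -> timestamps of failures still in window
    flagged, alerts = set(), []
    for ts, src, msg in events:
        if not AUTH_FAILURE.search(msg):
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that have aged out of the window
            q.popleft()
        if len(q) > threshold and src not in flagged:
            flagged.add(src)
            alerts.append(("anomaly", ts, src, f"{len(q)} auth failures in {window}s"))
    return alerts

def analyze(events):
    """Combine both methods, time-ordered, for the alerting component."""
    return sorted(misuse_detect(events) + anomaly_detect(events), key=lambda a: a[1])
```

The three failures from 203.0.113.4 at 120 s and again at 200 s never exceed the threshold within one window, so only the sustained burst from 198.51.100.7 is reported.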
Alerting
The third and final component of the intrusion detection system is the actual alerting. If an attack, or at least an anomaly, is detected, the system informs the administrator. This notification can be sent by email, raised as a local alarm, or delivered as a message to a smartphone or tablet.
What are the disadvantages of an intrusion detection system?
While intrusion detection systems enhance security, they are not without drawbacks, as mentioned earlier. Host-based IDSs can be vulnerable to DDoS attacks, and network-based systems may struggle in larger network setups, potentially missing data packets. Anomaly detection, depending on the configuration, can trigger false alarms. Moreover, all IDSs are solely designed for threat detection, requiring additional software for effective attack defense.
Intrusion detection system and the example of Snort
One of the best known and most popular intrusion detection systems is Snort. The security tool, developed by Martin Roesch back in 1998, is not only cross-platform and open-source, but also provides users with extensive prevention measures as an intrusion prevention system. The program is available free of charge, and also in a paid version that, for example, receives updates more quickly.