What is an intrusion detection system (IDS)?

IONOS editorial team06/11/20245 mins

Modern intrusion detection systems complement traditional firewalls effectively. They continuously analyse and monitor systems and entire networks in real-time, identifying potential threats and promptly notifying administrators. The actual defense against attacks is subsequently executed using additional software.

What’s behind an IDS (intrusion detection system)?

While modern computer and network security systems are advanced, cyberattacks are also growing cleverer. To protect sensitive infrastructure effectively, consider using multiple security measures. In this context, an intrusion detection system (IDS) is a first-class complement to the firewall. An IDS excels at early detection of attacks and potential threats, instantly alerting administrators who can then take swift defensive actions. Importantly, an intrusion detection system can also identify attacks that may have breached the firewall’s defenses.

Unlike an intrusion prevention system, for example, an IDS does not defend against attacks itself. Instead, the intrusion detection system analyses all activity on a network and matches it against specific patterns. When unusual activities are detected, the system alerts the user and provides detailed information about the attack’s origin and nature.

Tip

For more information on the differences between intrusion detection and intrusion prevention systems, see our separate article on this topic.

What types of intrusion detection systems are there?

Intrusion detection systems are categorised into three types: host-based (HIDS), network-based (NIDS), or hybrid systems that combine HIDS and NIDS principles.

HIDS: Host-based intrusion detection systems

The host-based intrusion detection system is the oldest form of security system. Here, the IDS is installed directly on the corresponding system. It analyses data at both the log and kernel levels, examining other system files as well. To accommodate the use of standalone workstations, the host-based intrusion detection system relies on monitoring agents, that pre-filter traffic and send findings to a central server. While highly accurate and comprehensive, it can be vulnerable to attacks like DoS and DDoS. Furthermore, it is dependent on the specific operating system.

NIDS: Network-based intrusion detection systems

A network-based intrusion detection system examines data packets exchanged within a network, promptly identifying unusual or abnormal patterns for reporting. However, handling a large volume of data can be challenging, potentially overwhelming the intrusion detection system and hindering seamless monitoring.

Hybrid intrusion detection systems

Today, many vendors opt for hybrid intrusion detection systems that integrate both approaches. These systems consist of host-based sensors, network-based sensors, and a central management layer where results converge for in-depth analysis and control.

Purpose and advantages of an IDS

An intrusion detection system should never be considered or used as a replacement for a firewall. Instead, it’s a first-class supplement that, in conjunction with the firewall, identifies threats more effective. Since the intrusion detection system can analyse even the highest layer of the OSI model, it’s capable of uncovering new and previously unknown sources of danger, even if the firewall’s defenses have been breached.

MyDefender

Safeguard your data with easy cyber security

Protection against ransomware attacks
Regular virus scans
Automatic backups and simple file recovery

How an intrusion detection system works

The hybrid model is the most prevalent type of intrusion detection system, employing both host and network-based approaches. Information gathered is assessed in the central management system, utilising three distinct components.

Data monitor

The data monitor collects all pertinent data via sensors and filters it based on its relevance. This encompasses data from the host side, including log files and system details, as well as data packets transmitted over the network. Among other things, the IDS gathers and organises source and destination addresses and other critical attributes. A crucial requirement is that the collected data originates from a trustworthy source or directly from the intrusion detection system to ensure data integrity and prevent prior manipulation.

Analyzer

The second component of the intrusion detection system is the analyzer, responsible for assessing all received and pre-filtered data using various patterns. This evaluation is conducted in real-time, which can be particularly demanding on the CPU and main memory. Adequate capacities are essential for a swift and accurate analysis. The analyzer employs two distinct methods for this purpose:

Misuse Detection: In misuse detection, the analyzer scrutinises the incoming data for recognised attack patterns stored in a dedicated database, which is regularly updated. When an attack aligns with a previously recorded signature, it can be identified at an early stage. However, this method is ineffective for detecting attacks that are not yet known to the system.
Anomaly Detection: Anomaly detection involves assessing the entire system. When one or more processes deviate from the established norms, such anomalies are flagged. For instance, if the CPU load surpasses a specified threshold or if there is an unusual spike in page accesses, it triggers an alert. The intrusion detection system can also analyse the chronological order of various events to identify unknown attack patterns. However, it’s important to note that in some cases, harmless anomalies may also be reported.

Note

Typical anomalies that a good IDS detects include increased traffic and increased access to login and authentication mechanisms. This makes the security technology a first-class solution against brute force attacks. To increase the hit rate, many modern intrusion detection systems use AI for anomaly detection.

Alerting

The third and final component of the intrusion detection system is the actual alerting. If an attack or at least anomalies are detected, the system informs the administrator. This notification can be made by email, via a local alarm or via a message on the smartphone or tablet.

What are the disadvantages of an intrusion detection system?

While intrusion detection systems enhance security, they are not without drawbacks, as mentioned earlier. Host-based IDSs can be vulnerable to DDoS attacks, and network-based systems may struggle in larger network setups, potentially missing data packets. Anomaly detection, depending on the configuration, can trigger false alarms. Moreover, all IDSs are solely designed for threat detection, requiring additional software for effective attack defense.

Intrusion detection system and the example of Snort

One of the best known and most popular intrusion detection systems is Snort. The security tool, developed by Martin Roesch back in 1998, is not only cross-platform and open-source, but also provides users with extensive prevention measures as an intrusion prevention system. The program is available free of charge and in a paid version for which, for example, updates are provided more quickly.

Was this article helpful?

What is a Cyberattack and how to prevent it?

Cyberattacks threaten individuals, companies, and public authorities alike. Criminals are always coming up with new techniques to cause as much damage as possible. The motives behind their actions vary from greed to political goals. So how can you protect yourself against…

Data Protection
Security
Encryption

Man-in-the-middle attack

A man-in-the-middle attack is a deceitful espionage attack which aims to listen, record, or manipulate sensitive data being sent between unsuspecting internet users. To do this, hackers rely on methods that enable them to position themselves, unnoticed, between two or more…

Security
Encryption

What are Trojans and how can you protect yourself from them?

Trojans disguise themselves as useful programs to get onto a computer or smartphone unnoticed. Once installed, a Trojan can perform malicious activities like collect data, steal passwords, or remotely control the device. Unlike viruses, Trojans don’t spread by themselves, but…

Security

What is skimming fraud and how to protect yourself

Skimming happens when criminals tamper with cash machines in order to read information from credit or debit cards that have been placed in them. Although there have been major improvements in security, this type of fraud poses a real danger when withdrawing money and making…