An intrusion detection system (IDS) monitors network traffic, host activity, or both, for signs of intrusion. When it detects suspicious or malicious activity it raises an alert, so that system administrators are notified of a possible attack and can investigate.
Early IDS products could only detect known attacks, matched against a library of signatures. Newer ones also flag previously unseen behavioural patterns that deviate from the normal profile of the network, which lets them catch attacks for which no signature exists yet, at the cost of more false positives that have to be tuned out.
An IDS is often described as the logical complement to a network firewall: the firewall enforces a policy on which traffic may pass, while the IDS watches for attacks in the traffic that was allowed through, and for attacks that originate inside the network.
Benefits of IDS
- Generates alerts and reports when malicious activity is detected
- Records changes to monitored data and configuration files caused by suspected intrusions (host-based file-integrity monitoring)
- Can block intruders when deployed inline; strictly speaking a sensor that blocks is an intrusion prevention system (IPS), while a passive IDS only alerts
- Records the types of attacks seen and their patterns, which helps in tuning security controls and planning better defences
3 Types of intrusion detection system
Host intrusion detection system
A host intrusion detection system (HIDS) was the earliest type of IDS developed. HIDS agents are installed on individual hosts in the network.
The agent inspects what happens on that host: the packets it sends and receives, but also its log files, process activity and the integrity of critical files. Analysis can be done locally or by forwarding events to a central management machine.
Because it sees authentication events on the host itself, a HIDS can track an unauthorized user who has already logged in successfully, something a network sensor cannot see once the session is encrypted.
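As an added example that is not part of the original article, and not the code of any HIDS product, the following Python script performs two checks of the kind a HIDS agent runs on its host: a file-integrity baseline over monitored files (a signature-style check for unexpected rewrites), and a scan of sshd-style log lines for a source address that logs in successfully after repeated failures (an anomaly-style check). The log lines, file names and the threshold of three failures are constructed for the example; the message wording follows OpenSSH's sshd.

```python
"""Minimal host-based checks: file-integrity baseline and auth-log analysis.
Added example; not taken from the original article or any IDS product."""
import hashlib
import os
import re
import tempfile
from collections import defaultdict


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record a SHA-256 per monitored file while the host is known-good."""
    return {p: sha256_of(p) for p in paths}


def check_integrity(baseline):
    """Return (path, reason) for files that changed or vanished since the baseline."""
    findings = []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
        elif sha256_of(path) != digest:
            findings.append((path, "modified"))
    return findings


# sshd-style log lines, constructed for this example (not real logs)
AUTH_LOG = """\
Jan 12 10:01:02 host sshd[4411]: Failed password for invalid user admin from 203.0.113.7 port 50231 ssh2
Jan 12 10:01:05 host sshd[4411]: Failed password for invalid user admin from 203.0.113.7 port 50232 ssh2
Jan 12 10:01:09 host sshd[4411]: Failed password for root from 203.0.113.7 port 50233 ssh2
Jan 12 10:01:13 host sshd[4411]: Failed password for root from 203.0.113.7 port 50234 ssh2
Jan 12 10:01:20 host sshd[4411]: Accepted password for root from 203.0.113.7 port 50235 ssh2
Jan 12 10:02:00 host sshd[4412]: Accepted publickey for alice from 192.0.2.10 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def detect_bruteforce_success(log_text, threshold=3):
    """Flag a source IP that logs in successfully after >= threshold failures.
    Counting per IP rather than per user catches attackers that rotate usernames."""
    failures = defaultdict(int)
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold:
            alerts.append({"ip": ip, "user": m["user"], "failures_before": failures[ip]})
            failures[ip] = 0  # one burst of failures yields one alert
    return alerts


def demo():
    """Baseline a config file, tamper with it, and run both checks."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "sshd_config")  # hypothetical monitored file
        with open(cfg, "w") as f:
            f.write("PermitRootLogin no\n")
        baseline = build_baseline([cfg])
        with open(cfg, "w") as f:
            f.write("PermitRootLogin yes\n")  # the kind of edit an intruder makes
        changed = check_integrity(baseline)
    return changed, detect_bruteforce_success(AUTH_LOG)


if __name__ == "__main__":
    print(demo())
```

Note that the integrity check is only as good as the baseline: it must be taken on a clean host and stored somewhere the intruder cannot rewrite, otherwise an attacker who has modified a file can simply re-baseline it.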
Network intrusion detection system
A network intrusion detection system (NIDS) analyses traffic passing through the network. A sensor captures packets, typically with a packet sniffer fed from a mirror port or network tap, decodes them, and analyses the headers and payloads.
The packets are compared against a rule set describing known attack patterns, or against a baseline of normal traffic, to decide whether they are malicious or acceptable within the network.
The main benefit of a NIDS is that it can catch unauthorised users while they are still probing or attacking, before they manage to log on to a system. Snort is the most widely used open-source NIDS, and its rule language is the common reference point for writing network signatures.
Stack intrusion detection system
Stack-based IDS is the newest of the three and its functionality varies from vendor to vendor.
It integrates closely with the host's TCP/IP stack, so packets can be inspected as they are decoded layer by layer, rather than only as raw frames on the wire.
Watching packets before they are handed up to the application layer of the operating system also makes it possible to pull a packet out of the stack when it matches a suspicious behavioural pattern, which is where detection shades into prevention.
IDS operation modes
All types of intrusion detection system use one or both of the following detection methods:
Signature-based detection
This method compares observed events against a database of patterns known to be malicious: byte sequences in packets, known-bad file hashes, or specific log entries. It is precise for known attacks but blind to anything for which no signature exists.
- HIDS: matches log entries and file hashes against known indicators, and flags unexpected rewrites of logs and monitored files
- NIDS: matches packet headers and payload content against rules such as Snort signatures
Anomaly-based detection
This method first learns a baseline of normal behaviour and then reports anything that deviates from it. It can catch previously unknown attacks, but the baseline must be built on clean traffic and tuned to keep false positives manageable.
- HIDS: raises an anomaly on, for example, repeated failed login attempts for one account or from one source address.
- NIDS: establishes a profile of normal traffic (volumes, protocols, ports, rates per host) that all data must comply with; deviations from that profile are reported as anomalies.
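To show both detection methods working on network data, the following Python script, an added example that is not part of the original article and not Snort's own code, runs the two NIDS checks over a handful of constructed packet records: signature matching, using a small parser for a subset of Snort's rule syntax (action, protocol, addresses, ports and the `msg`, `content` and `sid` options), and anomaly detection, which compares per-source packet counts against a learned baseline. The packets, rules, rule sids and baseline counts are all constructed for the example.

```python
"""Signature- and anomaly-based checks over packet records, as a NIDS runs them.
Added example; not taken from the original article or from Snort."""
import re
import statistics
from collections import Counter

# Constructed packet records: (src, dst, dport, payload). A trivial stand-in
# for what a sniffer would hand to the detection engine.
PACKETS = [
    ("192.0.2.10", "10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: shop\r\n\r\n"),
    ("198.51.100.4", "10.0.0.5", 80, b"GET /cgi-bin/../../../../etc/passwd HTTP/1.0\r\n\r\n"),
    ("192.0.2.11", "10.0.0.5", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
] + [("203.0.113.9", "10.0.0.5", 22, b"SSH-2.0-scan\r\n")] * 40

# Subset of Snort rule syntax: action proto src sport -> dst dport (options)
# The sids are made up for this example.
RULES = [
    'alert tcp any any -> any 80 (msg:"Directory traversal attempt"; content:"/../"; sid:1000001;)',
    'alert tcp any any -> any 80 (msg:"passwd file request"; content:"/etc/passwd"; sid:1000002;)',
]

RULE_RE = re.compile(
    r"(?P<action>\w+)\s+(?P<proto>\w+)\s+\S+\s+\S+\s*->\s*\S+\s+(?P<dport>\w+)\s*\((?P<opts>.*)\)"
)


def parse_rule(text):
    """Parse the header and the msg/content/sid options of one rule."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("unsupported rule: " + text)
    opts = dict(kv.strip().split(":", 1) for kv in m["opts"].split(";") if kv.strip())
    dport = None if m["dport"] == "any" else int(m["dport"])
    return {
        "msg": opts["msg"].strip('"'),
        "content": opts["content"].strip('"').encode(),
        "sid": int(opts["sid"]),
        "dport": dport,
    }


def signature_alerts(packets, rules):
    """Signature mode: report packets whose payload contains known-bad content."""
    parsed = [parse_rule(r) for r in rules]
    alerts = []
    for src, dst, dport, payload in packets:
        for r in parsed:
            if (r["dport"] is None or r["dport"] == dport) and r["content"] in payload:
                alerts.append((r["sid"], src, r["msg"]))
    return alerts


# Per-source packet counts observed during a learning period on clean traffic
# (constructed values).
BASELINE = [3, 5, 4, 6, 2, 5, 4, 3]


def anomaly_alerts(packets, baseline_counts, k=3.0):
    """Anomaly mode: flag sources whose packet count exceeds mean + k*stdev
    of the per-source counts seen during the learning period."""
    limit = statistics.mean(baseline_counts) + k * statistics.pstdev(baseline_counts)
    counts = Counter(src for src, *_ in packets)
    return [(src, n) for src, n in counts.items() if n > limit]


if __name__ == "__main__":
    for a in signature_alerts(PACKETS, RULES):
        print("SIG ", a)
    for a in anomaly_alerts(PACKETS, BASELINE):
        print("ANOM", a)
```

The traversal request trips both signatures because it contains both byte patterns; a real engine would order and de-duplicate such hits. The scanning source is flagged only because the baseline was learned from quiet traffic: if the learning period had included a scan, the threshold would rise and the anomaly would be missed, which is the main operational weakness of anomaly-based detection.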