Intrusion Detection Systems
Image

An Intrusion Detection System (IDS) is a cybersecurity tool that monitors a network or system for malicious activity, policy violations, or other security breaches. If such activity is detected, the IDS can alert the system administrator or take predefined actions, such as logging the event or blocking access. IDS is categorized into two main types:

  1. Network-based Intrusion Detection System (NIDS): Monitors network traffic for suspicious activity. It examines data packets moving across the network, looking for patterns that indicate an attack, such as scanning, unauthorized access, or abnormal traffic flow.

  2. Host-based Intrusion Detection System (HIDS): Monitors activity on a single host or device. It tracks changes to critical files, system logs, and configurations, alerting administrators to any unauthorized activity on that specific host.

Key Functions 

  • Signature-based Detection: Identifies known threats by matching traffic patterns to a database of attack signatures. While it's effective against known threats, it cannot detect new or unknown attacks.

  • Anomaly-based Detection: Establishes a baseline of normal network behavior and then detects deviations from this baseline, which might indicate suspicious activity. This method can identify unknown threats but may also generate false positives.

Common IDS Examples:

  • Snort: A popular open-source NIDS, which can analyze network traffic in real time.
  • OSSEC: A host-based IDS that provides log analysis, file integrity checking, and alerting.

Differences between IDS and IPS:

  • Intrusion Detection System (IDS): Detects and alerts but doesn't take action to stop the attack.
  • Intrusion Prevention System (IPS): Detects and actively prevents or blocks the attack in real-time.