An Intrusion Detection System (IDS) is a technology that monitors and analyzes network traffic and system activity for suspicious or malicious behavior, such as unauthorized access attempts, atypical behavior, and unauthorized connection requests. An IDS generates an alert whenever it detects a probable intrusion. However, an IDS does not itself take any steps to stop or mitigate the intrusions it detects.
Let's explore how an IDS works, the detection techniques it uses, and how it compares with other security technologies.
An IDS is built from a few components, and data flows between them in a fixed order.
These are the crucial components of the Intrusion Detection System:
Sensors: Sensors are the data collectors of an IDS. They capture network traffic and system activity as packets, logs, and events and hand that data on for analysis. Sensors are either network-based, monitoring traffic on a network segment, or host-based, monitoring activity on an individual device or host.
Analyzers: The analyzers look for specific patterns in the data the sensors produce. They correlate multiple logs or packets for behavior analysis and pattern detection, matching them against known, predefined signatures. The analyzers also detect anomalies on the network or hosts, which can reveal new attack patterns that no signature describes yet.
Managers: The managers define how the sensors and analyzers operate and how data flows between them. They also define how alerts are generated and correlated, how configuration settings are managed, and how reports are produced.
An IDS workflow is the systematic flow of data between the components described above.
Data collection: The sensors deployed on hosts and on the network collect the data. A network-based IDS (NIDS) captures network packets, and a host-based IDS (HIDS) monitors activity on the host. Once collected, the data is passed on to the analyzers.
Data analysis: The analyzers examine the collected data, comparing it against known signatures and patterns and checking for deviations from normal behavior. Once a signature match or an abnormal behavior is identified, it is passed on to the alerting phase.
Alerting: The analyzers generate alerts for the detected malicious activity. Each alert contains information about the threat detected, its type, and its severity. Alerts may trigger other responses, such as sending notifications, logging the event as an incident, and in some deployments triggering a separate response tool.
Prioritizing the generated alerts is also important. Some alerts point to high-risk attacks and should be dealt with immediately, while others indicate minor threats. Low-priority alerts shouldn't be left unattended, but they can be handled after the high-priority ones have been resolved.
An IDS can use several different detection techniques. Some of the common ones are as follows:
Signature-based detection: This is sometimes called static detection. The observed pattern is compared against a database of known attack signatures to see whether it falls into a known category. If it matches, an alert is generated with a priority set according to that category. Signature-based detection is precise for known attacks but cannot detect an attack for which no signature exists yet.
Anomaly-based detection: This type performs behavior analysis on the collected data and flags activity that deviates from an established baseline of normal behavior. Such deviations may include attempts to misuse assigned privileges or to gain unauthorized privileges.
Heuristic-based detection: This type uses rules and scoring algorithms that judge how likely a behavior is to be malicious, rather than relying on exact signature matches, to identify malicious behavior on the network or the host.
Note that these techniques, especially the dynamic ones (anomaly- and heuristic-based), can produce many false positives, so they must be reviewed and tuned to keep false positives to a minimum. Combining different detection techniques helps minimize false positives, reduces the chance that an attacker bypasses detection, and improves the odds of detecting zero-day attacks. It also yields a more comprehensive analysis of network and system security.
An Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) are often confused. However, the two are fairly different.
| Property | IDS | IPS |
| --- | --- | --- |
| Purpose | Monitors the network and hosts and generates alerts when suspicious activity is detected. | Monitors the network and hosts for threats and also takes action to prevent damage from the attack. |
| Deployment | Deployed out of band (for example, fed from a mirror port or a network tap), so it has minimal impact on network performance; it does not sit in the traffic path and blocks nothing. | Deployed inline in the traffic path so that it can block malicious traffic, which adds latency and can affect network performance. |
| Response | No built-in response capabilities. It can alert an attached response mechanism to take action. | Built-in response capabilities. It actively blocks malicious traffic and activities. |
| Mode | Passive monitoring and alerting | Active threat prevention |
Considering the purpose and performance characteristics of an IDS and an IPS, we can decide which tools and techniques our monitoring system needs. Because an IPS acts on its detections, a false positive there blocks legitimate traffic rather than merely raising a spurious alert, so tuning matters even more for an IPS. Some organizations also use hybrid solutions that offer both IDS and IPS capabilities.
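As an added example (not code from the original article), the following Python script runs the IDS workflow described above end to end on a handful of constructed log lines: a sensor stage that parses raw lines into events, an analyzer stage that applies signature-based detection (regexes for known attack strings) and anomaly-based detection (a per-source distinct-port threshold as a port-scan indicator), and an alerting stage that prioritizes by severity. It also includes an `ips_enforce` function to make the IDS/IPS distinction concrete: the IDS stops at the prioritized alert list, whereas an inline IPS would use the same alerts to drop traffic. The log format, the signatures, the severity scale, and the port threshold are all assumptions made for this example, not a real product's rule set.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sensor output for this example (not real traffic). One event per line:
#   <timestamp> src=<source ip> dport=<destination port> req=<request line or flag>
SAMPLE_LOG = """\
2024-05-01T10:00:01 src=10.0.0.5 dport=443 req=GET /index.html
2024-05-01T10:00:02 src=10.0.0.5 dport=443 req=GET /about.html
2024-05-01T10:00:03 src=10.0.0.9 dport=443 req=GET /search?q=' OR 1=1 --
2024-05-01T10:00:04 src=10.0.0.9 dport=443 req=GET /files?name=../../etc/passwd
2024-05-01T10:00:05 src=10.0.0.7 dport=22 req=SYN
2024-05-01T10:00:05 src=10.0.0.7 dport=23 req=SYN
2024-05-01T10:00:05 src=10.0.0.7 dport=80 req=SYN
2024-05-01T10:00:05 src=10.0.0.7 dport=443 req=SYN
2024-05-01T10:00:05 src=10.0.0.7 dport=3389 req=SYN
2024-05-01T10:00:05 src=10.0.0.7 dport=8080 req=SYN
2024-05-01T10:00:06 src=10.0.0.5 dport=443 req=GET /contact.html
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) req=(?P<req>.*)$")

HIGH, MEDIUM, LOW = 3, 2, 1  # severity scale assumed for this example


@dataclass(frozen=True)
class Event:
    ts: str
    src: str
    dport: int
    req: str


@dataclass(frozen=True)
class Alert:
    severity: int
    kind: str
    src: str
    detail: str


# Signature-based detection: (severity, name, pattern) for known attack strings.
# Illustrative patterns only; a real rule set is far larger and more precise.
SIGNATURES = [
    (HIGH, "sqli", re.compile(r"(?i)(['\"]|%27)\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select")),
    (HIGH, "path_traversal", re.compile(r"(?i)(\.\./|%2e%2e%2f)")),
    (LOW, "admin_probe", re.compile(r"(?i)/(wp-admin|phpmyadmin)\b")),
]

# Anomaly-based detection: one source touching more than this many distinct
# destination ports in the window is treated as a port scan. Assumed threshold;
# in practice it is tuned against a baseline of normal traffic.
PORT_SCAN_THRESHOLD = 5


def collect(log_text: str) -> list[Event]:
    """Sensor stage: parse raw lines into structured events, skipping malformed ones."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(m["ts"], m["src"], int(m["dport"]), m["req"]))
    return events


def signature_scan(events: list[Event]) -> list[Alert]:
    """Analyzer stage, static part: match each event against the known signatures."""
    return [Alert(sev, kind, e.src, e.req)
            for e in events for sev, kind, pat in SIGNATURES if pat.search(e.req)]


def anomaly_scan(events: list[Event]) -> list[Alert]:
    """Analyzer stage, dynamic part: flag sources whose port fan-out exceeds the threshold."""
    ports = defaultdict(set)
    for e in events:
        ports[e.src].add(e.dport)
    return [Alert(MEDIUM, "port_scan", src, f"{len(p)} distinct ports")
            for src, p in ports.items() if len(p) > PORT_SCAN_THRESHOLD]


def prioritize(alerts: list[Alert]) -> list[Alert]:
    """Alerting stage: highest severity first so analysts see high-risk hits at the top."""
    return sorted(alerts, key=lambda a: (-a.severity, a.src, a.kind))


def run_ids(log_text: str) -> list[Alert]:
    """Full IDS workflow: collect -> analyze -> prioritized alerts. Nothing is blocked."""
    events = collect(log_text)
    return prioritize(signature_scan(events) + anomaly_scan(events))


def ips_enforce(events: list[Event], alerts: list[Alert], block_at: int = HIGH) -> list[Event]:
    """IPS contrast: an inline device drops traffic from sources with alerts at or above
    block_at and forwards the rest. An IDS never performs this step."""
    blocked = {a.src for a in alerts if a.severity >= block_at}
    return [e for e in events if e.src not in blocked]


if __name__ == "__main__":
    alerts = run_ids(SAMPLE_LOG)
    for a in alerts:
        print(f"sev={a.severity} {a.kind:15} src={a.src} {a.detail}")
    forwarded = ips_enforce(collect(SAMPLE_LOG), alerts)
    print(f"IPS would forward {len(forwarded)} of {len(collect(SAMPLE_LOG))} events")
```

Run it directly and it prints the two high-severity signature hits from 10.0.0.9 first, then the medium port-scan anomaly from 10.0.0.7; the IPS step would forward 9 of the 11 events. The false-positive problem from the detection-techniques section is visible here too: the `sqli` regex would also fire on a legitimate search for the literal text `' or 1=1`, which is exactly the kind of rule that needs tuning, and in IPS mode that tuning decides whether a real user gets blocked.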
To test your comprehension of the topic, solve the following task.
Intrusion Detection System
What is not true about IDS?
Active alerting
Passive monitoring
None of the above
Passive alerting