What is an Intrusion Detection System (IDS)?
An Intrusion Detection System (IDS) is a software application that scans a network or a system for malicious activities or policy violations.
Any malicious activity or violation is reported either to the network administrator or collected using a SIEM (security information and event management) system.
A SIEM system combines output from multiple sources and uses alarm filtering techniques to distinguish malicious activities from false alarms.
The overall purpose of an IDS is to inform IT personnel that a network intrusion may be taking place by alerting them with information about the source address of the intrusion, the target address, and the type of attack that is suspected.
Types of IDS (Intrusion Detection System)
IDS are classified into the following types:
Network intrusion detection system (NIDS):
A network intrusion detection system (NIDS) operates at the network level and examines traffic from all devices going in and out of the network.
It analyzes the passing traffic for patterns and abnormal behaviors, upon which an alarm is sent to the network administrator.
A warning is also flagged if the NIDS detects a deviation from predetermined conditions such as the standard packet size.
Advantages of NIDS are:
May be undetectable by attackers and immune to direct attacks.
Monitors the entire network's traffic if placed correctly.
Has no impact on network performance.
Disadvantages of NIDS are:
A NIDS analyzes a large amount of traffic and therefore may fail to recognize an attack during periods of high traffic.
Cannot analyze encrypted data.
Host intrusion detection system (HIDS):
A host intrusion detection system (HIDS) monitors the entire network, analyzes system data, and looks for malicious activity on an individual host.
It takes snapshots of the existing system files and compares them with previous snapshots. A HIDS analyzes changes to operating system files, logs, software, and more.
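The snapshot comparison described above, written out as an added example (not code from the original article): hash every file under a monitored directory, keep the result as the baseline snapshot, re-hash later, and report what was added, removed, or modified. The file names and contents in demo() are constructed for the example, and SHA-256 is assumed as the file hash.

```python
import hashlib
import os
import tempfile
from typing import Dict, List


def hash_file(path: str) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_snapshot(root: str) -> Dict[str, str]:
    """Map every file under root (by path relative to root) to its content hash."""
    snapshot: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full_path = os.path.join(dirpath, name)
            snapshot[os.path.relpath(full_path, root)] = hash_file(full_path)
    return snapshot


def compare_snapshots(previous: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff two snapshots the way a HIDS integrity check does: new, deleted and changed files."""
    old_paths, new_paths = set(previous), set(current)
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": sorted(p for p in old_paths & new_paths if previous[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a baseline, change the host, and produce the HIDS report."""
    with tempfile.TemporaryDirectory() as root:

        def write(name: str, text: str) -> None:
            with open(os.path.join(root, name), "w") as handle:
                handle.write(text)

        # Constructed "system files" standing in for real configuration.
        write("passwd", "root:x:0:0:root:/root:/bin/bash\n")
        write("sshd_config", "PermitRootLogin no\n")
        write("cron.daily", "0 3 * * * /usr/bin/backup\n")
        baseline = take_snapshot(root)

        # Changes a defender would want flagged: a weakened config, a deleted job, an unknown file.
        write("sshd_config", "PermitRootLogin yes\n")
        os.remove(os.path.join(root, "cron.daily"))
        write("unknown.sh", "#!/bin/sh\n")
        return compare_snapshots(baseline, take_snapshot(root))


if __name__ == "__main__":
    print(demo())
```

A real HIDS stores the baseline outside the monitored host (or signs it) so that whoever modifies the files cannot also modify the record they are compared against; this example keeps it in memory only to stay self-contained.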
Advantages of HIDS:
Unlike a NIDS, a HIDS can access encrypted data packets.
Provides system-level protection.
Disadvantages of HIDS:
If the system doesn't generate logs, the HIDS may not function properly.
Being at the host level, a HIDS has a very limited view of the network.
Application protocol-based intrusion detection system (APIDS):
An APIDS is a system or an agent that generally resides between a process and a group of servers. It monitors the application protocol between two connected devices.
An APIDS is extremely accurate in detecting malicious activity for the application it protects. One of its unique advantages is that it monitors the interaction between users and applications, which traces the activity to individual users.
Detection Methods of IDS:
Signature-based IDS detects attacks by searching for a particular pattern or signature, such as byte sequences in network traffic or any known malicious intrusion sequences. It needs regular updates to ensure that there is no new type of attack unknown to the IDS.
The disadvantage of signature-based IDS is that it can only detect known attacks and is unable to detect new attacks for which no pattern is known.
Unlike signature-based IDS, anomaly-based IDS detects unknown malware attacks, which signature-based IDS finds hard to detect. Anomaly-based detection is also based on defining a model of the network's behavior.
This IDS uses machine learning approaches to compare models of trustworthy behavior with new behavior, so any unusual or strange-looking behavior is flagged.
One of the major drawbacks of anomaly-based detection is defining its ruleset. The efficiency of an IDS depends on how well it is configured and tested across all protocols.
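Both detection methods side by side, as an added example that is not part of the original article: a tiny NIDS-style inspector that runs signature matching over packet payloads and, for the anomaly side, checks each packet's size against a baseline of normal traffic (the "standard packet size" condition mentioned earlier). The signature rules, the baseline sizes, the sample packets and the three-standard-deviation threshold are all constructed for the example, not taken from any real ruleset or capture. The last sample packet deliberately shows the signature-based blind spot: a request with no known pattern and a normal size raises no alert.

```python
import re
import statistics
from typing import Dict, List, Tuple

# Constructed signature rules (not a real vendor ruleset): rule name -> byte pattern in the payload.
SIGNATURES = {
    "path-traversal": re.compile(rb"\.\./\.\./"),
    "constructed-beacon-agent": re.compile(rb"User-Agent: EXAMPLE-BEACON/"),
}

# Constructed baseline: packet sizes observed during a period of known-good traffic.
NORMAL_SIZES = [200, 210, 190, 205, 195, 200, 215, 185]

# Constructed packets as a sensor would see them: addresses, total size, captured payload.
SAMPLE_PACKETS: List[Dict] = [
    {"src": "10.0.0.5", "dst": "10.0.0.1", "size": 198,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"},
    {"src": "10.0.0.7", "dst": "10.0.0.1", "size": 205,
     "payload": b"GET /../../etc/passwd HTTP/1.1\r\nHost: example.test\r\n"},
    {"src": "10.0.0.9", "dst": "10.0.0.1", "size": 1460,
     "payload": b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"},
    {"src": "10.0.0.11", "dst": "10.0.0.1", "size": 210,
     "payload": b"GET /ping HTTP/1.1\r\nUser-Agent: EXAMPLE-BEACON/1.0\r\n"},
    # Normal size, no known pattern: neither method fires, which is the signature-based limitation.
    {"src": "10.0.0.13", "dst": "10.0.0.1", "size": 201,
     "payload": b"GET /never-seen-before-technique HTTP/1.1\r\n"},
]


def signature_matches(payload: bytes) -> List[str]:
    """Signature-based detection: names of every rule whose pattern occurs in the payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern.search(payload)]


class PacketSizeBaseline:
    """Anomaly-based detection on one feature: distance of a packet's size from the learned norm."""

    def __init__(self, sizes: List[int], threshold: float = 3.0) -> None:
        self.mean = statistics.mean(sizes)
        self.stdev = statistics.pstdev(sizes)
        self.threshold = threshold  # assumed: flag beyond 3 standard deviations

    def is_anomalous(self, size: int) -> bool:
        if self.stdev == 0:
            return size != self.mean
        return abs(size - self.mean) / self.stdev > self.threshold


def inspect(packets: List[Dict], baseline: PacketSizeBaseline) -> List[Tuple[str, str, str]]:
    """Run both detectors over the packets; each alert carries source, target and reason."""
    alerts: List[Tuple[str, str, str]] = []
    for pkt in packets:
        for name in signature_matches(pkt["payload"]):
            alerts.append((pkt["src"], pkt["dst"], "signature:" + name))
        if baseline.is_anomalous(pkt["size"]):
            alerts.append((pkt["src"], pkt["dst"], "anomaly:packet-size"))
    return alerts


def run_demo() -> List[Tuple[str, str, str]]:
    return inspect(SAMPLE_PACKETS, PacketSizeBaseline(NORMAL_SIZES))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The baseline's mean is 200 bytes with a standard deviation of about 9.4, so only the 1460-byte packet is flagged as anomalous; the two signature hits come from the pattern rules alone. Tuning the threshold is exactly the "defining its ruleset" problem the text mentions: lower it and normal packets start producing false alarms, raise it and unusual traffic slips through.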
IDS vs Firewalls
A firewall is a software or hardware device that blocks unauthorized access while permitting authorized traffic. On the other hand, an IDS is a software or hardware device installed on the network or a host that reports any intrusion attempts on the network.
If the firewall finds an unauthorized connection it can block the connection, but an IDS (Intrusion Detection System) cannot block the connection.
A firewall can be considered as the security personnel at the gate and an IDS can be considered as the security camera after the gate.
However, an IDPS (Intrusion Detection and Prevention System) is essentially an IDS with modifications such as a response or control system. An IDPS can block a threat to the system while an IDS can't.
Difference between HIDS and NIDS:
A HIDS examines host-based actions, such as which applications and files are being accessed, while a NIDS analyzes the network traffic.
A HIDS depends on historical data for comparison with existing system files, while a NIDS works on real-time data and flags issues as they are found.
Security Information and Event Management (SIEM)
SIEM is a software solution that collects security data from servers, network devices, domains, etc. It detects threats and creates security alerts; it collects logs and event data from various organizations and host systems, bringing them together in a centralized platform.