Lepide Blog: A Guide to IT Security, Compliance and IT Operations

What is an Intrusion Detection System?


An Intrusion Detection System (IDS) is a network monitoring solution that detects suspicious network traffic and raises alerts. The relevant personnel can then investigate the alerts to determine whether they need further attention. An IDS can be either host-based or network-based.

Host-Based IDS (HIDS)

A host-based Intrusion Detection System is installed on endpoints, as opposed to being installed on the network perimeter. A HIDS serves to protect the endpoints from internal and external threats, by monitoring the traffic flowing to and from them, as well as monitoring internal processes and event logs. With a HIDS, visibility is limited to the device it is installed on.

Network-Based IDS (NIDS)

A network-based Intrusion Detection System is designed to monitor the traffic flowing through the entire network and is usually installed just behind the firewall, on a dedicated machine somewhere in the network. A NIDS has visibility into all network traffic, although it has limited visibility into the activity that takes place on the endpoints. A NIDS will analyze the contents and metadata of the traffic using deep packet inspection (DPI), in order to determine whether the traffic is malicious or not. NIDS provides more context than HIDS and is thus able to detect more sophisticated threats.

Naturally, the best option would be to use a HIDS and a NIDS in tandem, or even a unified threat management solution that integrates multiple threat management tools into one system.

How Do Intrusion Detection Systems Detect Threats?

There are essentially three methods that IDS solutions use to detect potential threats, which are as follows:

Signature Detection

This method identifies threats by their signature, which works much like a fingerprint. Each time a new threat is identified, a signature is generated and added to a list of known threats, which the IDS uses as a reference. Because signature detection is based on known threats, it doesn’t produce any false positives, although the downside is that it can’t detect attacks that exploit zero-day vulnerabilities.

Anomaly Detection

This method uses machine learning algorithms to establish a baseline of what is considered “normal” behavior. Using this baseline, the IDS can alert on traffic patterns that deviate from it beyond a certain threshold. Unlike signature detection, anomaly detection can detect unknown (zero-day) threats. The downside of this approach is that it is not particularly accurate, and thus tends to produce a lot of false positives and false negatives.

Hybrid Detection

This method is essentially the best of both worlds, in that it uses both signature-based and anomaly-based detection to identify a broader range of threats, with fewer false positives/negatives.
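To make the three methods concrete, here is a small added example (written for this post, not code from Lepide or any IDS product) that runs a signature check and a baseline-based anomaly check over constructed traffic records and combines them the way a hybrid IDS would; the flow records, signatures and the bytes-per-flow z-score threshold are all assumptions for illustration.

```python
import re
import statistics

# Constructed sample traffic records (not real captures):
# (source address, destination port, bytes transferred, payload excerpt)
TRAINING = [  # traffic used to learn the "normal" baseline
    ("10.0.0.5", 443, 1200, "GET /index.html"),
    ("10.0.0.6", 443, 1350, "GET /about.html"),
    ("10.0.0.7", 443, 1100, "GET /contact.html"),
    ("10.0.0.8", 443, 1280, "POST /login user=alice"),
    ("10.0.0.9", 443, 1150, "GET /products?id=7"),
]
LIVE = [  # traffic to inspect
    ("10.0.0.5", 443, 1220, "GET /index.html"),                       # benign
    ("10.0.0.42", 443, 1300, "GET /products?id=7 UNION SELECT 1,2"),  # known pattern
    ("10.0.0.77", 443, 48000, "GET /export?all=true"),                # unusual volume
]

# Signature list: the "fingerprints" of known-bad requests (assumed examples).
SIGNATURES = {
    "sqli-union-select": re.compile(r"\bunion\s+select\b", re.I),
    "path-traversal": re.compile(r"\.\./"),
}

def signature_alerts(flows):
    """Signature detection: a flow alerts only if it matches a known pattern."""
    alerts = []
    for src, _port, _size, payload in flows:
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                alerts.append(("signature", name, src))
    return alerts

def build_baseline(flows):
    """Anomaly detection step 1: learn mean and spread of bytes per flow."""
    sizes = [size for _, _, size, _ in flows]
    return statistics.mean(sizes), statistics.stdev(sizes)

def anomaly_alerts(flows, baseline, threshold=3.0):
    """Anomaly detection step 2: alert when a flow deviates beyond the threshold.
    A lower threshold catches more, but starts flagging benign traffic (false positives)."""
    mean, stdev = baseline
    alerts = []
    for src, _port, size, _payload in flows:
        zscore = (size - mean) / stdev
        if zscore > threshold:
            alerts.append(("anomaly", f"bytes z={zscore:.1f}", src))
    return alerts

def hybrid_alerts(training, live, threshold=3.0):
    """Hybrid detection: union of both methods, each alert tagged with its source."""
    return signature_alerts(live) + anomaly_alerts(live, build_baseline(training), threshold)
```

With the default threshold the signature check flags only the UNION SELECT request and the anomaly check flags only the oversized export; dropping the threshold to 0.5 makes the 1300-byte request fire as well, which is the false-positive trade-off described above.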

Intrusion Detection Systems vs Firewalls

Both intrusion detection systems and firewalls are designed to protect your network from malicious traffic. However, an IDS doesn’t actually do anything once a threat has been identified: it is up to the administrator to investigate the potential incident and respond accordingly. A firewall, on the other hand, can block traffic based on predefined rules.

Intrusion Detection Systems vs Intrusion Prevention Systems

An Intrusion Prevention System (IPS) is very similar to an IDS, except that, like a firewall, an IPS is able to actively block identified threats. In fact, next-generation firewalls (NGFWs) go a step further and integrate IDS and IPS functionality into one system.

It’s likely that we will see such integrations becoming the norm in future threat management solutions. However, it should be noted that perimeter security is not as relevant as it once was. These days, with IT environments becoming increasingly distributed, organizations are shifting their focus to more data-centric methods of keeping their network secure, which includes monitoring access to privileged accounts and sensitive data in real time.

If you’d like to see how the Lepide Data Security Platform can help you detect threats to sensitive data, schedule a demo with one of our engineers.