An Intrusion Detection System (IDS) is software or hardware that inspects incoming and outgoing traffic (or, on a host, local activity such as logs and file changes) and, based on the patterns it observes, detects attacks and alerts administrators to them.
Two types of intrusion detection systems exist:
• Host-based intrusion detection system or HIDS in short
• Network-based intrusion detection system or NIDS in short
As the name suggests, the first type is meant to detect intrusions on individual hosts, while the second type, network-based intrusion detection systems, is used to detect intrusions at the network level.
Network Intrusion Detection Systems are typically placed at network chokepoints, such as the link between the internal network and the Internet gateway, and are usually fed a copy of the traffic from a switch mirror (SPAN) port or a network tap. Placing the NIDS at a chokepoint lets it see all traffic entering or leaving the network and classify it accurately; traffic that never crosses the chokepoint (for example, host-to-host traffic on the same segment) is invisible to it.
HIDS usually takes the form of software agents installed on the systems to be monitored, watching things such as system logs, file integrity and process activity. These agents report to a central system that analyses the data and produces the necessary alerts and reports.
Intrusion detection systems are also known as detective or passive systems: they only monitor, detect anomalies and report them. They do not act on the traffic they see, which is why a NIDS can work from a copy of the traffic rather than sitting inline in the traffic path.
There are two methods of detection that are usually employed:
• Signature-based detection
An IDS using signature-based detection compares observed traffic against a pre-determined, pre-configured set of rules, known as signatures, that describe known attack patterns. If the traffic matches one or more signatures, an alert is generated. This method is precise for known attacks but cannot detect an attack for which no signature exists yet, and signatures must be kept up to date.
• Statistical anomaly-based detection
Statistical anomaly-based detection, also known as behaviour-based detection, first builds a baseline of normal behaviour (bandwidth usage, protocol usage, port usage, connection rates and so on) and then flags traffic that deviates significantly from that baseline. It can detect previously unseen attacks, but it tends to produce more false positives than signature matching, and the baseline must be learned from traffic that is itself clean.
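As an added example (not part of the original article), the following Python sketch runs both detection methods over constructed flow records: a signature stage that matches payloads against regex rules, and a statistical anomaly stage that learns a per-host flows-per-window baseline from quiet traffic and flags any window exceeding the mean plus three standard deviations. The flow tuple layout, the 10-second window, the regex-style signatures and the host addresses are all assumptions of the example, and the sample traffic is made up.

```python
import re
import statistics
from collections import Counter, defaultdict
from dataclasses import dataclass

WINDOW = 10  # seconds per anomaly-scoring window (assumed value for this example)

# A flow record: (timestamp_s, src_ip, dst_ip, dst_port, payload_bytes).
# All records below are constructed for this example; nothing was captured.
def make_training_flows():
    """Six quiet windows of an internal client (10.0.0.5) browsing a web server."""
    flows = []
    per_window = [2, 3, 4, 3, 2, 4]            # slight natural variation
    for w, n in enumerate(per_window):
        for i in range(n):
            flows.append((w * WINDOW + i, "10.0.0.5", "10.0.0.80", 80,
                          b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"))
    return flows

def make_detection_flows():
    """Later traffic: one SQL-injection attempt, then a burst that looks like a port scan."""
    flows = []
    # Window 6: normal browsing plus a single payload a signature should catch
    flows.append((60, "10.0.0.5", "10.0.0.80", 80,
                  b"GET /item?id=1 HTTP/1.1\r\n\r\n"))
    flows.append((61, "10.0.0.7", "10.0.0.80", 80,
                  b"GET /item?id=1%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1\r\n\r\n"))
    # Window 7: 10.0.0.5 touches 20 different ports in one window; payloads are empty,
    # so no signature can fire and only the rate anomaly reveals the scan
    for i in range(20):
        flows.append((70 + i % WINDOW, "10.0.0.5", "10.0.0.80", 1 + i, b""))
    return flows

@dataclass(frozen=True)
class Alert:
    method: str    # "signature" or "anomaly"
    src_ip: str
    detail: str

# --- Signature-based detection -------------------------------------------
# A signature here is just a name and a regex over the payload. This regex
# form is an assumption of the example; real rule languages (e.g. Snort's)
# carry header fields, flow state and normalisation options as well.
# Note the encoding variants: a signature that only knows "union select"
# with literal spaces would miss the URL-encoded request above.
SIGNATURES = {
    "SQLi: UNION SELECT in HTTP request":
        re.compile(rb"union(?:\s|%20|\+)+select", re.IGNORECASE),
    "Path traversal in URI":
        re.compile(rb"(?:\.\./){2,}"),
}

def signature_detect(flows):
    alerts = []
    for _ts, src, _dst, _port, payload in flows:
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                alerts.append(Alert("signature", src, name))
    return alerts

# --- Statistical anomaly detection ---------------------------------------
def flows_per_window(flows):
    """Count flows per (src_ip, window) so each source gets a rate time series."""
    counts = Counter()
    for ts, src, *_ in flows:
        counts[(src, ts // WINDOW)] += 1
    return counts

def build_baseline(training_flows):
    """Per source: mean and standard deviation of its flows-per-window."""
    series = defaultdict(list)
    for (src, _w), n in flows_per_window(training_flows).items():
        series[src].append(n)
    return {src: (statistics.fmean(v), statistics.pstdev(v)) for src, v in series.items()}

def anomaly_detect(flows, baseline, k=3.0):
    """Flag any window where a source's flow count exceeds mean + k * stdev."""
    alerts = []
    for (src, w), n in sorted(flows_per_window(flows).items()):
        if src not in baseline:
            continue   # unseen host: this example neither trusts nor flags it
        mean, sd = baseline[src]
        if n > mean + k * sd:
            alerts.append(Alert("anomaly", src,
                                f"{n} flows in window {w} (baseline {mean:.1f} +/- {sd:.1f})"))
    return alerts

def run_ids():
    baseline = build_baseline(make_training_flows())
    flows = make_detection_flows()
    # A passive IDS only reports; nothing here drops or resets the flows.
    return signature_detect(flows) + anomaly_detect(flows, baseline)

if __name__ == "__main__":
    for a in run_ids():
        print(f"[{a.method}] {a.src_ip}: {a.detail}")
```

Run as-is, the script reports one signature alert (the encoded UNION SELECT from 10.0.0.7) and one anomaly alert (10.0.0.5 making 20 flows in window 7 against a baseline of about 3). The two stages are complementary: the scan carries no payload for a signature to match, and the injection attempt is a single request that no rate baseline would notice.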
Unlike an IDS, an IPS (Intrusion Prevention System) sits inline in the traffic path and can also prevent the intrusion, for example by dropping the offending packets or resetting the connection, rather than only raising an alert.