An intrusion detection system (IDS) is a hardware appliance or a piece of software that examines inbound and outbound connections and traffic and, based on traffic patterns, behaviour or other statistical measures, detects violations of the policy set by the administrator or attacks that match predefined rules. When it detects such an event it generates alerts and reports to notify the administrator of the violation or attack.
Two types of intrusion detection system exist:
• Host-based intrusion detection system, or HIDS for short
• Network-based intrusion detection system, or NIDS for short
As the names suggest, a HIDS is meant to detect intrusions on a single host, while a NIDS is used to detect intrusions at the network level.
A NIDS is usually placed at a choke point in the network: a link that all traffic entering or leaving the network must cross, such as the segment just inside the perimeter firewall. Placing the sensor there lets it inspect every packet that crosses that link, but only that link: traffic between hosts on the same internal segment never reaches the sensor, and for encrypted connections it can judge only headers and flow characteristics, not the payload.
A HIDS usually takes the form of a software agent installed on each system that needs to be monitored; the agents report to a central system that analyses the data and produces the necessary alerts and reports. Because the agent runs on the host itself, it can observe things a network sensor cannot, such as file changes, logins and process activity.
An IDS is also often described as a detective or passive control: it is only responsible for monitoring, detecting anomalies and reporting them. It does not block or modify the traffic it flags. A system that sits inline and drops or resets offending traffic is an intrusion prevention system (IPS) rather than an IDS.
There are two methods of detection that are normally employed:
• Signature-based detection
A signature-based IDS compares observed traffic against a pre-determined, pre-configured set of rules known as signatures, each describing a known attack or policy violation. If the traffic matches one or more signatures, an alert is generated. This method is precise for attacks it knows about, but it cannot detect an attack for which no signature exists, so the signature set must be kept current.
• Statistical anomaly-based detection
Statistical anomaly-based detection, also known as behaviour-based detection, first builds a baseline of normal activity (bandwidth usage, protocols in use, ports contacted, connection rates and so on) and then alerts on traffic that deviates significantly from that baseline. It can catch previously unseen attacks, but it needs a learning period to build the baseline and tends to produce more false positives, since legitimate changes in behaviour also look like deviations.
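The two detection methods above, run side by side, as an added example written for this page rather than code from any IDS product: a toy Python detector applied to constructed flow records. The flow record format, the signature list, the baseline traffic and the thresholds are all assumptions made for illustration. The point it shows is that the signature detector only fires on the two flows a rule describes, while the anomaly detector fires on the oversized transfer and the port sweep for which no signature exists, and stays quiet on the baseline traffic it was trained on.

```python
"""Toy IDS illustrating signature-based and statistical anomaly-based detection.

Added example for this page; the flow record format, the signature list and
the thresholds are assumptions made for illustration, not any product's rules.
"""
import re
import statistics
from dataclasses import dataclass


@dataclass
class Flow:
    """One summarised connection, as a NIDS at a choke point might record it."""
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int
    payload: str = ""  # first bytes of application data, if visible


# Signatures: each matches on protocol, destination port and an optional payload pattern.
# Assumed format for this example; real IDS rule languages carry far more fields.
SIGNATURES = [
    {"name": "HTTP directory traversal", "proto": "tcp", "dport": 80,
     "pattern": re.compile(r"\.\./")},
    {"name": "Telnet to internal host", "proto": "tcp", "dport": 23,
     "pattern": None},
]


def signature_alerts(flows, signatures=SIGNATURES):
    """Signature-based detection: alert only on flows matching a known rule."""
    alerts = []
    for f in flows:
        for sig in signatures:
            if f.proto != sig["proto"] or f.dport != sig["dport"]:
                continue
            if sig["pattern"] is not None and not sig["pattern"].search(f.payload):
                continue
            alerts.append((sig["name"], f.src, f.dst))
    return alerts


def build_baseline(flows):
    """Learn what 'normal' looks like from a training window of benign flows."""
    sizes = [f.nbytes for f in flows]
    return {"mean": statistics.mean(sizes), "stdev": statistics.pstdev(sizes)}


def anomaly_alerts(flows, baseline, z_threshold=3.0, sweep_threshold=5):
    """Anomaly-based detection: alert on deviation from the baseline, not on content.

    Two checks: a flow whose byte count is far above the baseline mean
    (z-score), and a source contacting many distinct destination ports.
    Only unusually large flows are flagged; small flows are normal here.
    """
    alerts = []
    ports_by_src = {}
    stdev = baseline["stdev"] or 1.0  # avoid division by zero on a flat baseline
    for f in flows:
        ports_by_src.setdefault(f.src, set()).add(f.dport)
        z = (f.nbytes - baseline["mean"]) / stdev
        if z > z_threshold:
            alerts.append(("volume anomaly", f.src, f"z={z:.1f}"))
    for src, ports in sorted(ports_by_src.items()):
        if len(ports) >= sweep_threshold:
            alerts.append(("port sweep", src, f"{len(ports)} distinct ports"))
    return alerts


# Constructed sample traffic (not captured from a real network).
BASELINE_FLOWS = [Flow("10.0.0.5", "10.0.0.20", "tcp", 443, 2100 + i * 37)
                  for i in range(20)]
OBSERVED_FLOWS = [
    Flow("10.0.0.5", "10.0.0.20", "tcp", 443, 2500),                # benign
    Flow("10.0.0.9", "10.0.0.20", "tcp", 80, 600,
         "GET /../../etc/passwd HTTP/1.1"),                         # matches a signature
    Flow("10.0.0.9", "10.0.0.21", "tcp", 23, 120),                  # matches a signature
    Flow("10.0.0.5", "10.0.0.22", "tcp", 443, 48_000_000),          # no signature; huge transfer
    Flow("10.0.0.9", "10.0.0.21", "tcp", 21, 100),                  # no signature; part of a sweep
    Flow("10.0.0.9", "10.0.0.21", "tcp", 22, 100),
    Flow("10.0.0.9", "10.0.0.21", "tcp", 25, 100),
]


def run():
    """Run both detectors over the observed flows; returns (signature, anomaly) alerts."""
    baseline = build_baseline(BASELINE_FLOWS)
    return signature_alerts(OBSERVED_FLOWS), anomaly_alerts(OBSERVED_FLOWS, baseline)


if __name__ == "__main__":
    sig, anom = run()
    for kind, src, detail in sig + anom:
        print(f"ALERT {kind}: src={src} {detail}")
```

Running the script prints four alerts: two from signatures (the traversal request and the Telnet connection) and two from the anomaly detector (the 48 MB transfer on an otherwise ordinary HTTPS port, and the source that touched five distinct ports). Note what each method misses: the signature detector says nothing about the large transfer or the sweep, and the anomaly detector says nothing about the traversal string, because it never looks at content. In production, signatures are written in the sensor's own rule language (Snort and Suricata rules, for instance) and the anomaly baseline is learned over days of traffic per host and per service, not from twenty flows; the z-score and port-count thresholds used here would need tuning against real false-positive rates.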