An intrusion detection system (IDS) is a software application or hardware device that detects vulnerability exploits, malicious activity, or policy violations. IDSs place sensors on network devices like firewalls, servers, and routers, or at a host level.
Once the IDS detects any cyber threats, the system will either report this information to an administrator or a security information and event management (SIEM) system collects it centrally.
How Does an Intrusion Detection System Work?
Intrusion detection systems identify suspicious network activity by analyzing and monitoring traffic indicators of compromise. IDSs identify security threats by assessing network traffic against known threats, security policy violations, and open port scanning. When an IDS identifies a threat, it will usually send an alert to a security operations center (SOC) or security specialist.
The specific way the IDS detects suspicious activity depends on what type of detection method it uses and the scope of its system network.
Types of Intrusion Detection Systems
Intrusion detection systems can be classified based on their detection method and the range in which they operate.
An IDS will usually use one of the following detection methods:
Signature-based detection looks for specific patterns in network traffic and from attack signatures of known attacks. Attack signatures are malicious instruction sequences - a term also used by antivirus software.
Anomaly-based detection identifies computer/network intrusions and misuses using a classification system run by machine learning that labels activity as either normal or anomalous. The system creates a baseline of trustworthy activity and uses this standard to identify potentially malicious traffic.
Anomaly-based intrusion detection systems are used to detect unknown attacks, as new types of malware are constantly emerging.
Reputation-based detection identifies potential security incidents by assessing network communications based on the reputation score of the network host.
Stateful Protocol Analysis Detection
Stateful protocol analysis detection identifies deviations of protocol states, which are determined by what the IDS solution provider deems as "accepted definitions of benign activity".
IDS systems can be categorized based on where their sensors are placed.
Network Intrusion Detection System (NIDS)
A network intrusion detection system (NIDS) is placed at strategic points within networks to analyze network traffic to and from devices. It then performs an analysis of passing traffic to a library of known attacks, when an attack is identified, an alert is sent to the administrator.
Host Intrusion Detection System (HIDS)
A host intrusion detection system (HIDS) is located on all networked hosts or devices/endpoints to analyze and monitor traffic flow. It tracks critical files through snapshots and alerts the user if these files have been modified or deleted. The system can also identify any suspicious traffic coming from the host itself, e.g. a malware infection that is trying to access other operating systems.
Intrusion Detection System vs Intrusion Prevention System (IPS): What's the Difference?
IDSs are often confused with intrusion prevention systems (IPS) as they both monitor network traffic to identify hackers using similar detection methods. The main differences between intrusion detection and prevention systems are:
- IDS is a monitoring system that reads network packets but doesn't alter them.
- IPS is a control system that reads network packets and can prevent packet delivery based on contents.
- IDS is not placed inline with traffic.
- IPS is placed inline with traffic.
IPSs can also terminate suspicious TCP sessions, reconfigure the firewall to avoid future similar attacks, and remove threatening content from a network following an attack.
Why are Intrusion Detection Systems Important?
Intrusion detection system deployment is vital in any cyber risk management strategy. IDSs allow organizations to instantly detect cyber attacks, such as botnets, Distributed Denial of Service (DDoS), and ransomware, to ensure prompt remediation.
Intrusion detection systems are most effective when implemented as part of a comprehensive cyber security strategy, such as defense in depth. This strategy involves the addition of several security layers that help to reduce an organization's total number of attack vectors.
Security teams should therefore combine IDSs with various technical controls like web application firewalls, configuration management, web scanners, threat intelligence and continuous security monitoring.
Intrusion Detection Systems Benefits
Proactive Monitoring for Actionable Insights
Intrusion detection systems are beneficial to an organization's incident response planning by helping security teams detect cyber attacks in real-time. Analysts can leverage this information to proactively improve system security, such as by implementing stronger access controls.
Intrusion detection systems provide network transparency. This visibility helps organizations measure security metrics which makes monitoring and maintaining compliance more efficient. IDS logs help security teams keep track of compliance to ensure adherence to regulations, such as GDPR, HIPAA, and PCI-DSS.
Helping Security Teams Implement Controls and Automation
Intrusion detection systems can explore network packet data from hosts/devices and other useful information like operating systems. Centralizing this information allows security teams to work much more efficiently than manually collating network information. It also helps them to enforce information security policies at a network level.
Intrusion Detection System Challenges
Intrusion detection systems often identify false positives which are a major hindrance to organizations' time and resources. Security teams must calibrate IDSs during installation to ensure they are configured to identify regular network traffic, which helps distinguish potentially malicious traffic.
False negatives are a more threatening challenge for organizations than false positives. As false negatives mean that an IDS has mistaken malicious network activity for normal behavior, security teams are not alerted to any occurring attacks until well after the fact.
Signature-based detection systems are especially prone to false negatives as new malware is becoming more sophisticated at a rapid pace. Organizations should ensure their IDS is capable of identifying new and irregular network activity and alerting it to administrators.
Cyber threat actors use a variety of evasion techniques to bypass IDS detection and gain unauthorized access into a network. Organizations must remain vigilant in addressing suspicious activity that is not detected by an IDS. Examples of evasion techniques include:
- Obscuring their IP address through a proxy server
- Changing network patterns
- Switching ports or using various different ports
- Sending fragmented network packets
Best Intrusion Detection System Tools
Snort is a popular free open-source NIDS that operates on Windows, Linux, and Unix operating systems.
The system analyzes traffic in real-time, through three different modes: packet sniffer, packet logger, and intrusion detection. It can also employ intrusion prevention techniques.
- Simple installation process and functionality.
- Large user community, with abundant online support resources.
- Doesn't offer GUI, but add-ons are available from the community.
- Packet processing can be slow.
Like Snort, Suricata uses signature and anomaly-based detection methods to identify intrusions.
It combines intrusion prevention, network security monitoring, and PCAP processing to efficiently manage incoming attacks.
- Compatible with Snort's rulesets.
- Advanced features, e.g., multi-threading capabilities, GPU acceleration.
- Prone to false positives.
- Resource-intensive on system and network.
3. Zeek (formerly Bro)
Zeek performs traffic logging and analysis using signature and anomaly-based detection methods.
It operates on Unix, Linux, and Mac OS. Zeek runs on the application layer, allowing users to track services across different OSI laters, such as HTTP, DNS, SNMP, and FTP.
- NIDS platform can extend to additional network security capabilities.
- Requires proficiency in Bro DSL programming.
OpenWIGS-ng is a NIDS designed for wireless networks and operates exclusively on Linux. Its functionality includes three main components - a sensor that collects and sends commands, a server with an analysis engine, and an interface that displays events and alerts.
- Modular and plugin-based; DIYers can build the required software and hardware.
- Limited to wireless security solutions.
Sguil is a collection of network security monitoring components and works on operating systems that support tc/tk.
Sguil enables alerts from other IDSs like Snort, Suricata, OSSEC, Zeek, as well as other data sources.
- Compatible with all operating systems that support tcl/tk.
- Can receive alerts from Snort, Suricata, OSSEC, Zeek, and other data sources.
- Limited to operating systems that support tcl/tk.
6. Security Onion
Security Onion is an Ubuntu-based Linux distribution for IDS and network security monitoring.
The platform combines several open source technologies, such as Snort, Suricata, Zeek, and Sguil to provide comprehensive intrusion detection, network security monitoring, and log management.
- Provides comprehensive security stack with leading open-source IDS solutions.
- Easy setup tool for installation of the whole stack.
- Inherits the drawbacks of each constituent tool.
7. SolarWinds Security Event Manager (SEM)
SolarWinds SEM is a SIEM solution that offers automated threat detection and response.
The SEM collects NIDS logs to determine information about the number of network attacks and types.
This data works in conjunction with other infrastructure logs to help strengthen IDSs and protocols on the network.
- User-friendly interface despite offering advanced capabilities
- Offers customizable reporting templates.
- SolarWind's involvement in the supply chain attack on the US Government in March 2020 has affected the company's reputation.