IDS
An IDS (Intrusion Detection System) is a security control that detects malicious activity on a host or a network and reports it. It complements a firewall rather than replacing it: a firewall enforces a policy on what traffic may pass, while an IDS inspects activity that was allowed through (or that originates inside the perimeter) and raises an alert when it looks malicious. An IDS is a passive, detective control: it alerts, it does not block. The inline variant that does block is called an IPS (Intrusion Prevention System).
Type of IDS
Based on where it is deployed, there are two kinds of IDS.
Host Intrusion Detection System (HIDS): Installed on each host, it detects threats on that host, including things a network sensor cannot see, such as local process activity, file-integrity changes and data after TLS decryption. It is harder to manage at scale, since every host runs and must be maintained as its own sensor, and it consumes CPU, memory and disk on the host it protects.
Network Intrusion Detection System (NIDS): A sensor placed at a network choke point (typically fed by a TAP or a switch SPAN/mirror port) that monitors traffic for all hosts behind it from one central location. Because it sees only packets, it is blind to encrypted payloads and to activity that never crosses the wire.

Detection mode
Signature-Based IDS detects known attacks by matching traffic or events against patterns (signatures) stored in its database. It is precise, with few false positives for well-written signatures, but it can only detect what already has a signature: zero-day attacks, and variants of known attacks altered or encoded to evade an existing pattern, go unnoticed until a new signature is written. For this reason a signature engine normalises input (for example URL-decoding a request) before matching.
Anomaly-Based IDS learns the normal behaviour of a system or network (a baseline) and flags deviations from it. It can detect zero-day attacks because it does not need to know the attack in advance, but it tends to generate many false positives, since legitimate but unusual behaviour also deviates from the baseline. Tuning, such as extending the baseline with confirmed-benign traffic or adjusting the alert threshold, reduces false positives, at the cost of some sensitivity.
Hybrid IDS combines both methods: signature-based detection for known threats and anomaly-based detection for unknown or new ones. An alert from either engine is raised, so the two cover each other's blind spots.
Examples
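The following is an added example, not code from the original page or from any IDS product, that runs the three detection modes described above over constructed web-server access-log lines. The hosts, paths, log format and the two signatures are hypothetical; the anomaly detector uses a single deliberately simple feature, the length of the decoded request path, so the numbers are easy to follow.

```python
"""Signature-based, anomaly-based and hybrid detection over constructed access-log lines."""
import re
import statistics
from urllib.parse import unquote

# Constructed sample log lines (hypothetical clients and paths). Fields: client method path status.
# TRAINING_LOG is benign traffic used to learn the anomaly baseline.
TRAINING_LOG = [
    "10.0.0.5 GET /index.html 200",
    "10.0.0.6 GET /about.html 200",
    "10.0.0.7 GET /products?id=42 200",
    "10.0.0.5 GET /contact 200",
    "10.0.0.8 GET /products?id=7 200",
    "10.0.0.6 GET /img/logo.png 200",
    "10.0.0.9 GET /login 200",
    "10.0.0.5 POST /login 302",
]

# Lines to inspect once the baseline is learned (also constructed).
TEST_LOG = [
    "10.0.0.7 GET /products?id=1%27%20OR%201%3D1-- 200",                # known SQLi pattern, URL-encoded
    "10.0.0.10 GET /../../etc/passwd 404",                               # known path traversal
    "10.0.0.11 GET /search?q=" + "A" * 300 + " 200",                     # no signature exists: "zero-day"-like
    "10.0.0.12 GET /reports/2023/annual/financial-summary-final.pdf 200",  # legitimate but unusually long
    "10.0.0.6 GET /about.html 200",                                       # benign
]

# Hypothetical signatures: (name, regex). They match only attacks somebody has already described.
SIGNATURES = [
    ("sqli-or-1eq1", re.compile(r"(?i)'\s*or\s+1\s*=\s*1")),
    ("path-traversal", re.compile(r"\.\./")),
]


def parse(line):
    """Split one log line into fields; the path is URL-decoded so encoding cannot dodge a signature."""
    client, method, path, status = line.split()
    return {"client": client, "method": method, "path": unquote(path), "status": int(status)}


def signature_alerts(line):
    """Signature engine: names of every signature matching the decoded path (empty if none)."""
    path = parse(line)["path"]
    return [name for name, rx in SIGNATURES if rx.search(path)]


class PathLengthBaseline:
    """Toy anomaly engine: learns mean and standard deviation of decoded path length
    and flags requests whose z-score exceeds a threshold. learn() accumulates, so feeding it
    confirmed-benign lines later is one way of tuning the baseline."""

    def __init__(self, threshold=3.0):
        self.threshold = threshold
        self.lengths = []

    def learn(self, lines):
        self.lengths.extend(len(parse(line)["path"]) for line in lines)
        self.mean = statistics.mean(self.lengths)
        self.stdev = statistics.stdev(self.lengths)  # sample stdev, needs at least two samples
        return self

    def zscore(self, line):
        return (len(parse(line)["path"]) - self.mean) / self.stdev

    def is_anomalous(self, line):
        return abs(self.zscore(line)) > self.threshold


def hybrid_verdicts(lines, baseline):
    """Hybrid IDS: run both engines on every line and alert if either one fires."""
    verdicts = []
    for line in lines:
        sigs = signature_alerts(line)
        anomalous = baseline.is_anomalous(line)
        verdicts.append({"line": line, "signatures": sigs, "anomalous": anomalous,
                         "alert": bool(sigs) or anomalous})
    return verdicts


if __name__ == "__main__":
    baseline = PathLengthBaseline().learn(TRAINING_LOG)
    print("Before tuning:")
    for v in hybrid_verdicts(TEST_LOG, baseline):
        print(f"  alert={v['alert']!s:5} sigs={v['signatures']} anomalous={v['anomalous']} {v['line'][:60]}")
    # Tuning: an analyst confirms the long report path is legitimate and adds it to the baseline.
    baseline.learn([TEST_LOG[3]])
    print("After adding the confirmed-benign line to the baseline:")
    for v in hybrid_verdicts(TEST_LOG, baseline):
        print(f"  alert={v['alert']!s:5} sigs={v['signatures']} anomalous={v['anomalous']} {v['line'][:60]}")
```

Before tuning, the encoded SQLi line is caught by its signature (thanks to URL-decoding) and also by the anomaly engine; the traversal is caught by signature only; the 300-character query has no signature and is caught by the anomaly engine alone, which is exactly the zero-day case; the long report path is a false positive. After the confirmed-benign line is added to the baseline, the false positive disappears and the anomaly engine stops flagging the SQLi request too, but the hybrid still alerts on it because the signature engine does, while the oversized query is still flagged as anomalous.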