Wed. Jan 25th, 2023

Intrusion Detection Systems

Intrusion detection systems are software or hardware systems that monitor the network and look for any signs that unauthorised access has occurred.

Intrusion detection systems (IDS) monitor networks for any suspicious activity that may result in data breaches or similar lapses in cybersecurity. Each IDS works by establishing what is ‘normal’ for a particular environment so that it can accurately detect and alert IT personnel to any deviations. This baseline is based on normal communication activity for protocols, sources, endpoints, user accounts, access times and data volumes.

Intrusion detection systems can be either host-based (software installed on client machines) or network-based (a device which monitors the network as a whole). Just as anti-malware products scan for known malware and for tell-tale signatures in code, so do intrusion detection systems.

Different types of intrusion detection systems

IDSes come in different flavors and detect suspicious activities using different methods, including the following:

  • network intrusion detection system (NIDS) is deployed at a strategic point or points within the network, where it can monitor inbound and outbound traffic to and from all the devices on the network.
  • host intrusion detection system (HIDS) runs on all computers or devices in the network with direct access to both the internet and the enterprise’s internal network. A HIDS has an advantage over a NIDS in that it may be able to detect anomalous network packets that originate from inside the organization or malicious traffic that a NIDS has failed to detect. A HIDS may also be able to identify malicious traffic that originates from the host itself, such as when the host has been infected with malware and is attempting to spread to other systems.
  • signature-based intrusion detection system (SIDS) monitors all the packets traversing the network and compares them against a database of attack signatures or attributes of known malicious threats, much like antivirus software.
  • An anomaly-based intrusion detection system (AIDS) monitors network traffic and compares it against an established baseline to determine what is considered normal for the network with respect to bandwidth, protocols, ports and other devices. This type often uses machine learning to establish a baseline and accompanying security policy. It then alerts IT teams to suspicious activity and policy violations. By detecting threats using a broad model instead of specific signatures and attributes, the anomaly-based detection method improves upon the limitations of signature-based methods, especially in the detection of novel threats.

Capabilities of intrusion detection systems

Intrusion detection systems monitor network traffic in order to detect when an attack is being carried out by unauthorized entities. IDSes do this by providing some — or all — of these functions to security professionals:

  • monitoring the operation of routers, firewalls, key management servers and files that are needed by other security controls aimed at detecting, preventing or recovering from cyberattacks;
  • providing administrators a way to tune, organize and understand relevant OS audit trails and other logs that are otherwise difficult to track or parse;
  • providing a user-friendly interface so nonexpert staff members can assist with managing system security;
  • including an extensive attack signature database against which information from the system can be matched;
  • recognizing and reporting when the IDS detects that data files have been altered;
  • generating an alarm and notifying that security has been breached; and
  • reacting to intruders by blocking them or blocking the server.

Benefits of intrusion detection systems

Intrusion detection systems offer organizations several benefits, starting with the ability to identify security incidents. An IDS can be used to help analyze the quantity and types of attacks; organizations can use this information to change their security systems or implement more effective controls. An intrusion detection system can also help companies identify bugs or problems with their network device configurations. These metrics can then be used to assess future risks.

Intrusion detection systems can also help the enterprise attain regulatory compliance. An IDS gives companies greater visibility across their networks, making it easier to meet security regulations. Additionally, businesses can use their IDS logs as part of the documentation to show they are meeting certain compliance requirements.

Intrusion detection systems can also improve security responses. Since IDS sensors can detect network hosts and devices, they can also be used to inspect data within the network packets, as well as identify the OSes of services being used. Using an IDS to collect this information can be much more efficient than manual censuses of connected systems.

Challenges of intrusion detection systems

IDSes are prone to false alarms — or false positives. Consequently, organizations need to fine-tune their IDS products when they first install them. This includes properly configuring their intrusion detection systems to recognize what normal traffic on their network looks like compared to potentially malicious activity.

However, despite the inefficiencies they cause, false positives don’t usually cause serious damage to the actual network and simply lead to configuration improvements. A much more serious IDS mistake is a false negative, which is when the IDS misses a threat and mistakes it for legitimate traffic. In a false negative scenario, IT teams have no indication that an attack is taking place and often don’t discover until after the network has been affected in some way. It is better for an IDS to be oversensitive to abnormal behaviors and generate false positives than it is to be undersensitive, generating false negatives.

False negatives are becoming a bigger issue for IDSes — especially SIDSes — since malware is evolving and becoming more sophisticated. It’s becoming harder to detect a suspected intrusion because new malware may not display the previously detected patterns of suspicious behavior that IDSes are typically designed to detect. As a result, there is an increasing need for IDSes to detect new behavior and proactively identify novel threats and their evasion techniques as soon as possible.