What is intrusion detection?
An Intrusion Detection System (IDS) is a network security technology built and intended to detect vulnerability exploits against a target application or computer. Such systems were extended by Intrusion Prevention Systems (IPS) which, in addition to detecting threats, also introduced the ability to block those threats.
An intrusion detection system monitors a network for malicious activity or policy violations. An IDS is essentially a listen-only device. It is used to monitor traffic and report the results found to an administrator, however, it is incapable of automatically taking any sort of preventive action to stop a detected exploit from taking over the system (while an intrusion prevention system can do that).
Since attackers tend to have the ability to rapidly exploit vulnerabilities when they enter the network, just using an IDS might not be able to protect your system if the administrator does not react quickly.
If your intrusion detection system is configured correctly, it keeps a check on your inbound and outbound network traffic, constantly analyzes activity patterns, and immediately alerts you about unusual behavior within the network.
However, if your IDS is not configured properly, it could generate false alarms against some network traffic activity or it could even fail to send alerts regarding some threats.
How does an intrusion detection system work?
An intrusion detection system is usually installed either on your network or a client system. There are two ways in which an IDS could work:
- Looking for signatures of known attacks
- Looking for deviations from normal activity
Any abnormal or anomalous activity or patterns that are detected will be sent up in the stack to be examined and investigated further at the protocol and application layers of the OSI (Open Systems Interconnection) model.
The intrusion detection system is placed out-of-band on the network infrastructure. This means that it is outside of the real-time communication path (a path between the information sender and receiver) within your network infrastructure. Because of this, it will take advantage of a TAP or SPAN port, using it for the purpose of analyzing a copy of the inline traffic stream, fetching the a copy of inline network packets through port mirroring, and checks whether the streaming traffic is malicious or spoofed in any way while making sure that the intrusion detection system does not impact inline network performance.
The intrusion detection system identifies infected elements that have the potential to impact your overall network performance. These include malformed information packets, DNS poisonings, Xmas scans, and many other elements.
What is Intrusion Detection System used for?
The purpose of using intrusion detection is to catch hackers and malicious users before they manage to do any real damage to a network.
The IDS is used offline or out-of-band,to identify and log violations and send an alert to an administrator, or to report the violation to a central repository called a ‘security information and event management (SIEM) system' with the use of a SIEM software.
The SIEM would generally centrally combine alerts from several tools or sources to distinguish malicious activity from false alarms in a better, more effective manner. Since no automatic action is taken, it is known as passive monitoring.
Since it is out-of-band and does not operate on live traffic it can be used to conduct more complex analyses and investigations. It is able to do this because it does not need to perform at line speed.
Some intrusion detection systems are even built to look for attacks that originate within the internal network. To do this, you can deploy your intrusion detection system at any strategic point in the network.
What are the major components of intrusion detection system?
An intrusion detection system is made up of three major components:
- A console or a control unit
- An engine or an annunciator
The purpose of the sensors is to generate security events which trigger the intrusion detection system. The console or the control unit is used to monitor events and alerts and the control sensors. The engine will record the events found by the sensors in a database and then makes use of a system of rules to trigger and send alerts from the security events received by the intrusion detection system.
What are the types of intrusion detection system?
There are four types of intrusion detection systems available. You can pick the one that is right for you based on your business’s needs. Here’s a quick breakdown of the types of intrusion detection systems.
1. Network intrusion detection system (NIDS)
Network intrusion detection systems are independent platforms that keep an eye on network traffic and examine hosts to identify intruders. They connect to network hubs or network taps and tend to be placed at data chokepoints, especially in a demilitarized zone (DMZ) or network border with the purpose of capturing network traffic and analyzing individual packets for malicious content.
They can monitor the total network traffic in an efficient manner without having any impact on performance or on network availability.
2. Host-based intrusion detection system (HIDS)
This is an agent that is directly installed onto the host that senses malicious traffic going through system calls, application logs, and file system modifications.
Since they monitor events that are local to hosts, they could even detect attacks that an NIDS would be unable to detect.
They are also able to function in environments where the network traffic is encrypted. This makes them ideal for protecting highly sensitive information.
3. Perimeter intrusion detection system (PIDS)
A perimeter intrusion detection system (PIDS) will detect and locate intrusion attempts on “perimeter fences” of vital system infrastructures like the main server. It usually comes in the form of an electronic or fiber optic device that is fitted onto the digital perimeter fence of a server. On sensing disturbances that signify that access is being attempted through means other than the regular channel, the PIDS will trigger an alarm.
4. Virtual machine-based intrusion detection system (VMIDS)
A large number of managed IT services providers (MSPs) employ a VMIDS setup. A virtual machine-based intrusion detection system is similar to one or a combination of any of the three IDSs explained but it is deployed remotely via a virtual machine (VM).