Intrusion Detection System - Definition

An Intrusion Detection System (IDS) is a security solution designed to monitor networks or IT systems, which detects and reports suspicious activity, attacks or policy violations at an early stage without blocking data traffic.

An IDS analyses network traffic for conspicuous patterns or unusual behaviour. This can detect, for example, DNS poisoning, faulty data packets and scan attacks. The system operates passively and monitors a copy of the data traffic, for instance via a TAP or SPAN port, so that network performance is not affected.

There is an important difference compared to an Intrusion Prevention System (IPS): whilst an IDS merely detects and reports attacks, an IPS can actively intervene and block malicious traffic.

Key types of IDS:

• Network-based IDS (NIDS): Monitors all network traffic within a network. It is usually installed at strategic points, such as directly behind a firewall.
• Host-based IDS (HIDS): Runs directly on individual endpoints or servers, monitoring activity, files and system changes.
• Cloud-based IDS: Protects applications and data in cloud environments.
• Hybrid IDS: Combines multiple approaches, e.g. network and host monitoring, to provide a comprehensive security overview.

Detection methods:

An IDS typically uses two basic methods for attack detection:

• Signature-based detection: Compares network traffic with known attack patterns. This requires signature databases to be updated regularly.
• Anomaly-based detection: Creates a model of normal network behaviour and detects deviations from it. This allows new or unknown attacks to be detected, although there is a higher risk of false positives.