What is an intrusion detection system (IDS)? Definition from … – TechTarget

An intrusion detection system (IDS) is a system that monitors network traffic for suspicious activity and alerts when such activity is discovered.
While anomaly detection and reporting are the primary functions of an IDS, some intrusion detection systems are capable of taking actions when malicious activity or anomalous traffic is detected, including blocking traffic sent from suspicious Internet Protocol (IP) addresses.
An IDS can be contrasted with an intrusion prevention system (IPS), which monitors network packets for potentially damaging network traffic, like an IDS, but has the primary goal of preventing threats once detected, as opposed to primarily detecting and recording threats.
Intrusion detection systems are used to detect anomalies with the aim of catching attackers before they do real damage to a network. IDSes can be either network- or host-based. A host-based intrusion detection system (HIDS) runs on the individual host it protects, whether a server or an endpoint, and inspects that machine's own logs, processes and file changes, while a network-based intrusion detection system (NIDS) is placed at a vantage point on the network, commonly fed by a switch mirror port or a network tap, and inspects traffic for many hosts at once.
Intrusion detection systems work by either looking for signatures of known attacks or for deviations from normal activity. Captured traffic is decoded up the protocol stack so that it can be examined at the protocol and application layers rather than only as raw packets. This lets an IDS detect events such as Christmas tree scans (TCP probes with the FIN, PSH and URG flags set together, a combination that never occurs in a legitimate connection) and Domain Name System (DNS) poisoning attempts.
An IDS may be implemented as a software application running on customer hardware or as a network security appliance. Cloud-based intrusion detection systems are also available to protect data and systems in cloud deployments.
IDSes come in different flavors and detect suspicious activities using different methods, including the following:
Historically, intrusion detection systems were categorized as passive or active. A passive IDS that detected malicious activity would generate alert or log entries but would not take action. An active IDS, sometimes called an intrusion detection and prevention system (IDPS), would generate alerts and log entries but could also be configured to take actions, like blocking IP addresses or shutting down access to restricted resources.
Snort — one of the most widely used intrusion detection systems — is an open source, freely available and lightweight NIDS that is used to detect emerging threats. Snort can be compiled on most Unix or Linux operating systems (OSes), with a version available for Windows as well.
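The two detection methods described above, matching signatures of known attacks and flagging deviation from a baseline, together with the passive-versus-active distinction (a rule that alerts versus one that drops), as an added example that is not from this article and is not Snort's own code. It parses a tiny, simplified subset of Snort-style rule syntax (only the header plus the msg, flags and sid options; no variables, flag masks or payload matching, all of which are simplifications assumed for the example), runs those rules over constructed packet records, and then runs a simple statistical anomaly check over the same records. The rule SIDs, addresses and traffic are constructed for the demonstration.

```python
"""Minimal signature + anomaly network IDS over constructed packet records.
Added example: not TechTarget's text and not Snort's code. Parses only a tiny
simplified subset of Snort 2 rule syntax (header plus msg/flags/sid; no
variables, flag masks or payload matching); all traffic below is constructed."""
import re
import statistics
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str = ""  # TCP flag letters as Snort writes them: S, A, F, P, U, R

# Simplified rule grammar (assumption):
#   action proto src sport -> dst dport (msg:"..."; flags:XYZ; sid:N;)
RULE_RE = re.compile(
    r"^(?P<action>alert|drop)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

def parse_rule(text):
    """Turn one rule line into a dict of header fields plus an 'opts' dict."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparsable rule: {text!r}")
    rule = m.groupdict()
    opts = {}
    for opt in rule.pop("opts").split(";"):
        key, _, val = opt.strip().partition(":")
        if key:
            opts[key.strip()] = val.strip().strip('"')
    rule["opts"] = opts
    return rule

def _match(pattern, value):
    return pattern == "any" or pattern == str(value)

def rule_matches(rule, pkt):
    if rule["proto"] not in ("ip", pkt.proto):
        return False
    if not (_match(rule["src"], pkt.src) and _match(rule["sport"], pkt.sport)
            and _match(rule["dst"], pkt.dst) and _match(rule["dport"], pkt.dport)):
        return False
    want = rule["opts"].get("flags")
    # flags:FPU here means exactly FIN+PSH+URG set (real Snort also supports masks)
    return want is None or set(want) == set(pkt.flags)

def run_signatures(rules, packets, inline=False):
    """Signature pass; returns (alerts, dropped). Every match alerts (IDS behaviour).
    A 'drop' rule removes the packet only when inline=True, i.e. when the sensor
    sits in the traffic path as an IPS; a passive sensor can only report it."""
    alerts, dropped = [], []
    for pkt in packets:
        for rule in rules:  # first matching rule wins (simplification)
            if rule_matches(rule, pkt):
                alerts.append((rule["opts"]["sid"], rule["opts"]["msg"], pkt.src, pkt.dport))
                if inline and rule["action"] == "drop":
                    dropped.append(pkt)
                break
    return alerts, dropped

def anomalous_sources(packets, k=3.0):
    """Anomaly pass: flag sources touching far more distinct ports than their peers.
    Baseline = mean and std dev of the *other* sources' distinct-port counts."""
    ports = {}
    for p in packets:
        ports.setdefault(p.src, set()).add(p.dport)
    counts = {src: len(s) for src, s in ports.items()}
    flagged = []
    for src, n in counts.items():
        others = [c for s, c in counts.items() if s != src]
        if len(others) < 2:
            continue  # no baseline to compare against
        mean, sd = statistics.mean(others), statistics.pstdev(others)
        if n > mean + k * max(sd, 1.0):  # floor stops a flat baseline flagging everyone
            flagged.append(src)
    return flagged

# Constructed rules; SIDs from 1000000 up are the range Snort reserves for local rules.
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> any any (msg:"SCAN nmap XMAS"; flags:FPU; sid:1000001;)',
    'drop tcp any any -> 10.0.0.5 23 (msg:"Telnet to legacy host"; sid:1000002;)')]

# Constructed traffic: a normal client, one Christmas tree probe, a 40-port sweep, a second client.
PACKETS = (
    [Packet("192.0.2.10", 40000 + i, "10.0.0.5", p, "tcp", "S") for i, p in enumerate((80, 443, 23))]
    + [Packet("198.51.100.7", 5555, "10.0.0.5", 22, "tcp", "FPU")]
    + [Packet("203.0.113.9", 50000 + p, "10.0.0.5", p, "tcp", "S") for p in range(1, 41)]
    + [Packet("192.0.2.11", 41000 + p, "10.0.0.5", p, "tcp", "S") for p in (80, 443)])

if __name__ == "__main__":
    alerts, dropped = run_signatures(RULES, PACKETS, inline=True)
    for a in alerts:
        print("ALERT sid=%s %r from %s to port %d" % a)
    print("dropped:", len(dropped), "anomalous sources:", anomalous_sources(PACKETS))
```

Note the asymmetry the two passes show: the signature pass catches the Christmas tree probe on its first packet because the flag combination is a known pattern, but it says nothing about the port sweep from 203.0.113.9 (ordinary SYN packets match no rule) until the anomaly pass compares that source's behaviour with its peers. The same run also shows the IDS/IPS difference in one switch: with `inline=False` the Telnet rule only alerts; with `inline=True` it drops.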
Intrusion detection systems monitor network traffic in order to detect when an attack is being carried out by unauthorized entities. IDSes do this by providing some — or all — of the following functions to security professionals:
Intrusion detection systems offer organizations several benefits, starting with the ability to identify security incidents. An IDS can be used to help analyze the quantity and types of attacks. Organizations can use this information to change their security systems or implement more effective controls. An intrusion detection system can also help companies identify bugs or problems with their network device configurations. These metrics can then be used to assess future risks.
Intrusion detection systems can also help enterprises attain regulatory compliance. An IDS gives companies greater visibility across their networks, making it easier to meet security regulations. Additionally, businesses can use their IDS logs as part of the documentation to show they are meeting certain compliance requirements.
Intrusion detection systems can also improve security responses. Because IDS sensors observe the traffic passing between hosts and devices on the network, they can be used to inspect the data inside network packets and to passively identify the operating systems and services in use. Building an inventory this way can be much more efficient than taking a manual census of connected systems.
IDSes are prone to false alarms — or false positives. Consequently, organizations need to fine-tune their IDS products when they first install them. This includes properly configuring their intrusion detection systems to recognize what normal traffic on their network looks like compared to potentially malicious activity.
However, despite the inefficiencies they cause, false positives don't usually do direct damage to the network and mostly lead to configuration improvements. The caveat is volume: a steady flood of false positives produces alert fatigue, and analysts who have learned to ignore the IDS will miss the genuine alert when it arrives.
A much more serious IDS mistake is a false negative, which is when the IDS misses a threat and mistakes it for legitimate traffic. In a false negative scenario, IT teams have no indication that an attack is taking place and often don't discover it until after the network has been affected in some way. It is better for an IDS to be oversensitive to abnormal behaviors and generate false positives than it is to be undersensitive, generating false negatives.
False negatives are becoming a bigger issue for IDSes, especially signature-based IDSes (SIDSes), since malware is evolving and becoming more sophisticated. A new intrusion is hard to detect because new malware may not display the previously seen patterns of suspicious behavior that signature-based IDSes are designed to match. As a result, there is an increasing need for IDSes to detect new behavior and proactively identify novel threats and their evasion techniques as soon as possible.
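The trade-off just described, oversensitive versus undersensitive, can be made concrete by counting what a single alert threshold does to a set of labelled events. The example below is added here and is not part of the TechTarget article; the scores are constructed stand-ins for what an anomaly detector would emit for labelled traffic, and the cost weights are assumptions chosen to express the article's rule that a missed attack costs far more than a spurious alert.

```python
"""Threshold tuning: counting false positives against false negatives.
Added example, not part of the TechTarget article. EVENTS is constructed:
each entry is (detector_score, is_attack), standing in for the scores a
real anomaly detector would emit for labelled traffic."""

# Constructed labelled events. Some benign traffic scores high (chatty backups,
# scans run by the IT team) and one real attack scores only 0.50.
EVENTS = [
    (0.05, False), (0.10, False), (0.20, False), (0.30, False),
    (0.35, False), (0.45, False), (0.55, False), (0.60, False),
    (0.50, True), (0.65, True), (0.80, True), (0.95, True),
]
THRESHOLDS = [0.3, 0.4, 0.5, 0.6, 0.7, 0.8]

def confusion(events, threshold):
    """Alert on score >= threshold; count how that splits attacks and benign events."""
    c = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for score, is_attack in events:
        alerted = score >= threshold
        if is_attack:
            c["tp" if alerted else "fn"] += 1
        else:
            c["fp" if alerted else "tn"] += 1
    return c

def sweep(events, thresholds):
    """Confusion counts for every candidate threshold, in ascending order."""
    return {t: confusion(events, t) for t in sorted(thresholds)}

def pick_threshold(events, thresholds, fp_cost=1.0, fn_cost=20.0):
    """Choose the threshold with the lowest weighted error cost.
    A false negative is an undetected attack, so by default it is weighted far
    above a false positive (the 'oversensitive beats undersensitive' rule).
    On an inline IPS, where a false positive blocks legitimate traffic, raise
    fp_cost relative to fn_cost. Ties go to the lowest, i.e. most sensitive,
    threshold because min() keeps the first of equal candidates."""
    def cost(t):
        c = confusion(events, t)
        return c["fp"] * fp_cost + c["fn"] * fn_cost
    return min(sorted(thresholds), key=cost)

if __name__ == "__main__":
    for t, c in sweep(EVENTS, THRESHOLDS).items():
        print(f"threshold {t:.2f}: {c}")
    print("IDS-style choice (misses are expensive):", pick_threshold(EVENTS, THRESHOLDS))
    print("IPS-style choice (blocking legit traffic is expensive):",
          pick_threshold(EVENTS, THRESHOLDS, fp_cost=5.0, fn_cost=1.0))
```

On this data no threshold is clean: 0.5 catches every attack at the price of two false positives, while 0.7 silences the false positives but misses two attacks. Which one is right depends on what an error costs, which is exactly why the same score distribution yields a lower threshold for a passive IDS and a higher one for an inline IPS.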
An IPS is similar to an intrusion detection system but differs in that an IPS can be configured to block potential threats. Like intrusion detection systems, IPSes can be used to monitor, log and report activities, but they can also be configured to stop threats without the involvement of a system administrator. An IDS simply warns of suspicious activity taking place, but it doesn’t prevent it.
An IPS is typically deployed inline, between a company's firewall and the rest of its network, so that it can stop suspected traffic before it reaches the rest of the network. Intrusion prevention systems execute responses to active attacks in real time and can catch intruders that firewalls or antivirus software may miss.
However, organizations should be careful with IPSes because they can also be prone to false positives. An IPS false positive is likely to be more serious than an IDS false positive because the IPS prevents the legitimate traffic from getting through, whereas the IDS simply flags it as potentially malicious.
It has become a necessity for most organizations to have either an IDS or an IPS, and usually both, feeding their alerts and logs into a security information and event management (SIEM) system, where they can be correlated with events from other sources.
Several vendors integrate firewall, IDS and IPS functions (often together with antivirus and content filtering) into a single appliance, known as unified threat management (UTM), enabling organizations to deploy detection and prevention together alongside the other controls in their security infrastructure.
All Rights Reserved, Copyright 2000 – 2022, TechTarget
