Intrusion Detection System (IDS)

Sep 11,2009 by alperen

An intrusion detection system (IDS) device inspects all network activity passing through it and identifies suspicious patterns that might indicate a network or device attack. An IDS can be categorized in three ways.

Misuse detection vs. anomaly detection

With misuse detection, the IDS analyzes the data stream and compares it to databases of known attack signatures. The IDS can only look for previously documented, specific attacks. This is similar to the process many virus-scanning programs use, and, like those programs, the protection is only as good as the database of attack signatures available.

In anomaly detection (or profile detection), the administrator defines the baseline profile of the “normal” network traffic characteristics. The IDS monitors network segments and compares their state to the baseline, looking for deviations or anomalies.

Network-based vs. host-based systems

With network-based systems (NIDS), such as the Cisco IDS 4200 Series appliances, the individual packets flowing through a network are analyzed by dedicated devices. As specialty devices, NIDS have been optimized to detect suspicious packets, which, typically, are overlooked by a firewall’s filtering rules.

A host-based system is IDS software configured on key resources such as servers, routers, or switches to examine activity on that device.

Passive system vs. reactive system

When a passive system detects a potential security threat, it logs the pertinent information and signals an alert message.

A reactive system logs the event and sends out the alert but, at the same time, responds by blocking traffic from the suspected malicious source.

This capability to react to an evolving threat allows IDS implementations to provide protection beyond that of a firewall without IDS features. Furthermore, firewalls tend to be configured to look for bad traffic coming into the network, but remain oblivious to internal traffic. IDS can simultaneously protect the network from internal and external threats.
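
The detection and response modes described above, as an added example that is not part of the original article: a small Python sketch that runs misuse (signature) detection and anomaly (baseline) detection over the same events, in passive and then reactive mode. The signature patterns, traffic figures, addresses and function names are all constructed for illustration.

```python
import re
from statistics import mean, stdev

# Constructed signature database (misuse detection): name -> payload pattern.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./\.\./"),
    "sql-injection": re.compile(r"(?i)union\s+select"),
}

def misuse_detect(event):
    """Return names of known-attack signatures that match the payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(event["payload"])]

def build_baseline(samples):
    """Profile 'normal' traffic as (mean, standard deviation) of requests/minute."""
    return mean(samples), stdev(samples)

def anomaly_detect(event, baseline, threshold=3.0):
    """Flag a request rate more than `threshold` deviations from the baseline."""
    mu, sigma = baseline
    return abs(event["req_per_min"] - mu) > threshold * sigma

def run_ids(events, baseline, reactive=False):
    """Passive mode: log and alert only. Reactive mode: also block the source."""
    alerts, blocked = [], set()
    for ev in events:
        if ev["src"] in blocked:
            continue  # a reactive system has already dropped this source
        reasons = misuse_detect(ev)
        if anomaly_detect(ev, baseline):
            reasons.append("rate-anomaly")
        if reasons:
            alerts.append((ev["src"], reasons))
            if reactive:
                blocked.add(ev["src"])
    return alerts, blocked

# Constructed sample data (documentation address ranges from RFC 5737).
BASELINE = build_baseline([18, 22, 20, 19, 21, 20, 23, 17])
EVENTS = [
    {"src": "192.0.2.10", "req_per_min": 21, "payload": "GET /index.html"},
    {"src": "192.0.2.66", "req_per_min": 19, "payload": "GET /../../etc/passwd"},
    {"src": "198.51.100.7", "req_per_min": 400, "payload": "GET /login"},
    {"src": "192.0.2.66", "req_per_min": 20, "payload": "GET /?q=1 UNION SELECT 1"},
]

if __name__ == "__main__":
    for mode in (False, True):
        print("reactive" if mode else "passive", *run_ids(EVENTS, BASELINE, reactive=mode))
```

The rate spike from 198.51.100.7 matches no signature and is caught only by the baseline comparison, while the two requests from 192.0.2.66 look normal by rate and are caught only by signatures. In reactive mode the second request from 192.0.2.66 never produces an alert because the source was blocked after the first.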

