Intrusion Detection System
What Is an Intrusion Detection System?
An intrusion detection system (IDS) is a tool that monitors and analyzes network traffic for suspicious inbound and outbound activity that could indicate malicious activity.
An intrusion detection system also uses integrated malware signatures and scans for suspicious IP addresses to identify attempts at unauthorized access. When suspicious activity is detected, an alert is sent to the IT team, allowing them to respond proactively.
Types of Intrusion Detection Systems
The ten types of intrusion detection systems differ based on the techniques used to detect and respond to suspicious activities.
1. Anomaly-based intrusion detection system (AIDS)
With anomaly-based intrusion detection systems, a baseline of normal activity across all systems is established and used to compare against traffic to identify anomalies that could represent a threat. Often, machine learning is used to establish and maintain the baseline. Anomaly-based intrusion detection is also effective in detecting novel threats that have never been experienced before.
2. Cloud-based intrusion detection system (CBIDS)
Purpose-built for cloud environments, cloud-based intrusion detection systems use cloud sensors with cloud service provider (CSP) application programming interfaces (APIs) to monitor and analyze network traffic.
3. Host intrusion detection system (HIDS)
With host intrusion detection systems, the software resides on all computers or devices in the network that have access to the internet and internal networks.
A host intrusion detection system can detect suspicious activity within an organization (i.e., malicious insiders). It can also identify malicious traffic originating from a host when malware attempts to move out across a network to other systems.
4. Intrusion detection and prevention system (IDPS)
An intrusion detection and prevention system augments intrusion detection with the capability to take action when suspicious activity is detected (e.g., to block IP addresses, prevent access to systems).
5. Network intrusion detection systems (NIDS)
Deployed at a strategic point or points across the network (e.g., vulnerable subnets), network intrusion detection systems monitor inbound and outbound traffic that’s flowing to and from all the devices on the network.
6. Perimeter intrusion detection system (PIDS)
Perimeter intrusion detection systems are designed to focus on monitoring and analyzing traffic at the edge of the network.
7. Reputation-based intrusion detection
With reputation-based intrusion detection, communications with external, internet-based hosts’ IP and DNS addresses are compared to a database of potentially malicious hosts. Those identified as malicious or suspicious are flagged and can be blocked.
8. Signature-based intrusion detection system (SIDS)
Signature-based intrusion detection systems monitor network traffic and compare packets to known threats using an integrated library of signatures for known malware.
9. Stack-based intrusion detection system (SBIDS)
Integrated into an organization’s Transmission Control Protocol/Internet Protocol (TCP/IP), stack-based intrusion detection systems monitor and analyze traffic on private networks. Stack-based intrusion detection systems also monitor packets as they flow and pull suspicious ones before they reach operating systems or applications.
10. Virtual machine-based intrusion detection system (VMIDS)
Designed to monitor virtual machines (VMs), VM-based intrusion detection allows organizations to monitor and analyze traffic across all these systems.
IDS Usage in Networks
Most intrusion detection systems rely on signature-based intrusion detection and anomaly-based intrusion detection. These intrusion detection methods can be used in tandem, taking advantage of the benefits of both approaches to provide a more comprehensive defense.
1. Signature-based intrusion detection
Identifies suspicious activity by comparing network traffic and log data to a library of known attack signatures or patterns.
2. Anomaly-based intrusion detection
Identifies novel attacks. It uses machine learning to create baselines or trust models for legitimate activity. When activity that deviates from the norm is detected, an alert is sent. While false positives can occur, this intrusion detection method is effective in combating new strains of malware.
Among the many functions of an intrusion detection system in networks are the following:
- Monitors functions of critical tools, such as routers, firewalls, and key management servers
- Help IT teams tune, organize and understand relevant audit trails and other logs
- Leverages extensive attack signature databases to detect known malware
- Detects if data files have been altered
- Provides alerts and reports when unusual or malicious activity is detected
- Reacts to attacks by blocking access to servers or networks
- Supports the identification of root sources of issues
Evasion Techniques in Intrusion Detection Systems
Denial of service
Attacks on network bandwidth or system resources (e.g., CPU, disk space, memory) fall under denial of service. These attacks flood intrusion detection systems, diminishing their capacity to identify malicious behavior.
Bandwidth attacks flood the intrusion detection host with network traffic. Resource attacks overwhelm intrusion detection systems’ capacity and reduce their ability to analyze traffic.
Cybercriminals leverage the benefits of encryption (e.g., data protection, privacy) to hide malware in packets that cannot be easily read by intrusion detection systems.
Attackers take advantage of packet fragmentation in several ways. Intrusion detection can be evaded by sending malicious code in many small fragments that do not have enough information to trigger an alert or match a known signature.
Another way that fragmentation is exploited to evade intrusion detection systems is by sending fragments so that they overlap.
Cybercriminals use obfuscation techniques to conceal an attack by making the message difficult to understand or using double-encoded data to increase the number of signatures required to detect an attack.
Time-to-Live or TTL Exploitation
By sending several packets with TTL modified to sneak through to the network intrusion detection systems, malicious packets can reach target hosts.
Because some applications accept Unicode in place of text, signature-based intrusion detection systems can be tricked into letting malicious code pass through.
This is because, in Unicode, there can be a duplication of character representations. That is, the same thing can be specified in different ways (e.g., /..%c1%1c../ is the same as ../..).
Why Intrusion Detection Systems Are Important
A few reasons why intrusion detection systems play an important role in an effective security posture are as follows.
- Allows organizations to quickly respond to suspicious behavior to prevent attacks or mitigate damage from a potential attack
- Helps meet compliance requirements by providing visibility across networks and maintaining logs that can be used for reporting
- Identifies vulnerabilities in an organization’s systems
- Organizes network data to make it easier to identify the most critical information
- Provides information about attacks that are attempted—what kinds, level of sophistication, frequency, and targets.
Catch Threats Early with Intrusion Detection
An intrusion detection system plays a valuable role in organizations’ cyber defense strategies. Monitoring all network traffic and devices, intrusion detection systems surface suspicious activity and threats, allowing IT teams to neutralize them. Coupled with other security systems, intrusion detection solutions help organizations to protect critical assets and meet compliance requirements.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.
Last Updated: 11th July, 2022