What is an Intrusion Detection System? Explained


An intrusion detection system (IDS) is any device or software application that monitors a network or host for malicious activity or policy violations. Typically, detected violations or malicious activity are collected or reported centrally using a security information and event management (SIEM) system.

Some intrusion detection systems can also respond to intrusions once they are discovered. Intrusion detection systems are classified in several ways; let's look at the main ones.

Types of Intrusion Detection System

Intrusion detection systems range from antivirus software on a single machine to tiered monitoring systems that watch the traffic of an entire network. The most common classification, however, is by where the IDS sits:

  • Host-based Intrusion Detection Systems (HIDS): A HIDS runs on an individual host and monitors important operating system files.
  • Network Intrusion Detection Systems (NIDS): A NIDS is placed on the network and analyzes incoming network traffic.

Intrusion detection systems can also be classified by how they detect intrusions. The two most common approaches are:

  • Signature-based: A signature-based IDS looks for specific patterns that indicate a known threat, such as byte sequences in network traffic or known malicious instruction sequences used by malware.

The term 'signature' comes from antivirus software, where such detected patterns are known as signatures. Although a signature-based IDS can detect known attacks, it is nearly impossible for it to detect new attacks whose patterns are not yet known.

  • Anomaly-based: Anomaly-based IDS is a newer approach developed to detect new attacks. It uses machine learning to build a model of what trustworthy activity looks like and compares every observed activity against that trust model.

The downside is a risk of false positives: legitimate activity that was not seen when the trust model was built can be misclassified as malicious.
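The following is an added example, not code from the original article: a toy signature-based detector and a toy anomaly-based detector run over the same constructed request events. All IP addresses, paths, user agents and signature names are constructed for illustration. It shows the two limitations described above: the signature detector only flags the exact known pattern, while the anomaly detector also flags a legitimate page that was simply absent from its baseline (a false positive).

```python
import re

# Constructed baseline events (client IP, request path, user agent); not real traffic.
BASELINE = [
    ("10.0.0.5", "/index.html", "Mozilla/5.0"),
    ("10.0.0.5", "/about", "Mozilla/5.0"),
    ("10.0.0.7", "/index.html", "Mozilla/5.0"),
    ("10.0.0.7", "/login", "Mozilla/5.0"),
]

# Constructed signatures: patterns already known to belong to malicious activity.
SIGNATURES = {
    "known-scanner-ua": re.compile(r"EvilScanner/1\.0"),
    "known-bad-path": re.compile(r"/cgi-bin/badshell\.cgi"),
}

def signature_detect(events):
    """Flag events matching a known pattern; anything without a signature passes."""
    hits = []
    for client, path, ua in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(path) or pattern.search(ua):
                hits.append((client, name))
    return hits

def build_trust_model(events):
    """Learn what 'trustworthy' looks like from baseline traffic: seen paths and agents."""
    return {"paths": {p for _, p, _ in events}, "agents": {a for _, _, a in events}}

def anomaly_detect(model, events):
    """Flag anything that deviates from the trust model, whether known-bad or not."""
    hits = []
    for client, path, ua in events:
        if path not in model["paths"]:
            hits.append((client, "unseen-path"))
        if ua not in model["agents"]:
            hits.append((client, "unseen-agent"))
    return hits

# Constructed live events: a normal request, a known scanner, a slightly altered
# variant of that scanner, and a legitimate new page that was not in the baseline.
LIVE = [
    ("10.0.0.5", "/index.html", "Mozilla/5.0"),
    ("198.51.100.4", "/cgi-bin/badshell.cgi", "EvilScanner/1.0"),
    ("198.51.100.4", "/cgi-bin/badshe11.cgi", "EvilScanner/1.1"),
    ("10.0.0.7", "/new-feature", "Mozilla/5.0"),
]
```

Running `signature_detect(LIVE)` flags only the second event, while `anomaly_detect(build_trust_model(BASELINE), LIVE)` flags the second and third events and also `/new-feature`, which is the false positive a defender would have to tune out.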

Various Evasion Techniques

Attackers trying to breach a network can use various techniques to evade an IDS. Being aware of them helps your IT department understand how an IDS can be deceived into letting real threats pass.

Here are some of the techniques cybercriminals use.

  • Coordinated, low-bandwidth attacks: The scan is coordinated among many attackers, possibly with different hosts or ports allocated to each of them, so the IDS has difficulty correlating the captured packets and recognizing that a network scan is in progress.
  • Pattern change evasion: Because an IDS relies on pattern matching, an attacker can make slight changes to the structure of the attack so that it no longer matches the known pattern and is not detected.
  • Fragmentation: By sending fragmented packets, an attacker can defeat the system's ability to recognize attack signatures and stay under the radar.
  • Address proxying/spoofing: If the source address is spoofed and the attack is bounced through a server, it becomes difficult to detect. Attackers can use misconfigured or poorly secured proxy servers to bounce an attack in this way.
  • Avoiding defaults: If an attacker reconfigures the port a protocol normally uses, the IDS may not detect the presence of a trojan, because there is no indication of which protocol is being transported.

Use of IDS in networks

When placed at strategic points within a network so that it can monitor traffic from all devices, an IDS analyzes the passing traffic and matches the traffic crossing the subnets against its library of known attacks.

Once abnormal behavior is sensed or an attack is identified, an alert is sent to the administrator.

Importance of Intrusion Detection System

High-level security is a must-have for any modern networked business environment. It ensures trusted and safe communication both within and between organizations.

If traditional technologies fail, an intrusion detection system can act as an adaptable safeguard. Cyber attacks will certainly become more sophisticated, so it is important that protection technologies evolve along the way to adapt to these newer threats.