Intrusion Detection Systems (IDS): Definition, Types, Purpose

If you can identify an unauthorized network intrusion attempt, you can maintain the confidentiality, integrity, and availability (CIA) of your data assets and network resources.

This is precisely the goal of an intrusion detection system (IDS).

All cyberattacks that violate the CIA of the network and data demonstrate some form of anomalous behavior. The starting point of this behavior may be an unauthorized intrusion into the network, which may then expand into unauthorized use of the resources contained within the network.

In this article, we'll explain what an IDS is, how it differs from other network security systems, and why you should consider integrating one into your network infrastructure.

What is an Intrusion Detection System?

An intrusion detection system (IDS) monitors network traffic for anomalous behavior such as:

• Cyberattacks 
• Violations of your security policy

Once the event is identified as an anomaly, the IDS likely either reports to the administrators or issues an automation control action to the integrated security information and event management (SIEM) tool. The SIEM then uses advanced filtering techniques and protocols to distinguish a legitimate intrusion attempt from false alarms when raising an alert.

(Explore Splunk Enterprise Security, a leading SIEM solution.)

IDS types

There are two types of IDS:

• Host-based IDS (HIDS) focus on a single system. They scan for changes to system files and unusual behavior on that one machine. 
• Network-based IDS (NIDS) cover a bit more ground. They scan entire networks for malicious packets and changes in regular traffic.

IDS vs. IPS

If an IDS is an alarm designed to detect and inform you of incoming threats, an IPS is the guard making sure no threats get into the system. Because while an IDS focuses on threat detection, an IPS focuses mainly on threat prevention.

IPSes operate on the network in real time, ensuring that threats don’t get into the network. They continuously monitor traffic on the network, inspect incoming packets for malicious signals, and detect network anomalies. An IPS also:

• Performs some threat detection.  
• Alerts network administrators to any potential threats.

That's not to say, however, that an IPS is superior to an IDS (or vice versa). In fact, both systems should be used together to provide comprehensive network protection. Because while an IPS does catch threats, an IDS provides far greater network visibility and threat detection that the IPS can then work with.

IDS vs IPS: key infrastructure differences:

• Intrusion Prevention Systems (IPS) are active and placed in-line with network traffic.  As such, they're almost always network-based. This allows them to work in real time to prevent against network threats.
• Intrusion Detection Systems (IDS) are passive and placed out-of-line. They can be host-based or network-based, monitoring traffic by receiving copies of the actual packets being sent. Thus, they don't interfere with the actual traffic.

(Related reading: active vs. passive monitoring.)

IDS vs. Firewall

The IDS process is different from a firewall mechanism, which simply filters and implicitly prevents a possible network intrusion.

So, why not just have a firewall system instead? Modern enterprise IT networks are complex. The networks include thousands of network endpoints and nodes communicating between each other — no fixed set of rules can encompass a holistic and uniform security policy for the entire network. Therefore, IDS systems are deployed at various network nodes to determine potential violations of a network security policy.

Types of Intrusion Detection Systems

IDSes can be broadly categorized into the following groups:

• Signature-based detection
• Anomaly-based detection
• Stateful protocol analysis

Let's take a more detailed look at how each works and its cons.

Signature-based Detection (SD)

Signature-based detection (SD) systems use existing knowledge of attack signatures to identify intrusion attempts. If a traffic request matches a previous unauthorized intrusion attempt, an alarm goes off. A database of attack signatures is maintained and used to compare against current attempts to access the network. These systems are highly accurate in matching known attack signatures.

However, a zero-day exploit may not contain any signature knowledge in the database. If such an attack doesn't demonstrate characteristics and patterns from the available list of previously known attack signatures, it won't be identified by the IDS that relies on SD techniques. After all, SD is a simple detection system that uses contextual knowledge for simple security policy enforcement decisions.

Cons of Signature-based Detection.  SD systems do have drawbacks. We have detailed some of them below:

• SD requires continuous updates to the signatures database; otherwise, you’re quickly out of date.
• Inadequate understanding of the TCP/IP protocols and states means that SD systems can't develop an adequate and intelligent understanding of signature patterns.
• It's ineffective against zero-day exploits.
• SD is intensive on manual configurations and administrative work to keep the signature database up to date.

Anomaly-based Detection (AD)

The limitations of SD are overcome by anomaly-based detection (AD) systems, which model the behavior of the systems, often using:

• Statistical functions
• Knowledge-based methods
• Machine learning techniques

The models train and generalize on the network system’s response to allowed traffic and known attack signatures. Any deviation from the expected system response — allowing legitimate traffic and rejecting traffic that contains patterns of attack signatures—triggers an alert.

The positives of AD systems are that they're less dependent on the underlying technology stack and OS. New vulnerabilities can be easily detected as long the model is sufficiently trained to classify a legitimate traffic request from an unauthorized intrusion attempt. New vulnerabilities such as zero-day exploits are less concerning, as explicit signature knowledge isn't required.

Cons of Anomaly-based Detection. However, AD systems have several drawbacks:

• Modeling complex network systems is difficult. It requires ongoing training of the models as traffic patterns evolve.
• As the observed events constantly change, building correct traffic profiles becomes challenging.
• Alerts may not be raised in real time, or require explicit training, before a malicious intrusion attempt with slightly anomalous deviations is correctly classified as an authorized traffic request.

Stateful Protocol Analysis (SPA)

The stateful protocol analysis (SPA) system evaluates protocols of the TCP/IP stack. The intrusion engine runs at the application layer and uses predefined protocol profiles for each protocol state activity as provided by the vendor. These are universal and standardized profiles that describe how a protocol should govern traffic flows. Any deviation constitutes an anomalous behavior. Hence, it triggers an alarm.

For example, an intrusion attempt initiates an unexpected sequence of attempts without issuing prerequisite commands. The SPA system would check for the protocol profile characteristics — such as length of the command and order sequence — to determine a potentially unauthorized network intrusion attempt.

On the positive, these systems are well positioned to distinguish between traffic protocol sequences, especially as the states are explicitly known and tracked. The information is universally available and standardized across technology vendors.

Cons of Stateful Protocol Analysis. Now to the difficult part:

• Implementation remains challenging. Internal expertise and tools may be required to understand and classify traffic behaviors based on state information.
• State information alone may be inadequate to determine the legitimacy of a traffic request. Additional analysis techniques that study traffic content and signatures may be required.
• If the technology is incompatible with specific operating systems and APIs, the SPA system may need to be reconfigured and customized to extract the required information around protocols and state profiles.

Why use an IDS?

An IDS should be a crucial part of every good network security process. Detection systems provide real-time monitoring of networks and logs. They can sniff out anomalies and recognize potential threats like no other system can. Furthermore, in several countries (including the US), regulators mandate the use of an IDS in medical and financial networks.

As discussed earlier, firewalls and IPSes are great — but using an IDS in tandem with them will create a layered security infrastructure, your best bet in today's complex threat landscape. 

IDS: One part of your security arsenal

These IDS systems don’t provide an actual defense against malicious intrusion attempts. They’re not firewall systems, but a piece of your larger security puzzle.

Rejecting network traffic requests may be difficult to represent as a single policy or rules that are enforced by a firewall system. Instead, IDSes help InfoSec teams understand traffic behavior and make well-informed decisions based on true contextual knowledge, instead of relying on fixed and predefined policies.

However, there’s a lot that goes into creating a rigid security framework. Several security protocols can be used in networks, but an IDS should always be an integral part of your infrastructure.