An intrusion detection system, abbreviated IDS, is able to detect and inform about attacks directed at computers, servers, or networks. Often the Intrusion Detection System complements the usual functions of a firewall.
What is an intrusion detection system (IDS)?
An intrusion detection system uses certain patterns to independently detect attacks on computer systems or networks and informs users or administrations. An IDS can be installed as stand-alone hardware in a network or implemented as a software component on an existing system.
Compared to a so-called Intrusion Prevention System (IPS), the IDS clearly distinguishes itself, as it only detects attacks but does not actively prevent and defend against them.
The appropriate countermeasures in the event of attacks are initiated by the administrators or by other systems on the basis of the alerting by the IDS. Compared to a pure firewall, the intrusion detection system offers better protection because it can detect attacks even after they have broken through the firewall.
In order to take effective measures to defend against the attack, it is important that the IDS provides accurate information about the type and origin of the attack. For example, affected services can be stopped or ports blocked.
Different types of intrusion detection systems
Depending on the system to be protected and the IDS used, a basic distinction can be made between three different types of intrusion detection systems:
- The host-based intrusion detection system
- The network-based intrusion detection system
- The hybrid intrusion detection system
The host-based IDS is installed directly on the systems to be protected and monitored. It collects different data of the system directly from its logs, the kernel, or from the registry database and analyzes them with regard to anomalies or known attack patterns. For example, if the system is disabled by a DoS attack, the IDS is ineffective.
A network-based IDS is installed on a network in such a way that it can read all packets and examine them for suspicious patterns. To support the high bandwidths of modern networks, the IDS must support high performance for processing and analyzing data. If this is not the case, complete monitoring by the IDS cannot be ensured.
So-called hybrid IDS combine host and network-based systems and provide even more comprehensive protection. The components of a hybrid IDS are host-based sensors, network-based sensors, and management for administration and monitoring of the sensors and further analysis of the data.
How an intrusion detection system works
The functionality of an intrusion detection system can always be divided into the individual steps of data collection and data analysis. While the network-based IDS collects its data based on the traffic it reads, host-based or hybrid IDSs use other sources for their data. It is important that all data comes from trusted sources or is collected by the IDS itself so that manipulation is impossible.
The IDS examines the collected data for anomalies or known attack patterns. For this purpose, it consults databases with predefined patterns. At the same time, the system looks for anomalies. These can be identified by significant deviations from normal operation and do not require predefined patterns.
Anomalies can also be used to detect previously unknown attack scenarios. Modern and powerful systems use artificial intelligence methods for anomaly detection.
The honeypot as part of an intrusion detection system
A component of many intrusion detection systems is a so-called honeypot. This is a special service or a special computer in the network that is supposed to provoke an attack. It virtually attracts the attacks and offers the possibility to analyze them in more detail. In order to direct attacks to the honeypot, security vulnerabilities are deliberately present there.
Since the honeypot itself does not hold any critical data for attackers and is sealed off from the rest of the system, the attack does not pose a security problem. Based on the analyzed attack methods, defensive measures and strategies can be developed.