
Intrusion Detection System (IDS)


Also known as: IDS, IDPS, intrusion prevention system, network intrusion detection

A security system that monitors network traffic or system activities for malicious behaviour or policy violations and generates alerts when suspicious activity is detected.

In-Depth Explanation

An Intrusion Detection System (IDS) monitors network traffic and system activities for signs of malicious activity, policy violations, or known attack patterns. When suspicious activity is detected, the IDS generates alerts for security teams to investigate.

Types of IDS:

  • Network IDS (NIDS): Monitors network traffic at strategic points for suspicious patterns
  • Host IDS (HIDS): Monitors individual systems for file changes, process activity, and log anomalies
  • Intrusion Prevention System (IPS): Actively blocks detected threats (not just alerting)
  • Network Behaviour Analysis (NBA): Detects unusual traffic patterns and anomalies

Detection methods:

  • Signature-based: Matches traffic against a database of known attack patterns
  • Anomaly-based: Establishes a baseline of normal behaviour and alerts on deviations
  • Stateful protocol analysis: Compares observed activity against expected protocol behaviour
  • Machine learning: Uses AI to identify previously unknown threats

IDS vs IPS:

  • IDS (Detection): Monitors and alerts - passive, no traffic blocking
  • IPS (Prevention): Monitors, alerts, and blocks - active, inline with traffic
  • Many modern solutions combine both capabilities (IDPS)

IDS deployment best practices:

  • Place NIDS at network boundaries and between segments
  • Deploy HIDS on critical servers and high-value targets
  • Tune rules to reduce false positives
  • Integrate with SIEM for centralised alerting and correlation
  • Keep signature databases updated regularly
  • Combine signature-based and anomaly-based detection
  • Document and regularly review alert response procedures

Business Context

An IDS provides visibility into network activity that firewalls alone cannot offer. While firewalls control access, an IDS detects attackers who have already bypassed perimeter defences and are operating within the network.

How Clever Ops Uses This

Clever Ops deploys intrusion detection systems for Australian businesses, configuring network and host-based monitoring, tuning alert rules to minimise false positives, and integrating IDS alerts with SIEM platforms for centralised security monitoring and response.

Example Use Case

"An Australian law firm deploys a network IDS that detects an attacker scanning internal systems after compromising an employee laptop. The alert enables the security team to isolate the compromised device and prevent data exfiltration."
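The two detection methods described above, applied to the law-firm scenario, as an added example that is not Clever Ops code: a toy network IDS in Python that learns a per-source fan-out baseline from benign traffic, then flags a known payload pattern (signature-based) and the compromised laptop's sweep of the subnet (anomaly-based). Every IP address, signature and flow record is constructed for the example; a real sensor would read these from packet capture and a maintained rule set.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    ts: float       # seconds since capture start
    src: str        # source IP
    dst: str        # destination IP
    dport: int      # destination port
    payload: bytes  # first application bytes (empty for a bare connection attempt)
# Constructed, illustrative signatures; real rule sets hold thousands of patterns.
SIGNATURES = {"path-traversal": b"../../etc/passwd", "sql-tautology": b"' OR '1'='1"}
WINDOW = 60.0  # seconds per bucket in which one source's distinct targets are counted

def signature_alerts(flows):
    """Signature-based: flag any payload that contains a known attack pattern."""
    return sorted({(f.src, name) for f in flows
                   for name, pat in SIGNATURES.items() if pat in f.payload})

def peak_fan_out(flows):
    """Per source, the most distinct (dst, port) pairs contacted in any WINDOW bucket."""
    seen = defaultdict(set)  # (src, bucket) -> {(dst, port), ...}
    for f in flows:
        seen[(f.src, int(f.ts // WINDOW))].add((f.dst, f.dport))
    peak = defaultdict(int)
    for (src, _), targets in seen.items():
        peak[src] = max(peak[src], len(targets))
    return dict(peak)

def learn_baseline(benign_flows, headroom=3):
    """Anomaly-based: the threshold is the largest benign fan-out, with headroom."""
    return headroom * max(peak_fan_out(benign_flows).values())

def anomaly_alerts(flows, threshold):
    """Flag sources whose fan-out exceeds the baseline: the shape of an internal scan."""
    return sorted((src, "fan-out-anomaly", n)
                  for src, n in peak_fan_out(flows).items() if n > threshold)

def sample_traffic():
    """Constructed flows: three workstations at work, then one laptop sweeping the subnet."""
    benign = [Flow(t, f"10.0.0.{h}", dst, port, b"") for h in (11, 12, 13)
              for t in range(0, 600, 30)
              for dst, port in (("10.0.0.5", 445), ("10.0.0.6", 25), ("10.0.0.2", 53))]
    scan = [Flow(660 + i, "10.0.0.23", f"10.0.0.{i}", p, b"")
            for i in range(1, 21) for p in (22, 445)]
    web = [Flow(680, "10.0.0.23", "10.0.0.7", 80, b"GET /../../etc/passwd HTTP/1.1")]
    return benign, benign + scan + web

def run():
    benign, observed = sample_traffic()
    threshold = learn_baseline(benign)
    return signature_alerts(observed), anomaly_alerts(observed, threshold), threshold
```

The benign hosts never exceed three distinct targets per minute, so the learned threshold of 9 stays silent on them, while the laptop touching 41 distinct (host, port) pairs inside one window is reported even though no single connection matched a signature.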


Category

cybersecurity
