Intrusion Detection Systems: An Introduction

intrusion detection systemAn intrusion detection system (IDS) is the high-tech equivalent of a burglar alarm. It is a device or software application that is configured to monitor information gateways, hostile activities, and known intruders, and produces reports to a management station. An IDS is a specialized tool that knows how to parse and interpret network traffic and/or host activities. This data can range from network packet analysis to the contents of log files from routers, firewalls, and servers, local system logs and access calls, network flow data, and more. Furthermore, an IDS often stores a database of known attack signatures and can compare patterns of activity, traffic, or behavior it sees in the data it’s monitoring against those signatures to recognize when a close match between a signature and current or recent behavior occurs. At that point, the IDS can issue alarms or alerts, take various kinds of automated actions ranging from shutting down Internet links or specific servers to launching back-traces, and make other active attempts to identify attackers and collect evidence of their nefarious activities.

By analogy, an IDS does for a network what an antivirus software package does for files that enter a computer system: it inspects the contents of network traffic to look for and deflect possible attacks just as an antivirus software package inspects the contents of incoming files, e-mail attachments, active Web content, and so forth to look for virus signatures or for possible malicious actions.


Intrusion detection means detecting unauthorized use of or attacks upon a system or network. An IDS is designed and used to detect such attacks or unauthorized use of systems, networks, and related resources, and then in many cases to deflect or deter them if possible. Like firewalls, IDSes can be software-based or can combine hardware and software in the form of pre-installed and preconfigured stand-alone IDS devices. IDS software may run on the same device or server where the firewall or other services are installed will monitor those devices with particular closeness and care. Although such devices tend to be deployed at network peripheries, IDSes can detect and deal with insider attacks as well as external attacks, and are often very useful in detecting violations of corporate security policy and other internal threats.

Types of Intrusion Detection Systems

There are several types of IDSes. It is possible to distinguish IDSes by the kinds of activities, traffic, transactions, or systems they monitor. IDSes that monitor network links and backbones looking for attack signatures are called network-based IDSes, whereas those that operate on hosts and defend and monitor the operating and file systems for signs of intrusion are called host-based IDSes. Groups of IDSes functioning as remote sensors and reporting to a central management station are know as distributed IDSes (DIDSes). A gateway IDS is a network IDS deployed at the gateway between your network and another network, monioriting the traffic passing in and out of your network at the transit point. IDSes that focus on understanding and parsing application-specific traffic with regard to the flow of application logic well as the underlying protocols are often called application IDSes.

Most commercial environments use a combination of network, host and/or application-based IDSes to observe what is happening on their networks while also monitoring key hosts and applications more closely. In addition, some IDSes use signature detection, using a database of traffic or activity patterns known as attack signatures. Another approach is called anomaly detection, whereby rules or predefined concepts about normal and abnormal system activity, called heuristics, to distinguish anomalies from normal system behavior and to monitor, report or block anomalies as they occur.


To summarize, intrusion detection systems have many different characteristics:

  • They can be software-based, or a combination of software and hardware.
  • They can be network-based, host-based, or distributed
  • The primary job of the intrusion detection system is to detect attacks and inform the administrator, not to block attacks; however, many intrusion detection systems will go a step further and take measures to block attacks.

External Links:

Intrusion detection system on Wikipedia

© 2013 David Zientara. All rights reserved. Privacy Policy