What is an IDS (Intrusion Detection System) & How Does It Work?

Hrushikesh Badgujar
4 min read · Jul 16, 2023


Welcome to my first blog, which is all about what an IDS (Intrusion Detection System) is, what the types of IDS are, and how they work.

Hi, I am Hrushikesh Badgujar, a Cyber Security Researcher and a Student.

Please read till the end and press the clap button to like the write-up. Follow me for more write-ups.

The write-up consists of:

  • What is Intrusion Detection?
  • Introduction to IDS (Intrusion Detection System)
  • Techniques used by IDS for detection
  • Types of IDS
  • Pros of Intrusion Detection Systems
  • Cons of Intrusion Detection Systems

Let's start with the first topic of today's discussion.

What is Intrusion Detection?

Intrusion Detection is the act of detecting unauthorized access or activity by a computer on the network. Such unauthorized access, or the attempt to gain it, aims to compromise or otherwise harm other devices on the network.

What is an IDS (Intrusion Detection System)?

An Intrusion Detection System (IDS) monitors network traffic (or, for host-based variants, activity on a single host) for suspicious activity and generates an alert when the system discovers such activity.

IDS | Intrusion Detection System

Techniques used by IDS

Known Good Policy

It first builds a baseline of known good (allowed) network traffic, and then generates an alert whenever it sees traffic that does not match that baseline.

Known Bad Policy

It maintains a database of signatures of known attacks or bad network traffic, and generates an alert only when traffic matching one of those signatures is detected.

Types of IDS

Based on where the system is deployed

  • Network-based IDS
  • Host-based IDS
  • Distributed IDS
  • Gateway IDS
  • Application IDS

Based on the method/technique the system uses for detection

  • Anomaly-Based IDS
  • Signature-Based IDS

Let's go a little deeper into each type to understand IDS better.

Types of IDS based on where they are deployed

1. Network-based IDS

It is also called a NIDS. It monitors the entire network segment as seen from the location where it is deployed.

Normally, a computer's NIC (Network Interface Card) operates in non-promiscuous mode. What does this mean? The computer receives only those packets that are destined for that NIC's own MAC address, plus broadcast packets.

A NIDS, however, works in promiscuous mode, which means it receives every packet on the network segment whether or not the packet is addressed to its NIC's MAC address.

A NIDS should be connected either to a SPAN (mirror) port on the local switch or to a network tap that duplicates the traffic on the link you want to monitor.
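To make the promiscuous versus non-promiscuous distinction concrete, here is a small added example (my own illustration, not code from the original post) that models the NIC's receive filter over a few constructed Ethernet frames. The sensor MAC, the other hosts and the frames are all made-up sample data; multicast group filtering is deliberately left out of the model.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_str(raw: bytes) -> str:
    """Format 6 raw bytes as the usual colon-separated MAC string."""
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, ethertype: int = 0x0800, payload: bytes = b"") -> bytes:
    """Build a minimal Ethernet II frame (constructed test data, not captured traffic)."""
    header = struct.pack(
        "!6s6sH",
        bytes.fromhex(dst.replace(":", "")),
        bytes.fromhex(src.replace(":", "")),
        ethertype,
    )
    return header + payload


def parse_header(frame: bytes):
    """Return (dst, src, ethertype) from the 14-byte Ethernet header."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return mac_to_str(dst), mac_to_str(src), ethertype


def nic_accepts(frame: bytes, nic_mac: str, promiscuous: bool) -> bool:
    """Model the NIC's receive filter.

    Non-promiscuous: only frames addressed to this NIC or to the broadcast
    address are passed up the stack (multicast filtering is omitted here).
    Promiscuous: every frame on the segment is passed up, which is what a
    NIDS sensor relies on to see traffic between other hosts.
    """
    if promiscuous:
        return True
    dst, _, _ = parse_header(frame)
    return dst in (nic_mac.lower(), BROADCAST)


def visible_frames(frames, nic_mac: str, promiscuous: bool):
    """Return the (dst, src) pairs the sensor actually gets to inspect."""
    return [parse_header(f)[:2] for f in frames if nic_accepts(f, nic_mac, promiscuous)]


# Constructed sample segment: three hosts, one of which is our sensor.
SENSOR_MAC = "02:00:00:00:00:01"
SAMPLE_FRAMES = [
    build_frame(SENSOR_MAC, "02:00:00:00:00:02", payload=b"to sensor"),
    build_frame("02:00:00:00:00:03", "02:00:00:00:00:02", payload=b"host2 -> host3"),
    build_frame(BROADCAST, "02:00:00:00:00:03", ethertype=0x0806, payload=b"who-has?"),
]

if __name__ == "__main__":
    for mode in (False, True):
        seen = visible_frames(SAMPLE_FRAMES, SENSOR_MAC, promiscuous=mode)
        print(f"promiscuous={mode}: {len(seen)} of {len(SAMPLE_FRAMES)} frames visible")
```

In non-promiscuous mode the sensor sees only the frame addressed to it and the broadcast, so the conversation between host 2 and host 3 is invisible to it; in promiscuous mode all three frames are available for inspection. On a real switched network the sensor also needs a SPAN port or tap, because the switch would otherwise never forward host 2's unicast frames to the sensor's port at all.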

Network-based IDS / NIDS

2. Host-based IDS

It is also called a HIDS. It monitors only the host system on which it resides.

With a HIDS, the computer's NIC operates in its default non-promiscuous mode.

If we switch promiscuous mode on for a host, the extra traffic processing can be CPU intensive and slow down the host machine.

Host-based IDS / HIDS

3. Distributed IDS

It is also called a DIDS. In a DIDS, sensors are located remotely and report to a centralized management station. Network logs are periodically uploaded to the management station and stored in a central database, and new attack signatures can be deployed to the sensors as needed.

In a DIDS, the individual sensors can be NIDS, HIDS, or a combination of both. This also means that we can have sensors operating in promiscuous mode as well as in non-promiscuous mode.

4. Gateway IDS

It monitors the traffic passing in and out of your network at the gateway.

5. Application IDS

It focuses on understanding and parsing application-specific traffic: the flow of the application's logic as well as the underlying protocols.

Note: the most effective solution combines NIDS and HIDS.

That covers the types of IDS based on where they are deployed. Now we will look at the next classification.

Types of IDS based on the method/technique the system uses for detection

1. Anomaly-Based IDS

An anomaly-based IDS monitors network traffic and compares it with a predefined baseline to detect unusual behavior across devices, bandwidth, ports, protocols, etc. It uses the Known Good Policy technique.

2. Signature-Based IDS

It monitors all network packets and compares them against a database of attack signatures, alerting when a match is found. It uses the Known Bad Policy technique.
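The Known Good and Known Bad policies described earlier, and the anomaly-based and signature-based IDS built on them, can be shown side by side in one small added example (my own illustration, not code from the original post). It runs a tiny signature database and a learned baseline over constructed connection records; the rule names, the flow fields, the IP addresses (from the documentation ranges) and the z-score threshold are all assumptions made for the demonstration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One connection record as a sensor might summarise it (constructed data)."""
    src: str
    dst: str
    proto: str
    dport: int
    bytes_out: int
    payload: bytes = b""


# Known Bad Policy: a small signature database. A rule fires only when the
# protocol, port and content all match; traffic not described here is ignored.
SIGNATURES = [
    {"name": "path-traversal-probe", "proto": "tcp", "dport": 80, "content": b"../../"},
    {"name": "cleartext-telnet-login", "proto": "tcp", "dport": 23, "content": b"login:"},
]


def signature_alerts(flow: Flow) -> list:
    return [
        sig["name"]
        for sig in SIGNATURES
        if flow.proto == sig["proto"] and flow.dport == sig["dport"] and sig["content"] in flow.payload
    ]


# Known Good Policy: a baseline learned from traffic assumed to be clean.
# Anything outside it (a service never seen before, or an outbound volume far
# above normal) raises an alert even though no signature exists for it.
class AnomalyBaseline:
    def __init__(self, training: list, z_threshold: float = 3.0):
        self.allowed_services = {(f.proto, f.dport) for f in training}
        sizes = [f.bytes_out for f in training]
        self.mean = mean(sizes)
        self.stdev = pstdev(sizes) or 1.0  # avoid division by zero on a flat baseline
        self.z_threshold = z_threshold

    def alerts(self, flow: Flow) -> list:
        found = []
        if (flow.proto, flow.dport) not in self.allowed_services:
            found.append(f"unseen-service {flow.proto}/{flow.dport}")
        z = (flow.bytes_out - self.mean) / self.stdev
        if z > self.z_threshold:
            found.append(f"volume-spike z={z:.1f}")
        return found


def inspect_flows(flows: list, baseline: AnomalyBaseline) -> list:
    """Run both techniques over each flow and return their verdicts side by side."""
    return [{"signature": signature_alerts(f), "anomaly": baseline.alerts(f)} for f in flows]


# Constructed baseline traffic: ordinary web and DNS use from one workstation.
TRAINING_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", "tcp", 443, size)
    for size in (800, 1200, 1000, 1500, 900, 1100, 1300, 700)
] + [
    Flow("10.0.0.5", "10.0.0.1", "udp", 53, 1000),
    Flow("10.0.0.5", "203.0.113.10", "tcp", 80, 1400),
]

# Constructed flows to inspect; each one exercises a different outcome.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", "tcp", 443, 1200),                      # normal
    Flow("10.0.0.5", "203.0.113.10", "tcp", 80, 900, b"GET /../../config"),  # signature only
    Flow("10.0.0.5", "198.51.100.7", "tcp", 8081, 900, b"hello"),            # anomaly only
    Flow("10.0.0.5", "198.51.100.7", "tcp", 443, 250_000),                   # volume spike
]

BASELINE = AnomalyBaseline(TRAINING_FLOWS)

if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, inspect_flows(SAMPLE_FLOWS, BASELINE)):
        print(f"{flow.proto}/{flow.dport:<5} {flow.bytes_out:>7} B  {verdict}")
```

The four sample flows show the trade-off between the two techniques: the traversal probe on port 80 is caught only by the signature (its size and port look perfectly normal), while the connection to an unseen service and the 250 kB upload are caught only by the baseline, because no signature describes them. The reverse side is the "false positive" and "signature update" cons listed below: a legitimately new service also trips the unseen-service rule until the baseline is retrained, and the signature list catches nothing until someone adds a rule for it.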

Pros of Intrusion Detection Systems:

  1. An IDS can be tuned to find specific content in network packets
  2. Analyzes the amount and types of attacks
  3. Makes it easier to keep up with regulations
  4. Boosts efficiency

Cons of Intrusion Detection Systems:

  1. Does not prevent incidents by itself
  2. Skilled professionals are required to handle the alerts
  3. Cannot inspect encrypted packets
  4. False positive alerts
  5. The signature database needs to be updated continuously

That is all about IDS (Intrusion Detection Systems), their types, and how they work.

If you find this useful, share it with your connections on LinkedIn and in WhatsApp groups to help others too.

My LinkedIn: https://www.linkedin.com/in/hrushikesh-badgujar

Shower your love with the claps & share this with your friends ❣

