Intrusion Detection System

(IDS)
Intrusion Detection System (IDS)
• An Intrusion Detection System (IDS) is a security tool that monitors a
computer network or systems for malicious activities or policy
violations. It helps detect unauthorized access, potential threats, and
abnormal activities by analyzing traffic and alerting administrators to
take action. An IDS is crucial for maintaining network security and
protecting sensitive data from cyber-attacks.
• An Intrusion Detection System (IDS) maintains network traffic looks
for unusual activity and sends alerts when it occurs. The main duties
of an Intrusion Detection System (IDS) are anomaly detection and
reporting, however, certain Intrusion Detection Systems can take
action when malicious activity or unusual traffic is discovered.
What is an Intrusion Detection System?
• A system called an intrusion detection system (IDS) observes network traffic for
malicious transactions and sends immediate alerts when it is observed. It is
software that checks a network or system for malicious activities or policy
violations. Each illegal activity or violation is often recorded either centrally
using an SIEM system or notified to an administration. IDS monitors a network
or system for malicious activity and protects a computer network from
unauthorized access from users, including perhaps insiders. The intrusion
detector learning task is to build a predictive model (i.e. a classifier) capable of
distinguishing between ‘bad connections’ (intrusion/attacks) and ‘good
(normal) connections’.
Working of Intrusion Detection System(IDS)
• An IDS (Intrusion Detection System) monitors the traffic on a computer network
to detect any suspicious activity.
• It analyzes the data flowing through the network to look for patterns and signs
of abnormal behavior.
• The IDS compares the network activity to a set of predefined rules and patterns
to identify any activity that might indicate an attack or intrusion.
• If the IDS detects something that matches one of these rules or patterns, it
sends an alert to the system administrator.
• The system administrator can then investigate the alert and take action to
prevent any damage or further intrusion.
Classification of Intrusion Detection System(IDS)
• Network Intrusion Detection System (NIDS): Network intrusion detection
systems (NIDS) are set up at a planned point within the network to examine
traffic from all devices on the network. It performs an observation of passing
traffic on the entire subnet and matches the traffic that is passed on the subnets
to the collection of known attacks. Once an attack is identified or abnormal
behavior is observed, the alert can be sent to the administrator. An example of a
NIDS is installing it on the subnet where firewalls are located in order to see if
someone is trying to crack the firewall.
• Host Intrusion Detection System (HIDS): Host intrusion detection systems (HIDS)
run on independent hosts or devices on the network. A HIDS monitors the
incoming and outgoing packets from the device only and will alert the
administrator if suspicious or malicious activity is detected. It takes a snapshot of
existing system files and compares it with the previous snapshot. If the analytical
system files were edited or deleted, an alert is sent to the administrator to
investigate. An example of HIDS usage can be seen on mission-critical machines,
which are not expected to change their layout.
What is an Intrusion in Cybersecurity?
• Understanding Intrusion Intrusion is when an attacker gets unauthorized access
to a device, network, or system. Cyber criminals use advanced techniques to
sneak into organizations without being detected. Common methods include:
• Address Spoofing: Hiding the source of an attack by using fake, misconfigured, or
unsecured proxy servers, making it hard to identify the attacker.
• Fragmentation: Sending data in small pieces to slip past detection systems.
• Pattern Evasion: Changing attack methods to avoid detection by IDS systems that
look for specific patterns.
• Coordinated Attack: Using multiple attackers or ports to scan a network,
confusing the IDS and making it hard to see what is happening.
Intrusion Detection System Evasion Techniques
• Fragmentation: Dividing the packet into smaller packet called fragment and the
process is known as fragmentation. This makes it impossible to identify an
intrusion because there can’t be a malware signature.

• Packet Encoding: Encoding packets using methods like Base64 or hexadecimal

can hide malicious content from signature-based IDS.

• Traffic Obfuscation: By making message more complicated to interpret,

obfuscation can be utilised to hide an attack and avoid detection.

• Encryption: Several security features, such as data integrity, confidentiality, and

data privacy, are provided by encryption. Unfortunately, security features are
used by malware developers to hide attacks and avoid detection.
Benefits of IDS
• Detects Malicious Activity: IDS can detect any suspicious activities and alert the
system administrator before any significant damage is done.

• Improves Network Performance: IDS can identify any performance issues on the
network, which can be addressed to improve network performance.

• Compliance Requirements: IDS can help in meeting compliance requirements by

monitoring network activity and generating reports.

• Provides Insights: IDS generates valuable insights into network traffic, which can
be used to identify any weaknesses and improve network security.
Detection Method of IDS
• Signature-Based Method: Signature-based IDS detects the attacks on the basis of
the specific patterns such as the number of bytes or a number of 1s or the
number of 0s in the network traffic. It also detects on the basis of the already
known malicious instruction sequence that is used by the malware. The detected
patterns in the IDS are known as signatures. Signature-based IDS can easily detect
the attacks whose pattern (signature) already exists in the system but it is quite
difficult to detect new malware attacks as their pattern (signature) is not known.
• Anomaly-Based Method: Anomaly-based IDS was introduced to detect unknown
malware attacks as new malware is developed rapidly. In anomaly-based IDS
there is the use of machine learning to create a trustful activity model and
anything coming is compared with that model and it is declared suspicious if it is
not found in the model. The machine learning-based method has a
better-generalized property in comparison to signature-based IDS as these
models can be trained according to the applications and hardware configurations.
Comparison of IDS with Firewalls

• IDS and firewall both are related to network security but an IDS differs
from a firewall as a firewall looks outwardly for intrusions in order to
stop them from happening. Firewalls restrict access between
networks to prevent intrusion and if an attack is from inside the
network it doesn’t signal. An IDS describes a suspected intrusion once
it has happened and then signals an alarm.
Is IPS AND FIREWALL ARE SAME???
• Firewall
• A firewall is a filter that controls network traffic based on predetermined
rules. It's a passive defender that blocks or allows traffic based on security
rules. For example, a firewall might block traffic that arrives on an
unapproved port.
• IPS
• An IPS (Intrusion Prevention System) is an active defender that detects and
blocks threats. It analyzes traffic patterns to identify suspicious activity and
then blocks the traffic. An IPS can also take other actions, such as
quarantining data, alerting network administrators, or temporarily blocking
the source IP.
 Why Are Intrusion Detection Systems (IDS)
Important?
• An Intrusion Detection System (IDS) adds extra protection to your cybersecurity
setup, making it very important. It works with your other security tools to catch
threats that get past your main defenses. So, if your main system misses
something, the IDS will alert you to the threat.
Advantages
• Early Threat Detection: IDS identifies potential threats early, allowing for quicker
response to prevent damage.
• Enhanced Security: It adds an extra layer of security, complementing other
cybersecurity measures to provide comprehensive protection.
• Network Monitoring: Continuously monitors network traffic for unusual
activities, ensuring constant vigilance.
• Detailed Alerts: Provides detailed alerts and logs about suspicious activities,
helping IT teams investigate and respond effectively.
Disadvantages
• False Alarms: IDS can generate false positives, alerting on harmless activities and
causing unnecessary concern.
• Resource Intensive: It can use a lot of system resources, potentially slowing down
network performance.
• Requires Maintenance: Regular updates and tuning are needed to keep the IDS
effective, which can be time-consuming.
• Doesn’t Prevent Attacks: IDS detects and alerts but doesn’t stop attacks, so
additional measures are still needed.
• Complex to Manage: Setting up and managing an IDS can be complex and may
require specialized knowledge.