
Focus on: Intrusion Detection Systems (IDS) 

“INTRUDER ALERT!” Imagine a digital voice shouting out the presence of a cybercriminal and you’ll have an idea what an Intrusion Detection System (IDS) is. It does what it says on the (virtual) tin and has been a cyber-security staple of large organizations for decades. If their networks are compromised, the result can be massive financial losses, as well as downtime, data breaches, and a big dent in their reputations. Read on for a quick guide to how an IDS works, the different types, and why this hard-working digital bodyguard can’t function as a lone ranger: an IDS is usually one part of a broader security setup.  

What is an intrusion detection system (IDS)? 

An IDS is a network security tool that patrols network traffic like a software Dobermann, always on the lookout for suspicious activity, known cyberthreats, or breaches of policy. It then “barks” (issues alerts) if such activity is discovered and reports the event to an administrator. Often the alerts are collected and logged centrally in a security information and event management (SIEM) system. There’s more on that in our SIEM blog here if you’re interested. And although you will hear the phrase “IDS security device”, the IDS is really the detection software: it may run on a dedicated appliance, on a server, or, in the host-based variant, on the protected machine itself.  

IDS alerts typically include the source address of the suspected intrusion, the target address, and the type of attack suspected. But is it really an attack or a false alarm? Much like the Dobermann mentioned earlier, that depends on how well you’ve trained your IDS. Every IDS analyzes traffic against patterns, and a well-tuned one also knows what it is protecting. For example, if a rule only covers an attack against Firefox and your company uses a different browser, that rule can be disabled or its alerts suppressed, so the team isn’t distracted by attacks that cannot succeed against its systems.   

An IDS is sometimes mistakenly referred to as an “IDS firewall”. While both are related to network security, a firewall works according to the old saying “Prevention is better than the cure”. It sits in the traffic path and restricts access between networks to help prevent intrusions from happening. An IDS is passive: it usually watches a copy of the traffic (from a mirror port or a network tap), only sounds the alarm once a suspected intrusion has been seen, and doesn’t block anything. To sum up: a firewall is the muscled guard at the door blocking access, while your IDS screams loudly if anyone suspicious gets in. Together, they’re a great security team.   

To make matters more confusing, there’s also an intrusion prevention system or IPS. If an IDS and a firewall had a child, it would probably look like an IPS. An IPS sits inline in the traffic path, performs the same detection as an IDS, and then goes one step further by dropping or blocking the traffic it flags. The trade-off is that a false positive on an IPS blocks legitimate traffic rather than merely raising an alert, so its rules need even more careful tuning.  

What are the main types of intrusion detection systems? 

IDS types are usually grouped by where the sensor sits. Here are the five you will come across.  

  1. Network intrusion detection system (NIDS) 

A NIDS sensor is placed at a chosen point in the network (typically fed by a mirror port or tap) so that it sees the traffic of all devices passing that point. It matches the traffic against a collection of known attack patterns and can also watch for abnormal behavior. If an attack is observed, an alert is sent to the administrator.  

  2. Host intrusion detection system (HIDS) 

A HIDS agent runs on an individual host and monitors only that host: the packets it sends and receives, its logs and processes, and the integrity of its files. It takes a snapshot of critical system files and compares it with an earlier snapshot; if any of those files have been modified, added, or deleted, an alert is issued. 

  3. Protocol-based intrusion detection system (PIDS) 

A PIDS is a system or agent that sits at the front end of a server and monitors the protocol stream (for example, HTTP or HTTPS) between a user or device and the server.  

  4. Application protocol-based intrusion detection system (APIDS) 

An APIDS generally resides within a group of servers and identifies intrusions by monitoring and interpreting communication on application-specific protocols, such as the SQL traffic between a web front end and its database.  

  5. Hybrid intrusion detection system 

Here, two or more of the above are combined with network information to build a more complete picture of the IT environment. Hybrid intrusion detection systems are often considered the most effective of all IDSs.  
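The file-integrity part of a HIDS, as an added example (this is illustrative code, not Avira’s and not from the original post): every file under a directory is hashed into a baseline, a later snapshot is compared against it, and the added, modified and deleted files are reported. The directory tree, its contents and the “tampering” are constructed in a temporary folder for the demo.

```python
"""Minimal host-based file-integrity check of the kind a HIDS performs.

Added example, not Avira's code. It builds a baseline of SHA-256 digests
for every regular file under a directory, then compares a later snapshot
against that baseline and reports added, modified and deleted files. The
directory tree, file contents and tampering below are all constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root (POSIX-style relative path) to its SHA-256."""
    digests = {}
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare(baseline, current):
    """Return which files were added, modified or deleted since the baseline."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "modified": modified, "deleted": deleted}


def demo():
    """Build a constructed tree, take a baseline, tamper, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF...")
        baseline = snapshot(root)

        # Simulated tampering: an extra root account, a replaced binary,
        # a deleted file and a dropped script (all constructed).
        (root / "etc" / "passwd").write_text(
            "root:x:0:0::/root:/bin/sh\nbackdoor:x:0:0::/root:/bin/sh\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF...trojan")
        (root / "etc" / "hosts").unlink()
        (root / "tmp.sh").write_text("#!/bin/sh\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        for name in files:
            print(f"ALERT {kind}: {name}")
```

A real agent would store the baseline somewhere the host’s own administrator (and therefore an attacker with root) cannot quietly rewrite, and would re-baseline only after authorized changes such as patching; otherwise the comparison tells you nothing.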

What methods are used for intrusion detection? 

There are two and we’ll briefly explore both. Signature-based IDS detects attacks by looking for specific, known patterns in traffic: a byte sequence in a packet payload, a malicious URL or command string, or a characteristic sequence of instructions in a malware sample (the “signature”). Signatures are written by analysts and vendors as attacks become known, so this method is precise for what it knows but struggles to identify new attacks whose signature has not yet been published. That’s why anomaly-based IDS is so useful in a world of rapidly evolving cyberthreats: it builds a model of normal, trusted activity using statistics or machine learning, and declares anything that differs from this baseline suspicious, whether that is a user logging in during non-business hours, new devices added without permission, or a sudden flood of new IP addresses attempting to connect to the network.   

Both detection methods have strengths and weaknesses that complement each other, so don’t write one off just yet! Signature-based detection generally has higher processing speeds for known attacks and lower false positive rates. Anomaly-based detection can help identify zero-day exploits, but at the cost of higher rates of false positives. We’ll delve deeper into the pros and cons below.  
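Both methods side by side, as an added example that is not part of the original post: a handful of constructed web-server access-log lines are run through a few signature rules (fixed patterns for known attacks) and through an anomaly check (off-hours logins and a surge of distinct clients against a learned baseline). The log lines, rules, baseline figures and business-hours policy are all assumptions made for the illustration.

```python
"""Signature-based and anomaly-based detection over the same access log.

Added example, not code from the original post. The log lines, the
signature rules, the baseline figures and the business-hours policy are all
constructed for this illustration.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed access-log lines: "<timestamp> <client-ip> <method> <path> <status>"
LOG_LINES = """\
2024-05-06T09:01:12 10.0.0.5 GET /index.html 200
2024-05-06T09:01:15 10.0.0.5 GET /login 200
2024-05-06T09:02:01 10.0.0.7 GET /../../etc/passwd 404
2024-05-06T09:02:30 10.0.0.9 GET /search?q=1'%20OR%20'1'='1 200
2024-05-06T09:03:44 10.0.0.7 GET /%2e%2e/%2e%2e/etc/shadow 404
2024-05-06T03:15:02 10.0.0.5 POST /login 200
2024-05-06T03:15:08 198.51.100.1 GET /index.html 200
2024-05-06T03:15:09 198.51.100.2 GET /index.html 200
2024-05-06T03:15:09 198.51.100.3 GET /index.html 200
2024-05-06T03:15:10 198.51.100.4 GET /index.html 200
2024-05-06T03:15:11 198.51.100.5 GET /index.html 200
"""

# Signature rules: fixed patterns for attacks that are already known.
SIGNATURES = [
    ("path-traversal", re.compile(r"(^|/)\.\.(/|$)")),
    ("sensitive-file", re.compile(r"/etc/(passwd|shadow)\b")),
    ("sqli-tautology", re.compile(r"'\s*or\s*'?1'?\s*=\s*'?1", re.IGNORECASE)),
]

# Assumed baseline: distinct client IPs seen per minute on "normal" days.
BASELINE_CLIENTS_PER_MINUTE = [2, 3, 2, 3, 2, 3]
BUSINESS_HOURS = range(8, 18)  # assumed policy: logins expected 08:00-17:59


def parse_log(text):
    """Turn raw lines into events. The path is URL-decoded before matching
    so that encoded variants such as %2e%2e cannot slip past the rules."""
    events = []
    for line in text.splitlines():
        ts, ip, method, path, status = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "method": method, "path": unquote(path),
                       "status": int(status)})
    return events


def signature_alerts(events):
    """Return (rule, source ip, decoded path) for every rule that matches."""
    alerts = []
    for ev in events:
        for name, pattern in SIGNATURES:
            if pattern.search(ev["path"]):
                alerts.append((name, ev["ip"], ev["path"]))
    return alerts


def anomaly_alerts(events, baseline=BASELINE_CLIENTS_PER_MINUTE):
    """Flag deviations from the learned baseline rather than known patterns:
    logins outside business hours and a surge of distinct clients in one minute."""
    threshold = statistics.mean(baseline) + 3 * statistics.pstdev(baseline)
    alerts = []
    clients_per_minute = defaultdict(set)
    for ev in events:
        if (ev["method"] == "POST" and ev["path"] == "/login"
                and ev["ts"].hour not in BUSINESS_HOURS):
            alerts.append(("off-hours-login", ev["ip"], ev["ts"].isoformat()))
        clients_per_minute[ev["ts"].replace(second=0)].add(ev["ip"])
    for minute, ips in sorted(clients_per_minute.items()):
        if len(ips) > threshold:
            alerts.append(("client-surge", f"{len(ips)} distinct clients",
                           minute.isoformat()))
    return alerts


if __name__ == "__main__":
    events = parse_log(LOG_LINES)
    for alert in signature_alerts(events):
        print("SIGNATURE", *alert)
    for alert in anomaly_alerts(events):
        print("ANOMALY  ", *alert)
```

Two things to notice: the encoded `%2e%2e` request is only caught because the path is decoded before the rules run, which is exactly the kind of normalization real sensors must do to avoid evasion; and the anomaly detector flags the 03:15 burst without any rule describing it, but it would equally flag a legitimate overnight batch job, which is where the higher false-positive rate comes from.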

What are the disadvantages of an intrusion detection system? 

While essential to enterprise security, an IDS can be hard work to manage. Once you’ve committed to monitoring your network, you’ll need to respond to the alerts and incidents; otherwise, why bother setting it up? IDSs are also notorious for generating false positives, which puts IT teams under continuous pressure to update and fine-tune the detection rules so that genuine cyberthreats stand out from allowable traffic. For example, an alert for every exploit attempt against a server that is already patched against that particular vulnerability adds noise without adding value, so such rules are usually suppressed for that host. That’s why organizations may choose a secondary analysis platform, such as a SIEM system, to collect, correlate, and investigate alerts.  

There are no shortcuts with a one-size-fits-all approach. For the IDS to operate accurately and effectively, every enterprise must be ready to adapt it to its own unique environment, and ideally the IT team will include knowledgeable security analysts. Even the best trained and maintained IDS may still miss genuine risks, particularly new cyberthreats, like a doctor faced with a string of “patient zeroes”.   

Encrypted traffic is another challenge: a network IDS cannot see malware signatures inside a TLS session unless the traffic is decrypted for inspection, so otherwise it is left with metadata such as addresses, ports, and certificate details. Additionally, the high speed and huge volumes of traffic in an enterprise can overwhelm a sensor, and any packets the sensor has to drop are packets it never inspects.    

There are ways of “sweetening” the deal with an IDS though! Let’s explore honeypots, and, no, they have nothing to do with bees although cybercriminals may get stung… 

What is a honeypot? 

Remember the descriptions of war-time “honey traps”, where an attractive (usually) female would entice someone into revealing secrets? Fast forward to the digital age, and cyber “honeypots” work in similar ways, by baiting a trap for hackers. The honeypot looks like a normal IT system, complete with applications and data, and is designed to fool cybercriminals into thinking it’s a legitimate target, like a customer database. Once they’re inside, the hackers can be tracked, and their behavior analyzed. This intelligence is then used to make company systems more secure.   

Sometimes, security vulnerabilities such as weak passwords or exposed, unpatched services are deliberately built into honeypots to entice hackers. Because the trap is meant to be broken into, it must be isolated from production systems so that it can’t become a stepping stone to them. There are also different types of honeypots for different cyberthreats: a malware honeypot mimics software apps and APIs to invite malware attacks, while a spider honeypot traps web crawlers by creating web pages and links that are only reachable by crawlers. Spam traps put a fake email address in a hidden location where only an automated address harvester will find it. All mail arriving at that address is spam, and its senders can be blocked.  
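A low-interaction honeypot of the simplest kind, as an added example (illustrative code, not Avira’s and not from the original post): it listens on a port that nothing legitimate should use, answers every connection with a fake mail-server banner, records who connected and what they sent, and never executes anything it receives. The decoy banner, the in-memory event list and the “attacker” connection in the demo are all assumptions for the illustration; the demo runs entirely on the loopback interface.

```python
"""A tiny low-interaction TCP honeypot.

Added example, not Avira's code. Every connection gets a fake service banner,
the source address and the first bytes the client sends are recorded, and
nothing received is ever interpreted or executed. Banner, port choice and the
in-memory event list are assumptions for the demo.
"""
import socket
import threading
import time

FAKE_BANNER = b"220 mail.example.internal ESMTP Postfix\r\n"  # assumed decoy banner
MAX_CAPTURE = 512  # bytes of client input kept per connection


class Honeypot:
    def __init__(self, host="127.0.0.1", port=0):
        # port=0 lets the OS pick a free port; a real deployment would bind a
        # well-known decoy port (25, 22, 3389...) on an isolated host.
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.sock.settimeout(0.2)  # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]
        self.events = []  # recorded connections (a real one would log to SIEM)
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, addr = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(1.0)
                try:
                    conn.sendall(FAKE_BANNER)       # look like a real service
                    data = conn.recv(MAX_CAPTURE)   # capture, never execute
                except OSError:
                    data = b""
                self.events.append({"time": time.time(), "src_ip": addr[0],
                                    "src_port": addr[1], "payload": data})


def demo():
    """Start the honeypot, connect once as a constructed 'attacker',
    and return the banner the attacker saw plus the recorded events."""
    hp = Honeypot()
    hp.start()
    with socket.create_connection(("127.0.0.1", hp.port), timeout=2) as client:
        banner = client.recv(128)
        client.sendall(b"EHLO scanner.example\r\n")
    deadline = time.time() + 2  # give the server thread a moment to record it
    while not hp.events and time.time() < deadline:
        time.sleep(0.01)
    hp.stop()
    return banner, hp.events


if __name__ == "__main__":
    seen_banner, events = demo()
    for ev in events:
        print(f"honeypot hit from {ev['src_ip']}:{ev['src_port']} sent {ev['payload']!r}")
```

The value of a honeypot is that it has no legitimate users, so every hit is worth a look and the false-positive problem of the IDS above largely disappears; the price is that the recorded payload is attacker-controlled data and must be treated as such wherever it is stored or displayed.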

Why is an intrusion detection system important and is it the right choice for you? 

There are a variety of tools to help detect and block cyberattacks and unauthorized traffic entering the network. No single technology is foolproof and no network impenetrable, so an IDS is another valuable layer in a multi-layered approach to corporate protection. Its main benefit is to ensure that IT teams are notified when an attack or network intrusion may be taking place. Do you have staff with the time, resources, knowledge, and skills to take the right action when alerts are sent? And can they continuously tune your system to distinguish the bad from the usual? The volume of alerts can be daunting, and attackers don’t stick to normal business hours. An IDS can be an integral part of an organization’s security, but much like a fire alarm, it must be part of a cohesive response and wider protection to truly work.  


Avira, a company with over 100 million customers and more than 500 employees, is a worldwide leading supplier of self-developed security solutions for professional and private use. With more than 25 years of experience, the company is a pioneer in its field.