What Are Intrusion Detection Systems (IDS) and How Do They Work?

Intrusion detection systems are used to protect enterprise networks by continuously monitoring for suspicious traffic. We’ll explain exactly what an IDS is and how it works in business environments. You’ll also learn why an IDS is usually unnecessary for a home network, where security software like Avast Free Antivirus is a better fit.

Written by Harrison Gough
Published on December 1, 2025

    What is an intrusion detection system (IDS)?

    An intrusion detection system is a networked device or software that monitors network traffic for suspicious patterns or behavior. When potentially malicious behavior or activity is detected, it raises an alert and logs forensic information for investigation.

    Why is an intrusion detection system important?

    Intrusion detection systems are important for modern networks because they help enhance server security, log incidents, and alert network administrators to suspicious behavior. An IDS can also detect malicious communications that a firewall failed to stop, as well as command-and-control traffic, zero-day attacks, and even threats from inside an organization.

    An IDS also helps to provide the continuous logging and monitoring that’s required by many cybersecurity compliance frameworks and standards. Thorough logging is important in cybersecurity forensics because it helps security teams verify when an incident occurred and who was responsible.

    Reliable alerts from an intrusion detection system allow an organization to know almost immediately if they are under attack, limiting potential damage.

    What is the difference between an IDS and IPS?

    An IPS is an intrusion prevention system. While it’s closely related to an intrusion detection system, they serve different roles in network security. Whereas an IDS detects and alerts, an IPS detects and prevents potential threats. They both monitor similar traffic, and organizations often use an IDS and IPS in tandem for layered security — the IDS for visibility and the IPS for active protection.

    Another key difference between IDS and IPS is where they sit in the network. An IDS operates out of band, meaning it monitors a copy of network traffic without handling it directly. This allows it to analyze data without slowing down or interrupting network performance. An IPS, on the other hand, sits inline, directly in the flow of traffic, so it can block malicious activity as it happens.

    Both systems can recognize known attack patterns through signature-based detection and spot unusual behavior with anomaly-based detection, but an IPS can also use policy-based detection to automatically enforce specific security rules.

    Here’s a summary of the key differences between an IDS and an IPS:

    Primary role
      IDS: Logs suspicious activity and sends alerts.
      IPS: Automatically prevents intrusions by blocking detected threats.

    Placement in the network
      IDS: Usually out-of-band: monitors copies of network traffic to scan for threats.
      IPS: Inline (sits in the traffic flow), so it can block threats in real time.

    Methods of defense
      IDS: Anomaly-based detection and signature-based detection.
      IPS: Signature-based detection, anomaly-based detection, and policy-based detection.

    What is the difference between an IDS and a firewall?

    An IDS and a firewall are complementary elements of network security. A firewall acts as a gatekeeper, controlling the flow of traffic based on predefined rules such as IP addresses, ports, or protocols; it is primarily designed to block unauthorized access and is positioned between a router and the internal network.

    In contrast, an IDS functions more like a watchdog, monitoring network traffic for suspicious or malicious activity that may slip past a firewall, such as malware infections, brute-force attacks, or unusual behavior patterns.

    How do intrusion detection systems work?

    Intrusion detection systems are placed at strategic points in the network to monitor traffic moving into or between networks. An IDS typically creates a mirrored copy of the traffic and inspects it for signs of malicious activity, while allowing the original data to flow uninterrupted. If the IDS detects something suspicious in the mirror copy, it creates an alert.

    A representation of an intrusion detection system, symbolized by a magnifying glass, monitoring binary network traffic.

    Intrusion detection systems rely on two main detection methods: signature-based detection and anomaly-based detection.

    Signature-based intrusion detection systems (SIDS)

    Signature-based intrusion detection systems work by checking network traffic against a continuously updated database of signatures: known malware, patterns of text or bytes, and known behaviors. If a match is found, the IDS creates an alert for the cybersecurity team, which then decides whether the threat is real. SIDS are the most common form of IDS.

    Anomaly-based intrusion detection systems (AIDS)

    An anomaly-based intrusion detection system works by collecting information about normal network behavior and creating a baseline. Once this baseline has been established, the AIDS checks for behaviors on the network that deviate from the norm, alerting the cybersecurity team when anomalies are found. Cybersecurity specialists then ascertain whether the abnormal behavior is malicious, or if it’s legitimate network activity that simply hasn’t been seen before — also known as a false positive.
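The two detection methods side by side, as an added example that is not code from the original article or from any real IDS product. The signature database, host addresses, training data and traffic records are all constructed for the demonstration; a real sensor would load thousands of vendor rules and learn its baseline from live traffic.

```python
import statistics
from dataclasses import dataclass

# Constructed sample records, not real captures: one per connection seen by the sensor.
@dataclass
class Connection:
    src: str
    dst: str
    dport: int
    payload: bytes
    tx_bytes: int   # bytes the source sent over the whole connection

# Hypothetical signature database. A real IDS ships thousands of such
# content patterns as rules; two are enough to show the mechanism.
SIGNATURES = {
    "SQLi-union-select": b"UNION SELECT",
    "PHP-eval-base64": b"eval(base64_decode(",
}

def signature_alerts(conn):
    """Signature-based detection: flag a connection whose payload contains a known pattern.
    Matching is case-folded so trivial case changes do not defeat the rule."""
    payload = conn.payload.upper()
    return [name for name, pattern in SIGNATURES.items() if pattern.upper() in payload]

def build_baseline(history):
    """Anomaly-based detection, training phase: history maps a source host to the
    tx_bytes of its connections during a period believed to be normal."""
    return {src: (statistics.fmean(s), statistics.pstdev(s)) for src, s in history.items()}

def anomaly_alerts(conn, baseline, threshold=3.0):
    """Anomaly-based detection, monitoring phase: z-score of this connection's
    volume against the host's learned mean and standard deviation."""
    if conn.src not in baseline:
        return ["unknown-host"]            # never seen during training is itself a deviation
    mean, stdev = baseline[conn.src]
    if stdev == 0:
        return ["volume-outlier"] if conn.tx_bytes != mean else []
    return ["volume-outlier"] if (conn.tx_bytes - mean) / stdev > threshold else []

def run_sensor(conns, baseline):
    """Run both detectors over every connection; return (src, dst, alert-name) tuples
    for an analyst to triage. Neither detector blocks anything: this is an IDS."""
    alerts = []
    for c in conns:
        for kind in signature_alerts(c) + anomaly_alerts(c, baseline):
            alerts.append((c.src, c.dst, kind))
    return alerts

# Constructed training data: per-connection byte counts from a quiet week.
TRAINING = {
    "10.0.0.5": [1200, 1500, 1300, 1400, 1250, 1350, 1450, 1300],
    "10.0.0.9": [800, 900, 850, 950, 820, 880, 910, 870],
}

# Constructed live traffic: one normal request, one request carrying a known
# pattern, and one normal-looking TLS session moving far more data than usual.
SAMPLE_CONNECTIONS = [
    Connection("10.0.0.5", "10.0.0.80", 80, b"GET /index.html HTTP/1.1", 1300),
    Connection("10.0.0.9", "10.0.0.80", 80, b"GET /?id=1 union select 1,2,3 HTTP/1.1", 900),
    Connection("10.0.0.5", "203.0.113.7", 443, b"\x16\x03\x01", 250000),
]

if __name__ == "__main__":
    for alert in run_sensor(SAMPLE_CONNECTIONS, build_baseline(TRAINING)):
        print("ALERT", *alert)
```

The third connection shows why the two methods complement each other: its payload is TLS, so no signature can match, but the volume deviation against the host's own baseline still produces an alert. The third also shows the cost the article describes later: the analyst still has to decide whether a 250 KB upload is an exfiltration or a legitimate backup.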

    Types of IDS

    An intrusion detection system can take different forms. For example, a network intrusion detection system (NIDS) monitors data traveling across the network, like a checkpoint overseeing traffic flowing between devices. Meanwhile, a host-based intrusion detection system (HIDS) runs directly on a computer or server, keeping an eye on local files, system logs, and processes for suspicious changes.

    Here’s how each works in more detail:

    Network intrusion detection systems (NIDS)

    A network intrusion detection system monitors all traffic entering or leaving a network. It’s usually placed at a network ingress point, i.e., where a network connects to the internet.

    Imagine a subnetwork with valuable data stored within it, with a firewall between the network perimeter and the valuable data. The cybersecurity team might place a NIDS right after the firewall in order to detect any malicious traffic that slipped past, potentially gaining valuable information about attacks in the process.

    One example of a popular NIDS is Snort, free and open-source software developed by Cisco. It is able to act as either a NIDS, creating alerts when malicious activity occurs, or an IPS, actively blocking activity it deems malicious on a network.

    Host-based intrusion detection systems (HIDS)

    Unlike NIDS, host-based intrusion detection systems run directly on individual devices or servers. They monitor for changes in the registry on Windows, scan log files, perform file integrity checks on critical system files, look for outbound network connections from the host, and monitor system calls and process behavior for anything suspicious.

    When a HIDS detects suspicious behavior, it creates an alert for the cybersecurity team to investigate.

    Other types of IDS

    A few other types of IDS exist. Although they are less common, they serve important purposes in certain kinds of networks. Here are a few other types of intrusion detection systems you may come across:

    • Protocol-based intrusion detection system (PIDS): This kind of IDS usually sits in front of a web server or DNS server and watches for protocol abuse, such as misaligned headers or unexpected request sequences.

    • Flow-based intrusion detection systems (FIDS): Rather than looking at the content of the packet itself, FIDS look at the network flow metadata, such as timestamps, source and destination addresses, protocol, and packet and byte counts. A FIDS can be useful for detecting attacks that other detection systems might miss, such as DNS poisoning.

    • Behavior-based intrusion detection system (BBIDS): A BBIDS builds a baseline of user behavior by compiling data such as typical login times, process launches, and command sequences. If deviations from the norm occur, alerts are created.

    • Application-based intrusion detection system (AIDS): These IDS watch for any deviations from the norm at the application level. Activities such as API calls, user behavior on an application, and data queries to an application can be monitored for signs of suspicious activity.

    • Wireless intrusion detection system (WIDS): A WIDS is a dedicated system that scans for threats specific to Wi-Fi environments, such as rogue access points, fake (spoofed) network names, and deauthentication attacks that try to disconnect users from the network.
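Flow-based detection from the list above, as an added example that is not code from the original article or from any IDS product. It inspects no payload at all, only flow metadata (timestamp, source, destination, port, packet and byte counts), and flags a source that touches many distinct destination ports inside a time window. The flow records are constructed; the hosts and timings are invented for the demonstration.

```python
from collections import defaultdict, namedtuple

# One flow record per connection, the kind of metadata NetFlow/IPFIX exporters produce.
Flow = namedtuple("Flow", "ts src dst proto dport packets nbytes")

def make_flows():
    """Constructed flow log: normal browsing, a fast port scan, and a slow port scan."""
    flows = []
    # Normal client: a handful of HTTPS connections to one web server.
    for i in range(5):
        flows.append(Flow(1000 + i * 10, "10.0.0.5", "10.0.0.80", "tcp", 443, 12, 4800))
    # Fast scan: 30 destination ports on one host within six seconds.
    for p in range(30):
        flows.append(Flow(2000 + p * 0.2, "10.0.0.23", "10.0.0.80", "tcp", 1 + p, 1, 60))
    # Slow scan: the same 30 ports, one probe every five minutes.
    for p in range(30):
        flows.append(Flow(3000 + p * 300, "10.0.0.42", "10.0.0.80", "tcp", 1 + p, 1, 60))
    return flows

def detect_port_scans(flows, window, min_ports=20):
    """Sliding-window count of distinct (destination, port) pairs per source.
    Returns the set of sources that reached min_ports distinct targets within
    any span of `window` seconds. Only metadata is used, so this works on
    encrypted traffic too."""
    per_src = defaultdict(list)            # src -> [(ts, (dst, dport)), ...] in time order
    for f in sorted(flows, key=lambda f: f.ts):
        per_src[f.src].append((f.ts, (f.dst, f.dport)))
    scanners = set()
    for src, events in per_src.items():
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {target for _, target in events[start:end + 1]}
            if len(distinct) >= min_ports:
                scanners.add(src)
                break
    return scanners

if __name__ == "__main__":
    flows = make_flows()
    print("60 s window :", detect_port_scans(flows, window=60))
    print("3 h window  :", detect_port_scans(flows, window=3 * 3600))
```

Running it with a 60-second window reports only the fast scanner; the slow scanner is invisible because no window ever holds more than one of its probes. Widening the window to three hours catches both, at the price of more state per source. That trade-off is the timing-based evasion discussed later on this page seen from the defender's side: the window length is a tuning decision, not a fixed property of the sensor.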

    Limitations of intrusion detection systems

    While IDS are an important part of security on modern networks, they are far from watertight. The frequency of major hacks, data breaches, and security compromises in the news is a testament to this. Here are some limitations of intrusion detection systems:

    • Detection, not protection: Intrusion detection systems are only there to monitor and alert. An IPS or IDS/IPS hybrid model is necessary to stop attacks.

    • Zero-day exploits: Signature-based detection relies on a database of known attack patterns; if the attack is not known, then this kind of detection method will not work.

    • False positives: Legitimate network traffic can easily be mistaken for suspicious activity. For example, a network administrator performing a network scan might be flagged by an IDS as suspicious.

    • Encrypted network traffic: An IDS cannot inspect the content of encrypted communications, so attacks carried inside them may be missed. Decrypting traffic for inspection is possible, but on busy networks the computational cost of decrypting and re-encrypting it is high and requires complex certificate handling.

    • IDS management load: IDS require constant updates to their databases and rules. They must also be tailored to each organization’s specific network requirements. The constant attention an IDS requires to function ideally in a network can become cumbersome.

    Evasion tactics used by attackers

    Skilled attackers can avoid being detected by an IDS. Here are some of the ways that malicious actors might bypass detection and sneak by an IDS without alerting the security team:

    • Flooding the device with UDP or ICMP packets: IDS come with a computational cost, and they can be overwhelmed with enough data. This can result in the IDS missing malicious packets or the cybersecurity team being overwhelmed with alerts.

    • Payload fragmentation: Payloads can be split across many different IP fragments that get reconstructed at the destination. If the IDS does not reassemble all the fragments, signatures may not get picked up, meaning that attacks are able to bypass detection.

    • Default port use avoidance: Some basic IDS lack advanced detection and rely on default port mappings for common services. As a result, they may miss attacks where an attacker runs a service on a nonstandard port to maintain access or move laterally through the network.

    • Address spoofing or proxying: When attackers spoof addresses or use a proxy to avoid detection, correct attribution can become more difficult. If analysts can’t properly identify where attacks are coming from, organizations will have a harder time defending against them.

    • Obfuscation: Attackers can use simple encoding to avoid signature detection in some cases. Or, they can use encryption to hide malicious content from an IDS completely.

    • Signature pattern changing / polymorphism: In some cases, payloads can be altered slightly, strings in code can be changed, and functions can be replaced with similar but not-quite-identical functions to achieve the same end goal. This means that signature-based detection that relies on static patterns will not match, and the attack will go by undetected.

    • Timing-based techniques: Attacks such as network scans or data exfiltration can be spread out over long periods of time to avoid detection. This means that attackers can gain valuable information or obtain sensitive data without setting off any alerts from an IDS listening on the network.
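The fragmentation and simple-encoding items above describe the same weakness from two sides: a sensor that matches signatures against raw fragments misses a pattern that only exists in the reassembled, decoded stream. The example below is added here and is not code from the original article or from any IDS; it contrasts a naive per-fragment matcher with one that reassembles and normalizes first. The signature and the fragment data are constructed for the demonstration, and the `(offset, data)` pairs stand in for IP fragments without modelling real IP headers.

```python
from urllib.parse import unquote_to_bytes

# Hypothetical content rule: the substring the sensor is told to alert on.
SIGNATURE = b"UNION SELECT"

def match_per_fragment(fragments):
    """Naive sensor: decodes and inspects each fragment on its own, never
    reassembling. fragments is a list of (byte offset, data) pairs."""
    return any(SIGNATURE in unquote_to_bytes(data).upper() for _, data in fragments)

def reassemble(fragments):
    """Rebuild the original byte stream from (offset, data) pairs that may arrive
    in any order. Returns None if a gap means the stream is incomplete; a sensor
    should report that rather than guess at the missing bytes. Where fragments
    overlap, the later-sorted fragment wins here; production sensors instead
    model the reassembly policy of the destination operating system."""
    buf = bytearray()
    for offset, data in sorted(fragments):
        if offset > len(buf):
            return None
        buf[offset:offset + len(data)] = data
    return bytes(buf)

def match_reassembled(fragments):
    """Reassembly-aware sensor: reassemble, normalize (URL-decode, case-fold), then match."""
    stream = reassemble(fragments)
    if stream is None:
        return False
    return SIGNATURE in unquote_to_bytes(stream).upper()

def constructed_cases():
    """Three constructed fragment sets. Returns, per case, the verdicts of the
    naive sensor and of the reassembling sensor as a (naive, reassembled) pair."""
    # The first fragment is exactly 23 bytes, so the second starts at offset 23.
    ordered = [(0, b"GET /search?q=1%20UNION"), (23, b"%20SELECT%20secret HTTP/1.1")]
    reordered = list(reversed(ordered))           # same bytes, delivered out of order
    with_gap = [(0, b"GET /search?q=1%20UNION"), (30, b"SELECT%20x HTTP/1.1")]
    cases = {"ordered": ordered, "reordered": reordered, "gap": with_gap}
    return {name: (match_per_fragment(f), match_reassembled(f)) for name, f in cases.items()}

if __name__ == "__main__":
    for name, (naive, full) in constructed_cases().items():
        print(f"{name:10s} naive={naive!s:5s} reassembled={full}")
```

In the first two cases the pattern spans the fragment boundary and is percent-encoded, so the naive sensor never sees it while the reassembling one does. The third case has a hole in the stream: the reassembling sensor returns no match rather than inventing the missing bytes, which is the honest answer and is why real sensors also raise a separate "incomplete reassembly" event for the analyst.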

    It’s important to remember that intrusion detection systems are just one tool in a cybersecurity team’s arsenal. Other tools exist to pick up the slack where an IDS falls short. A comprehensive cybersecurity strategy provides in-depth defense that covers multiple fronts.

    Gain award-winning protection at home with Avast

    While an IDS is a powerful tool, it can be costly to set up, time-consuming to maintain, and unnecessary for most consumers. But fortunately, you can secure your home network for free with powerful protection you can trust. Install Avast Free Antivirus today for robust Wi-Fi network security, safer browsing and emailing, and ransomware protection.
