What are the different types of intrusion detection systems?

  • An intrusion detection system (IDS) is a technology solution that monitors inbound and outbound traffic in your network for suspicious activity and policy breaches.
  • IDS is the first line of defense of network systems, which can proactively detect abnormal behavior and reduce the average detection time.

IDS is an important part of an organisation’s network security architecture because it identifies threats that a traditional firewall may have missed and alerts the SOC to them. Although all intrusion detection systems serve the same purpose, they work in slightly different ways. Altogether, there are five IDS types.

What is an intrusion detection system

An intrusion detection system (IDS) is a technology solution that monitors inbound and outbound traffic in your network for suspicious activity and policy breaches. As the name suggests, the primary purpose of an IDS is to detect and prevent intrusions within your IT infrastructure, and then alert the relevant people. These solutions can be either hardware devices or software applications.

Typically, an IDS will be part of a larger security information and event management (SIEM) system. When implemented as part of a holistic system, your IDS is your first line of defense. It works to proactively detect unusual behavior and cut down your mean time to detect. Ultimately, the earlier you recognise an attempted or successful intrusion, the sooner you can take action and secure your network.


Different types of intrusion detection systems

1. Network intrusion detection system

A network intrusion detection system (NIDS) is a solution that monitors the entire network through one or more touchpoints. To use a NIDS, you typically need to install it on a piece of hardware in your network infrastructure. After installation, your NIDS will sample every packet (collection of data) that passes through it.

A typical NIDS can check all traffic that passes through it. It can analyse all inbound and outbound traffic and detect events in real time, allowing for fast responses. It is more difficult for intruders to evade and can be strategically deployed at key points in the network.

2. Network node intrusion detection system

Network node intrusion detection systems (NNIDS) are technically a variant of NIDS, but because they work differently, we treat them as a different type of IDS.

NNIDS also analyses the packets that pass through it. However, instead of relying on a central device to monitor all network traffic, the system monitors every node connected to the network. Since there is less traffic analysed by each NNIDS agent, the system can work faster. But NNIDS requires multiple devices for each server you want to monitor.

3. Host intrusion detection system

A host intrusion detection system (HIDS) takes the device independence of NNIDS a step further. With HIDS, you install IDS software on every device connected to the network.

HIDS works by taking a “snapshot” of the device it monitors. By comparing recent snapshots to past records, HIDS can identify differences that could indicate an intrusion. It can be installed on a computer or server to pinpoint the affected device. However, HIDS solutions may be limited to “after the fact” monitoring, since a change is only noticed when the next snapshot is compared.
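The snapshot-and-compare mechanism described above, as an added illustration that is not part of the original article: a small file-integrity check that hashes every file under a directory, stores that as the baseline, and reports what was added, removed or modified when a later snapshot is taken. The function names (`snapshot`, `diff_snapshots`) and the sample files are this example's own assumptions.

```python
import hashlib
import os
from pathlib import Path

# Hypothetical file-integrity monitor illustrating the HIDS "snapshot" idea:
# record a hash of every file under a directory, then compare a later
# snapshot against the stored baseline. Any difference is a candidate alert
# for the SOC; this is exactly the "after the fact" detection HIDS provides.

def _file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map each regular file (path relative to root) to its content hash."""
    root_path = Path(root)
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root_path):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # skip symlinks, sockets and other special files
            result[str(p.relative_to(root_path))] = _file_digest(p)
    return result


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Compare two snapshots; a non-empty list means the host changed."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


if __name__ == "__main__":
    import tempfile
    # Constructed sample: take a baseline, change one file, add another.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "etc").mkdir()
        Path(d, "etc", "passwd").write_text("root:x:0:0\n")
        before = snapshot(d)
        Path(d, "etc", "passwd").write_text("root:x:0:0\nnewuser:x:1001:1001\n")
        Path(d, "etc", "cron.sh").write_text("#!/bin/sh\n")
        print(diff_snapshots(before, snapshot(d)))
```

A real HIDS would persist the baseline somewhere the monitored host cannot alter it and run the comparison on a schedule, which is what limits detection to the next snapshot interval.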

4. Protocol-based intrusion detection system

A protocol-based intrusion detection system (PIDS) is a specific intrusion detection system used to monitor the protocols in use. In practice, the system typically analyses the HTTP or HTTPS protocol flow between the device and the server.

5. Application protocol-based intrusion detection system

An application protocol-based intrusion detection system (APIDS) is a kind of intrusion detection system for software application security. APIDS are typically associated with host-based intrusion detection systems (HIDS) and monitor the communication occurring between applications and servers. APIDS are typically installed on server groups.

Zora Lin

Zora Lin is an intern news reporter at Blue Tech Wave specialising in Products and AI. She graduated from Chang’an University. Send tips to z.lin@btw.media.
