How do intrusion detection systems (IDS) work?

What are Intrusion Detection Systems?

Protection is becoming a vital necessity as internet services such as online banking and e-commerce keep growing. Intrusion Detection System (IDS) is a piece of hardware and software that identifies and mitigates threats and attacks. The IDS acquires and analyses information on malicious activities and reports them to the system administrator and can also be stored in a Security Information and Event Management System (SIEM).

What does an intrusion detection system do?

Intrusion detection systems use two methods: signature-based detection, which takes data activity and compares it to a signature or pattern in the signature database. Signature-based detection has a constraint whereby a new malicious activity that is not in the database is ignored. The other detection method is the statistical anomaly-based or behavior-based detection, which, unlike signature-based, detects any anomaly and gives alerts; hence it detects new types of attacks. It is referred to as an expert system as it learns what normal behavior in the system is.

What are the different types of intrusion detection systems?

1.    Network-based Intrusion Detection System (NIDS)

Network intrusion detection systems operate at the network level and monitor traffic from all devices going in and out of the network. NIDS performs analysis on the traffic looking for patterns and abnormal behaviors upon which a warning is sent. In ethical hacking, if a port scanner is performed on a network secured by an IDS, it is flagged, and it is investigated further. A warning is also flagged if the NIDS detects a change in the predetermined conditions such as the standard packet size as well as the standard traffic load. An example of this is NIDS detects abnormal packet behavior in application protocol verification. Some advantages of NIDS include:

• NIDS can be easily introduced into an existing network with minimal disruptions.
• Maybe undetectable by attackers and are mostly immune to direct attacks.

Some notable disadvantages are they at times cannot handle large traffic volumes, and they cannot analyze encrypted data as well as fragmented packets.

2.    Host-based Intrusion Detection System (HIDS)

The HIDS, unlike the NIDS which monitors the entire network, HIDS monitors system data and looks for malicious activity on an individual host. HIDS can take snapshots, and if they change over time maliciously, an alert is raised.  A HIDS analyzes the change management in the operating system files, logs, as well as software and many more.

Advantages of a Host-based IDS include:

• HIDS can access encrypted data packets and can detect attacks with elusive capabilities.
• Information in audit logs can be used to monitor changes in systems and application programs.

Some major nonconformities are:

• A direct attack against the host’s operating system makes them vulnerable too.
• It can utilize large amounts of disk space, overwhelming the host’s resources.

Other types of intrusion detection systems are Application-based IDS and log file monitors.

How to Become an Ethical Hacker

Becoming a Certified Ethical Hacker (CEH) is certainly nothing to take lightly. This course will immerse you into the Hacker Mindset so that you will be able to defend against future attacks. Upon completion of the Certified Ethical Hacker training, you will have scanned, tested, hacked, and secured your own networks and systems. With this knowledge, you can bring peace of mind to an organization knowing their network is more secure from today’s biggest and toughest cybercriminals.