
How Do Intrusion Detection Systems (IDS) Work?

What are Intrusion Detection Systems?

Cyber security protection has become a necessity for small and midsize businesses. The shift to remote working brought on by the COVID-19 pandemic expanded the threat landscape almost overnight, so businesses need a way to monitor their networks for security events and attacks. An Intrusion Detection System provides that monitoring.

An Intrusion Detection System (IDS) is a combination of hardware and software that detects threats and attacks on your network. An IDS is a detection control rather than a blocking one: it collects and analyses evidence of malicious activity and raises alerts, which are reported to a SOC (Security Operations Centre) where cyber security analysts investigate and respond. Automatically blocking the traffic is the job of an Intrusion Prevention System (IPS).

What does an Intrusion Detection System do?

Intrusion detection systems use two methods of detection:

  • Signature-based detection compares observed activity against a database of signatures, that is, patterns of known attacks. Its limitation is that malicious activity with no matching signature in the database, such as a brand-new attack, goes unnoticed.
  • Behaviour-based (anomaly) detection instead learns what normal behaviour on your systems looks like and alerts on deviations from that baseline, which means it can detect new types of attacks. The trade-off is a higher rate of false positives, because unusual but legitimate activity also looks like an anomaly.
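To make the two methods concrete, here is an added example (not code from the original page or from m3) that runs a tiny signature matcher and a tiny anomaly detector over constructed web-request logs. The log lines, client addresses, the two signatures and the "mean plus three standard deviations" threshold are all assumptions chosen for illustration; the point is to see what each method catches and what it misses.

```python
import re
import statistics
from collections import Counter

# Constructed sample request logs (not real traffic), one request per line:
#   "client_ip METHOD path"
# BASELINE_LOG is a quiet period used to learn normal behaviour.
BASELINE_LOG = """\
10.0.0.5 GET /index.html
10.0.0.5 GET /about.html
10.0.0.6 GET /index.html
10.0.0.6 GET /contact.html
10.0.0.6 GET /about.html
10.0.0.7 GET /index.html
10.0.0.8 GET /index.html
10.0.0.8 GET /products.html
10.0.0.9 GET /index.html
10.0.0.9 GET /about.html
10.0.0.9 GET /contact.html
"""

# LIVE_LOG is the window being inspected: a SQL-injection probe, a path-traversal
# probe, a command-injection probe that has no signature yet, and one client
# sending far more requests than anyone did during the baseline.
LIVE_LOG = (
    "10.0.0.5 GET /index.html\n"
    "10.0.0.7 GET /login.php?user=admin'%20OR%20'1'='1\n"
    "10.0.0.9 GET /../../../etc/passwd\n"
    "10.0.0.11 GET /newtool.cgi?cmd=whoami\n"
    + "".join(f"10.0.0.42 GET /search?q={i}\n" for i in range(60))
)

# A toy signature database (assumed): name -> pattern matched against the path.
SIGNATURES = [
    ("sqli-tautology", re.compile(r"(%27|')(%20|\s)*or(%20|\s)", re.IGNORECASE)),
    ("path-traversal", re.compile(r"(\.\./|%2e%2e%2f)", re.IGNORECASE)),
]


def parse(log):
    """Yield (client_ip, method, path) for each non-empty line."""
    for line in log.splitlines():
        if line.strip():
            ip, method, path = line.split(maxsplit=2)
            yield ip, method, path


def signature_matches(line):
    """Names of signatures that match one log line (empty list if none)."""
    _ip, _method, path = line.split(maxsplit=2)
    return [name for name, pattern in SIGNATURES if pattern.search(path)]


def learn_baseline(log):
    """Mean and standard deviation of requests per client in the learning window."""
    counts = Counter(ip for ip, _m, _p in parse(log))
    values = list(counts.values())
    return statistics.mean(values), statistics.pstdev(values)


def anomalous_clients(log, baseline, k=3.0):
    """Clients whose request count exceeds mean + k * stdev of the baseline.

    The stdev is floored at 1.0 so a very uniform baseline does not flag
    every client that sends one extra request.
    """
    mean, stdev = baseline
    threshold = mean + k * max(stdev, 1.0)
    counts = Counter(ip for ip, _m, _p in parse(log))
    return {ip: n for ip, n in counts.items() if n > threshold}


def detect(baseline_log, live_log):
    """Run both detectors and return a list of (method, rule, client_ip) alerts."""
    alerts = []
    for line in live_log.splitlines():
        if line.strip():
            for name in signature_matches(line):
                alerts.append(("signature", name, line.split()[0]))
    for ip in anomalous_clients(live_log, learn_baseline(baseline_log)):
        alerts.append(("anomaly", "request-rate", ip))
    return alerts


if __name__ == "__main__":
    for alert in detect(BASELINE_LOG, LIVE_LOG):
        print(alert)
    # Note what is missing: 10.0.0.11's command-injection probe has no signature
    # and is only a single request, so neither method reports it.
```

Running it produces three alerts: two signature hits (the SQL injection and the path traversal) and one anomaly (10.0.0.42's request flood). The command-injection probe from 10.0.0.11 is reported by neither detector, which is exactly the gap the text describes: a new attack with no signature slips past signature matching, and anomaly detection only helps when the attack also changes observable behaviour.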

At m3 we use an IDS that combines both of the above detection methods with review by human analysts.

What are the different types of Intrusion Detection Systems?

1.    Network-based Intrusion Detection System (NIDS)

A NIDS operates at the network level. It is placed where it can see traffic crossing the network boundary (typically fed by a network tap or a switch mirror port) and inspects packets from all devices going in and out of the network. It analyses that traffic for known patterns and abnormal behaviour and raises a warning when either is found. For example, a port scan against a network monitored by a NIDS is flagged and then investigated further by cyber security analysts. A warning is also raised when the NIDS detects a change in the traffic profile, such as an unusual packet size or traffic load. Some advantages of NIDS include:

  • A NIDS is easily introduced into an existing network with minimal disruption.
  • Because it monitors passively, it may be undetectable by attackers and is largely immune to direct attack.

However, there are disadvantages: a NIDS can struggle to keep up with large traffic volumes (dropping packets under load), it cannot inspect the contents of encrypted traffic, and it can be evaded by deliberately fragmented packets unless it reassembles them before inspection.
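The port-scan case above is a good illustration of what a NIDS can do even when payloads are encrypted, because a scan shows up in connection metadata alone. The following is an added example, not code from the original page or from m3: it runs a simple scan detector over constructed connection records and flags both a vertical scan (many ports on one host) and a horizontal scan (one port across many hosts). The addresses, thresholds and the ten-second window are assumptions chosen for the illustration.

```python
from collections import defaultdict

WINDOW_SECONDS = 10      # fixed time bucket used to group connections (assumed)
PORT_THRESHOLD = 15      # distinct ports on one host within a bucket (assumed)
HOST_THRESHOLD = 15      # distinct hosts on one port within a bucket (assumed)


def build_sample_flows():
    """Constructed connection records (not a real capture): (time, src, dst, dst_port)."""
    flows = []
    # Normal traffic: a workstation talking to the web server and the mail server.
    for t in range(0, 60, 5):
        flows.append((t, "10.0.0.5", "10.0.0.80", 443))
        flows.append((t + 1, "10.0.0.5", "10.0.0.25", 993))
    # Vertical scan: one host probes 40 ports on the web server within four seconds.
    for i in range(40):
        flows.append((20 + i * 0.1, "10.0.0.99", "10.0.0.80", 1 + i))
    # Horizontal scan: one host probes port 445 on 30 different hosts within three seconds.
    for i in range(30):
        flows.append((40 + i * 0.1, "10.0.0.77", f"10.0.1.{i + 1}", 445))
    return sorted(flows)


def detect_port_scans(flows, window=WINDOW_SECONDS,
                      port_threshold=PORT_THRESHOLD, host_threshold=HOST_THRESHOLD):
    """Return alerts of the form (kind, src, target, count).

    Connections are grouped into fixed buckets of `window` seconds per source
    address. A real sensor would use a sliding window so that a scan straddling
    a bucket boundary is not split below the threshold.
    """
    # (bucket, src) -> dst -> set of destination ports seen
    buckets = defaultdict(lambda: defaultdict(set))
    for t, src, dst, dport in flows:
        buckets[(int(t // window), src)][dst].add(dport)

    alerts = []
    for (_bucket, src), per_dst in buckets.items():
        # Vertical scan: many distinct ports on a single destination.
        for dst, ports in per_dst.items():
            if len(ports) >= port_threshold:
                alerts.append(("vertical-scan", src, dst, len(ports)))
        # Horizontal scan: the same port on many distinct destinations.
        per_port = defaultdict(set)
        for dst, ports in per_dst.items():
            for port in ports:
                per_port[port].add(dst)
        for port, dsts in per_port.items():
            if len(dsts) >= host_threshold:
                alerts.append(("horizontal-scan", src, port, len(dsts)))
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(build_sample_flows()):
        print(alert)
```

On the sample data the workstation's routine HTTPS and IMAPS connections never come close to the thresholds, while 10.0.0.99 is reported for touching 40 ports on the web server and 10.0.0.77 for touching port 445 on 30 hosts. Nothing here looks at packet payloads, which is why this kind of detection keeps working on encrypted traffic; the flip side is that the detector is blind to a scan slow enough to stay under the per-window threshold, which is the classic evasion against it.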

2.    Host-based Intrusion Detection System (HIDS)

A HIDS, unlike a NIDS that monitors the whole network, monitors a single host. It watches system data on that host for malicious activity by taking snapshots of the system's state and raising an alert if a later snapshot differs in a way that indicates tampering. A HIDS tracks changes to operating system files, logs, installed software and more.

A couple of advantages of a host-based IDS:

  • A HIDS sees data after the host has decrypted it, so it can inspect traffic that is encrypted on the wire and detect attacks that evade network-level monitoring.
  • Information in the host's audit logs is used to monitor changes to the system and to application programs.

Some drawbacks are:

  • Because it runs on the host it protects, a direct attack that compromises the host's operating system can disable or subvert the HIDS as well.
  • It can consume large amounts of disk space (and host CPU) for the logs and snapshots it keeps.
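The snapshot-and-compare behaviour described above is the core of host-based file integrity monitoring. Here is an added example (not code from the original page or from m3) that hashes every file under a directory, takes a baseline, and reports files added, removed or modified since. The scratch directory, the file names and the simulated tampering (a new sudoers rule, a dropped cron job, a deleted SSH key file) are all constructed for the illustration and are not a real host.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            state[rel] = digest
    return state


def diff_snapshots(before, after):
    """Compare two snapshots and report what was added, removed or modified."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
    }


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Constructed scenario: a temporary directory stands in for a host's /etc."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "passwd", "root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "sudoers", "root ALL=(ALL) ALL\n")
        _write(root, "ssh/authorized_keys", "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 admin@example\n")
        baseline = snapshot(root)   # taken while the host is known-good

        # Simulated tampering between the two snapshots.
        _write(root, "sudoers", "root ALL=(ALL) ALL\nattacker ALL=(ALL) NOPASSWD: ALL\n")
        _write(root, "cron.d/backdoor", "* * * * * root /tmp/.x\n")
        os.remove(os.path.join(root, "ssh", "authorized_keys"))

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for path in paths:
            print(f"ALERT {kind}: {path}")
```

The snapshot stores only hashes, not file contents, which keeps the disk footprint small. The drawback noted above still applies: an attacker with control of the host can rewrite the baseline before the next comparison, so in practice the baseline is stored (or at least signed and verified) somewhere the host cannot modify, such as the central monitoring server.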

Intrusion Detection Systems from m3

If you want to protect your business network with an Intrusion Detection System, call us today on 01738 237003.

Posted in Cyber Security
