Intrusion detection systems (IDS) are powerful tools for monitoring traffic and detecting threats on a network or host. For those new to IDS and IPS, understanding the different types of systems available and their detection methods can be challenging.
This guide gives an overview of IDS/IPS: how these systems work, how they might fit into your organization, and alternatives that could support your cyber security strategy.
An intrusion detection system (IDS) in cyber security is a tool that analyzes system activity or network traffic for patterns that might indicate an attack. These patterns could be:
By identifying these patterns, IDS helps security personnel identify potential threats and take necessary steps to mitigate those threats. There are two main types of intrusion detection systems:
When an IDS detects suspicious activity, it will typically send an alert to a security administrator. The security administrator can then investigate the alert and take appropriate action, such as blocking the attacker's IP address or shutting down a compromised device.
Intrusion detection systems are an important part of a layered security defense. They can help to identify and respond to attacks that other security measures, such as firewalls, may miss. However, it's important to note that IDS systems are not foolproof and can sometimes generate false alarms or cause alert fatigue. One way to bypass these challenges is to use a modern alternative, like the Stamus Security Platform™, to get the benefits of IDS without the same limitations.
The main difference between IDS and IPS is that an IPS extends the functionality of IDS by actively taking steps to prevent intrusions. Based on predefined security policies and identified threats, an IPS can block malicious traffic, terminate suspicious connections, or otherwise disrupt the attacker's progress. This can involve techniques like packet filtering, which blocks unwanted traffic based on pre-defined rules, or deep packet inspection, which examines the content of packets for malicious payloads. It is important to note that one of the challenges with IPS is the possibility of non-malicious traffic being blocked based on a “false positive”.
A good example of a tool that can function as both an IDS and IPS is Suricata.
Suricata is a free, open-source cybersecurity tool that acts as both an intrusion detection system (IDS) and an intrusion prevention system (IPS). It is used by organizations all around the world to detect cyber threats and monitor networks for suspicious activity.
Suricata’s strength lies in its versatility. When tuned correctly, it is a high-performance tool that can handle large volumes of network traffic and produce large volumes of network traffic data (alerts, logs, and protocol metadata). It is also extremely flexible, offering deep analysis of various protocols and the ability to customize rule sets to fit your organization’s specific needs.
Because it’s an open-source IDS/IPS, Suricata benefits from a large, active community that constantly develops and refines its capabilities.
To use Suricata as an IPS, configure it to run in IPS (inline) mode during set-up.
There are two main types of Intrusion Detection Systems (IDS) based on their deployment and data source:
1. Network Intrusion Detection System (NIDS): NIDS act as network monitoring devices deployed at strategic points within a computer network. Their primary function is to continuously capture and analyze network traffic data traversing a specific network segment. NIDS can be implemented in two primary ways:
NIDS typically put the network adapter into promiscuous mode, which allows the NIDS to capture all traffic on the attached network segment regardless of its intended recipient. NIDS employ two main techniques for analyzing captured network traffic: signature-based detection and anomaly-based detection.
2. Host-Based Intrusion Detection System (HIDS): In contrast to NIDS, which focuses on network traffic analysis, HIDS protects individual devices (hosts) within the network. HIDS run as software agents installed directly on the host's operating system, on individual servers, desktops, or laptops, and monitor and analyze activity occurring on that host. A single HIDS agent is typically installed on each host device for dedicated monitoring.
HIDS collects data from various sources on the host device, including:
HIDS primarily utilizes anomaly-based detection techniques. By analyzing the collected data, HIDS establishes baselines for typical host activity. Significant deviations from these baselines, such as unusual file access attempts or unexpected processes running, can indicate potential intrusions or suspicious behavior.
Intrusion detection system software can be broken down into 5 essential components that work together to detect suspicious activity:
1. Sensors (Data Acquisition Units): These modules function as the primary data collection mechanism for the IDS. They are deployed at strategic points within the network (network sensors) or on individual hosts (host-based sensors). Network sensors continuously capture and transmit network traffic data to the IDS for analysis. Host-based sensors monitor system activity on the device, including logs, file access attempts, and running processes.
2. Data Processing and Analysis Engine: The analysis engine is the core component responsible for evaluating data collected by the sensors. It employs various techniques to identify potential intrusions:
- Signature-based Detection: This approach involves matching captured data against a database of known attack signatures. These signatures represent characteristic patterns of malicious activity.
- Anomaly Detection: This technique involves employing statistical algorithms to establish baselines for normal network traffic or system activity. The engine then identifies significant deviations from these baselines as potential intrusions.
3. Alert Generation Engine: Upon detecting suspicious activity, the analysis engine triggers the alert generation engine. This engine is responsible for formulating alerts that include details of the suspected intrusion, such as the type of activity detected, its timestamp, and the source IP address. These alerts are then disseminated to:
- Security Personnel: For investigation and response actions.
- Security Information and Event Management (SIEM) System: A central repository that aggregates security events from various sources, including IDS alerts, to facilitate a comprehensive view of security posture.
4. Management Interface: This software component provides a user interface for security administrators to interact with the IDS. It allows them to:
- Configure the IDS: This involves defining security rules for anomaly detection, managing sensor deployment, and establishing alert thresholds and destinations.
- Monitor System Activity: Security personnel can utilize the console to view real-time data on detected threats, analyze historical data, and investigate security incidents.
*It is important to note that not all IDS have a management interface available.*
5. Knowledge Base: The IDS maintains a repository of critical information for reference and analysis purposes. This knowledge base typically includes:
- Attack Signatures: A well-maintained database of known attack signatures that facilitates signature-based detection.
- Security Rules: Custom rules defined by the security administrator to identify suspicious behavior specific to the organization's network or system.
- Alert History: A chronological record of all generated alerts, including timestamps, details of the detected activity, and the current investigation status.
There are two primary methods of IDS/IPS detection, anomaly-based and signature-based, but it is also important to mention the third method, hybrid. These methods define how the IDS analyzes data to identify potential intrusions.
1. Anomaly-Based IDS: Anomaly-based IDS focuses on identifying deviations from normal behavior within a network or system. It works by establishing a baseline for normal activity by statistically analyzing network traffic or system activity over time. This baseline becomes a reference for identifying anomalies. The IDS then continuously monitors network traffic or system activity and compares the real-time data to the established baselines. Significant deviations from these baselines are flagged as potential intrusions.
2. Signature-Based IDS: A signature-based intrusion detection system relies on a predefined database of attack signatures to identify malicious activity. These signatures represent known patterns or fingerprints of network attacks or suspicious system behavior. The IDS continuously monitors network traffic or system activity and compares this data against the database of attack signatures. Any matches trigger an alert, indicating a potential intrusion attempt.
3. Hybrid IDS: A hybrid intrusion detection system combines both anomaly-based and signature-based detection methods to address the limitations of each approach. A hybrid system leverages signature-based detection for known threats and anomaly-based detection for novel attacks. This enhances the overall effectiveness of intrusion detection.
Each of these three detection methods (Anomaly-based, Signature-based, Hybrid) offers different strengths and weaknesses. Choosing the most suitable approach depends on factors like the specific security requirements of the network, the resource availability for managing the IDS, and the acceptable level of false positives.
It is also important to consider switching to a more advanced modern network security solution, such as network detection and response (NDR). The Stamus Security Platform (SSP) is a modern NDR solution that leverages the best from IDS technology without the same challenges faced by IDS users. Learn more at https://www.stamus-networks.com/stamus-security-platform
The main difference between a firewall and an IDS is that a firewall is a control mechanism, while an intrusion detection system detects and alerts on potentially malicious traffic. Firewalls enforce a set of predefined rules to permit or deny traffic flow based on characteristics like IP addresses, ports, protocols, or applications. They allow only authorized traffic through the network perimeter.
IDS is a monitoring and detection system. It analyzes network traffic for malicious activity or suspicious patterns that might indicate an ongoing attack. IDS doesn't directly block traffic but raises alerts for further investigation and potential response by security personnel. However, some IDS solutions, like Suricata, can be configured to function as an IPS. In this instance, the IPS actually can block traffic much like a firewall. Some organizations opt to use an IPS instead of a firewall, while others use a firewall and an IDS together.
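The following is an added example, not code from the original post or from Suricata, that ties together the three detection methods described above and the IDS/IPS distinction: a minimal hybrid engine that runs signature rules and a statistical anomaly baseline over constructed HTTP-style events, alerting in IDS mode and dropping signature hits in IPS mode. The rule format, event fields, sample traffic and baseline numbers are all hypothetical.

```python
import re
import statistics
from collections import defaultdict
# Constructed signature rules (hypothetical; modelled on IDS rule fields, not Suricata syntax).
SIGNATURES = [
    {"sid": 1000001, "msg": "SQL injection attempt", "pattern": re.compile(r"union\s+select", re.I)},
    {"sid": 1000002, "msg": "Path traversal attempt", "pattern": re.compile(r"\.\./")},
]
# Constructed sample events: two benign requests, one known-bad payload, then a burst from one source.
SAMPLE_EVENTS = (
    [{"src": "10.0.0.5", "payload": "GET /index.html"}] * 2
    + [{"src": "10.0.0.9", "payload": "GET /search?q=1 UNION SELECT password FROM users"}]
    + [{"src": "10.0.0.7", "payload": f"GET /api/items?page={i}"} for i in range(8)]
)

def signature_check(event):
    """Signature-based detection: (sid, msg) for every rule whose pattern matches the payload."""
    return [(s["sid"], s["msg"]) for s in SIGNATURES if s["pattern"].search(event["payload"])]

class AnomalyBaseline:
    """Anomaly-based detection: learn a per-source request-count baseline, flag z-score outliers."""
    def __init__(self, zmax=3.0):
        self.zmax, self.mean, self.stdev = zmax, None, None
    def train(self, counts):  # counts = per-source request counts from a clean learning period
        self.mean = statistics.mean(counts)
        self.stdev = statistics.pstdev(counts) or 1.0  # guard against a perfectly flat baseline
    def is_anomalous(self, count):
        return (count - self.mean) / self.stdev > self.zmax

def build_baseline():
    baseline = AnomalyBaseline()
    baseline.train([4, 5, 6, 5, 4])  # constructed learning data: mean 4.8, stdev ~0.75
    return baseline

def run_engine(events, baseline, mode="ids"):
    """Hybrid engine: mode='ids' only alerts; mode='ips' drops signature hits (anomalies stay alert-only)."""
    verdicts, per_src = [], defaultdict(int)
    for ev in events:
        per_src[ev["src"]] += 1
        hits = signature_check(ev)
        anomalous = baseline.is_anomalous(per_src[ev["src"]])
        if hits and mode == "ips":
            action = "drop"  # IPS: a known-bad signature match is blocked inline
        elif hits or anomalous:
            action = "alert"  # IDS: raise an alert for the analyst, do not block
        else:
            action = "pass"
        verdicts.append({"src": ev["src"], "action": action, "sids": [s for s, _ in hits], "anomaly": anomalous})
    return verdicts
```

Note how the burst from 10.0.0.7 only trips the anomaly baseline on its eighth request: the baseline, not a rule, decides that threshold, which is exactly where false positives come from when the learning period is not representative.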
The ideal placement for an IDS depends on your specific network security needs and resource limitations. There are two main approaches regardless of the type of intrusion detection system:
IDS after the Firewall (Most Common):
- Reduced Load on IDS: The firewall acts as a first filter, blocking a significant portion of unwanted traffic before it reaches the IDS. This improves the efficiency of the IDS by focusing its resources on analyzing legitimate traffic for suspicious activity.
- Focus on Internal Threats: Placing the IDS inside the network allows it to monitor for malicious activity originating from within as well as external threats that bypassed the firewall.
- Potential Security Gap: Malicious traffic that slips through the firewall is already inside the perimeter by the time the IDS sees it and raises an alert.
IDS before the Firewall (Less Common):
- Early Detection: This provides the potential to know about threats before they even reach the firewall, offering an extra layer of protection.
- Reduced Network Load: When deployed as an IPS, blocking some threats before they enter the internal network can lessen the overall load on network resources.
- Increased Resource Consumption: The IDS will need to analyze all incoming traffic, including a larger volume of unwanted traffic, potentially impacting performance.
- Limited Visibility into Internal Threats: Primarily focuses on external threats.
Here are some additional factors to consider:
Ultimately, the best placement depends on your specific situation. It's recommended to consult with a network security professional to determine the optimal placement for your network environment.
IDS is undoubtedly a powerful and effective means to detect known threats on your organization’s network. Unfortunately, most IDS deployments are riddled with false positives, provide limited threat detection, and lack sufficient visibility into anomalous activity and subtle attack signals. Traditional IDS vendors have failed to innovate in ways that solve these challenges, leading to inefficient or downright ineffective threat detection.
You need a network security platform that doesn’t generate an endless stream of useless alerts across part of your network, and instead automatically identifies alerts of interest and notifies you of only serious and imminent threats. Your organization deserves response-ready detection with visibility into your entire network regardless of the environment with easy access to all the contextual evidence you need to stop an attack before it can cause damage. Replace your legacy IDS with a modern network detection and response platform that gives you these features and more.
The Stamus Security Platform™ is a network-based threat detection and response solution that eliminates the challenges of legacy IDS while lowering your response time. Stamus Security Platform harnesses the full potential of your network, bringing state-of-the-art threat detection, automated event triage, and unparalleled visibility to the security team.
Book a demo to see if Stamus Security Platform is right for your organization.
If you're considering upgrading from IDS to a modern alternative, we recommend looking at the following resources.
ABOUT STAMUS NETWORKS™
Stamus Networks believes that cyber defense is bigger than any single person, platform, company, or technology. That’s why we leverage the power of community to deliver the next generation of open and transparent network defense. Trusted by security teams at the world’s most targeted organizations, our flagship offering – Clear NDR™ – empowers cyber defenders to uncover and stop serious threats and unauthorized network activity before they harm their organizations. Clear NDR helps defenders see more clearly and act more confidently through detection they can trust with results they can explain.
© 2014-2025 Stamus Networks, Inc. All rights Reserved.