What is Intrusion Detection Systems (IDS)? How does it Work? | Fortinet (2024)

Anintrusion detection system(IDS) is an application that monitors network traffic and searches for known threats and suspicious or malicious activity. The IDS sends alerts to IT and security teams when it detects any security risks and threats.

Most IDS solutions simply monitor and report suspicious activity and traffic when they detect an anomaly. However, some can go a step further by taking action when it detects anomalous activity, such as blocking malicious or suspicious traffic.

IDS tools typically are software applications that run on organizations’ hardware or as a network security solution. There are also cloud-based IDS solutions that protect organizations’ data, resources, and systems in their cloud deployments and environments.

The answer to "what is intrusion" is typically an attacker gaining unauthorized access to a device, network, or system. Cyber criminals use increasingly sophisticated techniques and tactics to infiltrate organizations without being discovered. This includes common techniques like:

1. Address spoofing:The source of an attack is hidden using spoofed, misconfigured, and poorly secured proxy servers, which makes it difficult for organizations to discover attackers.
2. Fragmentation:Fragmented packets enable attackers to bypass organizations’ detection systems.
3. Pattern evasion:Hackers adjust their attack architectures to avoid the patterns that IDS solutions use to spot a threat.
4. Coordinated attack:A network scan threat allocates numerous hosts or ports to different attackers, making it difficult for the IDS to work out what is happening.

IDS solutions come in a range of different types and varying capabilities. Common types ofintrusion detection systems (IDS) include:

1. Network intrusion detection system (NIDS):A NIDS solution is deployed at strategic points within an organization’s network to monitor incoming and outgoing traffic. This IDS approach monitors and detects malicious and suspicious traffic coming to and going from all devices connected to the network.
2. Host intrusion detection system (HIDS):A HIDS system is installed on individual devices that are connected to the internet and an organization’s internal network. This solution can detect packets that come from inside the business and additional malicious traffic that a NIDS solution cannot. It can also discover malicious threats coming from the host, such as a host being infected with malware attempting to spread it across the organization’s system.
3. Signature-based intrusion detection system (SIDS):A SIDS solution monitors all packets on an organization’s network and compares them with attack signatures on a database of known threats.
4. Anomaly-based intrusion detection system (AIDS):This solution monitors traffic on a network and compares it with a predefined baseline that is considered "normal." It detects anomalous activity and behavior across the network, including bandwidth, devices, ports, and protocols. An AIDS solution uses machine-learning techniques to build a baseline of normal behavior and establish a corresponding security policy. This ensures businesses can discover new, evolving threats that solutions like SIDS cannot.
5. Perimeter intrusion detection system (PIDS):A PIDS solution is placed on a network to detect intrusion attempts taking place on the perimeter of organizations’ critical infrastructures.
6. Virtual machine-based intrusion detection system (VMIDS):A VMIDS solution detects intrusions by monitoring virtual machines. It enables organizations to monitor traffic across all the devices and systems that their devices are connected to.
7. Stack-based intrusion detection system (SBIDS):SBIDS is integrated into an organization’s Transmission Control Protocol/Internet Protocol (TCP/IP), which is used as a communications protocol on private networks. This approach enables the IDS to watch packets as they move through the organization’s network and pulls malicious packets before applications or the operating system can process them.

IDSsolutions excel in monitoring network traffic and detecting anomalous activity. They are placed at strategic locations across a network or on devices themselves to analyze network traffic and recognize signs of a potential attack.

An IDS works by looking for the signature of known attack types or detecting activity that deviates from a prescribed normal. It then alerts or reports these anomalies and potentially malicious actions to administrators so they can be examined at the application and protocol layers.

This enables organizations to detect the potential signs of an attack beginning or being carried out by an attacker. IDS solutions do this through several capabilities, including:

1. Monitoring the performance of key firewalls, files, routers, and servers to detect, prevent, and recover from cyberattacks
2. Enabling system administrators to organize and understand their relevant operating system audit trails and logs that are often difficult to manage and track
3. Providing an easy-to-use interface that allows staff who are not security experts to help with the management of an organization’s systems
4. Providing an extensive database of attack signatures that can be used to match and detect known threats
5. Providing a quick and effective reporting system when anomalous or malicious activity occurs, which enables the threat to be passed up the stack
6. Generating alarms that notify the necessary individuals, such as system administrators and security teams, when a breach occurs
7. In some cases, reacting to potentially malicious actors by blocking them and their access to the server or network to prevent them from carrying out any further action

An intrusion detection system provides an extra layer of protection, making it a critical element of an effective cybersecurity strategy. You can use it alongside your other cybersecurity tools to catch threats that are able to penetrate your primary defenses. So even if your main system fails, you are still alerted to the presence of a threat.

A healthcare organization, for example, can deploy an IDS to signal to the IT team that a range of threats has infiltrated its network, including those that have managed to bypass its firewalls. In this way, the IDS helps the organization to stay in compliance with data security regulations.

IDS solutions offer major benefits to organizations, primarily around identifying potential security threats being posed to their networks and users. A few common benefits of deploying an IDS include:

1. Understanding risk:An IDS tool helps businesses understand the number of attacks being targeted at them and the type and level of sophistication of risks they face.
2. Shaping security strategy:Understanding risk is crucial to establishing and evolving a comprehensive cybersecurity strategy that can stand up to the modern threat landscape. An IDS can also be used to identify bugs and potential flaws in organizations’ devices and networks, then assess and adapt their defenses to address the risks they may face in the future.
3. Regulatory compliance:Organizations now face an ever-evolving list of increasingly stringent regulations that they must comply with. An IDS tool provides them with visibility on what is happening across their networks, which eases the process of meeting these regulations. The information it gathers and saves in its logs is also vital for businesses to document that they are meeting their compliance requirements.
4. Faster response times:The immediate alerts that IDS solutions initiate allow organizations to discover and prevent attackers more quickly than they would through manual monitoring of their networks. The sensors that an IDS uses can also inspect data in network packets and operating systems, which is also faster than manually collecting this information.

While IDS solutions are important tools in monitoring and detecting potential threats, they are not without their challenges. These include:

1. False alarms:Also known as false positives, these leave IDS solutions vulnerable to identifying potential threats that are not a true risk to the organization. To avoid this, organizations must configure their IDS to understand what normal looks like, and as a result, what should be considered as malicious activity.
2. False negatives:This is a bigger concern, as the IDS solution mistakes an actual security threat for legitimate traffic. An attacker is allowed to pass into the organization’s network, with IT and security teams oblivious to the fact that their systems have been infiltrated.

As the threat landscape evolves and attackers become more sophisticated, it is preferable for IDS solutions to provide false positives than false negatives. In other words, it is better to discover a potential threat and prove it to be wrong than for the IDS to mistake attackers for legitimate users. Furthermore, IDS solutions increasingly need to be capable of quickly detecting new threats and signs of malicious behavior.

An IDS solution is typically limited to the monitoring and detection of known attacks and activity that deviates from a baseline normal prescribed by an organization. The anomalies that an IDS solution discovers are pushed through the stack to be more closely examined at the application and protocol layer. Therefore, most IDS solutions are not capable of preventing or offering a solution for the threats that they discover.

An intrusion prevention system (IPS) goes beyond this by blocking or preventing security risks. An IPS can both monitor for malicious events and take action to prevent an attack from taking place.

IPS solutions help businesses take a more proactive cybersecurity approach and mitigate threats as soon as possible. They constantly monitor networks in search of anomalies and malicious activity, then immediately record any threats and prevent the attack from doing damage to the company's data, networks, resources, and users. An IPS will also send insight about the threat to system administrators, who can then perform actions to close holes in their defenses and reconfigure their firewalls to prevent future attacks.

Deploying an IPS tool enables organizations to prevent advanced threats such as denial-of-service (DoS) attacks, phishing, spam, and virus threats. They can also be used within security review exercises to help organizations discover vulnerabilities in their code and policies.

It is increasingly important for organizations to deploy tools capable of IDS and IPS, or a tool that can do both, to protect their corporate data and users. Integrating IDS and IPS in one product enables the monitoring, detection, and prevention of threats more seamlessly.

Firewalls and intrusion detection systems (IDS) are cybersecurity tools that can both safeguard a network or endpoint. Their objectives, however, are very different from one another.

1. IDS: Intrusion detection systems are passive monitoring tools that identify possible threats and send out notifications to analysts in security operations centers (SOCs). In this way, incident responders can promptly look into and address the potential event.
2. Firewall: A firewall, on the other hand, analyzes the metadata contained in network packets and decides whether to allow or prohibit traffic into or out of the network based on pre-established rules. A firewall essentially creates a barrier that stops certain traffic from crossing through it.

An IDS is focused ondetecting and generating alerts about threats, while a firewall inspects inbound and outbound traffic, keeping all unauthorized traffic at bay.