What is Intrusion Detection?

keyboard keys and pad lock

Table of Contents

What is Intrusion Detection?

Like firewalls and anti-virus software, an intrusion detection system is an indispensable part of your organization’s network security. Simply put, intrusion detection devices and applications monitor your network and systems for malicious activity.

In this article, we will cover the differences between an intrusion detection system (IDS) and an intrusion prevention system (IPS), the advantages and disadvantages of each, and their common subtypes. Finally, we discuss how your business can implement one without the headache.

Let’s begin with the basics.

man working on server switch

What is the Difference Between IDS and IPS?

IDS stands for intrusion detection system, while IPS stands for intrusion prevention system. Both IDS and IPS are nearly identical in function, except for one critical distinction: in the aftermath of a detected threat, an IDS merely sends an alert, while an IPS sends an alert and actively responds to the suspicious activity.

Both IDS and IPS are part of your network infrastructure, though their positions differ within the architecture. An IDS sits inline between your network’s firewall and your network. As a result, it does not actually handle network traffic, but only receives copies of it.

Since an IDS merely analyzes copies of data packets, it cannot actively defend against potential threats. In fact, by the time an IDS sends an alert to the management terminal, the threat has already traveled from the switch to the router.

An IPS, on the other hand, actually sits on the network where it handles incoming data. This allows it to stop an attack if it gets past the firewall.

IDS Pros and Cons

Like a firewall, an IDS watches as traffic flows into your network. In the event that it recognizes a malicious signature or detects anomalous activity, an alert is sent to the security administrator or event management system (EMS).

Addressing threats with an IDS requires continuous monitoring. Often, between the time an alert is sent and when it’s manually resolved, the threat has already entered the network. This is why it’s crucial to have your IDS managed by a team of professionals.

IPS Pros and Cons

Like IDS, IPS monitors your network or systems for malicious activity and sends off an alert when it detects something suspicious. However, unlike IDS, IPS also intervenes to neutralize the threat.

So, if an IPS does everything an IDS does, with the added capability of threat-response, why use an IDS at all?

Although an IPS can respond to suspected threats in real time, it’s also liable to trigger false positives. This occurs when benign incoming data is deemed malicious. Additionally, an IPS must be constantly kept up to date, making it less flexible.

hands working on a computer keyboard

Intrusion Detection Types: Host-Based vs. Network

Detection and prevention systems come in a variety of forms. And while there are several types that exist, network and host-based are the most common intrusion detection and response systems (IDPS).

Although we will only examine a few examples here, other types include wireless intrusion prevention systems (WIPS) and network behaviour analysis (NBA).

Host-Based Intrusion Detection

A host-based intrusion detection system (HIDS) is a software that runs on a single computer. It monitors suspicious activity locally. If a cyber criminal is targeting your device, a HIDS can detect it. The same applies for host-based intrusion prevention systems (HIPS), with the additional benefit of threat-response.

HIDS and HIPS are well-suited to small businesses that have few devices. At scale, HIDS and HIPS is costly to maintain, as you’ll have to purchase individual software licenses for each computer each year. Additionally, HIDS/HIPS can be taxing on a computer’s CPU, negatively impacting performance.

Network Intrusion Detection

Network intrusion detection systems (NIDS) and network intrusion prevention systems (NIPS) monitor, report, and – in the case of NIPS – defend your business at the network level. NIDS are especially beneficial for medium to large organizations, as they oversee traffic across a large population of devices on the network.

One drawback is that NIDS and NIPS can’t actually protect the devices on the network. For instance, if a cyber criminal launches an attack against a single computer, NIDS and NIPS cannot detect it.

open concept tech office

Intrusion Detection Subtypes: Signature-Based vs. Anomaly-Based

Whether your organization opts for host-based or network intrusion detection systems, there are two subtypes that determine how suspicious activity is detected. These are known as signature detection and anomaly detection.

Signature-Based IDS/IPS

Similar to antivirus software, a signature-based IDS keeps a list of suspicious signatures. When an incoming data packet presents a particular pattern that matches one of the malicious signatures, the IDS will send an alert. As new threats emerge, the list is updated.

Anomaly-Based IDS/IPS

In anomaly-based intrusion detection systems, the IDS learns about a network’s activity through a normalization process. This process generates a predictable map of network functioning.

In the event that the IDS detects something abnormal, it dispatches an alert, usually in the form of an email, to the management terminal.

DDoS attacks are particularly common against this type of IDS. In a DDoS attack, the server is bombarded with requests from both malicious and legitimate sources. The result is that no request is able to enter the network and normal operations come to a standstill.

two men in a server room

Managed IDS/IPS Services are Central to Your Business’s Security Operations

An IDS/IPS is a central piece of your network security puzzle. Of course, responding to threats requires a security professional to be ready at all times. That’s why managed IDS/IPS has become the preferred method for businesses.

You may be wondering, “how are IDS/IPS systems managed?” With managed intrusion detection and prevention, your network benefits from gap-free coverage, allowing security professionals and software to act in real time to stop attacks.

As cyber crime becomes increasingly sophisticated, adaptive IDS/IPS services are essential to safeguarding your systems and network from harm. With the advent of deep learning AI, the rules for managed IDS are ever-changing. You need a partner that can keep up.

At Foresite, we offer proactive 24/7 managed IDS services that help you mitigate the cost of hiring a full team. Schedule a consultation with us today to learn more about IDS as a service.

Tristin Zeman

Tristin Zeman is the Digital Marketing Manager at Foresite. For the past 10 years, she has helped organizations of all sizes create and scale marketing programs through digital and traditional marketing channels and efficient marketing operations.

Sign up for our Newsletter

Receive weekly emails for the latest cybersecurity news

Expand your team with Foresite

Enterprise-level cybersecurity and risk management for mid-sized businesses. Prioritize your security tasks and reduce the complexity of cybersecurity.