I
IDS (Intrusion Detection System)
A security technology that monitors network traffic or system activities for malicious actions and policy violations, generating alerts.
What is an IDS?
An Intrusion Detection System (IDS) monitors network traffic or system activities for malicious behavior or policy violations. When suspicious activity is detected, the IDS generates alerts for security teams to investigate.
IDS Types
By Monitoring Method:
- Network IDS (NIDS): Monitors network traffic at strategic points
- Host IDS (HIDS): Monitors activities on individual hosts
- Hybrid: Combines network and host monitoring
By Detection Method:
- Signature-based: Matches patterns of known attacks
- Anomaly-based: Detects deviations from baseline behavior
- Stateful Protocol Analysis: Verifies protocol compliance
How IDS Works
- Capture traffic or system events
- Analyze against rules/baselines
- Identify suspicious patterns
- Generate alerts for security team
- Log events for forensics
IDS vs. IPS
- IDS: Detects and alerts only (passive)
- IPS: Detects and actively blocks threats (inline)
Limitations
- Signature-based misses unknown (zero-day) attacks
- Anomaly-based can produce false positives
- Requires ongoing tuning and maintenance
- Cannot prevent attacks (only detect)
- May not see encrypted traffic