Defining Intrusion Detection Systems & How IDS Monitors Work

An intrusion detection system (or IDS) is a form of software that stays active around the clock to spot malicious or unusual activity within the network. Installing a product like this could be an exceptional step toward protecting your company from hackers, intruders, and more.

A traditional IDS can't fix anything it finds. That's a task for intrusion prevention systems instead. An IDS only sends what it flags to another program (or to a human) to assess and address.

IDS security programs aren't new. The earliest forms were developed in the 1980s. But as threats evolve, so do the systems that protect against them. 

We'll explore how an IDS works, and we'll outline how to install one properly. We'll also outline a few risks and benefits, so you can determine if this is truly the solution you've been searching for.

How does intrusion detection work?

Out of all businesses open in the United States right now, 14 million are vulnerable to a hack. Large corporations are obviously at risk. But even smaller companies could be enticing to thieves and mischievous programmers. An IDS should help you spot a problem early before too much damage is done. 

There are two main types of IDS.

  • NIDS: A network intrusion detection system watches traffic as it crosses a point on the network, so it sees what goes into or out of every device on that segment.
  • HIDS: A host intrusion detection system runs on an individual device (or host) within the network and monitors that device's own inbound and outbound traffic.

How does an IDS spot a problem within traffic patterns? Two main detection types are available. Your system might flag issues based on:

  • Signatures. The IDS compares traffic and activity on your system against a database of patterns drawn from known attack techniques. In essence, the program tries to determine whether what's happening on your system right now has harmed someone in the past.
  • Anomalies. The system compares current activity against a baseline of what has normally happened at that same spot in the past. A sudden spike in activity, or a precipitous drop, could be innocent enough. But it could also be a sign of a problem.
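The two detection types above, as an added worked example that is not code from the original article: a toy detector that runs both a signature check and an anomaly check over a handful of constructed web-server log lines. The log format, the two signatures, the quiet-period history and the three-standard-deviation threshold are all assumptions made for illustration.

```python
# Added example (not from the original article): a toy IDS showing the two
# detection types side by side. Log format, signatures, and traffic are all
# constructed for illustration.
import re
from collections import Counter
from statistics import mean, pstdev
from urllib.parse import unquote

# Constructed web-server log lines: "<source IP> <HH:MM> <method> <path>".
SAMPLE_LOG = [
    "10.0.0.5 12:00 GET /index.html",
    "10.0.0.5 12:00 GET /about.html",
    "10.0.0.9 12:00 GET /index.html",
    "10.0.0.12 12:00 GET /contact.html",
    "10.0.0.7 12:01 GET /login?user=admin'%20OR%20'1'='1",
    "10.0.0.9 12:01 GET /products.html",
    "10.0.0.12 12:01 GET /index.html",
    "10.0.0.21 12:02 GET /../../etc/passwd",
] + [f"10.0.0.21 12:02 GET /page{i}.html" for i in range(9)]

# Constructed per-minute request counts from a quiet period; this is the
# "what has happened here before" that anomaly detection compares against.
QUIET_HISTORY = [4, 5, 3, 6, 4, 5, 5, 4]

# Signature detection: patterns taken from known attack techniques.
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./")),
    ("sql-injection", re.compile(r"'\s*(OR|AND)\s*'", re.IGNORECASE)),
]

LOG_LINE = re.compile(r"^(?P<src>\S+) (?P<minute>\d\d:\d\d) (?P<method>\S+) (?P<path>\S+)$")


def parse_line(line):
    """Return the fields of one log line, or None if the line is malformed."""
    match = LOG_LINE.match(line)
    return match.groupdict() if match else None


def signature_alerts(lines):
    """Flag lines whose (URL-decoded) path matches a known-attack pattern."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Decode %xx escapes first; otherwise "%20OR%20" never matches "\s*OR\s*".
        path = unquote(rec["path"])
        for name, pattern in SIGNATURES:
            if pattern.search(path):
                alerts.append((rec["src"], name))
    return alerts


def anomaly_alerts(lines, history, k=3.0):
    """Flag minutes whose request count exceeds the quiet-period mean by k standard deviations."""
    threshold = mean(history) + k * pstdev(history)
    per_minute = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_minute[rec["minute"]] += 1
    return [(minute, n) for minute, n in sorted(per_minute.items()) if n > threshold]


if __name__ == "__main__":
    print("signature alerts:", signature_alerts(SAMPLE_LOG))
    print("anomaly alerts:", anomaly_alerts(SAMPLE_LOG, QUIET_HISTORY))
```

The signature pass catches the two requests that look like known attacks regardless of volume; the anomaly pass knows nothing about attacks but flags minute 12:02 because its request count is far above the quiet-period baseline. Note that the signature check decodes the URL before matching: a detector that compares raw bytes against a pattern written for decoded text misses the same request.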

No matter what type of IDS you have and which detection type you're using, the fix won't come from the IDS. These programs can't halt traffic, close the hole an attacker used, or clean up the mess afterward.

Just as a smoke detector can't put out a fire, an IDS can't stop an attack in progress. All these programs can do is alert you to a problem.

Where should an IDS be located?

Your network has plenty of entrances and exits. You need them so data can move in and out freely. But each one is a vulnerability, and if you have many, finding the right place to install your IDS can be tricky. 

You can place your IDS:

  • Behind the firewall. Every company, no matter the size or configuration, should have a firewall. Install an IDS just behind it for close monitoring of the traffic the firewall lets into your system.
  • Within your firewall. Integrate the IDS with the firewall so attacks are monitored at the moment they enter the network.
  • On your internal network. Place the IDS on an internal segment so that an attack that is already inside (on a compromised server, for example) is spotted before it spreads.

Analyze past attacks, along with your current risks, to determine which placement choice is right for you. In time, you may find that you must move the IDS for the highest level of protection. 

How is an IDS different from other security methods?

Plenty of security systems exist, and while they often work together, keeping them separate in your mind isn't always easy. 

An IDS is different from:

  • A firewall. Should someone enter the network? A firewall answers that question. Rules define who should come in and what should happen while there. A firewall doesn't alert you to a problem as an IDS does. Instead, a firewall simply follows the rules you define. 
  • An IPS. An intrusion prevention system (IPS) both finds problems and solves them. A system like this is a bit more sophisticated than an IDS. You might still get an IPS alert when a problem appears, but you'll know that the solution is already in play. With an IDS, you have no such assurances. 
  • An IDPS. Intrusion detection and prevention systems (IDPS) identify problems, report them, and work on preventing them from happening again. A system like this might point out flaws in your plans that leave you vulnerable to attack. A standard IDS requires you to do the detective work to uncover a problem's source. 

Security programs come with plenty of acronyms, and it's easy to get them confused. But in general, think of an IDS as a useful tool you pair with your own smarts to protect your company. Think of the other products as tools that can help make your job a little easier.

IDS benefits and drawbacks

Hackers are prolific. In December of 2020 alone, 14 known hacks took place. In just one, hackers demanded $1 million in bitcoin.

Without proper defenses, an attack like this is likely. And if you're not monitoring traffic, the attack can last for months or even years. The longer the intruder stays in your system, the greater your risk of catastrophic damage. 

But even with an IDS in place, a hacker can move through your elaborate web of protection via:

  • Masking. Proxy servers make hiding the source of an attack very easy. 
  • Sharing. Hackers may spread the work among many devices and users. It's harder to see the damage at a glance. 
  • Splitting. A hacker may fragment packets to avoid detection. 
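The "splitting" evasion above is why a network IDS must reassemble a stream before it matches signatures. The following is an added example, not code from the original article: one constructed request delivered as three out-of-order segments, a naive per-segment check that misses it, and a small reassembler that restores the stream (holding back when a gap remains) so the same signature fires. The signature, the segment offsets and the payloads are all constructed.

```python
# Added example (not from the original article): why an IDS must reassemble a
# split stream before signature matching. The segments are constructed, not
# captured traffic.
import re

# One constructed signature: a path-traversal request for /etc/passwd.
SIGNATURE = re.compile(rb"\.\./\.\./etc/passwd")

# Constructed: one HTTP request delivered as three segments, out of order.
# Each entry is (byte offset within the stream, payload).
SEGMENTS = [
    (0, b"GET /.."),
    (11, b"etc/passwd HTTP/1.0\r\n\r\n"),
    (7, b"/../"),
]


def naive_match(segments):
    """Per-segment matching: what a detector sees if it never reassembles."""
    return any(SIGNATURE.search(payload) for _, payload in segments)


def reassemble(segments):
    """Stitch segments back into a contiguous byte stream.

    Returns None if a gap remains (the detector should keep buffering rather
    than match on an incomplete stream). Overlapping retransmissions are trimmed
    on the assumption that the overlapping bytes are identical.
    """
    stream = bytearray()
    for offset, payload in sorted(segments):
        if offset > len(stream):
            return None  # missing bytes before this segment
        overlap = len(stream) - offset
        stream += payload[overlap:]
    return bytes(stream)


def stream_match(segments):
    """Match the signature against the reassembled stream."""
    stream = reassemble(segments)
    return stream is not None and SIGNATURE.search(stream) is not None


if __name__ == "__main__":
    print("per-segment match:", naive_match(SEGMENTS))
    print("reassembled match:", stream_match(SEGMENTS))
```

No single segment contains the whole pattern, so the per-segment check returns False; after reassembly the stream reads `GET /../../etc/passwd HTTP/1.0` and the same signature matches. Real sensors do this at both the IP-fragment and TCP-segment layers and must also decide what to do with overlapping segments whose contents disagree, which this toy version does not address.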

Your IDS may also be subject to known limitations, such as:

  • Outdated software or signatures. If the IDS only compares your traffic to attack patterns that are months or years old, you may miss newer variants of the same attacks.
  • Encrypted traffic. Most systems can't inspect the contents of encrypted packets, so anything carried inside an encrypted session goes unseen.
  • Poor practices. More than half of all small and mid-sized companies under attack close their doors within six months. Many never write down what to do when an attack is in progress. Without those rules, they can see they're facing a problem, but they have no idea how to solve it.
  • Lack of human resources. Someone must be available to look over every alert, including false positives. An IDS produces reams and reams of data, and a human must review every piece.
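The last limitation above is an alert-volume problem, and the usual first step is to collapse repeated alerts before a person sees them. The following is an added example, not code from the original article: a handful of constructed raw alerts are folded into one row per source, signature and time window, and a narrow, analyst-reviewed tuning list removes alerts already classified as expected. The alert tuples, the 60-second window and the tuning entry are all assumptions.

```python
# Added example (not from the original article): folding a flood of raw IDS
# alerts into a short triage list. Alerts and the tuning list are constructed.
from collections import Counter

# Constructed raw alerts: (seconds since start, source IP, signature name).
RAW_ALERTS = [
    (0, "10.0.0.7", "sql-injection"),
    (5, "10.0.0.7", "sql-injection"),
    (30, "10.0.0.7", "sql-injection"),
    (61, "10.0.0.7", "sql-injection"),
    (10, "10.0.0.21", "path-traversal"),
    (12, "10.0.0.50", "path-traversal"),
    (70, "10.0.0.50", "sql-injection"),
]

# Constructed tuning list: (source, signature) pairs an analyst has already
# reviewed and classified as expected, e.g. an authorised scanner's probes.
# Keep it narrow: the same host firing a different signature still shows up.
KNOWN_BENIGN = {("10.0.0.50", "path-traversal")}


def aggregate(alerts, window=60, known_benign=KNOWN_BENIGN):
    """Collapse alerts into one row per (window, source, signature).

    Returns (rows, suppressed): rows are (window_start, source, signature, count)
    sorted for display; suppressed counts alerts dropped by the tuning list,
    which should be reported so tuning decisions stay visible.
    """
    counts = Counter()
    suppressed = 0
    for ts, src, sig in alerts:
        if (src, sig) in known_benign:
            suppressed += 1
            continue
        window_start = (ts // window) * window
        counts[(window_start, src, sig)] += 1
    rows = [(w, src, sig, n) for (w, src, sig), n in sorted(counts.items())]
    return rows, suppressed


if __name__ == "__main__":
    rows, suppressed = aggregate(RAW_ALERTS)
    for row in rows:
        print(row)
    print("suppressed by tuning list:", suppressed)
```

Seven raw alerts become four triage rows plus a count of what the tuning list removed. The second sql-injection row for 10.0.0.50 survives because the tuning entry covers only that host's path-traversal probes, which is the point of keeping exceptions specific rather than suppressing a whole source.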

Even so, with hacks coming every 39 seconds, companies can't afford to ignore the benefits and focus solely on the risks. An IDS does provide a great deal of valuable data you can use to protect your company. If you don't use it, you are leaving the door wide open to hackers.

The future of IDS 

Companies realize the limitations of a standard IDS. Some are responding by building bigger and better products for their customers.

In a year or two, new IDS solutions may come with a lower administrative burden. They may rely on machine learning to lower the rate of false positives, so staff have less to examine every day. And vendors may push updates automatically and continuously, so the system always has up-to-date information about new threats.


References

14 Million U.S. Businesses Are at Risk of a Hacker Threat. (July 2017). CNBC. 

Why Every Business Needs a Firewall. (November 2018). Phoenix Business Journal.

Significant Cyber Incidents. Center for Strategic and International Studies. 

60 Percent of Companies Fail in 6 Months Because of This (It's Not What You Think). (May 2017). Inc. 

Hackers Attack Every 39 Seconds. (February 2017). Security.