Defining Intrusion Detection Systems & How IDS Monitors Work

An intrusion detection system (or IDS) is a form of software that stays active around the clock to spot malicious or unusual activity within the network. Installing a product like this could be an exceptional step toward protecting your company from hackers, intruders, and more.

A traditional IDS can't fix anything it finds. That's a task for intrusion prevention systems instead. By comparison, an IDS sends anomalies to another program (or to a human) to assess and address. 

IDS security programs aren't new. The earliest forms were developed in the 1980s. But as threats evolve, so do the systems that protect against them. 

We'll explore how an IDS works, and we'll outline how to install one properly. We'll also outline a few risks and benefits, so you can determine if this is truly the solution you've been searching for.

How does intrusion detection work?

Out of all businesses open in the United States right now, 14 million are vulnerable to a hack. Large corporations are obviously at risk. But even smaller companies could be enticing to thieves and mischievous programmers. An IDS should help you spot a problem early before too much damage is done. 

There are two main types of IDS.

  • NIDS: A network intrusion detection system monitors the traffic that flows between devices on the network, watching the network as a whole rather than any single machine. 
  • HIDS: A host intrusion detection system monitors an individual device (or host) within the network. It inspects the traffic entering and leaving that one device. 

How does an IDS spot a problem within traffic patterns? Two main detection types are available. Your system might flag issues based on:

  • Signatures. The IDS compares activity on your system against a database of patterns (signatures) taken from known attacks. In essence, the program attempts to determine whether what's happening on your system right now has harmed someone in the past. 
  • Anomalies. The system compares current activity against a baseline of what has normally happened in that same place in the past. A sudden spike in activity, or a precipitous drop, could be innocent enough. But it could also be a sign of a problem. 
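To make the two detection types concrete, here is an added Python sketch (not code from the original article or from any IDS product) that runs both over constructed web-server log lines and a constructed request-count baseline; the two signature rules and the three-sigma threshold are assumptions chosen for illustration.

```python
import re
from statistics import mean, pstdev

# Constructed sample log lines (not from any real system) for a web server.
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200',
    '10.0.0.9 - - "GET /login?user=admin\' OR 1=1-- HTTP/1.1" 200',
    '10.0.0.5 - - "GET /about HTTP/1.1" 200',
    '10.0.0.7 - - "GET /../../etc/passwd HTTP/1.1" 404',
]

# Signature rules: a name plus a regex describing a known attack pattern.
# Two illustrative stand-ins for the large signature database a real IDS ships.
SIGNATURES = {
    "sqli_tautology": re.compile(r"'\s*OR\s+1=1", re.IGNORECASE),
    "path_traversal": re.compile(r"\.\./"),
}

def signature_alerts(lines, signatures=SIGNATURES):
    """Signature detection: flag every line that matches a known pattern.
    Returns (line_number, rule_name) pairs; nothing is blocked, only reported."""
    alerts = []
    for n, line in enumerate(lines, start=1):
        for name, pattern in signatures.items():
            if pattern.search(line):
                alerts.append((n, name))
    return alerts

def anomaly_alerts(baseline, current, sigmas=3.0):
    """Anomaly detection: compare each current per-interval request count with
    the historical baseline for the same spot. Values more than `sigmas`
    standard deviations from the mean are flagged as a spike or a drop.
    With a flat baseline (sd == 0) any deviation at all is flagged."""
    mu, sd = mean(baseline), pstdev(baseline)
    flagged = []
    for i, value in enumerate(current):
        if abs(value - mu) > sigmas * sd:
            flagged.append((i, value, "spike" if value > mu else "drop"))
    return flagged

if __name__ == "__main__":
    print(signature_alerts(SAMPLE_LOGS))
    # Constructed baseline: requests per minute over a quiet period.
    baseline = [100, 105, 98, 102, 110, 95, 101, 99, 104, 97]
    print(anomaly_alerts(baseline, [103, 400, 2, 100]))
```

Note that a request that matches no signature and produces no unusual volume (such as a single malformed request from a new IP) would pass both checks, which is why the two approaches are usually combined.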

No matter what type of IDS you have and the detection type you're using, the solution won't reside within the IDS. These programs can't halt traffic, close trapdoors, or clean up messes. 

Just as a smoke detector can't put out a fire, an IDS can't stop an attack in progress. All these programs can do is alert you to a problem.

Where should an IDS be located?

Your network has plenty of entrances and exits. You need them so data can move in and out freely. But each one is a vulnerability, and if you have many, finding the right place to install your IDS can be tricky. 

You can place your IDS:

  • Behind the firewall. Every company, no matter the size or configuration, should have a firewall. Install an IDS just behind your firewall for close monitoring of traffic entering your system. 
  • Within your firewall. Integrate the two systems to ensure monitoring of attacks as they enter the network. 
  • On your network. Place the IDS on internal segments so that an attack that has already reached a server is spotted before it spreads further. 

Analyse past attacks, along with your current risks, to determine which placement choice is right for you. In time, you may find that you must move the IDS for the highest level of protection. 

How is an IDS different from other security methods?

Plenty of security systems exist, and while they often work together, keeping them separate in your mind isn't always easy. 

An IDS is different from:

  • A firewall. Should someone enter the network? A firewall answers that question. Rules define who should come in and what should happen while there. A firewall doesn't alert you to a problem as an IDS does. Instead, a firewall simply follows the rules you define. 
  • An IPS. An intrusion prevention system (IPS) both finds problems and solves them. A system like this is a bit more sophisticated than an IDS. You might still get an IPS alert when a problem appears, but you'll know that the solution is already in play. With an IDS, you have no such assurances. 
  • An IDPS. Intrusion detection and prevention systems (IDPS) identify problems, report them, and work on preventing them from happening again. A system like this might point out flaws in your plans that leave you vulnerable to attack. A standard IDS requires you to do the detective work to uncover a problem's source. 

Security programs come with plenty of acronyms, and it's easy to get them confused. But in general, think of an IDS as a useful tool you pair with your own smarts to protect your company. Think of the other products as tools that can help make your job a little easier.

IDS benefits and drawbacks

Hackers are prolific. In December of 2020 alone, 14 known hacks took place. In just one, hackers demanded $1 million in bitcoin.

Without proper defences, an attack like this is likely. And if you're not monitoring traffic, the attack can la