
What is an Intrusion Detection System (IDS) and how does it work?


An Intrusion Detection System (IDS) is a security system that monitors computer systems and network traffic. It searches for malicious traffic that may represent an attack on the system or network, and for misuse of the systems or network.

The main goal of an IDS is to detect intrusions and/or react in real time, preventing the intruder from causing any harm.

Among the characteristics that an IDS should have, we can find:

  • minimum human supervision
  • automated updates
  • high accuracy
  • low rate of false alarm
  • ability to detect all the attacks
  • respond quickly to an attack

There are several things we should consider when choosing an IDS, like the type of IDS, the type of attacks that the network/system is exposed to and different types of IDS implementations. Keep reading to get more information on those topics.


Main types of Intrusion Detection Systems

The main types of IDS are:

  • Anomaly-based IDS: focuses on network behaviour. It separates “normal” traffic from malicious traffic.
  • Signature-based IDS: uses known attacks to identify patterns and determine possible attacks. This is why they are called signature-based: they try to identify the signatures of known attacks in the traffic.

Find below a summary of the advantages and disadvantages of the two main types of IDS.

Anomaly-based
  Advantages: detects zero-day attacks; low rate of false alarms; can be used to create signatures of known attacks.
  Disadvantages: low detection rate; high false alarms; needs initial training.

Signature-based
  Advantages: fast response time; low rate of false alarms.
  Disadvantages: needs regular updates; limited detection of zero-day attacks; cannot detect new attacks unless there is an update.

Advantages and disadvantages of the two main types of IDS

The main types of attacks on an Intrusion Detection System

It is important to know and understand what types of attacks can be carried out against an IDS or, more generally, against a computer system.

Find below the 4 main types of attacks:

  • Denial of Service attack (DoS attack): the attacker/intruder tries to prevent an authorised user from using the service. This attack relies on taking down a connection or a service by overloading the network traffic. An example of this type of attack is Ping of Death.
  • User to Root attack: the attacker/intruder gets access to a normal user account and then exploits system vulnerabilities to gain root privileges. An example of this type of attack is a rootkit.
  • Remote to User attack: the attacker/intruder tries to gain access to a local machine by sending packets to it over the network.
  • Probing: the attacker/intruder uses software to scan and monitor network activity or collect data from the network. An example of such software is Nmap.

How to assess an Intrusion Detection System

An IDS can be assessed using several metrics:

  • Effectiveness: low rate of false alarms.
  • Accuracy: a measure of how well the IDS detects attacks and avoids false alarms.
  • Efficiency: a measure of how the IDS uses resources to detect intrusions in a timely manner.
  • Timeliness: time spent to detect or report an intrusion.
  • Implementation cost: total cost needed to implement a detection technique.
  • Reliability: how consistently a detection approach performs.

It is important to know how an IDS performs on the previous metrics before we deploy it into the network.

How to implement your own IDS?

There are several approaches one can use to implement an IDS:

  • Statistical-based anomaly detection: uses statistical properties of the traffic to determine whether a given action is an intrusion or a normal action on the system.
  • Pattern matching: detects intrusions by comparing the incoming traffic patterns with existing patterns, i.e. with known patterns or attack signatures.
  • Data mining: used to detect intrusions where the data set is large.
  • Machine learning: the system learns and keeps improving over time. It is especially useful when new attacks need to be recognised frequently. Machine learning techniques include Neural Networks, Fuzzy Logic and Support Vector Machines. Human intervention can be very low or none.
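To make the two classic approaches concrete, and to show how the assessment metrics from the previous section are computed, here is an added example (not code from the original post, and not any real IDS) that runs a pattern-matching engine and a statistical anomaly engine side by side over constructed traffic records. The signature is the Ping of Death example from the text (an ICMP datagram larger than the 65,535-byte IP maximum); the anomaly engine is trained on assumed-clean traffic and flags sources whose distinct-port count or byte volume lies more than three standard deviations from the learned mean. All IP addresses, record values, the three-sigma threshold and the per-source scoring are constructed assumptions for the demonstration.

```python
import statistics
from collections import defaultdict

# --- Constructed sample traffic (not captured data) ---------------------------
# Each record is (src_ip, protocol, dst_port, length_bytes). ICMP has no port,
# so it is recorded as port 0.
TRAINING_TRAFFIC = [  # assumed-clean traffic, used only to fit the anomaly baseline
    ("10.0.0.1", "tcp", 80, 700), ("10.0.0.1", "tcp", 443, 700),
    ("10.0.0.2", "tcp", 80, 600),
    ("10.0.0.3", "tcp", 80, 900), ("10.0.0.3", "tcp", 443, 900), ("10.0.0.3", "tcp", 22, 800),
    ("10.0.0.4", "tcp", 443, 900),
    ("10.0.0.5", "tcp", 80, 800), ("10.0.0.5", "tcp", 443, 700),
]
TEST_TRAFFIC = [
    ("10.0.0.20", "tcp", 80, 600), ("10.0.0.20", "tcp", 443, 700),              # ordinary browsing
    *[("10.0.0.21", "tcp", p, 60) for p in (21, 22, 23, 25, 80, 110, 443, 3389)],  # port sweep (probing)
    ("10.0.0.22", "icmp", 0, 65600),                                           # oversized ICMP datagram
    ("10.0.0.23", "tcp", 443, 3600),                                           # large but legitimate download
]
# Ground truth per source, used only to score the engines afterwards.
TEST_LABELS = {"10.0.0.20": "normal", "10.0.0.21": "attack",
               "10.0.0.22": "attack", "10.0.0.23": "normal"}

# --- Signature-based engine (pattern matching) --------------------------------
SIGNATURES = [
    # (name, predicate over one record). Only the Ping of Death rule exists here,
    # so anything else, like the port sweep, is a "zero-day" for this engine.
    ("ping-of-death", lambda r: r[1] == "icmp" and r[3] > 65535),
]

def signature_alerts(records):
    """Return {src_ip: [matched signature names]} for records matching any rule."""
    alerts = defaultdict(list)
    for rec in records:
        for name, matches in SIGNATURES:
            if matches(rec):
                alerts[rec[0]].append(name)
    return dict(alerts)

# --- Statistical anomaly engine ------------------------------------------------
def per_source_features(records):
    """Summarise traffic per source as (distinct destination ports, total bytes)."""
    ports, total = defaultdict(set), defaultdict(int)
    for src, proto, port, length in records:
        ports[src].add((proto, port))
        total[src] += length
    return {src: (len(ports[src]), total[src]) for src in ports}

class StatisticalAnomalyDetector:
    """Flags a source whose features lie more than `threshold` standard deviations
    from the mean learned on training traffic (hence "needs initial training")."""

    def __init__(self, threshold=3.0):
        self.threshold = threshold
        self.baseline = None  # list of (mean, stdev), one pair per feature

    def train(self, records):
        columns = list(zip(*per_source_features(records).values()))
        self.baseline = [(statistics.mean(c), statistics.pstdev(c)) for c in columns]
        return self.baseline

    def alerts(self, records):
        """Return {src_ip: [z-score per feature]} for sources beyond the threshold."""
        if self.baseline is None:
            raise RuntimeError("train() must be called before detecting")
        flagged = {}
        for src, feats in per_source_features(records).items():
            zs = [(v - m) / s if s else (0.0 if v == m else float("inf"))
                  for v, (m, s) in zip(feats, self.baseline)]
            if max(abs(z) for z in zs) > self.threshold:
                flagged[src] = [round(z, 2) for z in zs]
        return flagged

# --- Assessment: detection rate and false-alarm rate ----------------------------
def score(alerted_sources, labels):
    """Detection rate = TP/(TP+FN); false-alarm rate = FP/(FP+TN), counted per source."""
    tp = sum(1 for s, l in labels.items() if l == "attack" and s in alerted_sources)
    fn = sum(1 for s, l in labels.items() if l == "attack" and s not in alerted_sources)
    fp = sum(1 for s, l in labels.items() if l == "normal" and s in alerted_sources)
    tn = sum(1 for s, l in labels.items() if l == "normal" and s not in alerted_sources)
    return {"detection_rate": tp / (tp + fn), "false_alarm_rate": fp / (fp + tn)}

def run_ids():
    """Run both engines and a hybrid (union of alerts); return sources and metrics per engine."""
    sig = signature_alerts(TEST_TRAFFIC)
    detector = StatisticalAnomalyDetector(threshold=3.0)
    detector.train(TRAINING_TRAFFIC)
    anom = detector.alerts(TEST_TRAFFIC)
    both = set(sig) | set(anom)
    return {
        "signature": (sorted(sig), score(sig, TEST_LABELS)),
        "anomaly": (sorted(anom), score(anom, TEST_LABELS)),
        "hybrid": (sorted(both), score(both, TEST_LABELS)),
    }

if __name__ == "__main__":
    for engine, (sources, metrics) in run_ids().items():
        print(f"{engine:9s} alerted={sources} {metrics}")
```

On this data the signature engine catches only the Ping of Death source (detection rate 0.5, no false alarms) because it has no rule for the port sweep, while the anomaly engine catches both attackers but also flags the heavy legitimate download (detection rate 1.0, false-alarm rate 0.5). That is exactly the trade-off summarised in the table above, and the false alarm disappears or reappears simply by moving the threshold, which is why the rate at which an anomaly engine is tuned matters as much as the engine itself.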

In the current situation, new attacks are appearing daily. Therefore, we need systems that can adapt quickly to new situations and that require a low level of human intervention.

The quicker and more autonomous the system, the lower the chances of attacks occurring in the network or computer systems.

Following this reasoning, it seems logical to use an IDS implemented with machine learning for a computer system/network that is regularly exposed to new threats.

Neural Networks need minimal human intervention to detect intrusions. A study published here found that Recurrent Neural Networks are ideal for building an IDS: they provide high accuracy and detection rates and a low false-positive rate. Therefore, that study recommends the use of Neural Networks to implement effective IDSs that need minimal human intervention and detect intrusions in real time.

Differences between IDS and IPS

A term related to IDS is IPS.

“An intrusion prevention system (IPS) is an automated network security device used to monitor and respond to potential threats. Like an intrusion detection system (IDS), an IPS determines possible threats by examining network traffic. Because an exploit may be carried out very quickly after an attacker gains access, intrusion prevention systems administer an automated response to a threat, based on rules established by the network administrator.” Source.

A “traditional” IDS identifies threats and reports information about them (logs them, informs the admin, etc.). Some IDS can also take action against malicious attacks; these are classified as Intrusion Prevention Systems (IPS).
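The practical difference is in the response stage, and it is where the false-alarm rate from the previous sections starts to cost something: an IDS that mislabels a legitimate user only produces a noisy log entry, whereas an inline IPS cuts that user off. The added example below (not code from the original post or from any of the products named on this page) models a response policy that, in IDS mode, only reports, and in IPS mode blocks only alerts whose confidence reaches a threshold, so a marginal statistical anomaly is reported rather than blocked. The `Alert` structure, the confidence values and the 0.8 threshold are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    """One alert handed from a detection engine to the response stage (assumed shape)."""
    src_ip: str
    engine: str        # "signature" or "anomaly"
    confidence: float  # 0.0 .. 1.0, assumed to be supplied by the engine

# Constructed alerts, not produced by a real sensor.
SAMPLE_ALERTS = [
    Alert("10.0.0.22", "signature", 0.99),  # exact match on a known signature
    Alert("10.0.0.21", "anomaly", 0.90),    # strong statistical outlier
    Alert("10.0.0.23", "anomaly", 0.55),    # weak outlier: could be a legitimate burst
]

def respond(alerts, mode, block_threshold=0.8):
    """Return {src_ip: action} for the given alerts.

    mode="ids": every alert is only logged and reported to the administrator.
    mode="ips": alerts at or above block_threshold are blocked inline; weaker
    ones fall back to reporting, which bounds the damage a false positive can do.
    """
    if mode not in ("ids", "ips"):
        raise ValueError(f"unknown mode {mode!r}, expected 'ids' or 'ips'")
    actions = {}
    for alert in alerts:
        if mode == "ips" and alert.confidence >= block_threshold:
            actions[alert.src_ip] = "block"
        else:
            actions[alert.src_ip] = "log-and-notify"
    return actions

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        print(mode, respond(SAMPLE_ALERTS, mode))
```

Run against the same three alerts, IDS mode reports all of them, while IPS mode blocks the signature hit and the strong anomaly but only reports the weak one; lowering `block_threshold` trades a faster automated response for a higher risk of blocking legitimate traffic.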

Five IDS/IPS you can use

  1. Snort. Open source, free and lightweight. IDS, IPS.
  2. Suricata. Open source. IDS, IPS, network security monitoring.
  3. OSSEC. Multiplatform, open source, free. PCI compliance.
  4. Zeek. Open source. IDS.
  5. Cisco Secure Network Analytics (formerly Stealthwatch). Commercial product from Cisco.

Summary

There are several types of IDS and different approaches are being used to implement them.

Machine learning is having a great impact on how IDS are developed and what they can do.

You should choose an IDS according to your specific needs. When assessing which one matches your needs, don’t forget to check the desirable characteristics:

  • minimum human supervision
  • automated updates
  • high accuracy
  • low rate of false alarm
  • ability to detect all the attacks
  • respond quickly to an attack
