What Is an Intrusion Detection System (IDS)?

People driving computer mice through monitors

Elly Walton / Getty Images

An intrusion detection system (IDS) is a device or application that monitors network traffic for suspicious activity or violations of policy. If it finds something unusual, such as a malware attack, security breach, or untrustworthy user, the IDS alerts the network administrator or may even take action by blocking the user or source IP address.

There's a wide variety of intrusion detection systems, ranging from simple antivirus applications to network-wide monitoring technologies. Here's a look at the main IDS types, their subsets, how they're used, and where firewalls come into play.

When an IDS is capable of responding to an intrusion, it's classified as an intrusion prevention system.

Main IDS Types and What They Do

There are many IDS types, but the most common classifications are network intrusion detection systems (NIDS) and host intrusion detection systems (HIDS).

NIDS

This type of technology analyzes incoming network traffic. Network intrusion detection systems are placed at strategic points within the network to monitor traffic to and from all devices on the network. It compares your network data to known threats and flags suspicious activity.

Ideally, a NIDS will scan all inbound and outbound traffic, but this could create a bottleneck that would impair the overall speed of the network.

HIDS

Host intrusion detection systems run on individual hosts or devices on the network. They monitor inbound and outbound packets from the device only and will alert the user or administrator if suspicious activity is detected. A HIDS gives a more complete picture because it looks at all the system’s nodes and hosts while checking for malicious activity.

Because host intrusion detection systems can find suspicious activity that originates within the network itself, some experts consider them to be the most valuable type of IDS.

IDS Subsets

Within NIDS and HIDS are some IDS variants that work with a unique focus.

Signature-Based

A signature-based IDS monitors packets on the network and compares them against a database of signatures or attributes from known malicious threats. This is similar to the way most antivirus software detects malware. A signature-based IDS is great at finding existing threats, but it can't detect new attacks.

Anomaly-Based

An anomaly-based IDS monitors network traffic and compares it against an established baseline for what's "normal," such as the bandwidth, protocols, ports, and devices that are generally used. It flags an administrator when it detects unknown activity.

This approach is helpful for finding new attacks, but it's prone to false positives because previously unknown legitimate activity could be flagged.

Passive IDS

A passive IDS simply monitors, detects and alerts. When suspicious or malicious traffic is detected, it notifies the administrator. A passive IDS can't carry out any protective or corrective measures.

Reactive IDS

A reactive IDS detects suspicious or malicious traffic, alerts the administrator, and then takes predefined, proactive action to respond to the threat. Typically this means blocking any further network traffic from the source IP address or user.

A popular IDS is the open-source, free Snort. Snort works with many platforms and operating systems, including Linux and Windows. Snort has many resources available to find signatures to implement to detect the latest threats.

How Do Firewalls Come Into Play?

Your system's firewall and IDS both work to protect your network against hacks and intrusions. Your firewall's job is to keep malicious outsiders from breaking into your network, while your IDS tracks down any bad actors that somehow got in.

A firewall is your first line of perimeter defense. It should be explicitly configured to deny all incoming traffic, and then you open up holes where necessary. For example, you may need to open up port 80 to host websites or port 21 to host an FTP file server. While these openings may be necessary, they represent possible points of attack.

This is why you have an IDS as well as a firewall. Whether you implement a NIDS across the entire network or a HIDS on your specific device, the IDS will monitor the inbound and outbound traffic and identify suspicious or malicious traffic that either bypassed your firewall or originated from within.

 An IDS is an important network security safeguard, guarding against the vulnerabilities that can occur when other technologies fail. As cybercrime becomes more advanced, so should your defense measures.