Fontys S7

IDS Technologies

An IDS, short for intrusion detection system, is a vital system in cyber security. It can alert a company if there is a breach or if it is under attack, giving it the ability to respond accordingly. There are a few different types of intrusion detection systems, each with its own goal in mind.

  1. NIDS
    Network intrusion detection systems (NIDS) are set up at a planned point within the network (typically a mirror/SPAN port or a network tap) to examine the traffic of all devices on that segment. A NIDS observes the traffic passing on the subnet and matches it against a collection of known attacks. Once an attack is identified or abnormal behaviour is observed, an alert is sent to the administrator. An example of NIDS placement is the subnet where the firewalls are located, in order to see whether someone is trying to get past the firewall.
  2. HIDS
    Host intrusion detection systems (HIDS) run on individual hosts or devices on the network. A HIDS monitors the incoming and outgoing packets of that device only and alerts the administrator if suspicious or malicious activity is detected. It also takes a snapshot of the existing system files and compares it with the previous snapshot; if critical system files were edited or deleted, an alert is sent to the administrator to investigate. A typical use of a HIDS is on mission-critical machines whose configuration is not expected to change.
  3. PIDS
    A protocol-based intrusion detection system (PIDS) is a system or agent that resides at the front end of a server, monitoring and interpreting the protocol between a user/device and the server. For a web server it monitors the HTTPS protocol stream and analyses the HTTP requests carried inside it. Because HTTPS is encrypted on the wire, the PIDS has to sit where the traffic is already decrypted, i.e. between the TLS termination point and the web server's presentation layer; placed anywhere else it would only see ciphertext.
  4. APIDS
    An application protocol-based intrusion detection system (APIDS) is a system or agent that generally resides within a group of servers. It identifies intrusions by monitoring and interpreting the communication on application-specific protocols. For example, it might monitor the SQL protocol between the middleware and the database as the web application transacts with the database.
  5. Hybrid Intrusion Detection System
    A hybrid intrusion detection system combines two or more of the approaches above. Host agent or system data is combined with network information to develop a complete view of the hosts and the network. A hybrid IDS can therefore be more effective than any single type, because host-level and network-level evidence cover each other's blind spots. Prelude is an example of a hybrid IDS.
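As an added example (not part of the original notes, and not the code of any real HIDS product), the snapshot-and-compare behaviour described for HIDS above can be written in a few lines of Python: hash every file under a directory into a baseline, take a second snapshot later, and report what was added, deleted or modified. The directory, file names and "attacker" changes are constructed inside a temporary directory so the script runs offline; the hypothetical `demo()` function only exists to make the scenario reproducible.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256; large files are read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Baseline: relative path -> (sha256, permission bits) for every regular file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            baseline[rel] = (sha256_file(p), p.stat().st_mode & 0o7777)
    return baseline


def diff_snapshots(old: dict, new: dict) -> dict:
    """Compare two snapshots HIDS-style: anything added, deleted or changed is alert-worthy."""
    return {
        "added": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> dict:
    """Constructed scenario (hypothetical files, not a real system): baseline a fake /etc, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = snapshot(root)

        # Changes an intruder might make: weaken sshd, plant a preload hook, remove a file.
        (root / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "ld.so.preload").write_text("/tmp/evil.so\n")
        (root / "hosts").unlink()

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"ALERT [{kind}] {p}")
```

The baseline itself must be stored somewhere the intruder cannot rewrite (off-host, or at least signed), otherwise an attacker who gains root simply re-baselines after tampering; real HIDS tools such as AIDE or OSSEC exist largely to solve that storage and scheduling problem.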

The two most commonly used IDS technologies are NIDS and HIDS. A NIDS runs on a router or a dedicated sensor to monitor network traffic and generates alerts if it sees anything suspicious. A HIDS runs on the endpoints, scanning the operating system (files, processes, logs) for anything suspicious and generating alerts. These two intrusion detection systems combined can be a powerful tool for any blue team.

Apart from these different types of intrusion detection systems, there are also two different detection methods, i.e. two ways in which an IDS decides that activity is suspicious.

  1. Signature-based
    A signature-based IDS detects attacks on the basis of specific patterns, such as particular byte sequences or strings in the network traffic, or known malicious instruction sequences used by malware. The patterns the IDS looks for are known as signatures. A signature-based IDS can easily detect attacks whose signature already exists in the system, but it has great difficulty detecting new attacks, because their signature is not yet known.
  2. Anomaly-based
    Anomaly-based IDS was introduced to detect unknown attacks, since new malware is developed rapidly. An anomaly-based IDS uses statistics or machine learning to build a model of trusted (normal) activity; everything that comes in is compared with that model and declared suspicious if it does not fit. Machine-learning-based methods generalise better than signature-based IDS, because the models can be trained for the specific applications and hardware configurations in use.

Signature-based intrusion detection systems are the most used and very effective, because they recognise any known threat and generate alerts for it. On the other hand, unknown threats are often the most devastating to a company, whether because the attack uses a zero-day or because it was tailored specifically to that company. A combination of the two methods would therefore be the most effective, with the caveat that an anomaly-based IDS tends to generate more false positives, which cost analyst time and need tuning.
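As an added example covering both detection methods and the combination argued for above (this is illustrative code written for these notes, not the engine of any real IDS), the Python below runs a signature matcher and a simple anomaly detector side by side over constructed web-request logs. The three signatures, the IP addresses, the request paths and the single anomaly feature (request-path length, scored as a z-score against a benign training window) are all assumptions chosen to keep the arithmetic visible; real products use many more features. It shows the exact trade-off from the text: the signature side catches only the two known patterns, the anomaly side also catches the novel attack, and the anomaly side additionally raises a false positive on a legitimate but unusual request.

```python
import re
import statistics
from dataclasses import dataclass


@dataclass
class Request:
    src: str
    path: str


# Constructed sample traffic (not real captures). BENIGN is the training window the
# anomaly detector learns "normal" from; LIVE is the window both detectors inspect.
BENIGN = [
    Request(f"10.0.0.{i % 5 + 1}", p)
    for i, p in enumerate(
        ["/index.html", "/about", "/login", "/products?id=42",
         "/static/app.js", "/contact", "/products?id=7", "/cart"] * 5
    )
]

LIVE = [
    Request("10.0.0.2", "/products?id=42"),                      # normal
    Request("203.0.113.9", "/login?user=admin' OR '1'='1"),      # known SQL-injection pattern
    Request("203.0.113.9", "/static/../../../../etc/passwd"),    # known traversal pattern
    Request("198.51.100.4", "/api/v2/export?a=" + "A" * 300),    # novel attack: no signature exists
    Request("10.0.0.3", "/reports/annual/2023/financial-statement-consolidated-final-version-2.pdf"),  # legitimate but unusual
]

# Signature-based detection: a hypothetical rule set of known-bad character patterns.
SIGNATURES = {
    "sql-injection": re.compile(r"'\s*or\s*'?1'?\s*=\s*'?1", re.I),
    "path-traversal": re.compile(r"(\.\./){2,}"),
    "xss": re.compile(r"<script", re.I),
}


def signature_detect(req: Request) -> list[str]:
    """Return the names of every signature that matches the request path."""
    return [name for name, rx in SIGNATURES.items() if rx.search(req.path)]


# Anomaly-based detection: learn a baseline of normal, then flag large deviations.
def build_baseline(requests: list[Request]) -> tuple[float, float]:
    """Mean and population standard deviation of path length over benign traffic."""
    lengths = [len(r.path) for r in requests]
    return statistics.fmean(lengths), statistics.pstdev(lengths)


def anomaly_score(req: Request, baseline: tuple[float, float]) -> float:
    """z-score of this request's path length against the baseline."""
    mean, stdev = baseline
    if stdev == 0:  # degenerate baseline (all training paths identical): any change is maximally odd
        return 0.0 if len(req.path) == mean else float("inf")
    return (len(req.path) - mean) / stdev


def classify(requests: list[Request], baseline: tuple[float, float], z_threshold: float = 3.0) -> list[dict]:
    """Run both detectors over a window; a hybrid deployment alerts when either fires."""
    verdicts = []
    for r in requests:
        z = anomaly_score(r, baseline)
        verdicts.append({
            "src": r.src,
            "path": r.path,
            "signatures": signature_detect(r),
            "z": round(z, 2),
            "anomalous": z > z_threshold,
        })
    return verdicts


if __name__ == "__main__":
    for v in classify(LIVE, build_baseline(BENIGN)):
        if v["signatures"]:
            tag = "SIG " + ",".join(v["signatures"])
        else:
            tag = "ANOM" if v["anomalous"] else "ok"
        print(f"{tag:<22} z={v['z']:>7} {v['src']:<14} {v['path'][:60]}")
```

Raising `z_threshold` removes the false positive on the long report path but would eventually also hide the novel attack; that tuning knob, and the analyst time spent on whatever still gets through, is the cost of anomaly detection that the text refers to.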