Namewise, “intrusion detection system” pretty well sums it up.  An IDS is hardware or software that is installed throughout the network, and whose purpose is to detect intrusions by examining network traffic and looking for patterns that indicate malicious activity.  The two primary types of IDS (in terms of how they work) are signature-based and anomaly-based.

Certain patterns are known to be either precursors to an attack, or an attack themselves.  For example, an attacker often will conduct a port scan, running any number of readily available utilities (such as NMAP) against an IP address, working its way up the ports.  This incursion would register literally as

10.8.x.x:1
10.8.x.x:2

and so on, up to perhaps 65,534, which I won’t write out, since I don't want to bore you.

Anomaly-based intrusion detection, also called behavioral, is a somewhat “smart” system.  The IDS is installed on the network, and monitors traffic in order to learn what is “normal” behavior: typical packet size, source and destination systems, protocols, etc., as well as time-of-day patterns.  Once this baseline is established, traffic outside of the boundaries is flagged. 

An IDS also can be classified based on where it sits.  A network-based IDS (also called a NIDS) monitors traffic as it flows across a network segment.  A host-based IDS (also called a HIDS) is installed on a specific machine.  An HIDS is installed on a computer or server that either hosts really sensitive data, or is otherwise vulnerable because, for example, it runs an older operating system required by a mission-critical legacy application.

The main drawback to an IDS—at least as originally conceived—is that it is not a reactive system.  Once it detects an intrusion of some sort, it logs the event and then (marginally) reacts by sending an alert, either via email or to the management console.

Next time: Intrusion Prevention Systems