Information Security


Intrusion Detection

Intrusion Detection is the process of monitoring computer systems and networks for unauthorized access, misuse, or abnormal activity.

  • Intrusion Detection Systems (IDS) identify potential threats by analyzing network traffic, system logs, and patterns of behavior. When a threat is detected, the system generates an alert to notify administrators. An IDS is a detective control: it reports, and blocking the activity is left to an administrator or to a separate prevention system (IPS).

Types of Intrusion Detection Systems

A Host-Based Intrusion Detection System (HIDS) is an IDS agent installed directly on individual hosts, such as servers or workstations.

  • It monitors the host's own internals: system and authentication logs, file integrity (checksums of critical files compared against a trusted baseline), running processes, and configuration changes, to detect suspicious activity or unauthorized modifications.
  • Because it sees events with full host context (user, process, file path) and after any network encryption has been removed, HIDS is well suited to detecting attacks against a specific device, privilege escalation, and persistence mechanisms.
  • Its limits: it consumes CPU, memory, and disk on the monitored host; it sees nothing of traffic between other hosts; and an attacker who gains root on the host can disable the agent or tamper with local logs and the baseline, so alerts and baselines should be shipped to a separate collector the host cannot modify.

A Network-Based Intrusion Detection System (NIDS) is deployed at strategic points within the network infrastructure to monitor traffic flowing across the network.

  • It analyzes network packets in real time to detect abnormal patterns, malicious traffic, or unauthorized access attempts.
  • NIDS is useful for identifying threats such as Denial-of-Service (DoS) attacks, malware propagation, and port scanning.
  • Unlike HIDS, it does not see host-level details, but it offers a broad view of network activity from a single vantage point. A NIDS is typically fed passively from a SPAN/mirror port or a network TAP at the perimeter or between critical segments. It can only inspect payloads it can read: for TLS-encrypted traffic it is limited to metadata (endpoints, ports, volumes, timing) unless traffic is decrypted in front of the sensor.

Signature-Based Detection is an IDS technique that identifies threats by comparing observed behavior or data against a predefined database of known attack signatures.

  • Each signature is a pattern associated with a specific threat, such as a virus, worm, or exploit.
  • If an incoming packet or event matches a known signature, the system raises an alert.
  • Because an alert requires a match against a known pattern, this method produces few false positives for known attacks, but it cannot detect new or unknown threats (zero-day attacks), since no signature exists for them yet. Known attacks can also slip past if the attacker alters the payload enough (encoding, case changes, fragmentation) to miss the pattern, so the signature database needs continuous updates.

Anomaly-Based Detection works by establishing a baseline of “normal” system or network behavior and then flagging any deviations from that baseline as potential intrusions.

  • It uses statistical models, machine learning, or heuristics to identify unusual activity, such as a sudden increase in network traffic or unauthorized access attempts.
  • Anomaly detection is capable of identifying unknown or emerging threats, including zero-day attacks.
  • However, it typically produces more false positives, since legitimate but unusual behavior (a new backup job, an authorized vulnerability scan, a traffic spike after a launch) is flagged as malicious. The baseline is also only as good as the window it was learned from: if an attacker is already active while "normal" is being established, that activity becomes part of the baseline.

A Hybrid-Based Intrusion Detection System combines the features of both signature-based and anomaly-based detection methods to provide a more comprehensive and accurate detection capability.

  • It leverages the accuracy of signature detection for known threats and the flexibility of anomaly detection to identify new or unknown attacks.
  • Hybrid systems aim to reduce both false positives and false negatives by correlating findings from multiple perspectives, for example raising the severity of an anomaly when a signature also fires for the same source and lowering it when the anomaly stands alone.
  • They may also integrate both host-based and network-based detection capabilities, offering layered protection against a wide range of threats.
