An Intrusion Detection System (IDS) are used to monitor network traffic and keeps watch of any suspicious activity and sends an alarm to the system or the network administrator. In other cases, the IDS may respond to anomalous or malicious traffic by blocking the user or the source IP address from accessing the network.
There are some IDS that detect by looking for specific signatures of known threats like the way an security operations center standards software works and others detect based on comparing traffic patterns against a baseline and find anomalies. There are those that simply monitor and alert while others watch and perform an action once they detect a threat. This is an overview of the different types of Intrusion Detection Systems.
Network Intrusion Detection Systems
NIDS are placed as a strategic point within the network to monitor traffic flow to and from all the devices on that network. Ideally, you will be scanning all the inbound and outbound traffic but this will impair the overall speed of the network.
Host Intrusion Detection Systems
HIDS typically are run on individual device or hosts on the network. They monitor inbound and outbound flow from the device only and alert the administrator or user once they detect suspicious activity.
Signature based IDS monitor packets on the network and compares them against a database of signatures from known malicious threats. They work like the way most antivirus software works in detecting malware. The only problem in this is that it will take some time between the discovery of a new threat and the application of the signature to your intrusion detection system. During this lag time, the IDS would be unable to detect the new threat.
A passive IDS will detect and alert. When suspicious traffic is detected the IDS generates a signal and sends it to the administrator or user, and it is up to the user to take action and block the threat or respond in another way.
A Reactive IDS detects malicious or suspicious traffic and alerts the administrator and also takes pre-defined proactive actions to respond to the threat. It responds by blocking further traffic from the source IP address or the user.
Anomaly based IDS monitors the network traffic and compares it against an established baseline. The baseline identifies what is typical for that network; the sort of bandwidth that is used, the protocols used, the ports and devices that connect to each other, and then alert the administrator when anomalous or significantly different traffic is detected based on the baseline.