Ask the Expert

The ABCs of intrusion detection

What kinds of intrusion detection systems are there?

    Requires Free Membership to View

Intrusion-detection systems (IDS) are the oldest and most prevalent technology. Intrusion-prevention systems (IPS) are newer and generating a lot of discussion. Both of these tools have sub-categories I will discuss briefly. Finally, some firewall vendors are starting to incorporate these kinds of technologies into their products. All of these products should have the ability to report to a central console in some way and many can be managed centrally as well.

Intrusion-detection systems have been around since the late '80s and early 90's, and are classically broken down into signature-based and anomaly-based. Signature-based IDS works like antivirus and looks for patterns that match known malicious events. Anomaly-based IDS looks for anomalies in the network protocol, user and traffic behavior patterns or system (kernel) calls. They are further broken into network and host-based categories. Modern network IDS (NIDS) sniff a single network segment, usually using a hybrid of signature and traffic, and/or protocol anomaly detection. Host IDS (HIDS) live on an individual host and monitor some combination of system logs, calls to the system kernel and/or changes to various important files. The key point with any flavor of IDS is that it is detection only -- the even has already happened.

Intrusion-prevention systems come in many flavors similar to IDS, specifically host (HIPS) and network (NIPS) equivalents. A NIPS is usually inline (essentially a smart bridge) so that it can prevent malicious traffic from traversing the network. A HIPS may prevent an application or thread from doing something deemed questionable or dangerous. That's the key with IPS -- they can break things if they prevent something that is not malicious.

Finally, firewalls have traditionally rarely operated at the application layer, except for application proxies that have mostly been concerned with protocol compliance. They are used to enforce traffic policy of who can talk to what, how. Firewall vendors are now starting to blend IDS signature matching and other technology into their products, which has the effect of creating a combined firewall and IPS.

All of these technologies are infamous for false positives -- alerting on benign events -- and false negatives -- missing new or previously unknown events. Anomaly detection and looking at system calls for truly malicious events are two ways of combating the latter. Tuning and "targeted" IDS are methods of reducing the former.

For more info on this topic, please visit these resources:
  • Best Web Links: Intrusion detection
  • Guest Commentary: Intrusion detection is not dead but evolving into intrusion prevention
  • Web Security Tip: Evaluating and tuning an intrusion-detection system

    This was first published in January 2004

  • There are Comments. Add yours.

    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: