Intrusion detection systems (IDS) are a critical component of any security infrastructure. These hardware and/or software devices monitor a network for potentially malicious activity
There's actually a relatively simple taxonomy used to classify most intrusion detection systems. It's based upon two characteristics – the type of monitoring algorithm (signature or anomaly detection) and the monitored environment (network or host). Let's take a brief look at each.
An IDS's monitoring algorithm defines how the system determines whether activity is malicious or benign. The two most common algorithm types are:
- Anomaly detection first develops a baseline (which may change over time) of "normal"
activity on a system or network and then uses that baseline to detect when abnormal activity takes
place. The major advantage to anomaly-detection systems is that they are often capable of detecting
new types of malicious activity as soon as they occur. The downside is that systems can be
"trained" to accept malicious activity as part of the baseline by slowly introducing it into the
monitored environment until it is accepted as normal.
- Signature detection systems, on the other hand, use a database of known attack patterns. When they detect activity matching one of those patterns, an alert is triggered. Signature-detection systems have an extremely low false alarm (or "false positive") rate but require constant updating in order to detect new types of attack.
Intrusion-detection systems may be further classified by the type of environment they monitor:
- Network-based systems monitor an entire network for malicious activity. They can detect
distributed attacks, but may miss attacks on individual hosts, such as a virus infection.
- Host-based systems are responsible for monitoring individual systems (although many host-based systems provide centralized monitoring solutions). They are capable of detecting malicious code and other attacks that may only impact one system and not involve any network activity.
It's important to note that every IDS on the market doesn't necessarily fit neatly into these classifications. There are a number of hybrid systems available that combine characteristics of the two major monitoring algorithm types and/or monitor more than one type of environment. When planning an IDS architecture, you should strive to achieve a balance of algorithms and monitored environments.
About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the About.com Guide to Databases.
This was first published in August 2003