What are the types of Intrusion-Detection Systems in information security?

An intrusion detection system (IDS) is an application or device that monitors inbound and outbound network traffic (or, for host-based systems, activity on a host), continuously analyzing events for deviations from expected patterns, and alerts an administrator when it identifies unusual behavior. The administrator then reviews the alarms and takes action to remove the threat.

For example, an IDS can inspect the data carried by network traffic to check whether it contains known malware or other malicious content. If it identifies such a threat, it sends an alert to the security team so they can investigate and remediate it. An IDS only detects and alerts; it does not block the traffic itself (that is the role of an intrusion prevention system), so once the alert arrives the team must act quickly to stop the attack from taking over the system.

In a Network-based Intrusion Detection System (NIDS), the sensors are placed at choke points in the network to be monitored, often in the Demilitarized Zone (DMZ) or at network borders. The sensor captures the traffic passing that point and analyzes the content of individual packets for malicious traffic.
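The following is an added example, not code from the original page or from any IDS product: a minimal content-inspecting NIDS sensor in Python. It decodes constructed Ethernet/IPv4/TCP frames (the frame builder, the 10.0.0.5 and 192.168.1.10 addresses, and the two rules with their SIDs are all assumptions made up for this example; the rule format is a simplified Snort-like schema, not Snort's actual syntax) and raises an alert when a packet to the rule's port carries the rule's byte pattern.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed rule set in a simplified Snort-like form (our own schema, not
# Snort's real rule syntax): match the TCP destination port and a byte
# pattern in the payload, as a content-inspecting NIDS would.
RULES = [
    {"sid": 1000001, "dport": 80, "content": b"../../etc/passwd",
     "msg": "Directory traversal attempt over HTTP"},
    {"sid": 1000002, "dport": 80, "content": b"<script>",
     "msg": "Possible reflected XSS payload"},
]


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def parse_ipv4_tcp(frame: bytes) -> Optional[Packet]:
    """Decode an Ethernet II / IPv4 / TCP frame; return None for anything else."""
    # 14-byte Ethernet header; EtherType 0x0800 is IPv4
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:                           # protocol number 6 is TCP
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4            # TCP header length in bytes
    return Packet(src, dst, sport, dport, tcp[data_off:])


def build_frame(payload: bytes, dport: int = 80, sport: int = 40000) -> bytes:
    """Construct sample traffic: wrap a payload in Ethernet/IPv4/TCP headers.
    Checksums are left zero; the sensor above does not verify them."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                         bytes([10, 0, 0, 5]), bytes([192, 168, 1, 10]))
    return eth + ip_hdr + tcp_hdr + payload


def inspect(frame: bytes) -> list:
    """Return one alert dict per rule whose port and content match the frame."""
    pkt = parse_ipv4_tcp(frame)
    if pkt is None:
        return []
    return [
        {"sid": r["sid"], "msg": r["msg"], "src": pkt.src, "dst": pkt.dst, "dport": pkt.dport}
        for r in RULES
        if pkt.dport == r["dport"] and r["content"] in pkt.payload
    ]


def demo() -> list:
    """Run the sensor over a few constructed frames and return all alerts."""
    frames = [
        build_frame(b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
        build_frame(b"GET /../../etc/passwd HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
        build_frame(b"GET /?q=<script>alert(1)</script> HTTP/1.1\r\n\r\n"),
        # Same payload to port 443: in real traffic this would be TLS
        # ciphertext and a NIDS could not see the pattern at all.
        build_frame(b"GET /?q=<script>alert(1)</script> HTTP/1.1\r\n\r\n", dport=443),
    ]
    return [a for f in frames for a in inspect(f)]


if __name__ == "__main__":
    for alert in demo():
        print(f"[{alert['sid']}] {alert['msg']} {alert['src']} -> {alert['dst']}:{alert['dport']}")
```

The last frame in `demo()` illustrates the limit of a NIDS at a network border: once the same request is carried over HTTPS, the signature never matches because the sensor only sees ciphertext, which is why the protocol-based and host-based systems described below exist.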

Protocol-based (PIDS) and application protocol-based (APIDS) systems monitor the transport and application protocols for illegal or improper traffic or language constructs (for example, SQL). In a host-based system, the sensor is generally a software agent that monitors all activity on the host on which it is installed. Hybrids of these approaches also exist.
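The following is an added example, not code from the original page or from any IDS product: a small APIDS-style monitor in Python for the SQL flowing between an application's middleware and its database, as described in this paragraph and in the APIDS item below. It folds literals out of each statement to obtain its "shape", learns the shapes a hypothetical order service issues during normal operation (the sample statements are constructed for this example), and then flags statements that show injection constructs (tautologies, stacked statements, comments, UNION SELECT) or a shape the application has never been seen to send. The assumption that the application's own SQL never contains comments or stacked statements is ours and must be adjusted per middleware.

```python
import re

# Checks run on the normalized shape (literals folded to "?"), so that a
# comment or semicolon inside a legitimate string literal does not trip them.
# Assumption: the monitored middleware never emits these constructs itself.
SIGNATURES = [
    ("sql-comment", re.compile(r"--|/\*")),
    ("stacked-statement", re.compile(r";\s*\S")),
    ("tautology", re.compile(r"\bor\s+\?\s*=\s*\?")),        # OR 1=1, OR 'a'='a'
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b")),
]


def normalize(sql: str) -> str:
    """Reduce a statement to its shape: literals become ?, whitespace and case are folded."""
    s = re.sub(r"'(?:[^']|'')*'", "?", sql)       # string literals ('' escapes stay inside)
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)      # numeric literals
    return re.sub(r"\s+", " ", s).strip().lower()


def learn_baseline(queries) -> set:
    """Shapes observed while the application is known to be behaving normally."""
    return {normalize(q) for q in queries}


def inspect_query(sql: str, baseline: set) -> list:
    """Return the findings for one statement seen on the database connection."""
    shape = normalize(sql)
    findings = [tag for tag, rx in SIGNATURES if rx.search(shape)]
    if shape not in baseline:
        findings.append("unknown-shape")
    return findings


# Constructed traffic: what a hypothetical order service normally sends,
# followed by statements produced by injected user input.
NORMAL_TRAFFIC = [
    "SELECT id, name FROM users WHERE id = 42",
    "SELECT id, name FROM users WHERE name = 'alice'",
    "SELECT id, name FROM users WHERE name = 'o''brien'",
    "INSERT INTO audit (user_id, action) VALUES (42, 'login')",
]
SUSPECT_TRAFFIC = [
    "SELECT id, name FROM users WHERE name = '' OR '1'='1' -- '",
    "SELECT id, name FROM users WHERE id = 1; DROP TABLE users",
    "SELECT id, name FROM users WHERE id = 1 UNION SELECT username, password FROM admins",
]


def demo() -> dict:
    """Learn from the normal traffic, then inspect every statement."""
    baseline = learn_baseline(NORMAL_TRAFFIC)
    return {q: inspect_query(q, baseline) for q in NORMAL_TRAFFIC + SUSPECT_TRAFFIC}


if __name__ == "__main__":
    for query, findings in demo().items():
        print("ALERT" if findings else "ok   ", findings, query)
```

The shape baseline is what makes this an application-protocol sensor rather than a generic pattern matcher: a statement can be free of every signature and still be reported because the business logic never issues that form of query.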

  • A Network Intrusion Detection System (NIDS) is an independent platform that identifies intrusions by examining network traffic and monitors multiple hosts. A NIDS gains access to network traffic by connecting to a hub, a network switch configured for port mirroring, or a network tap. An example of a NIDS is Snort.

  • A Protocol-based Intrusion Detection System (PIDS) consists of a system or agent that generally sits at the front end of a server, monitoring and analyzing the communication protocol between the server and a connected device (a user's PC or another system).

    For a web server, this generally means monitoring the HTTPS stream and understanding the HTTP protocol as spoken by the web server it is protecting. Where HTTPS is in use, the sensor cannot inspect the encrypted stream, so it must reside in the “shim”, the interface at which the HTTPS traffic has been decrypted and directly before it enters the web presentation layer.

  • An Application Protocol-based Intrusion Detection System (APIDS) consists of a system or agent that generally sits within a group of servers, monitoring and analyzing communication on application-specific protocols. In a web server with a database, this can monitor the SQL protocol specific to the middleware/business logic as it transacts with the database.

  • A Host-based Intrusion Detection System (HIDS) consists of an agent on a host that identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability databases) and other host activity and state. An example of a HIDS is OSSEC.

  • A hybrid intrusion detection system combines multiple approaches. Host agent data is combined with network data to form a comprehensive view of the network. An example of a hybrid IDS is Prelude.
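The following is an added example, not code from the original page or from OSSEC or any other product: two of the checks a HIDS agent performs, written in Python. The first is file-integrity monitoring of the kind the HIDS item above describes for binaries and password files (take a SHA-256 baseline on a known-good host, later report any watched file that is missing or changed); the second is log analysis, counting failed SSH logins per source address. The watched paths, the throwaway host tree built under a temporary directory, the tampering performed on it, and the sshd-style auth log lines are all constructed for this example.

```python
import hashlib
import os
import re
import tempfile
from collections import Counter

# Files a hypothetical agent is configured to watch, relative to the host root.
WATCHED = ["etc/passwd", "etc/shadow", "usr/bin/login"]

# Constructed sshd-style auth log lines, as the agent would tail them.
SAMPLE_AUTH_LOG = [
    "Mar  3 10:15:01 web1 sshd[2201]: Accepted publickey for deploy from 198.51.100.4 port 50122 ssh2",
    "Mar  3 10:15:07 web1 sshd[2210]: Failed password for root from 203.0.113.7 port 51522 ssh2",
    "Mar  3 10:15:09 web1 sshd[2210]: Failed password for root from 203.0.113.7 port 51522 ssh2",
    "Mar  3 10:15:12 web1 sshd[2215]: Failed password for invalid user admin from 203.0.113.7 port 51530 ssh2",
    "Mar  3 10:15:14 web1 sshd[2215]: Failed password for invalid user admin from 203.0.113.7 port 51530 ssh2",
    "Mar  3 10:15:20 web1 sshd[2222]: Failed password for alice from 198.51.100.9 port 40011 ssh2",
    "Mar  3 10:15:21 web1 sshd[2230]: Failed password for invalid user oracle from 203.0.113.7 port 51544 ssh2",
    "Mar  3 10:15:23 web1 sshd[2230]: Failed password for invalid user oracle from 203.0.113.7 port 51544 ssh2",
]
FAILED_LOGIN = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: str, rel_paths=WATCHED) -> dict:
    """Hash every watched file that exists; done once on a known-good host."""
    out = {}
    for rel in rel_paths:
        p = os.path.join(root, rel)
        if os.path.isfile(p):
            out[rel] = sha256_of(p)
    return out


def check_integrity(root: str, baseline: dict) -> list:
    """Report watched files that have since been removed or modified."""
    alerts = []
    for rel, expected in baseline.items():
        p = os.path.join(root, rel)
        if not os.path.isfile(p):
            alerts.append(("missing", rel))
        elif sha256_of(p) != expected:
            alerts.append(("modified", rel))
    return alerts


def detect_bruteforce(lines, threshold: int = 5) -> dict:
    """Source addresses with at least `threshold` failed logins in the lines given."""
    per_source = Counter()
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if m:
            per_source[m.group(2)] += 1
    return {ip: n for ip, n in per_source.items() if n >= threshold}


def demo() -> tuple:
    """Build a throwaway host tree, baseline it, tamper with it, and report."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in [("etc/passwd", b"root:x:0:0::/root:/bin/sh\n"),
                             ("etc/shadow", b"root:!:19000::::::\n"),
                             ("usr/bin/login", b"\x7fELF constructed stand-in for a binary")]:
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(content)
        baseline = take_baseline(root)
        # Simulated compromise: an extra uid-0 account and a removed login binary.
        with open(os.path.join(root, "etc/passwd"), "ab") as f:
            f.write(b"backdoor:x:0:0::/root:/bin/sh\n")
        os.remove(os.path.join(root, "usr/bin/login"))
        fim_alerts = check_integrity(root, baseline)
    return fim_alerts, detect_bruteforce(SAMPLE_AUTH_LOG)


if __name__ == "__main__":
    fim, brute = demo()
    for kind, rel in fim:
        print(f"integrity: {kind} {rel}")
    for ip, n in brute.items():
        print(f"auth: {n} failed logins from {ip}")
```

A real agent would also protect the baseline itself (store it off-host or sign it), since an attacker with root can otherwise re-baseline after tampering; that step is outside this example.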