Computer Basics - Intrusion Detection System (IDS)

An Intrusion Detection System (IDS) is a security tool designed to monitor network traffic or host activity to detect suspicious or malicious behavior. Its primary role is to identify potential security breaches, policy violations, or abnormal activity and alert administrators.

Key Functions of IDS:

• Monitoring: Continuously inspects network packets, system logs, and user activities.

• Detection: Identifies patterns of known attacks (signature-based) or unusual behavior (anomaly-based).

• Alerting: Notifies administrators when suspicious activity is detected.

• Forensics support: Provides logs and reports to help investigate incidents.

Types of IDS:

1. Network-based IDS (NIDS):
   Monitors traffic across an entire network segment (e.g., Snort, Suricata).

2. Host-based IDS (HIDS):
   Runs on individual machines to track system calls, file integrity, and local logs (e.g., OSSEC, Tripwire).

Detection Methods:

• Signature-based: Matches known attack patterns.

• Anomaly-based: Detects deviations from normal behavior.

• Hybrid: Combines both for better accuracy.

Limitations:

• IDS is passive (alerts only, doesn’t block by default).

• May generate false positives (benign activity flagged as suspicious).

• Needs tuning to the environment to reduce noise.