Network Security - Intrusion Detection
What Is Intrusion Detection?
Intrusion Detection is a security process that monitors a network or system for suspicious activity, malicious behavior, or unauthorized access attempts.
Its main purpose is to detect cyberattacks early so security teams can respond before major damage occurs.
Why Intrusion Detection Matters
-
Prevents data breaches
-
Detects hacking attempts
-
Identifies malware activity
-
Protects sensitive information
-
Helps organizations maintain security compliance
Types of Intrusion Detection Systems (IDS)
1. Network-Based IDS (NIDS)
Monitors network traffic across the entire network.
-
Detects unusual patterns like port scanning, DDoS attempts, or suspicious IP addresses.
2. Host-Based IDS (HIDS)
Monitors activity on a specific device or server.
-
Checks logs, file changes, suspicious processes, and unauthorized user actions.
Intrusion Detection Methods
1. Signature-Based Detection
-
Works like an antivirus.
-
Compares activity with known attack signatures.
-
Fast and accurate for known threats.
2. Anomaly-Based Detection
-
Uses machine learning or baselines to detect unusual behavior.
-
Good for spotting new or unknown attacks.
How Intrusion Detection Works
-
Monitoring: Continuously observes network packets or system activity.
-
Analysis: Compares data with signatures or normal behavior patterns.
-
Detection: Flags suspicious or abnormal actions.
-
Alerting: Sends notifications to administrators or security teams.
Examples of Intrusion Detection
-
Detecting brute-force login attempts
-
Identifying malware communicating with external servers
-
Flagging unusual large data transfers
-
Catching unauthorized access to sensitive files
IDS vs IPS (Important Difference)
-
IDS (Intrusion Detection System): Detects and alerts.
-
IPS (Intrusion Prevention System): Detects, alerts, and automatically blocks threats.