What is IDS - Intrusion Detection System

June 26, 2024
What is IDS - Intrusion Detection System
An intrusion detection system is a network security tool that monitors network traffic and devices for malicious or suspicious activity, or security policy violations.

IDS accelerates and automates network threat detection by alerting or sending alerts to SIEM, a centralized security event management system. SIEM accumulates data from multiple sources to help cybersecurity professionals identify and respond to cyber threats.

IDSs can also ensure compliance with certain requirements. For example, PCI-DSS compliance requires implementing anti-virus protection and securing the network and stored and transmitted cardholder information.

However, an IDS cannot handle security threats on its own and is usually integrated into an IPS, an intrusion prevention system that can detect and prevent security threats automatically.

How intrusion detection systems work

IDSs are implemented as software applications installed on endpoints, or dedicated hardware devices connected to a network. Some IDS solutions are available as cloud-based services. Regardless of the type of implementation, IDS utilizes one or two primary threat detection methods: signature-based or anomaly-based.

Signature-based detection

This method analyzes network packets for attack signatures – unique characteristics associated with a particular threat. IDS maintains a signature database of already known viruses against which it compares network packets. If part of the packet code matches the virus code in the database, IDS will detect it.

To remain effective, signature databases must be updated regularly with information about new viruses. A new, unanalyzed virus may bypass an IDS built on this method.

Anomaly-based detection

This method uses machine learning to create and continuously improve an underlying model of normal network activity. Current network activity is compared to the model to identify suspicious events or trends.

Because an anomaly-based IDS system reports any abnormal behavior, it is able to detect new types of cyberattacks not detected by the signature-based method. For example, anomaly-based IDSs can detect zero-day exploits – attacks that exploit software vulnerabilities before the software developer finds them and has time to patch them.

On the other hand, anomaly-based IDSs are prone to false positives. Even innocuous actions, such as an authorized user accessing a corporate network share for the first time, can make an IDS suspicious.

Less common detection methods

Reputation-based detection blocks traffic from IP addresses and domains associated with malicious or suspicious activity.

Stateful protocol analysis focuses on protocol behavior – for example, it can detect a DDoS attack by detecting an IP address making multiple simultaneous TCP connection requests in a short period of time.

Whatever method or methods IDS uses, when it detects a potential threat or policy violation, it alerts the incident response team. IDS also keeps track of security incidents in its own logs, or by logging them with SIEM. Incident logs are used to refine IDS criteria, for example, by adding new attack signatures or updating the network behavior model.

Types of Intrusion Prevention Systems

IDSs are categorized based on where they are located in the system and what type of activity they monitor.


Network Intrusion Detection System – NIDS monitors incoming and outgoing traffic to network devices. NIDS is placed at important points on the network, often just behind firewalls. NIDS can also be placed inside the network to detect insider threats or hackers gaining access to user accounts. For example, a NIDS can be placed behind each internal firewall in a segmented network to monitor traffic traveling between subnets.

To avoid impeding the flow of legitimate traffic, NIDS is often placed “out-of-band,” meaning that traffic does not pass through it. Thus, NIDS analyzes copies of network packets rather than the packets themselves, which does not prevent it from detecting malicious traffic.


Host Intrusion Detection System – HIDS is installed on a specific endpoint, such as a laptop, router, or server. HIDS monitors only incoming and outgoing traffic on the device where it is installed. Typically, HIDS regularly creates snapshots of critical operating system files and compares them to each other. If the HIDS detects a change, such as log file edits or configuration changes, it alerts the security team.

Security teams often combine NIDS and HIDS systems. NIDS looks at traffic in general, while HIDS provides additional protection for valuable assets. HIDS can also help detect malicious activity from a compromised network host, such as a ransomware program spreading from an infected device.

Although NIDS and HIDS are the most common, security teams can utilize other IDSs as well.

Protocol-based IDS – PIDS monitors the protocols of connections between servers and devices. PIDS is often placed on web servers to monitor HTTP or HTTPS connections.

Application protocol-based IDS – APIDS operates at the application layer. APIDS is typically deployed between a web server and a SQL database to detect SQL injection.

Ways to bypass IDS

Common IDS evasion tactics include DDoS attacks, spoofing, fragmentation, and encryption.

DDoS attacks disable an IDS by flooding it with malicious traffic from multiple sources. When IDS resources are overwhelmed by false threats, hackers sneak in.

Spoofing – Spoofing IP addresses and DNS records to create the illusion that traffic is coming from a trusted source.

Fragmentation – splitting malware or other malicious data into small packets that hide the signature and avoid detection. By delaying packets or sending them out of order, hackers can prevent the IDS from reassembling them and detecting the attack.

Encryption – using encrypted protocols to bypass the IDS, with the expectation that the IDS does not have the corresponding decryption key.

IDS and other security solutions

IDS is not a standalone solution, but part of a holistic information security system. It is usually integrated with SIEM, IPS and firewalls.


IDS alerts are usually forwarded to the SIEM system. Integrating IDS with SIEM allows security teams to link alerts to IDS threat analytics and data from other tools, filter out false alarms, and prioritize incident remediation.


PS, like IDS, monitors network traffic for suspicious activity and intercepts threats in real time, automatically dropping connections or triggering other security tools.

IDS and IPS can be implemented as separate solutions or combined into a single Intrusion Detection and Prevention System (IDPS). It detects and logs intrusions, alerts security services and automatically responds to incidents.

IDS and firewalls

Firewalls act as barriers using predefined rule sets to allow or deny traffic. IDSs often sit alongside firewalls and help intercept malicious traffic. And some firewalls already have IDS and IPS features built in.

We use cookies to optimize site functionality and give you the best possible experience. To learn more about the cookies we use, please visit our Cookies Policy. By clicking ‘Okay’, you agree to our use of cookies. Learn more.