updated: 2022-04-02

* Intrusion Detection System

** Overview

An intrusion detection system (IDS) is a software agent, or a system of agents, that monitors a host or a network for policy violations, security problems, or malicious activity. On detecting an issue, the IDS reports it to an administrator or to a security information and event management (SIEM) system.

An IDS generally detects issues in one of two major ways: signature based or anomaly based. Signature-based systems compare observed traffic or system events against a library of known attack signatures. Anomaly detection compares current values against a baseline built from past values and flags significant deviations.
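The two detection styles side by side, as an added example that is not part of the original page and does not reproduce any named product's rule set. The log lines, the two signatures (a SQL tautology and a directory-traversal pattern) and the per-client request counts are all constructed for the demonstration; the anomaly detector uses a simple z-score against the client's own past intervals, which is one of several possible baseline methods.

```python
"""Toy signature-based and anomaly-based detectors over constructed log lines.

Added example, not code from the page. Signatures and the z-score threshold
are illustrative, not a production rule set.
"""
import re
from collections import Counter
from statistics import mean, pstdev
from urllib.parse import unquote

# Constructed sample access log: "<client_ip> <method> <url-encoded path>"
SAMPLE_LOG = [
    "10.0.0.5 GET /index.html",
    "10.0.0.5 GET /about.html",
    "10.0.0.9 GET /login?user=admin'%20OR%20'1'%3D'1",
    "10.0.0.7 GET /../../etc/passwd",
    "10.0.0.5 GET /contact.html",
]

# Signature rules (constructed): rule name -> regex applied to the decoded path.
SIGNATURES = {
    "sql_injection_tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "path_traversal": re.compile(r"(\.\./){2,}"),
}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def parse_line(line):
    """Split one log line into ip/method/path; the path is URL-decoded so that
    percent-encoding cannot hide a pattern from the signature match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group(1), "method": m.group(2), "path": unquote(m.group(3))}


def signature_alerts(lines):
    """Signature detection: return (ip, rule_name) for each line matching a known-bad pattern."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["path"]):
                alerts.append((rec["ip"], name))
    return alerts


def requests_per_client(lines):
    """Count requests per client for one observation interval."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[rec["ip"]] += 1
    return counts


def anomaly_alerts(history, current, z_threshold=3.0):
    """Anomaly detection: flag clients whose current request count is far above
    their own past intervals. history is a list of per-interval Counters;
    current is the Counter for the interval under test."""
    alerts = []
    for ip, count in current.items():
        past = [interval.get(ip, 0) for interval in history]
        mu, sigma = mean(past), pstdev(past)
        if sigma == 0:
            sigma = 1.0  # flat (or empty) history: treat every extra request as one deviation
        z = (count - mu) / sigma
        if z > z_threshold:
            alerts.append((ip, count, round(z, 2)))
    return alerts


if __name__ == "__main__":
    print("signature alerts:", signature_alerts(SAMPLE_LOG))
    past_intervals = [Counter({"10.0.0.5": 10, "10.0.0.9": 2}),
                      Counter({"10.0.0.5": 12, "10.0.0.9": 3}),
                      Counter({"10.0.0.5": 11, "10.0.0.9": 2})]
    now = Counter({"10.0.0.5": 11, "10.0.0.9": 120})  # constructed burst from one client
    print("anomaly alerts:", anomaly_alerts(past_intervals, now))
```

The signature path fires only on the two lines carrying a known pattern; the anomaly path fires on the client whose count jumps from two or three requests to 120, regardless of what those requests contain. A real deployment combines both and, as the Limitations section notes, spends much of its effort tuning the thresholds so the anomaly side does not drown the analyst in noise.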

** Intrusion Prevention Systems

Additionally, an IDS can be extended into an intrusion prevention system (IPS). These systems take action when an issue is detected: for example, they can restore files when a checksum (CRC) difference is found, block an IP address or range of addresses while an attack is occurring, and so on.
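A host-side integrity check with a restore action, as an added example that is not part of the original page and is not the implementation of AIDE, OSSEC or any other listed product. It builds a hash baseline of a directory, reports modified, added and removed files (the detection step), and then overwrites modified files from a trusted copy (the prevention step the text describes). SHA-256 is used in place of a CRC because a CRC is an error-detection code, not a tamper-evident one: a file can be altered while its CRC is kept unchanged. The directory layout and file contents in `demo()` are constructed for the example.

```python
"""File-integrity check with an IPS-style restore action.

Added example, not the page's own code or any named product's implementation.
"""
import hashlib
import os
import shutil
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = _sha256(full)
    return baseline


def check_integrity(root, baseline):
    """Detection step: compare the tree's current digests with the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def restore_modified(root, trusted_copy, report):
    """Prevention step: overwrite each modified file from a trusted copy taken at
    baseline time. Added files are reported but deliberately left for a human,
    since deleting unknown files automatically is itself a risky action."""
    restored = []
    for rel in report["modified"]:
        shutil.copy2(os.path.join(trusted_copy, rel), os.path.join(root, rel))
        restored.append(rel)
    return restored


def demo():
    """Self-contained run on a constructed tree: baseline, tamper, detect, restore, re-check."""
    work = tempfile.mkdtemp()
    monitored = os.path.join(work, "conf")
    trusted = os.path.join(work, "trusted")
    os.makedirs(monitored)
    with open(os.path.join(monitored, "app.conf"), "w") as f:
        f.write("debug = off\n")
    with open(os.path.join(monitored, "hosts"), "w") as f:
        f.write("127.0.0.1 localhost\n")
    shutil.copytree(monitored, trusted)      # trusted copy kept alongside the baseline
    baseline = build_baseline(monitored)

    with open(os.path.join(monitored, "app.conf"), "w") as f:   # constructed tampering
        f.write("debug = on\n")
    with open(os.path.join(monitored, "unexpected.sh"), "w") as f:
        f.write("echo constructed\n")

    before = check_integrity(monitored, baseline)
    restored = restore_modified(monitored, trusted, before)
    after = check_integrity(monitored, baseline)
    shutil.rmtree(work)
    return before, restored, after


if __name__ == "__main__":
    before, restored, after = demo()
    print("detected:", before)
    print("restored:", restored)
    print("after restore:", after)
```

The baseline and the trusted copy have to live somewhere the monitored host cannot rewrite (read-only media or a separate host), otherwise an intruder who can alter the files can alter the reference as well; that placement, not the hashing, is what makes the check trustworthy.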

** Limitations

There are a number of limitations to IDS:

  • An IDS can be noisy, making it difficult to find actual problems;
  • There is a lag between a threat being discovered and its signature being added to the IDS;
  • Encrypted packets are not usually inspected;
  • A network IDS (NIDS) has the same limitations as any network software, and as such can itself fall prey to network attacks such as DDoS.

** Implementations

*** Free and OSS

AIDE, Snort, OSSEC, Suricata

*** Paid

Alert, Trend Micro, Cloudaware IDS