updated: 2022-04-02
* Intrusion Detection System
** Overview
An intrusion detection system (IDS) is a software agent, or a system of agents, that monitors a host or network for policy violations, security problems, or malicious activity. When it detects an issue, the IDS reports it to an administrator or to a security information and event management (SIEM) system.
IDS generally detect issues in one of two ways: signature based or anomaly based. Signature-based systems compare observed events against a library of known attack signatures. Anomaly-based detection compares current values against a baseline built from past values.
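As an added illustration (not part of the original notes), a small Python script applies both approaches to a handful of constructed log lines: a signature library of regular expressions, and an anomaly check that flags a failed-login rate exceeding a historical baseline. The rule names, sample lines, and baseline numbers are all made up for the demonstration.

```python
import re
import statistics
from collections import Counter

# Constructed sample log lines (not real data). Two events match a
# "known bad" pattern; one source also generates an unusual number of
# failed logins.
SAMPLE_LOG = [
    "10:00:01 sshd: Accepted publickey for alice from 192.0.2.10",
    "10:00:07 sshd: Failed password for root from 198.51.100.7",
    "10:00:09 httpd: GET /index.php?page=../../../../etc/passwd",
    "10:00:12 sshd: Failed password for root from 198.51.100.7",
    "10:00:15 sshd: Failed password for admin from 198.51.100.7",
]

# Signature-based: compare each event against a library of known patterns.
# Hypothetical rules; real rule languages (e.g. Snort's) are far richer.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./\.\./"),
    "root-login-attempt": re.compile(r"Failed password for root"),
}

def signature_alerts(lines):
    """Return (rule_name, line) for every line matching a known signature."""
    return [(name, line) for line in lines
            for name, rx in SIGNATURES.items() if rx.search(line)]

# Anomaly-based: compare a current measurement with a historical baseline.
# The metric here is failed logins per source address in the window.
def failed_logins_per_source(lines):
    return Counter(re.search(r"from (\S+)$", l).group(1)
                   for l in lines if "Failed password" in l)

def anomaly_alerts(current_counts, baseline_history, k=3.0):
    """Flag sources whose count exceeds mean + k*stdev of the baseline."""
    mean = statistics.mean(baseline_history)
    stdev = statistics.pstdev(baseline_history)
    threshold = mean + k * stdev
    return [src for src, n in current_counts.items() if n > threshold]

# Constructed baseline: failed logins per source per window on quiet days.
BASELINE = [0, 1, 0, 0, 1, 0, 0, 0, 1, 0]

if __name__ == "__main__":
    for name, line in signature_alerts(SAMPLE_LOG):
        print(f"SIGNATURE {name}: {line}")
    for src in anomaly_alerts(failed_logins_per_source(SAMPLE_LOG), BASELINE):
        print(f"ANOMALY: unusual failed-login rate from {src}")
```

Note that the signature rules miss the `admin` login attempt entirely, while the anomaly check catches the source only because it departs from the baseline; this is why the two approaches are usually deployed together.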
** Intrusion Prevention Systems
Additionally, an IDS can be extended into an intrusion prevention system (IPS). Such systems take action when an issue is detected: for example, restoring files whose checksum (CRC) no longer matches the baseline, or blocking an IP address or range of addresses while an attack is occurring.
** Limitations
There are a number of limitations to IDS:
- IDS can be noisy, making it difficult to find actual problems;
- There is a lag between threat discovery and the signature being added to the IDS;
- Encrypted packets are not usually inspected;
- A network IDS (NIDS) has the same limitations as any network software, and as such can fall prey to network attacks such as DDoS.
** Implementations
*** Free and OSS
AIDE, Snort, OSSEC, Suricata
*** Paid
Alert, Trend Micro, Cloudaware IDS