By: Victoria Gonzalez
An intrusion detection system (IDS) alerts an organization if any malicious activity is detected within its systems. Although the primary function of an IDS is to send an alert to the system administrator, an IDS can also take action on its own when malicious activity is detected, such as blocking incoming traffic on a computer (2). There are five types of IDS, which I will go over in the next sections.
The first type of IDS is the network intrusion detection system (NIDS), which monitors traffic through various sensors placed at points in the network (1). A NIDS can be modified by adding your own rules to the engine (2). With many NIDS, the provider of the system makes rules available that you can import into your system at your own convenience (2). Once you have become familiar with the rule syntax of the NIDS you have chosen, you will be able to create your own rules (2). Another key point to pay attention to is not to dump all your traffic into files or run the whole thing through a dashboard, because you will not be able to analyze all of that data (2). For example, if you have a rule for a type of HTTP traffic, your NIDS will be able to pick it up, store those HTTP packets, and display their characteristics (2). Although a NIDS is typically installed on a dedicated piece of hardware, some solutions come as a piece of network kit with the software pre-loaded onto it (2). These, however, are the high-end, paid-for enterprise solutions, and you usually do not have to pay much for the specialist hardware (2). A NIDS does require a sensor module to pick up traffic, which you can load onto a LAN module, or you can choose to allocate a computer to run the task (2). The main thing to remember is to make sure your piece of equipment is up to the task and has enough clock speed not to slow your network down (2). There are many pros and cons of owning a NIDS. The pros of owning a NIDS are that it provides IDS security across the entire network, it is relatively easy to secure and hide from intruders, it covers the parts of the network where traffic may be at its most vulnerable, and it can monitor up to an enterprise-size network (3).
Despite all of the pros of having a NIDS, there are some cons as well. For example, a NIDS is expensive to set up, it has trouble detecting threats within encrypted traffic, it does not typically fit with switch-based networks, and if a NIDS must monitor a busy network, the system can suffer in specificity and occasionally let a breach go unnoticed (3).
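To make the rule-matching and "store only what a rule catches" points concrete, here is a toy NIDS rule engine I added for this write-up; it is not code from any of the products the cited articles review, and the rules, addresses and packets are constructed. The port-443 packet shows the encrypted-traffic limitation: the same kind of request inside a TLS record matches no content rule.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Packet:
    src: str
    proto: str       # "tcp" or "udp"
    dst_port: int
    payload: bytes   # application-layer bytes as seen on the wire

@dataclass
class Rule:
    name: str
    proto: str
    dst_port: Optional[int] = None
    content: Optional[bytes] = None  # byte pattern that must appear in the payload

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return self.content is None or self.content in pkt.payload

def inspect(packets: List[Packet], rules: List[Rule]) -> Tuple[List[str], List[Packet]]:
    """Return (alerts, stored). A packet raises one alert for its first matching
    rule; only matched packets are kept, so the analyst is not handed a full dump."""
    alerts, stored = [], []
    for pkt in packets:
        for rule in rules:
            if rule.matches(pkt):
                alerts.append(f"{rule.name} from {pkt.src}")
                stored.append(pkt)
                break
    return alerts, stored

# Constructed rules: two kinds of plaintext HTTP request arriving on port 80.
RULES = [
    Rule("http-post-request", proto="tcp", dst_port=80, content=b"POST "),
    Rule("http-get-request", proto="tcp", dst_port=80, content=b"GET "),
]

# Constructed sample traffic, not a real capture. The port-443 packet is the same
# kind of request inside a TLS record, so the content rules cannot see it.
SAMPLE = [
    Packet("10.0.0.5", "tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Packet("10.0.0.7", "tcp", 80, b"POST /login HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Packet("10.0.0.9", "tcp", 443, b"\x17\x03\x03\x00\x2a\x8f\x1b\xe0\x44\x9d"),
]
```

Running `inspect(SAMPLE, RULES)` keeps two of the three packets and returns one alert line for each of them.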
The next type of IDS is the host intrusion detection system (HIDS), which is placed directly on devices to monitor traffic. A HIDS needs to include a control module if you don't want to have to log in to each host every time you need to get feedback (1). A HIDS examines events on a computer rather than the traffic that passes through a system. This type of intrusion detection system operates by looking at data in the administrative files on the computer it protects (2). A HIDS will also back up your configuration files so you can restore settings if a virus loosens the security of the system by changing the setup of your computer (2). A HIDS will not be able to block changes made with root access on Unix-like platforms or alterations on Windows systems; however, it should be able to alert you if these changes do occur (2). Every host that the HIDS monitors needs to have some software installed on it. You can get a HIDS to monitor just one computer; however, it is preferable to install HIDS on every device on your network (2). This is because you do not want to overlook configuration changes on any piece of equipment (2). If you have more than one HIDS host on your network, you do not have to log in to each one to get your feedback; you will be able to log in to just one (2). So, for a HIDS to be at its best, you need to look for a system that not only encrypts communications between host agents and the central monitor, but also includes a centralized control module (2). There are also pros and cons of having and maintaining a HIDS.
The pros of having a HIDS are that it offers deep visibility into a host device and its activity, it provides an excellent second line of defense against malicious packets that the NIDS may have failed to catch, it is effective at detecting and preventing software integrity breaches, it is far cheaper than setting up a NIDS, and it is better at analyzing encrypted traffic than a NIDS because it handles fewer packets (3). Despite the number of pros of having a HIDS, there are a number of cons as well. The cons of having a HIDS are that there is limited visibility, as the system can only monitor one device at a time; there is less available context for decision-making; it is more visible to attackers than a NIDS is; it is not good at detecting network scans or other network-wide surveillance attacks; and it is hard to manage for large companies, because the team needs to configure and handle information for every host that the HIDS is on (3).
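The two paragraphs above describe a HIDS that baselines administrative files, backs them up, and alerts (rather than blocks) when they change. The following is an added illustration of that cycle in Python, written for this page and not taken from any HIDS product; the `sshd_config` content, the "loosened" change and the directory layout are constructed, and the monitor assumes watched files have distinct names.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def file_hash(path: Path) -> str:
    """SHA-256 fingerprint of a file's current contents."""
    return hashlib.sha256(path.read_bytes()).hexdigest()

class ConfigMonitor:
    """Baseline the watched files, keep a backup copy, and report drift."""
    def __init__(self, watched, backup_dir):
        self.watched = [Path(p) for p in watched]   # assumes distinct file names
        self.backup_dir = Path(backup_dir)
        self.baseline = {}

    def take_baseline(self):
        self.backup_dir.mkdir(parents=True, exist_ok=True)
        for p in self.watched:
            self.baseline[p] = file_hash(p)
            shutil.copy2(p, self.backup_dir / p.name)

    def check(self):
        """One alert string per watched file that was modified or removed.
        The HIDS does not block the change; it only reports it."""
        alerts = []
        for p, expected in self.baseline.items():
            if not p.exists():
                alerts.append(f"MISSING {p.name}")
            elif file_hash(p) != expected:
                alerts.append(f"MODIFIED {p.name}")
        return alerts

    def restore(self, path) -> bool:
        """Roll a file back from the backup; True if it now matches the baseline."""
        p = Path(path)
        shutil.copy2(self.backup_dir / p.name, p)
        return file_hash(p) == self.baseline[p]

def demo():
    """Constructed scenario: a setting is loosened, detected, then rolled back."""
    with tempfile.TemporaryDirectory() as d:
        sshd = Path(d) / "sshd_config"
        sshd.write_text("PermitRootLogin no\nPasswordAuthentication no\n")
        mon = ConfigMonitor([sshd], Path(d) / "backup")
        mon.take_baseline()
        before = mon.check()
        sshd.write_text("PermitRootLogin yes\n")   # simulated hostile change
        during = mon.check()
        restored = mon.restore(sshd)
        return before, during, restored, mon.check()
```

`demo()` returns no alerts before the change, one `MODIFIED sshd_config` alert after it, and no alerts once the backup has been restored.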
The third type of IDS is the protocol-based intrusion detection system (PIDS), which monitors traffic flowing from devices (1). This is leveraged to secure users browsing on the internet (1). In the picture you can see that the PIDS is monitoring traffic flowing from different places.
The fourth is the application protocol-based intrusion detection system (APIDS), which is like a PIDS; however, the difference is that this system monitors traffic across a group of servers instead of just one (1). This is often leveraged on specific application protocols to monitor activity, helping network administrators better segment and classify their network monitoring activities (1). As you can see in the picture, there are two types of operation: capture test image and load test image. In the first operation, capture test image, you acquire a test image, which then goes into preprocessing, which leads to extracting SURF and ORB features, then to clustering, then to a trained algorithm, and then to the detected model, where the image is transformed. If there are no faults, that is the end of the process; however, if there are faults, you would need to focus on the ROI, which leads to processing for defects, and finally you would label the result a pass or fail, depending on whether the feature passes or fails. The load test image operation is practically the same process; however, instead of acquiring a test image, the process goes straight to preprocessing.
The fifth type of IDS is the hybrid intrusion detection system, which combines the previous systems and covers multiple systems in one interface. If you are stuck deciding whether you should get a NIDS or a HIDS, the answer is both. A NIDS will give you a lot more monitoring power than a HIDS (2). With a NIDS, you are able to intercept attacks as they happen, while with a HIDS, you are only able to notice something wrong with a file or setting on a device once it has already been changed (2). However, just because a HIDS doesn't have as much activity as a NIDS does not mean it is any less important (2). Because a NIDS is usually installed on a stand-alone piece of equipment, it doesn't drag down the processors on your servers the way a HIDS can (2). Although the activity of a HIDS is not as aggressive as that of a NIDS, a HIDS should not burn up too much CPU, and neither a NIDS nor a HIDS should generate extra network traffic (2).
There are many different types of intrusion detection systems (IDS) out there to help protect you and your software. The most important of the categories listed above are HIDS and NIDS. The IDS sends an alert to the security team so they can investigate and solve the problem. The main goal of an IDS is to track any abnormalities before hackers can complete their objective within the system, along with detecting what resources the attackers may have wanted to access, how they got past security controls, and what types of cyberattacks they initiated (1). The pros of a HIDS are that it offers an excellent line of defense if the NIDS fails to detect a breach in the network, it is far cheaper than setting up a NIDS, it is better at analyzing encrypted traffic than a NIDS, and more (3). The pros of having a NIDS are that it provides IDS security along the entire network, covers the parts of the network where traffic is most vulnerable, is easy to secure and hide from intruders, and more (3). Overall, having an intrusion detection system would work best when it comes to preventing hackers from attacking your software.
(1) Ledesma, Josue. "IDS vs. IPS: What Organizations Need to Know." Varonis, June 30, 2022.
(2) Cooper, Stephen. "Intrusion Detection Systems Explained: 14 Best IDS Software Tools Reviewed." Comparitech, May 6, 2022.
(3) Velimirovic, Andreja. "What Is an Intrusion Detection System?" phoenixNAP, September 2, 2021.
Figure: Hybrid of NIDS and HIDS