enterprise security

SecurityTrails Blog · Jul 20 · by Sara Jelen

Intrusion Detection Systems: Types, Detection Methods and Challenges

Reading time: 12 minutes
Listen to this article

For years now, network security has been one of the main investments organizations of all sizes make to protect their networks, users and data.

Much of this focus has come about to address the sheer volume and sophistication of cyber threats in today’s landscape. The rise of malicious actors seeking to compromise data, steal information, disrupt services and cause damage has led to the implementation of numerous defense strategies, practices and technologies.

Encrypting data, using firewalls to prevent unauthorized traffic entering the network, employing antimalware solutions and a variety of other tools are upheld as a standard for more or less every organization, and are used to detect cyber attacks and ultimately stop them. Another tool that is just as universal is the IDS, or intrusion detection system. Next to packet analysis, log aggregation, proxy firewalls and similar blue team tools, IDS is an indispensable tool for defense teams to detect and prevent attacks.

Intrusion detection systems have been around for decades, and while they’ve gone through many iterations and innovative advancements, the IDS still stands as a fundamental part of good cyber hygiene. Just as a home alarm system is designed to alert you to an intruder’s attempt at breaking in, an IDS will in the same way monitor network traffic and notify you of suspicious activity.

In this post we’ll explore the history and concept of intrusion detection, its importance in network security, the different types and detection methods of IDSs, as well as some of the challenges they face that may require solving with next-gen technologies.

Concept of intrusion detection

The earliest concept of intrusion detection systems was set forth in 1980 by James Anderson at the NSA with his “Computer Security Threat Monitoring and Surveillance” report. Then, in 1986, Dorothy E. Denning wrote “An Intrusion-Detection Model“—an academic paper that shaped the foundation for many systems still in use today. The model presented in the paper was used to develop the Intrusion Detection Expert System, or IDES.

The IDES model detected behaviour patterns of a potential intruder by using statistics for anomaly detection based on profiles of users, host systems, and target systems.

From the 1980s all the way to the early 2000s, IDS was considered a security best practice. But, at that time, the noisy and turbulent nature of networks led to many false positives from IDS, labeling it unreliable in the eyes of many.

In recent years, however, their dominance and the challenges of cloud computing have shined a new light on intrusion detection systems, a longtime staple of enterprise security. And while many organizations invest in proactive security measures and other preventative strategies, they can still fail. Detecting attacks that may occur afterwards remains crucial.

What are intrusion detection systems?

The term IDS itself refers to the processes used for the detection of unauthorized access to and intrusive activities on a network. An intrusion detection system, therefore, is a tool that monitors network traffic for potential intrusions that may indicate malicious activity or a breach of policies.

Intrusions in this sense can be defined as any type of unauthorized access with the potential to harm the confidentiality, integrity and availability of data. An IDS issues alerts when such activity is discovered, which is then either reported to an admin or collected through a security information and event management system (SIEM).

Often compared and confused with a firewall, an IDS doesn’t sit on the perimeter of a network and monitor traffic with the goal of determining what should be allowed into the network the way a firewall does. An IDS is ideally placed at strategic points within a network, where it monitors and analyses traffic to and from endpoints on the network to detect any malicious activity.

This allows an IDS to act as a second layer of security, in case a threat slips through the firewall, as well as in cases of threats that originated inside the network. A good analogy would be thinking of the firewall as the front door of your house, allowing or blocking what’s going in and coming out, and the IDS would be the security camera watching the door.

It’s also important to differentiate between IDSs and IPSs, or intrusion prevention systems. Whereas an IDS is concerned with informative and reactive intrusion detection, an IPS is a preventative measure that prevents threats before they reach the network. We’ll be exploring IPSs a bit more in the future.

Types of intrusion detection systems

Intrusion detection systems come in different variations and can detect suspicious activity using different methods and capabilities. Usually, the different flavors of IDSs can be classified by five types:

Types of intrusion detection systems

Network intrusion detection system (NIDS)

A network intrusion detection system (NIDS) is set up across the network, on tactical points, where it monitors inbound and outbound traffic to and from all devices on a network. It examines traffic and matches it with indicators of known attacks. When anomalous activity is detected, an alert is generated for the incident to be examined further.

Host intrusion detection system (HIDS)

A host intrusion detection system (HIDS) runs on all of a network’s hosts and devices that have access to the internet as well as the internal network. It monitors the operations of individual hosts and tracks the status of all files on an endpoint and detects any activity, such as deletion or modification of system files. An HIDS also scans all data packets that are sent to or from an endpoint, meaning it can detect suspicious activity that originates inside an organization, an important capability to aid in the prevention of insider threats.

Protocol-based intrusion detection system (PIDS)

A protocol-based intrusion detection system (PIDS) is typically deployed on a web server and is used to monitor and analyze communication between devices on a network and online resources, as it scans data transmitted over HTTP/HTTPS.

Application protocol-based intrusion detection system (APIDS)

An application protocol-based intrusion detection system (APIDS) monitors the communication between users and applications. It monitors the packets transmitted over application-specific protocols and identifies instructions, tracing it to individual users.

Hybrid intrusion detection system

A hybrid intrusion detection system is defined exactly as its name implies: it’s a combination of two or more types of IDSs. In the hybrid type, the capabilities of two systems—host- and network-based IDSs for example—are combined, rendering it more effective than any single type of IDS.

Intrusion detection systems are also categorized as active or passive:

  • An active IDS is also known as an intrusion detection and prevention system (IDPS). Not only is it configured to monitor traffic and detect anomalous behavior, it is also automated to block any suspected attacks with blocking IPs or by restricting access to sensitive resources without any need for admin involvement.
  • A passive IDS only monitors and analyzes network traffic and alerts an admin to a potential attack. It doesn’t have the ability to perform any blocking or preventative activity on its own.

IDS detection methods

An IDS detects suspicious activity by using these two methods:

Signature-based intrusion detection system (SIDS)

A signature-based intrusion detection system (SIDS), also known as a knowledge-based IDS, identifies active instructions by monitoring packets travelling through the network and comparing them against a database of known system vulnerabilities and their attributes. SIDSs look for specific patterns such as number of bytes or known malicious instruction sequences, with the detected patterns (something originating from antivirus software) known as signatures. Because IDSs can only detect known attacks, it’s important to continuously update signatures, but that still won’t allow protection from zero-day threats.

Anomaly-based intrusion detection system (AIDS)

An IDS that is anomaly-based (AIDS)—or behaviour-based—was introduced to fill the gaps left by SIDS and present a newer technology that detects unknown attacks to keep up with the speed at which new malware and threats are developed. Instead of monitoring network traffic and comparing it to a database of known attacks, AIDS establishes a baseline of normal and trustworthy network activity and compares it with traffic to identify anomalies.

While in comparison with signature-based IDSs they can adapt to the changing internal IT and external threat landscape, they can suffer from their own challenges. These challenges come in the form of false positives: accidentally classifying unknown and legitimate activity as malicious, then needlessly spending the time and resources allocated to investigating it.

Benefits of intrusion detection systems

Every day, new techniques and malware are developed to break into systems and networks, and obtain, steal and leak sensitive information, with cybercriminals continually finding new ways to breach our defenses. This is why the implementation of an IDS is a crucial and foundational part of any good security infrastructure. Combining different types of IDSs and different methods of detection can allow it to evolve with the IT environment it monitors along with the threats and attacks lurking outside.

There are some distinct benefits to IDSs:

Benefits of intrusion detection systems

Identify security risks

An IDS tool, by identifying intrusions and security incidents, can help you understand the security risks that your organization is facing, as well as their quantity and level of sophistication. It can also identify problems with your network device configuration and provide valuable metrics that can be used to further inform incident response policies.

Improve security controls

Maintaining a healthy knowledge and understanding of cyber security risks is necessary to establish and improve cyber security policies and strategies that evolve as the threat landscape changes. Analyzing the quantity and types of attacks your organization faces can help it implement more effective security controls and prevent future attacks more efficiently.

Regulatory compliance

As the number of regulatory policies organizations must comply with grows, and across a wide range of industries, having a tool that empowers and simplifies the process of meeting those regulations is crucial. IDSs can help by providing visibility into the network, while generating and storing logs that form an important part of any documentation maintained for compliance audits.

Better response time

While we mentioned that IDS solutions can be used to inform better incident response practices, it’s also important to emphasize its ability to boost response time to security incidents. Not only are alerts generated immediately whenever an IDS detects anomalous behaviour while monitoring network packets on hosts and devices, but the IDS can also inspect information in those packets, collecting valuable data efficiently and promptly.

Challenges of intrusion detection systems

As the IDS presents a technology with a long history, it’s bound to have some challenges that don’t mesh well with the modern IT environment. It’s been around for so long, malicious attackers have devised evasion techniques to trick IDS solutions into missing intrusion. Even many online vulnerability scanners such as Nikto incorporate IDS evasion techniques.

These IDS evasion techniques include:

  • Fragmentation: This is a basic technique that splits the attack payload by fragmenting it into multiple packets to stay under the radar. While merely being small packets doesn’t allow them to evade an IDS, modifying them to require complicated reassembly will help them avoid detection. One way fragmentation is implemented is to add pauses during the sending of other parts of the payload, in the hope that the IDS will time out. Other ways involve sending packets in such a way that one fragment overwrites data from a previous packet, and by sending packets in incorrect order—to confuse the IDS but not the target host.

  • Obscurity: This IDS evasion technique involves the deliberate manipulation of protocols to use different ports. If the IDS doesn’t handle these protocol transgressions in a way the target host does, it will miss detection of the intrusion.

  • Low-bandwidth attacks: Attackers can coordinate an attack spread across a large number of sources, and over a long period of time it can imitate benign traffic and noise such as that produced by online scanners, thereby avoiding IDS detection. This technique works by making it challenging for the IDS to correlate all packets and make the distinction of whether this is benign or malicious scanning activity.

Besides the evasion techniques that have been known and used for decades, there are still other challenges innate to IDS technology. Firstly, they are prone to false alarms, or the lack thereof. The main weaknesses of IDSs are false positives and false negatives. False positives contribute to the noise that can severely impact the effectiveness of an IDS and sometimes even entire analyst teams and security operations centers (SOC). A high false positive rate can lead to alert fatigue in security teams, opening the doors to real threats that slip through all the noise, dangerously unnoticed.

False positives, while potentially disruptive, aren’t truly able to cause the same damage that false negatives can. A false negative, in this case, is when an IDS misses an intrusion and deems it trustworthy. With a false negative, security teams have no indicators of attack and aren’t even aware that an intrusion has occurred until the network has already suffered real damage. And false negatives are a big problem with malware and attack techniques becoming more sophisticated—for example, a new type of malware can exhibit no previously observed patterns of behavior, allowing it to avoid IDS detection. Thus, for an IDS to be truly effective, a constantly changing database of signatures is needed to guard against leaving a network vulnerable to novel threats.

Conclusion

Intrusion detection systems represent a technology that has been with us for decades, with some of the first systems’ foundational outlines still present, in some way, in today’s more modern solutions. While flawed and challenged by shortcomings in its detection methods and functionalities, the IDS remains an important part of any cybersecurity architecture. Just as with many security solutions and technologies, an IDS shouldn’t be a simple “install and you’re done” proposition, but should be fine-tuned and properly configured to differentiate normal traffic from that which is potentially malicious, and continuously updated to keep up with today’s ever-evolving security threats.

Sara Jelen Blog Author
SARA JELEN

Sara believes the human element is often at the core of all cybersecurity issues. It’s this perspective that brings a refreshing voice to the SecurityTrails team. Her ability to bridge cognitive/social motivators and how they impact the cybersecurity industry is always enlightening.