Intrusion Detection System (IDS)

A network intrusion detection system (IDS) is a cybersecurity solution designed to identify potential intrusions and generate alerts about them. An IDS monitors network traffic and raises an alert when suspicious activity or a known threat signature is discovered. IDSs are valuable security tools that accelerate the identification and remediation of potential threats, but they are not standalone solutions and must be deployed within a broader security framework.


What is an Intrusion Detection System (IDS)?

How an IDS Works

An IDS can be deployed as either:

  • A network-based solution
  • A host-based solution

In either deployment location, the IDS monitors network traffic and other activity for malicious behavior in order to identify potential intrusions and other threats against the monitored network or device. An IDS can use several different means to identify potential threats, including:

  • Signature-based: Signature-based detection mechanisms look for known threats using unique identifiers. For example, an IDS may hold a library of malware hashes that it uses to identify known malware attempting to enter the protected system.
  • Anomaly-based: Anomaly-based detection relies on building a model of normal behavior within the network or protected device. It then looks for deviations from this norm that may indicate a cyberattack or other incident.

Why use an Intrusion Detection System (IDS)?

Cyberattacks have reached record levels in recent years. Data from the Identity Theft Resource Center found that data breaches in 2024 were the second highest on record, behind only 2023. But, while the number of data breaches remained roughly the same in 2024 as in 2023, the number of victims increased significantly, with attacks affecting many more people.

Data breaches and unauthorized access to your corporate network can have significant consequences, including:

  • Financial costs
  • Reputational damage
  • Loss of customers

Organizations must develop robust security strategies to protect their corporate data. There are many methods attackers use to target corporate networks.

With attack vectors such as phishing and other social engineering attacks, unsecured endpoints, software application vulnerabilities, SQL injection, cross-site scripting, insider threats, and more continuously targeting enterprise IT, security teams need tools to monitor network traffic and automate intrusion detection.

An IDS monitors networks for suspicious behavior that needs to be escalated through further investigation or immediate preventative measures (blocking traffic, quarantining files, etc.). IDSs also support compliance by protecting your data and providing reporting.

While generally seen as an incident response trigger, IDSs also provide valuable data about your networks to help identify vulnerabilities and prevent attacks.

The 8 Types of Intrusion Detection Systems

There are many types of intrusion detection systems, from simple antivirus applications to comprehensive monitoring systems that cover your entire organization, and from cloud-based intrusion detection and local on-premises systems to software installed on endpoints and physical hardware placed throughout the network.

The most common ways of distinguishing between the different types of intrusion detection systems are where they are located in the network, and the method by which they identify potential threats.

Network Location

The two most common types of intrusion detection systems based on network location are Network Intrusion Detection Systems (NIDS) and Host-based Intrusion Detection Systems (HIDSs).

Network Intrusion Detection Systems

NIDSs are most commonly positioned at the network perimeter behind firewalls to flag inbound and outbound traffic. However, they can also be used more centrally to target insider threats or compromised accounts. NIDSs are often “out of band” to monitor traffic without impacting network performance.

This means they copy data packets for inspection rather than analyze the original.

Host-Based Intrusion Detection Systems

HIDSs are positioned at specific endpoints (e.g., router, server, etc.) and only monitor traffic passing through the device. HIDSs are often used to periodically monitor vital operating systems, looking for suspicious activities such as edited log files or configuration changes.

It is not uncommon for security teams to rely on both NIDSs and HIDSs, utilizing NIDSs for big-picture information on the entire network and HIDSs for detailed data on the most important systems.

Other types of IDS include:

  • Protocol-based Intrusion Detection System (PIDS): Tracks connection protocols such as HTTP or HTTPS.
  • Application Protocol-based Intrusion Detection System (APIDS): Monitors application-specific protocols, for example, protecting against SQL injections.

Detection Method

The two main types of intrusion detection systems based on detection methods are signature and anomaly approaches.

Signature-Based IDS

As attack vectors are identified and studied, we are able to identify the specific patterns they follow.

These are known as signatures, and signature-based IDSs inspect network traffic to identify the patterns associated with potential threats.

To implement signature-based detection, the IDS requires an up-to-date threat database containing the latest known attack signatures. This approach is inherently more reactive. It requires that threats be observed and their signatures be identified and input into security tool databases.

You are susceptible to new attacks and must regularly update your IDS to ensure the best protection.

Anomaly-Based IDS

In contrast, anomaly-based methods take a more proactive approach to IDS, identifying any suspicious activity regardless of whether it follows a previously seen threat.

Anomaly-based IDS uses machine learning behavioral analysis to monitor your network and develop a model for normal network activity. By learning what safe network traffic looks like, the technology can identify instances that deviate from the model, potentially signaling an attack.

As it is based purely on identifying real-time anomalous behavior, not known signatures, this approach can catch new threats like zero-day exploits. 

But, the quality of anomaly-based IDS depends on how it is implemented. The method can be prone to sending false positives that incorrectly class behavior as suspicious and waste the time and resources of security teams. Taking into account contextual information can improve performance, providing a better understanding of normal activities and reducing the rate of false positives.
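To make the signature-based and anomaly-based methods of this section concrete, here is an added Python example (not code from the page or from any vendor product). The record format, the signature library (one payload hash and two regular-expression rules), and the traffic are all constructed for the example: the signature detector URL-decodes each request and matches it against the library, while the anomaly detector learns a per-source request-rate baseline from benign traffic and flags sources that later exceed the mean plus three standard deviations.

```python
"""Added example (not from the page): a toy IDS applying signature-based and
anomaly-based detection to constructed web-access records of the form
"<timestamp> <source-ip> <request-path>"."""
import hashlib
import re
import statistics
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# --- Signature-based detection (constructed signature library) -------------
# Hash signatures: digests of payloads observed in earlier incidents.
KNOWN_BAD_HASHES = {hashlib.sha256(b"<script>alert(1)</script>").hexdigest()}
# Pattern signatures: hypothetical rules, not a vendor ruleset.
PATTERN_SIGNATURES = [
    ("sqli-union", re.compile(r"union\s+select", re.IGNORECASE)),
    ("path-traversal", re.compile(r"(\.\./){2,}")),
]

LINE_RX = re.compile(r"^(?P<ts>\d+) (?P<src>\S+) (?P<path>\S+)$")


def parse(line):
    m = LINE_RX.match(line)
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    return m.group("ts"), m.group("src"), m.group("path")


def signature_hits(path):
    """Names of signatures matched by one request path. The path is URL-decoded
    first so percent-encoding cannot hide a known pattern from the matcher."""
    decoded = unquote_plus(path)
    hits = []
    for _name, value in parse_qsl(urlsplit(decoded).query, keep_blank_values=True):
        if hashlib.sha256(value.encode()).hexdigest() in KNOWN_BAD_HASHES:
            hits.append("known-hash")
    hits.extend(name for name, rx in PATTERN_SIGNATURES if rx.search(decoded))
    return hits


# --- Anomaly-based detection -------------------------------------------------
class RateBaseline:
    """Learn requests-per-source from benign traffic, then flag sources that
    exceed mean + k standard deviations in a later window. The floor of 1.0 on
    the deviation avoids a near-zero threshold for a perfectly uniform baseline."""

    def __init__(self, k=3.0):
        self.k, self.mean, self.stdev = k, 0.0, 0.0

    def fit(self, lines):
        counts = Counter(parse(l)[1] for l in lines)
        self.mean = statistics.mean(counts.values())
        self.stdev = statistics.pstdev(counts.values())

    def anomalous_sources(self, lines):
        counts = Counter(parse(l)[1] for l in lines)
        threshold = self.mean + self.k * max(self.stdev, 1.0)
        return sorted(src for src, n in counts.items() if n > threshold)


def run_ids(train, window):
    """Train the anomaly model on benign traffic, then run both detectors."""
    model = RateBaseline()
    model.fit(train)
    signature_alerts = []
    for line in window:
        _ts, src, path = parse(line)
        hits = signature_hits(path)
        if hits:
            signature_alerts.append((src, hits))
    return {"signature": signature_alerts, "anomaly": model.anomalous_sources(window)}


# --- Constructed sample traffic ------------------------------------------------
def _lines(src, n, path="/index.html", start=0):
    return [f"{start + i} {src} {path}" for i in range(n)]


TRAIN = (_lines("10.0.0.5", 5) + _lines("10.0.0.6", 6)
         + _lines("10.0.0.7", 4) + _lines("10.0.0.8", 5))
WINDOW = (_lines("10.0.0.5", 5, start=1000)
          + _lines("10.0.0.9", 30, "/search?q=x", start=1010)  # request burst
          + ["1100 10.0.0.7 /search?q=1'%20UNION%20SELECT%20password%20FROM%20users",
             "1101 10.0.0.8 /files?name=../../../../etc/passwd",
             "1102 10.0.0.6 /comment?text=%3Cscript%3Ealert(1)%3C%2Fscript%3E"])

if __name__ == "__main__":
    print(run_ids(TRAIN, WINDOW))
```

The `k` multiplier is where the false-positive trade-off discussed above lives: a lower value catches subtler deviations but flags more benign sources, and the baseline has to be retrained as normal traffic changes, otherwise yesterday's legitimate growth becomes today's anomaly.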

Other Detection Methods

Other types of intrusion detection systems incorporate lesser-used detection methods, such as:

  • Reputation-based detection: Blacklists specific IP addresses and domains known for malicious activities and blocks all traffic from them.
  • Stateful protocol analysis: Blocks traffic depending on protocol behavior. For example, blocking an IP address that makes a large number of requests in a short period to prevent denial-of-service attacks.
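The two methods above, a reputation lookup and a stateful rate check, as an added Python example that is not part of the original page. The blocklist entries are RFC 5737 documentation addresses standing in for a threat-intelligence feed, the events are constructed (timestamp, source) pairs, and the limit of 20 requests per 10-second sliding window is an arbitrary threshold chosen for the example.

```python
"""Added example (not from the page): a reputation-based blocklist check and
a stateful per-source request-rate check over constructed events."""
import ipaddress
from collections import defaultdict, deque


class ReputationList:
    """Blocklist of individual addresses and networks (a threat-intel feed)."""

    def __init__(self, entries):
        self.networks = [ipaddress.ip_network(e, strict=False) for e in entries]

    def is_listed(self, src):
        ip = ipaddress.ip_address(src)
        return any(ip in net for net in self.networks)


class RateTracker:
    """Stateful check: more than `limit` events from one source within
    `window` seconds. Keeps only the timestamps still inside the window."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.history = defaultdict(deque)  # src -> recent timestamps

    def observe(self, ts, src):
        q = self.history[src]
        q.append(ts)
        while q and ts - q[0] > self.window:  # evict timestamps older than the window
            q.popleft()
        return len(q) > self.limit


def evaluate(events, blocklist, limit=20, window=10):
    """Verdict per event: 'blocked-reputation', 'blocked-rate', or 'allow'."""
    rep = ReputationList(blocklist)
    rate = RateTracker(limit, window)
    verdicts = []
    for ts, src in events:
        if rep.is_listed(src):
            verdicts.append((ts, src, "blocked-reputation"))
            continue  # listed sources never count toward rate state
        verdicts.append((ts, src, "blocked-rate" if rate.observe(ts, src) else "allow"))
    return verdicts


# Constructed blocklist: documentation ranges, not real malicious addresses.
BLOCKLIST = ["198.51.100.0/24", "203.0.113.7"]


def demo():
    events = [(0, "192.0.2.10"), (1, "203.0.113.7"), (2, "198.51.100.42")]
    events += [(5 + i * 0.1, "192.0.2.50") for i in range(25)]  # 25 requests in 2.5 s
    events += [(30, "192.0.2.50")]  # much later: the window has slid, so allowed again
    return evaluate(events, BLOCKLIST, limit=20, window=10)


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The sliding window is what makes the check stateful: the verdict for one packet depends on what the same source did in the preceding seconds, not on the packet alone. Note that the reputation check runs first, so a listed source is blocked before it can consume rate-tracking memory.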

The 7 Most Common Challenges of IDS

An IDS can be a valuable component of an enterprise security architecture. However, organizations commonly face the following challenges when using an IDS:

  1. Incorrect detections: An IDS can use a combination of signature and anomaly detection mechanisms, and both can make mistakes if the firewall design is not hardened. Signature detection is prone to false negatives when a new malware variant has no signature in the database. Anomaly detection can produce false positives when a benign anomaly is misclassified as a potential threat.
  2. Alert volume: A poorly designed IDS often generates a large volume of alerts that security staff must sift through and triage. Security teams can easily be overwhelmed, and if many alerts are false positives, they may start ignoring them and miss intrusions.
  3. Alert investigation: IDS alerts often provide basic information about a security incident but may lack important context. As a result, security staff may spend significant time and effort investigating and understanding an alert before triggering incident response or dismissing it as a false positive.
  4. No threat prevention: An IDS is designed to identify potential threats and alert the security team about them. It cannot actually prevent threats, leaving a window in which an attack can hit the organization before manual response operations are triggered. If an alert is missed or ignored, the security team may not respond to the incident at all.
  5. Alert fatigue: An IDS is designed only to alert the organization. Without the automated response of an integrated IDS+IPS (Intrusion Prevention System), security teams carry a higher workload, and these teams often routinely ignore or mute alerts because there is simply too much "data" to investigate.
  6. Configuration and maintenance: To properly identify potential security risks, an IDS must be properly deployed, configured, and maintained. This requires specialized expertise and resources that could be used elsewhere.
  7. Resource requirements: An IDS can consume significant resources to identify threats, especially with a large signature dictionary or advanced anomaly detection algorithms. This can degrade system performance or introduce delays if the IDS is deployed inline. In addition, signature libraries must be updated frequently to identify the latest threats.

Intrusion Detection System (IDS) vs. Intrusion Prevention System (IPS)

As noted, an IDS only generates alerts. It does not intercept or block threats.

A similar security tool that provides additional capabilities is an Intrusion Prevention System (IPS), which identifies potential threats and automatically intercepts them. This could be directly responding via blocking traffic or indirectly responding by activating other tools.

These systems accelerate threat response even more than an IDS, preventing attacks before they have a chance to infiltrate your network. But, automated responses mean that false positives will block legitimate traffic, impacting operations. IDS vs. IPS creates a trade-off between the speed of protection and blocking legitimate traffic, between security and usability.

Challenges and Limitations of IDS

While IDSs offer a range of threat protection benefits, implementation challenges and performance limitations exist. These include:

  • Slowing down network performance by inspecting traffic.
  • Complex installation and determining the optimal implementation in terms of IDS solution types.
  • Regular updates and maintenance to ensure your IDS has the latest signatures and provides comprehensive coverage.
  • Implementation requires a lot of work for a detection system that doesn’t prevent attacks by itself.
  • False positives waste IT resources that could be spent investigating genuine threats and potentially lead to alert fatigue and underestimating real attacks.

There are also specific evasion tactics attackers can utilize to bypass IDSs. Methods include:

  • A Distributed Denial-of-Service (DDoS) attack is used as a decoy to take IDSs offline, followed by a genuine attack once defenses are down.
  • Obscuring malware signatures through fragmentation and finding inventive ways to split the payload across different packets.
  • Bypassing IDSs by using encrypted protocols.
  • Address spoofing or proxy servers are used to hide the source of traffic.
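The fragmentation evasion listed above, viewed from the detection side as an added Python example (not code from the page): a signature split across two TCP segments that also arrive out of order is invisible to a matcher that inspects each segment separately, and visible once the IDS reassembles the stream in sequence order. The segments and the test signature are constructed; sequence numbers are relative to the start of the stream.

```python
"""Added example (not from the page): why an IDS must reassemble a stream
before signature matching. Segments and the test signature are constructed."""
import re

PATTERN = re.compile(rb"union\s+select", re.IGNORECASE)  # constructed test signature


def match_per_segment(segments):
    """Naive matcher: inspects each segment payload in isolation."""
    return any(PATTERN.search(payload) for _seq, payload in segments)


def reassemble(segments):
    """Order segments by sequence number and stitch them into one byte stream.
    Retransmitted or overlapping bytes are resolved by keeping the first copy;
    a gap (missing segment) raises rather than silently matching on partial data."""
    stream = bytearray()
    next_seq = None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if next_seq is None:
            next_seq = seq
        if seq + len(payload) <= next_seq:
            continue  # pure retransmission, nothing new
        if seq < next_seq:
            payload = payload[next_seq - seq:]  # overlap: drop already-seen bytes
            seq = next_seq
        elif seq > next_seq:
            raise ValueError(f"gap in stream at seq {next_seq}")
        stream += payload
        next_seq = seq + len(payload)
    return bytes(stream)


def match_stream(segments):
    """Stream-aware matcher: reassemble first, then search."""
    return PATTERN.search(reassemble(segments)) is not None


# Constructed HTTP request in which the pattern straddles a segment boundary
# and the segments are delivered out of order (relative sequence numbers).
SEGMENTS = [
    (25, b"LECT password FROM users HTTP/1.1\r\n\r\n"),
    (0, b"GET /search?q=1' UNION SE"),
]

if __name__ == "__main__":
    print("per-segment match:", match_per_segment(SEGMENTS))  # misses it
    print("stream match:     ", match_stream(SEGMENTS))       # catches it
```

The function above keeps the first copy of any overlapping bytes and raises on a gap rather than guessing; a production engine additionally has to follow the same reassembly policy as the protected host, so that the IDS inspects exactly the bytes the application will receive.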

Choosing an IDS/IPS Solution with Check Point

Check Point’s next-generation firewall, Quantum, incorporates intrusion prevention systems to detect and prevent attempts to gain unauthorized access. Quantum simplifies IPS management with automatic updates to maintain comprehensive threat databases and protect your systems.

However, if you want to go further and integrate all the security functionality you need into a single platform while maintaining network performance, consider Harmony SASE – the future of cybersecurity.