Intrusion Detection System (IDS)

A network intrusion detection system (IDS) is a cybersecurity solution designed to identify potential intrusions and generate alerts about them. An IDS monitors network traffic and raises an alert if suspicious activity or a known threat signature is discovered. A valuable security tool, IDSs accelerate the identification and remediation of potential threats, but they are not standalone solutions and must be deployed within a broader security framework.


What is an Intrusion Detection System (IDS)?

How an IDS Works

An IDS can be deployed as:

  • A network-based solution
  • A host-based solution

In both deployment locations, the IDS monitors network traffic and other malicious activity to identify potential intrusions and other threats to the monitored network or device. An IDS can use several methods to identify potential threats:

  • Signature-based: Signature-based detection mechanisms use unique identifiers to look for known threats. For example, an IDS may have a library of malware hashes that it uses to identify known malware attempting to infiltrate the protected system.
  • Anomaly-based: Anomaly-based detection relies on building a model of normal behavior within the network or protected device. It then looks for deviations from this norm that could indicate a cyberattack or other incident.

Why use an Intrusion Detection System (IDS)?

Cyberattacks have reached record levels in recent years. Data from the Identity Theft Resource Center found that data breaches in 2024 were the second highest on record, behind only 2023. But, while the number of data breaches remained roughly the same in 2024 as in 2023, the number of victims increased significantly, with attacks affecting many more people.

Data breaches and unauthorized access to your corporate network can have significant consequences, with:

  • Financial costs
  • Reputational damage
  • Loss of customers

Organizations must develop robust security strategies to protect their corporate data. There are many methods attackers use to target corporate networks.

With attack vectors such as phishing and other social engineering attacks, unsecured endpoints, software application vulnerabilities, SQL injection, cross-site scripting, insider threats, and more continuously targeting enterprise IT, security teams need tools to monitor network traffic and automate intrusion detection.

An IDS monitors networks for suspicious behavior that needs to be escalated through further investigation or immediate preventative measures (blocking traffic, quarantining files, etc.). IDSs also support compliance by protecting your data and providing reporting.

While generally seen as an incident response trigger, IDSs also provide valuable data about your networks to help identify vulnerabilities and prevent attacks.

The 8 Types of Intrusion Detection Systems

There are many types of intrusion detection systems, from simple antivirus software applications to comprehensive monitoring systems that cover your entire organization, and from cloud-based intrusion detection and local on-premises systems to software applications installed on endpoints and physical hardware placed throughout the network.

The most common ways of distinguishing between the different types of intrusion detection systems are where they are located in the network, and the method by which they identify potential threats.

Network Location

The two most common types of intrusion detection systems based on network location are Network Intrusion Detection Systems (NIDS) and Host-based Intrusion Detection Systems (HIDSs).

Network Intrusion Detection Systems

NIDSs are most commonly positioned at the network perimeter behind firewalls to flag inbound and outbound traffic. However, they can also be deployed more centrally to target insider threats or compromised accounts. NIDSs are often deployed "out of band" so they can monitor traffic without impacting network performance.

This means they inspect a copy of the data packets rather than the original traffic in the forwarding path.

Host-Based Intrusion Detection Systems

HIDSs are positioned at specific endpoints (e.g., router, server, etc.) and only monitor traffic passing through the device. HIDSs are often used to periodically monitor vital operating systems, looking for suspicious activities such as edited log files or configuration changes.

It is not uncommon for security teams to rely on both NIDSs and HIDSs, utilizing NIDSs for big-picture information on the entire network and HIDSs for detailed data on the most important systems.

Other types of IDS include:

  • Protocol-based Intrusion Detection System (PIDS): Tracks connection protocols such as HTTP or HTTPS.
  • Application Protocol-based Intrusion Detection System (APIDS): Monitors application-specific protocols, for example, protecting against SQL injections.

Detection Method

The two main types of intrusion detection systems based on detection methods are signature and anomaly approaches.

Signature-Based IDS

As attack vectors are identified and studied, we are able to identify the specific patterns they follow.

These are known as signatures, and signature-based IDSs inspect network traffic to identify the patterns associated with potential threats.

To implement signature-based detection, the IDS requires an up-to-date threat database containing the latest known attack signatures. This approach is inherently more reactive: a threat must first be observed, its signature identified, and that signature entered into the security tool's database.

Until that happens you remain susceptible to new attacks, so you must regularly update your IDS to ensure the best protection.

Anomaly-Based IDS

In contrast, anomaly-based methods take a more proactive approach to IDS, identifying any suspicious activity regardless of whether it follows a previously seen threat.

Anomaly-based IDS uses machine learning behavioral analysis to monitor your network and develop a model for normal network activity. By learning what safe network traffic looks like, the technology can identify instances that deviate from the model, potentially signaling an attack.

As it is based purely on identifying real-time anomalous behavior, not known signatures, this approach can catch new threats like zero-day exploits. 

But, the quality of anomaly-based IDS depends on how it is implemented. The method can be prone to sending false positives that incorrectly class behavior as suspicious and waste the time and resources of security teams. Taking into account contextual information can improve performance, providing a better understanding of normal activities and reducing the rate of false positives.
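To make the signature-versus-anomaly trade-off from the sections above concrete (the hash library of known malware, the zero-day that only a behavioral model catches, and the benign deviation that becomes a false positive), here is an added illustrative example, not code from the original page or from Check Point. The flow records, the malware payload, and the port/byte baselines are all constructed sample data, and the z-score model is one simple stand-in for the behavioral analysis the text describes.

```python
import hashlib
import statistics
from dataclasses import dataclass

@dataclass
class Flow:
    """One outbound connection record (constructed sample data, not real traffic)."""
    src: str
    dst_port: int
    bytes_out: int
    payload: bytes

# Signature library: hashes of payloads already observed as malicious (constructed).
KNOWN_BAD_HASHES = {hashlib.sha256(b"EVIL-DROPPER-V1").hexdigest()}

def signature_match(flow):
    """Signature-based: alert only when the payload hash is already in the library."""
    return hashlib.sha256(flow.payload).hexdigest() in KNOWN_BAD_HASHES

def build_baseline(training):
    """Anomaly-based: learn mean/stdev of bytes_out per destination port from benign flows."""
    by_port = {}
    for f in training:
        by_port.setdefault(f.dst_port, []).append(f.bytes_out)
    return {p: (statistics.mean(v), statistics.pstdev(v)) for p, v in by_port.items()}

def anomaly_match(flow, baseline, z_threshold=3.0):
    """Alert when the flow deviates from the learned model (unseen port or extreme volume)."""
    if flow.dst_port not in baseline:
        return True
    mean, sd = baseline[flow.dst_port]
    if sd == 0:
        return flow.bytes_out != mean
    return abs(flow.bytes_out - mean) / sd > z_threshold

def classify(flow, baseline):
    return {"signature": signature_match(flow), "anomaly": anomaly_match(flow, baseline)}

# Constructed benign training traffic: HTTPS sessions of 2-3 KB and small DNS lookups.
TRAINING = [Flow("10.0.0.5", 443, b, b"GET /") for b in (2000, 2200, 2400, 2600, 2800)] + \
           [Flow("10.0.0.5", 53, b, b"A? corp") for b in (80, 90, 100)]
BASELINE = build_baseline(TRAINING)

# Known malware that blends into normal HTTPS volume: only the signature catches it.
KNOWN_MALWARE = Flow("10.0.0.7", 443, 2500, b"EVIL-DROPPER-V1")
# Zero-day exfiltration with an unseen payload: only the anomaly model catches it.
ZERO_DAY = Flow("10.0.0.7", 443, 500_000, b"UNKNOWN-STAGER")
# Legitimate first-time SSH backup: the anomaly model flags it (a false positive to triage).
BENIGN_BACKUP = Flow("10.0.0.9", 22, 80_000_000, b"SSH-2.0-backup")
```

Calling `classify(flow, BASELINE)` on the three sample flows shows the two methods disagreeing exactly where the text predicts, which is why the page recommends combining them and adding context to cut false positives.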

Other Detection Methods

Other types of intrusion detection systems incorporate lesser-used detection methods, such as:

  • Reputation-based detection: Blacklists specific IP addresses and domains known for malicious activities and blocks all traffic from them.
  • Stateful protocol analysis: Blocks traffic depending on protocol behavior. For example, blocking an IP address that makes a large number of requests in a short period to prevent denial-of-service attacks.

The 7 Most Common Challenges of IDS

An IDS can be a vital component of an enterprise security architecture. However, organizations commonly face the following challenges when using an IDS:

  1. False detections: An IDS can use a combination of signature and anomaly detection mechanisms, and both can make mistakes if the design is not hardened. Signature detection is prone to false negatives when a new malware variant has no signature in the database. Anomaly detection can produce false positives if a benign anomaly is mistakenly classified as a potential threat.
  2. Alert volume: Poor IDS design often generates large volumes of alerts that security personnel must sift through and triage. Security teams can easily become overwhelmed, and if many of the alerts are false positives, they may start ignoring them, resulting in missed intrusions.
  3. Alert investigation: IDS alerts often provide basic information about a security incident but may lack important context. As a result, security personnel may need to invest significant time and effort investigating and understanding an alert before triggering incident response or dismissing it as a false positive.
  4. No threat prevention: An IDS is designed to identify potential threats and alert the security team. It does nothing to actually prevent threats, leaving a window in which the organization can be attacked before manual response actions are triggered. If an alert is missed or ignored, the security team may never respond to the incident.
  5. Alert fatigue: An IDS is designed solely to alert the organization. Without the automated response of an integrated IDS+IPS (Intrusion Prevention Service), security teams carry a heavier workload. And in many cases, these teams ignore or mute alerts because there is simply too much "data" to investigate.
  6. Configuration and maintenance: To correctly identify potential security risks, an IDS must be properly deployed, configured, and maintained. This requires specialized expertise and resources that could be used elsewhere.
  7. Resource requirements: An IDS can consume significant resources to identify threats, especially with a large signature dictionary or advanced anomaly detection algorithms. If the IDS is deployed inline, it can degrade system performance. Signature libraries must also be updated frequently to identify the latest threats.

Intrusion Detection System (IDS) vs. Intrusion Prevention System (IPS)

As noted, an IDS only generates alerts. It does not intercept or block threats.

A similar security tool that provides additional capabilities is an Intrusion Prevention System (IPS), which identifies potential threats and automatically intercepts them. This could be directly responding via blocking traffic or indirectly responding by activating other tools.

These systems accelerate threat response even more than an IDS, preventing attacks before they have a chance to infiltrate your network. But, automated responses mean that false positives will block legitimate traffic, impacting operations. IDS vs. IPS creates a trade-off between the speed of protection and blocking legitimate traffic, between security and usability.

Challenges and Limitations of IDS

While IDSs offer a range of threat protection benefits, implementation challenges and performance limitations exist. These include:

  • Slowing down network performance by inspecting traffic.
  • Complex installation and determining the optimal implementation in terms of IDS solution types.
  • Regular updates and maintenance to ensure your IDS has the latest signatures and provides comprehensive coverage.
  • Implementation requires a lot of work for a detection system that doesn’t prevent attacks by itself.
  • False positives waste IT resources that could be spent investigating genuine threats and potentially lead to alert fatigue and underestimating real attacks.

There are also specific evasion tactics attackers can utilize to bypass IDSs. Methods include:

  • A Distributed Denial-of-Service (DDoS) attack is used as a decoy to take IDSs offline, followed by a genuine attack once defenses are down.
  • Obscuring malware signatures through fragmentation and finding inventive ways to split the payload across different packets.
  • Bypassing IDSs by using encrypted protocols.
  • Address spoofing or proxy servers are used to hide the source of traffic.

Choosing an IDS/IPS Solution with Check Point

Check Point’s next-generation firewall, Quantum, incorporates intrusion prevention systems to detect and prevent attempts to gain unauthorized access. Quantum simplifies IPS management with automatic updates to maintain comprehensive threat databases and protect your systems.

However, if you want to go further and integrate all the security functionality you need into a single platform while maintaining network performance, consider Harmony SASE – the future of cybersecurity.