Intrusion Detection System (IDS)

A network intrusion detection system (IDS) is a cybersecurity solution designed to identify potential intrusions and generate alerts about them. An IDS monitors network traffic and raises an alert when it discovers suspicious activity or a known threat signature. IDSs are a valuable security tool that accelerates the identification and remediation of potential threats, but they are not standalone solutions and must be deployed within a broader security framework.

What Is an Intrusion Detection System (IDS)?

How an IDS Works

An IDS can be deployed as:

  • A network-based solution
  • A host-based solution

In either deployment location, it monitors network traffic and other activity for signs of malicious behavior in order to identify potential intrusions and other threats to the monitored network or device. An IDS can use several different methods to identify potential threats, including:

  • Signature-based: Signature-based detection mechanisms use unique identifiers to look for known threats. For example, an IDS might have a library of malware hashes that it uses to identify known malware attempting to infiltrate the protected system.
  • Anomaly-based: Anomaly-based detection depends on building a model of normal behavior within the network or protected device. It then looks for any deviation from this norm that may indicate a cyberattack or other incident.

Why use an Intrusion Detection System (IDS)?

Cyberattacks have reached record levels in recent years. Data from the Identity Theft Resource Center found that data breaches in 2024 were the second highest on record, behind only 2023. But, while the number of data breaches remained roughly the same in 2024 as in 2023, the number of victims increased significantly, with attacks affecting many more people.

Data breaches and unauthorized access to your corporate network can have significant consequences, including:

  • Financial costs
  • Reputational damage
  • Loss of customers

Organizations must develop robust security strategies to protect their corporate data. There are many methods attackers use to target corporate networks.

With attack vectors such as phishing and other social engineering attacks, unsecured endpoints, software application vulnerabilities, SQL injection, cross-site scripting, insider threats, and more continuously targeting enterprise IT, security teams need tools to monitor network traffic and automate intrusion detection.

An IDS monitors networks for suspicious behavior that needs to be escalated through further investigation or immediate preventative measures (blocking traffic, quarantining files, etc.). IDSs also support compliance by protecting your data and providing reporting.

While generally seen as an incident response trigger, IDSs also provide valuable data about your networks to help identify vulnerabilities and prevent attacks.

The 8 Types of Intrusion Detection Systems

There are many types of intrusion detection systems, from simple antivirus software applications to comprehensive monitoring systems that cover your entire organization, and from cloud-based intrusion detection and local on-premises systems to software applications installed on endpoints and physical hardware placed throughout the network.

The most common ways of distinguishing between the different types of intrusion detection systems are where they are located in the network, and the method by which they identify potential threats.

Network Location

The two most common types of intrusion detection systems based on network location are Network Intrusion Detection Systems (NIDS) and Host-based Intrusion Detection Systems (HIDSs).

Network Intrusion Detection Systems

NIDSs are most commonly positioned at the network perimeter, behind firewalls, to flag suspicious inbound and outbound traffic. However, they can also be used more centrally to target insider threats or compromised accounts. NIDSs are often deployed “out of band” so they can monitor traffic without impacting network performance.

This means they inspect a copy of each data packet rather than analyzing the original in the forwarding path.

Host-Based Intrusion Detection Systems

HIDSs are positioned at specific endpoints (e.g., a router or server) and only monitor traffic passing through that device. HIDSs are often used to periodically monitor vital operating systems, looking for suspicious activities such as edited log files or configuration changes.

It is not uncommon for security teams to rely on both NIDSs and HIDSs, using NIDSs for big-picture information on the entire network and HIDSs for detailed data on the most important systems.
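The "edited log files or configuration changes" a HIDS looks for are usually found by comparing the host's files against a recorded baseline. The following is an added example (not code from this page or from Check Point) of that file-integrity check: it hashes a constructed sample directory, records a baseline, then classifies later drift as modified, added or deleted files. The sample file names and contents are constructed stand-ins for real system paths such as /etc.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample tree (assumption: stands in for a host's config and log directories).
def build_sample_tree(root: Path) -> None:
    (root / "sshd_config").write_text("PermitRootLogin no\nPasswordAuthentication no\n")
    (root / "hosts").write_text("127.0.0.1 localhost\n")
    (root / "auth.log").write_text("Accepted publickey for alice from 10.0.0.5\n")

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large logs do not need to be read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def take_baseline(root: Path) -> dict:
    """Record the hash of every regular file under root: the 'known good' state."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Classify drift from the baseline as modified, added or deleted files."""
    current = take_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "deleted": sorted(k for k in baseline if k not in current),
    }

def demo() -> dict:
    """Baseline the sample tree, then make the kinds of changes a HIDS is meant to notice."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        baseline = take_baseline(root)
        (root / "sshd_config").write_text("PermitRootLogin yes\n")       # configuration change
        (root / "auth.log").write_text("")                              # log file emptied
        (root / "unknown.conf").write_text("# file not in baseline\n")  # new, unexpected file
        return compare_to_baseline(root, baseline)

if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Two practical caveats: a content hash does not notice changes to ownership, permissions or timestamps, so production tools record those attributes too, and the baseline itself must be kept where a compromised host cannot rewrite it (off-host or signed), otherwise an intruder simply re-baselines after making changes.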

Other types of IDS include:

  • Protocol-based Intrusion Detection System (PIDS): Tracks connection protocols such as HTTP or HTTPS.
  • Application Protocol-based Intrusion Detection System (APIDS): Monitors application-specific protocols, for example, protecting against SQL injections.

Detection Method

The two main types of intrusion detection systems based on detection methods are signature and anomaly approaches.

Signature-Based IDS

As attack vectors are identified and studied, we are able to identify the specific patterns they follow.

These are known as signatures, and signature-based IDSs inspect network traffic to identify the patterns associated with potential threats.

To implement signature-based detection, the IDS requires an up-to-date threat database containing the latest known attack signatures. This approach is inherently more reactive. It requires that threats be observed and their signatures be identified and input into security tool databases.

You are susceptible to new attacks and must regularly update your IDS to ensure the best protection.

Anomaly-Based IDS

In contrast, anomaly-based methods take a more proactive approach to IDS, identifying any suspicious activity regardless of whether it follows a previously seen threat.

Anomaly-based IDS uses machine learning behavioral analysis to monitor your network and develop a model for normal network activity. By learning what safe network traffic looks like, the technology can identify instances that deviate from the model, potentially signaling an attack.

Because it is based purely on identifying anomalous behavior in real time, not on known signatures, this approach can catch new threats such as zero-day exploits.

But, the quality of anomaly-based IDS depends on how it is implemented. The method can be prone to sending false positives that incorrectly class behavior as suspicious and waste the time and resources of security teams. Taking into account contextual information can improve performance, providing a better understanding of normal activities and reducing the rate of false positives.
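The two detection methods described in the list above (signature-based and anomaly-based) and in this section are easiest to compare side by side. The following is an added example, not code from this page or from Check Point, that runs both over constructed web-server request data: a small signature table catches a request matching a known pattern, while a learned per-host request-rate baseline flags a burst from a host whose traffic matches no signature at all, which is the case signature detection misses. The signature names, the request lines and the training counts are all constructed.

```python
import re
import statistics

# Known-threat signatures (constructed and deliberately small; a real IDS ships thousands).
SIGNATURES = {
    "sql-injection-union": re.compile(r"(?i)\bunion\s+select\b"),
    "path-traversal": re.compile(r"\.\./\.\./"),
}

def signature_matches(line: str) -> list:
    """Signature-based detection: return the names of every signature the line matches."""
    return [name for name, rx in SIGNATURES.items() if rx.search(line)]

class RateBaseline:
    """Anomaly-based detection: learn a host's typical requests per window, flag outliers."""

    def __init__(self, k: float = 3.0):
        self.samples = []
        self.k = k  # standard deviations above the mean that count as anomalous

    def learn(self, count: int) -> None:
        self.samples.append(count)

    def threshold(self) -> float:
        mean = statistics.mean(self.samples)
        spread = statistics.pstdev(self.samples)
        # Floor the spread at 1 so a perfectly flat baseline does not flag every extra request.
        return mean + self.k * max(spread, 1.0)

    def is_anomalous(self, count: int) -> bool:
        return count > self.threshold()

def inspect(observed, baseline: RateBaseline) -> list:
    """Run both detectors over (source, requests_this_window, sample_line) tuples."""
    alerts = []
    for source, count, line in observed:
        hits = signature_matches(line)
        anomalous = baseline.is_anomalous(count)
        if hits or anomalous:
            alerts.append({"source": source, "signatures": hits, "rate_anomaly": anomalous})
    return alerts

# Constructed training data: per-minute request counts from a typical client during a quiet period.
TRAINING_COUNTS = [12, 15, 11, 14, 13, 12]

# Constructed observations for one window; the third host matches no signature, only a burst.
OBSERVED = [
    ("10.0.0.5", 14, "10.0.0.5 GET /index.html 200"),
    ("10.0.0.9", 13, "10.0.0.9 GET /search?q=x' UNION SELECT name FROM users-- 200"),
    ("10.0.0.7", 90, "10.0.0.7 GET /api/items?page=3 200"),
]

def demo() -> list:
    baseline = RateBaseline()
    for count in TRAINING_COUNTS:
        baseline.learn(count)
    return inspect(OBSERVED, baseline)

if __name__ == "__main__":
    for alert in demo():
        print(alert)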

Other Detection Methods

Other types of intrusion detection systems incorporate lesser-used detection methods, such as:

  • Reputation-based detection: Blacklists specific IP addresses and domains known for malicious activities and blocks all traffic from them.
  • Stateful protocol analysis: Blocks traffic depending on protocol behavior. For example, blocking an IP address that makes a large number of requests in a short period to prevent denial-of-service attacks.
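Both of these methods are simple enough to show in full. The following is an added example (not code from this page or from Check Point) of a reputation lookup against constructed blocklists and a stateful per-source request tracker that uses a sliding time window to flag the "large number of requests in a short period" case in the second bullet. The blocklisted network is a documentation range and the domain, thresholds and timestamps are constructed assumptions.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed reputation data: 203.0.113.0/24 is a documentation range, not a real bad actor.
BLOCKLISTED_NETWORKS = [ip_network("203.0.113.0/24")]
BLOCKLISTED_DOMAINS = {"bad.example"}

def reputation_verdict(src_ip: str, dst_host: str) -> str:
    """Reputation-based detection: block if the source or the requested domain is listed."""
    ip = ip_address(src_ip)
    if any(ip in net for net in BLOCKLISTED_NETWORKS):
        return "block: listed source address"
    if dst_host.lower() in BLOCKLISTED_DOMAINS:
        return "block: listed domain"
    return "allow"

class RequestRateTracker:
    """Stateful per-source tracking: flag a source exceeding max_requests within window_seconds."""

    def __init__(self, max_requests: int, window_seconds: float):
        self.max_requests = max_requests
        self.window = window_seconds
        self.history = defaultdict(deque)  # source ip -> timestamps of recent requests

    def observe(self, src_ip: str, ts: float) -> bool:
        """Record one request at time ts; return True if the source is now over the limit."""
        recent = self.history[src_ip]
        while recent and ts - recent[0] > self.window:  # drop timestamps outside the window
            recent.popleft()
        recent.append(ts)
        return len(recent) > self.max_requests

def first_flagged_request(timestamps, src_ip="198.51.100.7", max_requests=10, window_seconds=10.0):
    """Return the 1-based index of the first request that trips the limit, or None."""
    tracker = RequestRateTracker(max_requests, window_seconds)
    for index, ts in enumerate(timestamps, start=1):
        if tracker.observe(src_ip, ts):
            return index
    return None

# Constructed: 20 requests 0.25 s apart (a burst) versus 20 requests 2 s apart (normal use).
BURST = [i * 0.25 for i in range(20)]
STEADY = [i * 2.0 for i in range(20)]

if __name__ == "__main__":
    print(reputation_verdict("203.0.113.9", "example.com"))
    print("burst flagged at request", first_flagged_request(BURST))
    print("steady flagged at request", first_flagged_request(STEADY))
```

A per-source deque is fine for a demonstration; at network scale the state table itself becomes a resource-exhaustion target, so production detectors bound the number of tracked sources and expire idle entries.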

The 7 Most Common Challenges of IDS

An IDS can be an important component of an enterprise security architecture. However, organizations commonly face challenges when using an IDS, including the following:

  1. Incorrect detection: An IDS can use a combination of signature and anomaly detection mechanisms, and both can make mistakes if the design is not hardened. Signature detection is more prone to false negatives when a new malware variant has no signature in the database. Anomaly detection can produce false positives if a benign anomaly is misclassified as a potential threat.
  2. Alert volume: A poorly designed IDS often generates a large volume of alerts that security personnel must search through and triage. Security teams can easily be overwhelmed, and if many of the alerts are false positives, they may begin to ignore them, leading to missed intrusions.
  3. Alert investigation: IDS alerts often provide basic information about a security incident but may lack important context. As a result, security personnel may spend considerable time and effort investigating and understanding an alert before triggering incident response or dismissing it as a false positive.
  4. No threat prevention: An IDS is designed to identify potential threats and alert the security team. It cannot actually prevent a threat, leaving a window to attack the organization before a manual response is triggered. If an alert is missed or ignored, the security team may never respond to the incident at all.
  5. Alert fatigue: An IDS is designed only to alert the organization. Lacking the automated response of an integrated IDS+IPS (intrusion prevention service), security teams carry a higher workload. In many cases, these teams ignore or mute alerts because there is too much “data” to investigate.
  6. Configuration and maintenance: To correctly identify potential security risks, an IDS must be properly deployed, configured, and maintained. This requires specialized expertise and resources that could otherwise be used elsewhere.
  7. Resource requirements: An IDS can consume significant resources to identify threats, especially if it has a large signature dictionary or advanced anomaly detection algorithms. If the IDS is deployed within a system, these demands may degrade that system’s performance. In addition, the signature library must be updated frequently to identify the latest threats.

Intrusion Detection System (IDS) vs. Intrusion Prevention System (IPS)

As noted, an IDS only generates alerts. It does not intercept or block threats.

A similar security tool that provides additional capabilities is an Intrusion Prevention System (IPS), which identifies potential threats and automatically intercepts them. This could mean responding directly by blocking traffic or indirectly by activating other tools.

These systems accelerate threat response even more than an IDS, preventing attacks before they have a chance to infiltrate your network. But automated responses mean that false positives will block legitimate traffic, impacting operations. IDS vs. IPS is therefore a trade-off between the speed of protection and the risk of blocking legitimate traffic, between security and usability.

Challenges and Limitations of IDS

While IDSs offer a range of threat protection benefits, implementation challenges and performance limitations exist. These include:

  • Slowing down network performance by inspecting traffic.
  • Complex installation, including determining the optimal combination of IDS solution types.
  • Regular updates and maintenance to ensure your IDS has the latest signatures and provides comprehensive coverage.
  • Implementation requires a lot of work for a detection system that doesn’t prevent attacks by itself.
  • False positives waste IT resources that could be spent investigating genuine threats and potentially lead to alert fatigue and underestimating real attacks.

There are also specific evasion tactics attackers can utilize to bypass IDSs. Methods include:

  • A Distributed Denial-of-Service (DDoS) attack is used as a decoy to take IDSs offline, followed by a genuine attack once defenses are down.
  • Obscuring malware signatures through fragmentation and finding inventive ways to split the payload across different packets.
  • Bypassing IDSs by using encrypted protocols.
  • Address spoofing or proxy servers are used to hide the source of traffic.
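The fragmentation bullet is the evasion an IDS designer can do the most about: a signature split across two packets is invisible to a matcher that inspects each packet on its own, and visible again once the detector reassembles the stream before matching. The following is an added example (not code from this page or from Check Point) that contrasts the two. The signature, the fragment offsets and the payload are constructed, and the reassembly policy (hold on gaps, first fragment wins on overlap) is an assumption made for the example.

```python
import re

# Constructed signature of the kind a signature-based IDS would carry.
SIGNATURE = re.compile(rb"(?i)\bunion\s+select\b")

# Constructed fragments as (byte offset, payload). The signature straddles the fragment
# boundaries, so no single fragment contains it.
FRAGMENTS = [
    (0, b"GET /search?q=x' UNI"),
    (20, b"ON SEL"),
    (26, b"ECT name FROM users-- HTTP/1.1\r\n"),
]

def scan_per_fragment(fragments) -> bool:
    """Naive matcher: inspects each fragment on its own, so a split signature is missed."""
    return any(SIGNATURE.search(payload) for _, payload in fragments)

def reassemble(fragments):
    """Rebuild the byte stream from offsets. Returns None while a gap remains (hold, don't guess)."""
    buf = bytearray()
    for offset, payload in sorted(fragments, key=lambda frag: frag[0]):
        if offset > len(buf):
            return None  # a fragment is still missing; keep buffering
        # Overlap policy: keep bytes already received (first fragment wins). Operating systems
        # differ here, and a detector must mirror the receiving host's policy to see what it sees.
        buf.extend(payload[len(buf) - offset:])
    return bytes(buf)

def scan_reassembled(fragments) -> bool:
    """Stream-aware matcher: reassemble first, then apply the signature."""
    stream = reassemble(fragments)
    return stream is not None and SIGNATURE.search(stream) is not None

if __name__ == "__main__":
    print("per-fragment match:", scan_per_fragment(FRAGMENTS))
    print("reassembled match:", scan_reassembled(FRAGMENTS))
```

The buffering that makes this work is also where the resource cost mentioned earlier in the page comes from: every partially reassembled stream occupies memory until it completes or times out, so reassembly buffers need hard limits.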

Choosing an IDS/IPS Solution with Check Point

Check Point’s next-generation firewall, Quantum, incorporates intrusion prevention systems to detect and prevent attempts to gain unauthorized access. Quantum simplifies IPS management with automatic updates to maintain comprehensive threat databases and protect your systems.

However, if you want to go further and integrate all the security functionality you need into a single platform while maintaining network performance, consider Harmony SASE – the future of cybersecurity.