
Introduction to Intrusion Detection Systems (IDS)

Cyber Security Mastery: From Zero to Hero

Monitoring for Malice: IDS

A firewall enforces policy: it allows or blocks traffic according to rules. An IDS does not block anything. It inspects network traffic or host activity for suspicious behaviour or known attack signatures and raises an alert for an analyst (or an automated response) to act on. The inline variant that can also drop matching traffic is an intrusion prevention system (IPS).

IDS Types

  1. Network-based IDS (NIDS): Monitors traffic for an entire network segment from one vantage point, typically fed by a mirror (SPAN) port on a switch or a network TAP. It sees every host on the segment but cannot see inside encrypted sessions or what happens on the host after a packet arrives.

    • Example tools: Snort, Suricata.
  2. Host-based IDS (HIDS): Runs as an agent on individual servers or workstations, monitoring system calls, file integrity, and log files. It sees local activity a NIDS cannot, but covers only the hosts where it is installed.

    • Example tool: OSSEC.
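The file-integrity part of a HIDS is simple enough to show in full. The following is an added example written for this page, not code from OSSEC or from the course: it hashes every file under a directory to build a baseline, then reports files that were added, removed or modified since that baseline. The directory layout, file contents and the "tampering" are all constructed in the demo function.

```python
"""Added example (not from the course or OSSEC): minimal HIDS-style
file-integrity monitoring. Build a baseline of SHA-256 digests, rescan later,
report what changed. All paths and file contents below are constructed."""
import hashlib
import os
import tempfile


def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (path relative to root) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            # Skip symlinks: following a planted link could hash a file
            # outside the monitored tree, or hide the link itself.
            if os.path.islink(full):
                continue
            baseline[os.path.relpath(full, root)] = sha256_of(full)
    return baseline


def diff_baselines(old, new):
    """Compare two baselines; lists are sorted so output is stable."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Constructed scenario: baseline a fake /etc, tamper with it, rescan."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(os.path.join(etc, "hostname"), "w") as f:
            f.write("web01\n")
        before = build_baseline(root)

        # Simulated intrusion: a UID-0 account appended to passwd, a file
        # deleted, and a new cron job dropped in.
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")
        os.remove(os.path.join(etc, "hostname"))
        with open(os.path.join(etc, "cron.d_evil"), "w") as f:
            f.write("* * * * * root /tmp/x\n")
        after = build_baseline(root)
        return diff_baselines(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A real HIDS stores the baseline somewhere the monitored host cannot rewrite it (a central server, as OSSEC does), because an attacker with root can otherwise simply re-baseline after tampering.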

Detection Methods

  • Signature-based Detection: Compares traffic against a database of known attack patterns (signatures). High accuracy and few false positives for known threats, but it cannot detect an attack for which no signature exists yet: zero-day (new) attacks, and known attacks obfuscated enough to no longer match the pattern.
  • Anomaly-based Detection: Establishes a baseline of normal network behaviour (traffic volume, protocols, connection patterns) and alerts when observed activity deviates significantly from that baseline. Effective against unknown threats, but prone to false positives whenever legitimate behaviour changes, and the baseline must be learned from clean traffic or attacker activity present during learning becomes "normal".
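The two methods, and the gaps in each, are easiest to see side by side on the same traffic. The following is an added example written for this page, not code or rules from any real IDS: a few regex "signatures" and a per-source request-volume baseline are run over a constructed set of web-server request lines. The IP addresses, request lines, signatures and the k=3 threshold are all illustrative assumptions.

```python
"""Added example (not from the course or any IDS product): signature-based
and anomaly-based detection run over the same constructed request log."""
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed clean training window: five normal users, 2-6 requests each.
TRAINING_REQUESTS = [
    (src, f"GET /page{i} HTTP/1.1")
    for src, n in [("192.0.2.10", 3), ("192.0.2.11", 5), ("192.0.2.12", 4),
                   ("192.0.2.13", 6), ("192.0.2.14", 2)]
    for i in range(n)
]

# Constructed live window (source IP, request line):
#   192.0.2.10    normal user
#   10.0.0.9      a traversal probe followed by a 40-request flood
#   203.0.113.5   a single SQL-injection tautology
#   198.51.100.7  a legitimate but busy crawler (12 requests)
#   203.0.113.6   a command-injection attempt we have no signature for
LIVE_REQUESTS = (
    [("192.0.2.10", f"GET /page{i} HTTP/1.1") for i in range(4)]
    + [("10.0.0.9", "GET /../../etc/passwd HTTP/1.1")]
    + [("10.0.0.9", f"GET /page{i} HTTP/1.1") for i in range(40)]
    + [("203.0.113.5", "GET /search?q=' OR 1=1-- HTTP/1.1")]
    + [("198.51.100.7", f"GET /sitemap-{i}.xml HTTP/1.1") for i in range(12)]
    + [("203.0.113.6", "GET /api/v1/users?id=1;cat%20/flag HTTP/1.1")]
)

# Signature-based: known attack patterns, compiled once. Anything not listed
# here (the command injection above) passes silently: that is the zero-day gap.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"'\s*OR\s+1\s*=\s*1", re.IGNORECASE),
}


def signature_alerts(requests):
    """Return (source, signature name) for every request matching a known pattern."""
    alerts = []
    for src, line in requests:
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                alerts.append((src, name))
    return alerts


def learn_baseline(training_requests):
    """Learn normal per-source request volume (mean, std dev) from clean traffic."""
    counts = Counter(src for src, _ in training_requests)
    values = list(counts.values())
    return mean(values), pstdev(values)


def anomaly_alerts(requests, baseline, k=3.0):
    """Flag sources whose request count exceeds mean + k * stddev of the baseline.

    A smaller k catches smaller deviations but raises more false positives."""
    mu, sigma = baseline
    threshold = mu + k * sigma
    counts = Counter(src for src, _ in requests)
    return sorted((src, n) for src, n in counts.items() if n > threshold)


def run():
    """Run both detectors over the live window and return their alerts."""
    baseline = learn_baseline(TRAINING_REQUESTS)
    return {
        "signature": signature_alerts(LIVE_REQUESTS),
        "anomaly": anomaly_alerts(LIVE_REQUESTS, baseline),
    }


if __name__ == "__main__":
    for method, alerts in run().items():
        print(f"{method}: {alerts}")
```

On this input the signature detector catches the traversal and the SQL injection but misses the flood and the command injection; the anomaly detector catches the flood but also flags the crawler (a false positive) and misses both single-request attacks, since one request is not anomalous by volume. That complementary coverage is why production deployments run both.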