If you can identify an unauthorized network intrusion attempt, you can maintain the confidentiality, integrity, and availability (CIA) of your data assets and network resources.
This is precisely the goal of an intrusion detection system (IDS).
All cyberattacks that violate the CIA of the network and data demonstrate some form of anomalous behavior. The starting point of this behavior may be an unauthorized intrusion into the network, which may then expand into unauthorized use of the resources contained within the network.
In this article, we'll explain what an IDS is, how it differs from other network security systems, and why you should consider integrating one into your network infrastructure.
An intrusion detection system (IDS) monitors network traffic for anomalous behavior such as:
Once the event is identified as an anomaly, the IDS likely either reports to the administrators or issues an automation control action to the integrated security information and event management (SIEM) tool. The SIEM then uses advanced filtering techniques and protocols to distinguish a legitimate intrusion attempt from false alarms when raising an alert.
(Explore Splunk Enterprise Security, a leading SIEM solution.)
There are two types of IDS:
If an IDS is an alarm designed to detect and inform you of incoming threats, an IPS is the guard making sure no threats get into the system. Because while an IDS focuses on threat detection, an IPS focuses mainly on threat prevention.
IPSes operate on the network in real time, ensuring that threats don’t get into the network. They continuously monitor traffic on the network, inspect incoming packets for malicious signals, and detect network anomalies. An IPS also:
That's not to say, however, that an IPS is superior to an IDS (or vice versa). In fact, both systems should be used together to provide comprehensive network protection. Because while an IPS does catch threats, an IDS provides far greater network visibility and threat detection that the IPS can then work with.
IDS vs IPS: key infrastructure differences:
(Related reading: active vs. passive monitoring.)
The IDS process is different from a firewall mechanism, which simply filters and implicitly prevents a possible network intrusion.
So, why not just have a firewall system instead? Modern enterprise IT networks are complex. The networks include thousands of network endpoints and nodes communicating between each other — no fixed set of rules can encompass a holistic and uniform security policy for the entire network. Therefore, IDS systems are deployed at various network nodes to determine potential violations of a network security policy.
IDSes can be broadly categorized into the following groups:
Let's take a more detailed look at how each works and its cons.
Signature-based detection (SD) systems use existing knowledge of attack signatures to identify intrusion attempts. If a traffic request matches a previous unauthorized intrusion attempt, an alarm goes off. A database of attack signatures is maintained and used to compare against current attempts to access the network. These systems are highly accurate in matching known attack signatures.
However, a zero-day exploit may not contain any signature knowledge in the database. If such an attack doesn't demonstrate characteristics and patterns from the available list of previously known attack signatures, it won't be identified by the IDS that relies on SD techniques. After all, SD is a simple detection system that uses contextual knowledge for simple security policy enforcement decisions.
Cons of Signature-based Detection. SD systems do have drawbacks. We have detailed some of them below:
The limitations of SD are overcome by anomaly-based detection (AD) systems, which model the behavior of the systems, often using:
The models train and generalize on the network system’s response to allowed traffic and known attack signatures. Any deviation from the expected system response — allowing legitimate traffic and rejecting traffic that contains patterns of attack signatures—triggers an alert.
The positives of AD systems are that they're less dependent on the underlying technology stack and OS. New vulnerabilities can be easily detected as long the model is sufficiently trained to classify a legitimate traffic request from an unauthorized intrusion attempt. New vulnerabilities such as zero-day exploits are less concerning, as explicit signature knowledge isn't required.
Cons of Anomaly-based Detection. However, AD systems have several drawbacks:
The stateful protocol analysis (SPA) system evaluates protocols of the TCP/IP stack. The intrusion engine runs at the application layer and uses predefined protocol profiles for each protocol state activity as provided by the vendor. These are universal and standardized profiles that describe how a protocol should govern traffic flows. Any deviation constitutes an anomalous behavior. Hence, it triggers an alarm.
For example, an intrusion attempt initiates an unexpected sequence of attempts without issuing prerequisite commands. The SPA system would check for the protocol profile characteristics — such as length of the command and order sequence — to determine a potentially unauthorized network intrusion attempt.
On the positive, these systems are well positioned to distinguish between traffic protocol sequences, especially as the states are explicitly known and tracked. The information is universally available and standardized across technology vendors.
Cons of Stateful Protocol Analysis. Now to the difficult part:
An IDS should be a crucial part of every good network security process. Detection systems provide real-time monitoring of networks and logs. They can sniff out anomalies and recognize potential threats like no other system can. Furthermore, in several countries (including the US), regulators mandate the use of an IDS in medical and financial networks.
As discussed earlier, firewalls and IPSes are great — but using an IDS in tandem with them will create a layered security infrastructure, your best bet in today's complex threat landscape.
These IDS systems don’t provide an actual defense against malicious intrusion attempts. They’re not firewall systems, but a piece of your larger security puzzle.
Rejecting network traffic requests may be difficult to represent as a single policy or rules that are enforced by a firewall system. Instead, IDSes help InfoSec teams understand traffic behavior and make well-informed decisions based on true contextual knowledge, instead of relying on fixed and predefined policies.
However, there’s a lot that goes into creating a rigid security framework. Several security protocols can be used in networks, but an IDS should always be an integral part of your infrastructure.
See an error or have a suggestion? Please let us know by emailing [email protected].
This posting does not necessarily represent Splunk's position, strategies or opinion.
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.