What is an Intrusion Detection System (IDS)? Complete guide with everything you need to know

If you read Orwell’s 1984 and thought it was a great idea… to apply to your IT infrastructure, you’re in luck. Because an IDS (Intrusion Detection System) will allow you to fulfill your dream of controlling everything that happens in your networks and systems, detecting hackers and intrusion attempts as if you had eyes and ears in every corner.
Given the cybersecurity landscape, an intrusion detection system is a must for any organization. Therefore, we will explain what an IDS is, how it works, existing alternatives and how to make every IT administrator’s true dream come true: to become a tyrant by instantly discovering any suspicious activity in your technological realm.

What is an IDS and what is it for?

An IDS is a monitoring technology that detects suspicious or unauthorized activity on our network or hosts and alerts the SOC or SIEM so that action can be taken.
We can say that the IDS is the constant surveillance system, the tireless observer behind every corner, our own KGB, which lights the beacons of Gondor because someone is trying to breach its walls.
Its usefulness is clear: to detect breach attempts and raise an alert before they succeed.
Although its main function is to monitor and report anything suspicious, it is not the only one, as it also helps us comply with the cybersecurity regulations that apply to us.
European NIS2, NIST, ISO 27001 and other regulatory frameworks and best practices require continuous monitoring of networks (with protocols such as SNMP) and systems against unauthorized access and malicious activity. The IDS is the piece that helps us comply and avoid fines.
It is important to clarify that the IDS performs constant and passive surveillance, but it only notifies; it does not make decisions or initiate actions. The IDS is a spy, not an executor.
The response to IDS alerts will depend on the security structure of the organization: there may be a connected SIEM that initiates automated actions, the IDS itself may have added response functions, or the SOC may be the one to act.

What is a cybersecurity intrusion?

Any unauthorized activity that seeks to compromise the confidentiality, integrity or availability of a system.
This can take the form of unauthorized access to sensitive data, running malware (voluntarily out of spite or unintentionally, because you thought that misspelled link would get you an iPhone), lateral movement behind a compromised perimeter, etc.

The most common methods of intrusion

Sometimes I think the real source of unlimited power is hacker ingenuity in penetrating defenses. I’ve seen some amazing things, but many intrusion attempts start with:

  • Phishing. The timeless classic of malicious messages trying to get you to click on a link (or not even that, thanks to zero-click attacks), so that you run malware.
  • Spoofing. Or put on one of those noses with glasses and mustache to impersonate a legitimate IP, MAC address or similar, so that the IDS does not suspect when we try to enter the club with fake ID.
  • Code injection. Usually SQL or XSS, exploiting an unpatched vulnerability to execute malicious commands.
  • Credential Stuffing. An elegant way to describe the use of stolen credentials.
  • Social engineering, shoulder surfing (spying by craning your neck over your shoulder to see passwords typed in, but it’s better to call it that) or any other method.

The IDS has the function of detecting all that and notifying, but of course, the bad guys know that too. That’s why they try to avoid our spying system with evasion maneuvers such as:

  • Obfuscating patterns. Modifying the attack code, or encoding or encrypting strings, so that a signature-based IDS (we will see what that is) no longer recognizes it.
  • Coordinated attacks that don’t look like attacks. Like waking up a botnet of compromised, but not yet used, zombie devices. Their owners do not know they are infected until they are activated, for example for a DDoS, from apparently legitimate IPs that were not in any malicious address database, dodging a reputation-based IDS.
  • Packet fragmentation. Breaking the malicious payload into smaller pieces to bypass signatures known to the IDS. If you’ve seen the movies where the bad guy sneaks a weapon by inserting its various parts into the building and then assembling it once inside, you’re watching this attack. Actually you’re watching a movie, but you get my drift.
Types of IDS: Host-Based (HIDS), Network-Based (NIDS) and other variants

IDSs can be categorized in many ways, including their most basic nature as hardware and software. Cisco, for example, offers its Firepower (hardware firewalls with IDS features) to corporations, just as they deployed their older K9s in industrial facilities.
But with the advance of virtualization and many companies now flying around in the cloud like Goku, many options will be software-based.
So, classified by their mode of operation, we would have:

  • Host-Based IDS (HIDS). They monitor events on individual devices, such as a server. The IDS monitors logs, changes in critical files (/etc/passwd, for example, if the machine is Linux), processes, permissions…
  • Network-Based IDS (NIDS). They monitor network traffic and packets, looking for threats and malicious patterns, such as port scans or SQLi attacks.
  • Signature-Based IDS. That is, detection by known patterns of malware, intrusion or problems, such as detecting the string /etc/passwd in HTTP traffic. This string is a bad sign, but what do we do if we are not dealing with a script-kiddie who copies and pastes what he sees around because he is bored? Then we move on to…
  • Anomaly-Based IDS. With the advent of AI and the imminent creation of Skynet, the use of Machine Learning to detect anomalous behavior is our ally. It is the attempt to counter that infinite hacker ingenuity, because sophisticated malicious actors won’t use old tricks (actually, they will probably still succeed with that 12345 password that someone never changed, but hey). With these IDSs, any anomaly detected is reported.
  • Policy-Based IDS. Although this type of IDS is not standard, the organization can determine that certain actions, even if they are not intrusions or breaches per se, will be notified by the IDS. For example, we all know that torrents are only used by geeks to share Linux distros (ahem), but an organization may decide not to allow p2p traffic. Even if it’s not a breach, the IDS tells on us when we download “Debian Season 7” from the corporate laptop.
  • Reputation-Based IDS. Flags or blocks traffic coming from blacklisted IPs or domains that are a known source of malicious actions.

The classifications can be endless, such as differentiating between Protocol-Based IDS or even Application Protocol-Based IDS, which monitor network or application layer protocols (HTTP, DNS…). However, these typologies, for example, are considered within network-based IDS and anomaly detection.
As many will have guessed, some of the best IDSs operate in a hybrid way. That is, adopting the Borg philosophy and assimilating the best of each world by using several of the above methods for comprehensive protection.
Yes, I’m going to fill everything with Star Trek references until I’m kicked out, but let’s continue to dig deeper.

How does an IDS work? Methods of detection and post-alert response

Imagine an IT administrator who has authority over the organization’s systems, so he does what he always wanted to do: exercise it with an iron fist to compensate for his shortcomings in all other aspects of life. So he creates his “spy network”.
Instead of deploying pizza vans with satellite dishes on the roof, or guys in trench coats reading a newspaper with holes at eye level, he deploys an IDS solution that snitches on anything that doesn’t look right to him.
Depending on the organization, he will likely opt for a network-based IDS that opens every packet to see if it has a gift inside and, on sensitive assets, he will deploy host-based IDSs. Many load rule files (which are updated) with patterns, suspicious IPs, etc., so a lot of the workload is carried by the IDS.
But it’s not enough. The power has gone to his head and he also decides to set additional policies, such as notifying on VPN IPs known to belong to services like RiseUp, or on torrent traffic, except for one machine (his own).
With that, the administrator feels like Odin and his crows Hugin and Munin (his IDS actually, but let him dream) bring him all the news in the world, like Thor’s father.
So, there is an alert from the IDS because the intern has tried to drive traffic over p2p ports, while another one arrives about strange packets that look like a port scan. Soon after, someone visits our site from a VPN and, of course, there is an endless supply of humans clicking where they shouldn’t as if the world is coming to an end.
These would be common patterns detected by signature-based IDSs. But our administrator wants to keep his job, because it’s his only chance to feel like somebody every morning, so he deploys a hybrid solution, with additional anomaly-based detection and Machine Learning.
Then, several things happen that, by themselves, don’t seem like much.
On a Windows machine someone has run PowerShell. It’s not malware, so a signature-based IDS would remain silent. But from there an attempt is made to access a backup server. Again, it might not be a breach, but the pieces start to form an odd shape. Soon after, there is traffic to a benign domain, such as Google Drive.
An anomaly-based IDS would understand that this is unusual. The average accountant doesn’t know what PowerShell is and screams in terror when a terminal appears, and traffic to Google Drive is common, but these three things together smell like exfiltration, so alarm bells ring.
Odin’s crows (a much better name than IDS) have done their job, but the response is still pending.
If the IDS is connected to a SIEM (Security Information and Event Management) like Pandora, for example, it will respond with possible automatic measures and alert the SOC to address the incident.
You can block outgoing traffic from the backup server as a preventive measure, for example. Or trace who is doing these things and explain to them that a well-protected technology infrastructure works like a police state…. And they are always watching you.
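To make the two detection styles in this scenario concrete, here is an added example (written for this article, not code from any IDS product or SIEM): a signature pass that looks for the literal string /etc/passwd in HTTP traffic, and an anomaly pass that scores behaviours which are harmless on their own but unusual for a user's role, raising an alert only when the chain reaches a threshold. The event log, role baseline, host names and threshold are all constructed assumptions.

```python
"""Toy IDS pipeline: one signature rule plus a per-host anomaly check.

Added illustration for this article; the event format, baseline and
threshold are constructed and do not come from any real product.
"""
from collections import defaultdict

# Constructed host-level events: (host, user, kind, detail). Not real telemetry.
EVENTS = [
    ("acct-pc-07", "mjones", "http", "GET intranet.example/reports/q3.pdf"),
    ("acct-pc-07", "mjones", "process", "excel.exe"),
    ("acct-pc-07", "mjones", "process", "powershell.exe"),
    ("acct-pc-07", "mjones", "smb", "backup-srv/archive"),
    ("acct-pc-07", "mjones", "http", "POST drive.google.com/upload"),
    ("web-01", "-", "http", "GET www.example/index.php?page=../../../../etc/passwd"),
    ("it-admin-02", "sysadmin", "process", "powershell.exe"),
    ("it-admin-02", "sysadmin", "smb", "backup-srv/archive"),
]

# Signature rules: name -> substring that must appear in an HTTP event
# (the article's own example of a known bad pattern).
SIGNATURES = {"path-traversal-etc-passwd": "/etc/passwd"}

# Constructed baseline: behaviours that are individually benign but unusual
# for a given role. Each distinct one observed for a host/user scores a point.
ROLE_OF = {"mjones": "accounting", "sysadmin": "it"}
UNUSUAL_FOR = {
    "accounting": {("process", "powershell.exe"), ("smb", "backup-srv"), ("http", "drive.google.com")},
    "it": {("http", "drive.google.com")},
}
ANOMALY_THRESHOLD = 3  # distinct unusual behaviours before we alert


def token(kind, detail):
    """Reduce an event's detail to the thing the baseline is keyed on."""
    if kind == "process":
        return detail
    if kind == "smb":
        return detail.split("/")[0]              # share host
    if kind == "http":
        return detail.split()[1].split("/")[0]   # destination host
    return detail


def signature_alerts(events):
    """Signature-based pass: literal pattern match on HTTP request details."""
    alerts = []
    for host, user, kind, detail in events:
        if kind != "http":
            continue
        for name, pattern in SIGNATURES.items():
            if pattern in detail:
                alerts.append({"type": "signature", "rule": name, "host": host, "detail": detail})
    return alerts


def anomaly_alerts(events):
    """Anomaly pass: correlate unusual-for-role behaviours per host/user."""
    seen = defaultdict(set)
    for host, user, kind, detail in events:
        role = ROLE_OF.get(user)
        key = (kind, token(kind, detail))
        if role and key in UNUSUAL_FOR.get(role, set()):
            seen[(host, user)].add(key)
    return [
        {"type": "anomaly", "host": h, "user": u, "score": len(keys), "chain": sorted(keys)}
        for (h, u), keys in seen.items()
        if len(keys) >= ANOMALY_THRESHOLD
    ]


def run_ids(events):
    """Hybrid mode: both passes over the same events."""
    return signature_alerts(events) + anomaly_alerts(events)


if __name__ == "__main__":
    for alert in run_ids(EVENTS):
        print(alert)
```

Run against the constructed events, the signature pass fires once (the /etc/passwd request to web-01), and the anomaly pass fires once for the accountant, whose PowerShell, backup-share access and cloud upload together reach the threshold; the sysadmin doing two of the same things scores nothing because those are normal for that role. Real deployments replace the hard-coded baseline with learned or policy-driven profiles, but the correlation idea is the same.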

IDS vs IPS: How do they differ?

An IPS (Intrusion Prevention System) goes beyond a detection system. While IDSs are spies that observe and report, the IPS has a “license to act”. Some consider them the next evolution, as they work in the same way (by signatures, anomalies, etc.), but the IPS adds the ability to act.
For example, an administrator installs an IPS like Fortigate which, like an IDS, detects something suspicious; let’s imagine a zero-day attack that is obviously not in the signatures, but which it has detected as an anomaly.
Instead of just reporting, it also acts, applying a “virtual patch” that, for the time being, limits the damage, such as cutting off traffic.
And why not just use an IPS instead of an IDS? In fact, many IDSs implement response capabilities to a greater or lesser extent, so the boundary between IDS and IPS is becoming increasingly blurred. However, it is not always “better” to have an IPS or to enable response capabilities, especially automated ones.
For example, in certain situations, IPS actions in the face of false positives can cut off services which, in critical environments (imagine a hospital), are a disaster, no matter how little downtime they involve. For this reason, we will always want IDS features in our security strategy, but we must plan well how to respond.
So it all depends. An IPS may be ideal for a machine with zero tolerance for intrusions and where possible downtime will not endanger lives, such as a redundant personal data backup server.
Obviously, a combination of IPS and IDS may be ideal, for example, installing the IPS on the outer perimeter to block known threats and possible zero days, while using an IDS on the internal network.
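The "it all depends" above is usually encoded as a response policy that sits between detection and action. The following added example (not code from Fortigate, Pandora FMS or any other product) shows one such policy: the same high-confidence signature alert is auto-blocked on a redundant backup server but only reported on a patient-critical gateway, and anomaly-based detections always stay in IDS mode until an analyst looks at them. The asset inventory, alert records and confidence threshold are constructed assumptions.

```python
"""Response policy: when an alert may become an automatic block.

Added illustration for this article; asset inventory, alerts and the
confidence threshold are constructed, not taken from any product.
"""

# Constructed asset inventory: which machines tolerate an automated block.
ASSETS = {
    "backup-srv-2": {"auto_block": True,  "why": "redundant backup server, downtime acceptable"},
    "acct-pc-07":   {"auto_block": True,  "why": "ordinary workstation"},
    "hl7-gateway":  {"auto_block": False, "why": "patient-critical, never cut automatically"},
}
AUTO_BLOCK_CONFIDENCE = 0.9  # only very confident signature hits are auto-blocked


def decide(alert):
    """Return ("block" | "alert", reason) for one alert.

    IPS behaviour (block) is used only where the asset tolerates it and the
    detection is a high-confidence signature. Anomaly detections and anything
    touching a zero-downtime asset stay in IDS mode (alert only).
    """
    asset = ASSETS.get(alert["host"], {"auto_block": False, "why": "unknown asset, default to alert"})
    if not asset["auto_block"]:
        return "alert", asset["why"]
    if alert["type"] == "anomaly":
        return "alert", "anomaly detections need analyst review before any block"
    if alert["confidence"] >= AUTO_BLOCK_CONFIDENCE:
        return "block", "high-confidence signature on an asset that tolerates downtime"
    return "alert", "signature confidence below auto-block threshold"


def triage(alerts):
    """Apply the policy to a batch; returns {alert id: (action, reason)}."""
    return {a["id"]: decide(a) for a in alerts}


# Constructed alerts: the same signature fires on two very different assets,
# plus one anomaly-based detection and one weak signature match.
ALERTS = [
    {"id": 1, "host": "backup-srv-2", "type": "signature", "confidence": 0.97, "msg": "known exploit attempt"},
    {"id": 2, "host": "hl7-gateway",  "type": "signature", "confidence": 0.97, "msg": "known exploit attempt"},
    {"id": 3, "host": "acct-pc-07",   "type": "anomaly",   "confidence": 0.80, "msg": "unusual chain for role"},
    {"id": 4, "host": "acct-pc-07",   "type": "signature", "confidence": 0.60, "msg": "weak signature match"},
]

if __name__ == "__main__":
    for alert_id, (action, reason) in triage(ALERTS).items():
        print(alert_id, action, "-", reason)
```

Only alert 1 results in a block; alerts 2, 3 and 4 are reported for a human to handle, and an alert for a host missing from the inventory defaults to alert-only rather than to blocking. The inventory is the part worth maintaining carefully, since it is what keeps a false positive from taking down the hospital's gateway.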

The best Open Source and commercial IDS solutions

If we have convinced ourselves of the need for an IDS, we have quite a few options, both open source and commercial. Here is a small comparison, to start exploring which one is best suited to our situation.

Tool: Snort
Type: NIDS/IPS
Key features:
  – Signature-based, with IPS capability.
  – Customizable rules.
  – Low resource consumption.
Use cases: SMEs, networks with moderate traffic.
License: Open Source (GPLv2)

Tool: Suricata
Type: NIDS/IPS
Key features:
  – Multi-threading (high performance).
  – JSON logging and support for encrypted protocols (TLS).
  – Has an IPS mode.
Use cases: High-throughput (>10 Gbps) enterprise networks. Suricata is very good, but will burden modest infrastructures.
License: Open Source (GPLv2)

Tool: Zeek NSM
Type: NIDS
Key features:
  – Forensic approach (detailed logs).
  – Flexible and adaptable, but requires knowledge.
  – Custom scripting.
Use cases: Post-incident forensic analysis, large companies, universities, organizations dedicated to research or requiring an exhaustive analysis of the network.
License: Open Source (BSD)

Tool: OSSEC
Type: HIDS/IPS
Key features:
  – Log and file integrity monitoring.
  – Client-server architecture.
  – Use of Machine Learning.
  – Ability to create custom active responses with scripts.
Use cases: Being host-based, it is ideal for monitoring critical endpoints (servers, network equipment…).
License: Open Source (GPLv2)

Tool: Cisco Firepower
Type: NIDS/IPS
Key features:
  – Physical firewall.
  – Real-time threat prevention with the power of Cisco.
Use cases: Typically used by large corporations (although certain models such as the 1000 series are designed for SMBs) and multi-cloud environments.
License: Commercial

Tool: Trellix IPS
Type: NIDS/IPS
Key features:
  – Capabilities beyond signature-based analysis.
  – Threat detection with AI.
  – On-premises and multi-cloud capabilities.
  – Encrypted traffic analysis (SSL/TLS).
Use cases: It is positioned as a complete solution, not just an IDS, comparable to CrowdStrike or SentinelOne.
License: Commercial

Implementing an IDS in a security strategy

Integrating an IDS into our security strategy is not a plug-and-play project, and it requires:

  • Analyzing our needs.
  • Selecting the appropriate IDS according to those needs.
  • Deciding on the location of the IDS (usually at the outer perimeter, at critical points inside the network, and a HIDS on critical machines).
  • Integrating it with the rest of the infrastructure, such as a SIEM, which can perform actions, correlate and unify everything.
  • Configuring the IDS.
  • Testing and adjusting, basically so that we don’t miss anything and we don’t get flooded with false positives.

The network topology will determine where it is best to place the IDS and how we will capture traffic:

  • With a TAP (Network TAP) we capture all traffic; it is ideal for critical networks, but the cost is high, as it uses dedicated hardware that copies the traffic for monitoring without degrading network performance.
  • With port mirroring we reduce this cost and simplify deployment, as many switches support it, but under heavy traffic we can lose packets and introduce latency.

In order to reduce false positives, we should:

  • Review the rules and alert thresholds, because what is normal for some is a sign of threat for others.
  • Monitor and review, especially at the beginning, to see if these rules are well adapted.
  • Train personnel to interpret these rules and decide on actions.
  • Update regularly, with the latest signatures and rules of the chosen IDS.
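Reviewing rules and thresholds is easier with a quick pass over the alert export. The added example below (written for this article, not a feature of any IDS) groups a constructed batch of alerts by rule, and classifies each rule as a candidate to suppress (it only ever fires for an authorized scanner), to threshold (it fires broadly across many internal sources, which usually means a benign baseline), or to keep. The alert line format, rule names, addresses and cut-offs are all constructed assumptions.

```python
"""Finding the rules that generate noise before they flood the SOC.

Added illustration for this article, not tooling from any IDS product.
The alert export, rule names, addresses and cut-offs are constructed.
"""
from collections import defaultdict

# Constructed alert export, one alert per line: timestamp,rule,src,dst
ALERT_LINES = """\
2024-05-01T08:00:01,R1001 port-sweep,10.0.5.9,10.0.1.10
2024-05-01T08:00:02,R1001 port-sweep,10.0.5.9,10.0.1.11
2024-05-01T08:00:03,R1001 port-sweep,10.0.5.9,10.0.1.12
2024-05-01T08:10:00,R2002 dns-nonstandard-port,10.0.2.21,10.0.1.53
2024-05-01T08:10:05,R2002 dns-nonstandard-port,10.0.2.22,10.0.1.53
2024-05-01T08:10:09,R2002 dns-nonstandard-port,10.0.2.23,10.0.1.53
2024-05-01T08:10:14,R2002 dns-nonstandard-port,10.0.2.24,10.0.1.53
2024-05-01T08:10:20,R2002 dns-nonstandard-port,10.0.2.25,10.0.1.53
2024-05-01T09:30:00,R3003 etc-passwd-in-uri,203.0.113.7,10.0.1.80
"""

# Constructed: the one host allowed to look like an attacker (authorized scanner).
KNOWN_BENIGN_SOURCES = {"10.0.5.9"}
NOISY_TOTAL = 5     # alerts per rule before we call it noisy...
NOISY_SOURCES = 3   # ...and spread across at least this many sources


def parse_alerts(text):
    """Parse the CSV-style export into dicts; blank lines are ignored."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rule, src, dst = line.split(",")
        alerts.append({"ts": ts, "rule": rule, "src": src, "dst": dst})
    return alerts


def tuning_report(alerts):
    """Classify each rule as suppress / threshold / keep, with a reason."""
    by_rule = defaultdict(list)
    for a in alerts:
        by_rule[a["rule"]].append(a)
    report = {}
    for rule, hits in by_rule.items():
        sources = {h["src"] for h in hits}
        if sources <= KNOWN_BENIGN_SOURCES:
            report[rule] = ("suppress", f"only fires for authorized sources {sorted(sources)}")
        elif len(hits) >= NOISY_TOTAL and len(sources) >= NOISY_SOURCES:
            report[rule] = ("threshold", f"{len(hits)} hits from {len(sources)} sources; rate-limit per source")
        else:
            report[rule] = ("keep", f"{len(hits)} hit(s) from {sorted(sources)}")
    return report


if __name__ == "__main__":
    for rule, (action, reason) in tuning_report(parse_alerts(ALERT_LINES)).items():
        print(f"{action:9} {rule}: {reason}")
```

On the constructed export, the port-sweep rule is a suppression candidate for the scanner's address only (not globally: the same rule from any other source should still fire), the DNS rule is a thresholding candidate, and the single /etc/passwd hit from an external address is exactly the kind of alert we keep. Re-running this kind of report after each rule update is the "monitor and review" step in practice.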

Advantages and disadvantages of a cybersecurity IDS

The great advantage of an IDS is that it provides us with an enormous amount of information, while its great disadvantage is that, if we do not manage it well, it can overwhelm us with noise, affecting the operation of the IT infrastructure with false positives and the deployment of unnecessary measures that cause interruptions.
However, the benefits of an IDS are clear:

  • It gives us Odin’s total vision of what is happening.
  • We comply with security regulations.
  • We reduce incident response time.

Meanwhile, its main challenges and limitations, in addition to false positives, are:

  • It is complex to integrate with other security systems.
  • IDSs are only as good as their signature files, rules and the Machine Learning they apply.

In the end, turning our IT infrastructure into a police state is not simple, but today there is no alternative and, with all this, George Orwell will look down on us, because he wrote a warning and not an instruction manual…. Except when it comes to cybersecurity. So, we’d better imitate Big Brother with an IDS.
