An intrusion detection system (IDS) is security software designed to automatically alert administrators when someone or something is trying to compromise an information system, whether through malicious activity such as a DDoS attack or through a security policy violation.

An IDS works by monitoring system activity: it examines the system for known vulnerabilities, checks the integrity of files, and analyzes traffic and behaviour for patterns that match already known attacks. It also automatically checks the Internet for the latest threat information, so that a newly published attack can be recognized before it is used against the system.

Detection Methods

An IDS can only detect an attack; it cannot prevent one. In contrast, an intrusion prevention system (IPS) detects attacks and stops them before they reach the target.

An attack is an attempt to compromise confidentiality, integrity, or availability.
The two primary methods of detection are signature-based and anomaly-based. Any type of IDS (HIDS or NIDS) can detect attacks based on signatures, anomalies, or both.

A HIDS monitors the network traffic reaching its host's NIC, and a NIDS monitors the traffic on the network segment it is attached to.
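The two detection methods side by side, as an added example that is not part of the original article: the log lines, the signature rules and the threshold factor are all constructed for this illustration. Signature-based detection matches each request against regular expressions for known attack patterns; anomaly-based detection first learns a baseline (mean requests per client) from a known-good window and then flags any client that deviates from it by more than a chosen factor.

```python
import re
from collections import Counter

# Constructed web-server access lines in the form "<client ip> <method> <path> <status>".
# These are made up for the example and come from no real system.
NORMAL_LOG = [
    "10.0.0.5 GET /index.html 200",
    "10.0.0.5 GET /about.html 200",
    "10.0.0.7 GET /index.html 200",
    "10.0.0.7 GET /login 200",
    "10.0.0.8 GET /index.html 200",
    "10.0.0.8 GET /contact 200",
]

OBSERVED_LOG = [
    "10.0.0.5 GET /index.html 200",
    "10.0.0.5 GET /contact 200",
    "10.0.0.9 GET /index.php?id=1' OR '1'='1 500",
    "10.0.0.9 GET /../../etc/passwd 404",
    "10.0.0.9 GET /admin 404",
    "10.0.0.9 GET /backup 404",
    "10.0.0.9 GET /old 404",
    "10.0.0.9 GET /test 404",
    "10.0.0.9 GET /dev 404",
    "10.0.0.9 GET /tmp 404",
    "10.0.0.7 GET /login 200",
]

# Signature-based detection: each rule is a regular expression describing a
# pattern of a known attack class (hypothetical rules written for this example).
SIGNATURES = {
    "sql_injection": re.compile(r"'\s*(or|and)\s*'", re.IGNORECASE),
    "path_traversal": re.compile(r"\.\./"),
}


def signature_detect(lines):
    """Return (line, rule_name) for every line that matches a known-attack signature."""
    hits = []
    for line in lines:
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits.append((line, name))
    return hits


def learn_baseline(lines):
    """Anomaly-based detection, step 1: mean requests per client in a known-good window."""
    counts = Counter(line.split()[0] for line in lines)
    return sum(counts.values()) / len(counts)


def anomaly_detect(lines, baseline_mean, factor=3.0):
    """Anomaly-based detection, step 2: flag clients whose request count exceeds
    factor x the learned mean (factor is an assumed tuning parameter)."""
    counts = Counter(line.split()[0] for line in lines)
    return {src: n for src, n in counts.items() if n > factor * baseline_mean}


if __name__ == "__main__":
    baseline = learn_baseline(NORMAL_LOG)
    for line, rule in signature_detect(OBSERVED_LOG):
        print(f"signature alert [{rule}]: {line}")
    for src, n in anomaly_detect(OBSERVED_LOG, baseline).items():
        print(f"anomaly alert: {src} made {n} requests (baseline mean {baseline:.1f})")
```

The two methods fire on different evidence. The signature matcher catches exactly two requests from 10.0.0.9, however many or few there are; the six probes for unknown paths match no rule and would be missed by signatures alone. The anomaly detector knows nothing about attack syntax but flags 10.0.0.9 because eight requests is far above the learned mean of two per client, which is why the article recommends products that combine both methods.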

Host-Based Intrusion Detection System (HIDS)

A host-based intrusion detection system (HIDS) is additional software installed on a system such as a workstation or a server.

It protects the individual host: it can detect potential attacks against that host and protect critical operating system files.

The role of a host intrusion detection system is passive: it only gathers, identifies, logs, and alerts.

The primary goal of any IDS is to monitor traffic. For a HIDS, this traffic passes through the network interface card (NIC). Many host-based IDSs have expanded to monitor application activity on the system.

As one example, you can install a HIDS on different Internet-facing servers, such as web servers, mail servers, and database servers. In addition to monitoring the network traffic reaching the servers, the HIDS can also monitor the server applications.

It’s worth stressing that a HIDS can help detect malicious software (malware) that traditional anti-virus software might miss.

Because of this, many organizations install a HIDS on every workstation as an extra layer of protection, in addition to traditional anti-virus software. Just as the HIDS on a server is used primarily to monitor network traffic, a workstation HIDS is mainly used to monitor network traffic reaching the workstation. However, a HIDS can also monitor some applications and can protect local resources such as operating system files. In other organizations, administrators only install a HIDS when there’s a perceived need.

For example, if an administrator is concerned that a specific server with proprietary data is at increased risk of an attack, the administrator might choose to install a HIDS on this system as an extra layer of protection.

In a SYN flood, the attacker sends many TCP SYN packets but never completes the three-way handshake. Each uncompleted (half-open) session consumes resources on the server, and if the SYN flood attack continues, it can crash the server.

Some servers reserve a certain number of resources for connections, and once the attack consumes these resources, the system blocks additional connections. Instead of crashing the server, the attack prevents legitimate users from connecting to the server.

IDSs and IPSs can detect a SYN flood attack and respond to block the attack. Additionally, many firewalls include a flood guard that can detect SYN flood attacks and take steps to close the half-open sessions.
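The detection and flood-guard response described above, as an added example that is not part of the original article: the packet summaries, the per-source threshold and the timeout are all constructed for the illustration. The code replays server-side handshake events, keeps the sessions that never received the client's final ACK, alerts on any source holding too many of them, and lists the stale ones a flood guard would reset to free the server's connection resources.

```python
from collections import Counter

# Constructed server-side packet summaries: (timestamp, client ip, client port, tcp flag).
# Two clients complete the three-way handshake; a third sends 200 SYNs and never answers.
# Made up for this example, not real capture data.
PACKETS = [
    (0.0, "10.0.0.5", 40001, "SYN"),
    (0.1, "10.0.0.5", 40001, "ACK"),   # final ACK of the handshake: session established
    (0.2, "10.0.0.7", 40002, "SYN"),
    (0.3, "10.0.0.7", 40002, "ACK"),
] + [(1.0 + i * 0.01, "198.51.100.9", 50000 + i, "SYN") for i in range(200)]


def replay_handshakes(packets):
    """Track half-open sessions: a SYN opens one, the client's ACK completes (removes) it.
    Returns {(client ip, client port): time the SYN arrived} for sessions still half-open."""
    pending = {}
    for ts, src, sport, flag in packets:
        key = (src, sport)
        if flag == "SYN":
            pending[key] = ts
        elif flag == "ACK":
            pending.pop(key, None)
    return pending


def half_open_per_source(pending):
    """Count half-open sessions per client address."""
    return Counter(src for src, _ in pending)


def detect_syn_flood(pending, threshold=100):
    """Alert on any source holding at least `threshold` half-open sessions (assumed threshold)."""
    return {src: n for src, n in half_open_per_source(pending).items() if n >= threshold}


def sessions_to_close(pending, now, timeout=5.0):
    """Flood-guard behaviour: half-open sessions older than `timeout` seconds (assumed value)
    should be dropped so their resources return to the pool for legitimate clients."""
    return sorted(key for key, ts in pending.items() if now - ts >= timeout)


if __name__ == "__main__":
    pending = replay_handshakes(PACKETS)
    print("half-open sessions:", len(pending))
    print("SYN flood sources:", detect_syn_flood(pending))
    print("sessions to reset at t=10s:", len(sessions_to_close(pending, now=10.0)))
```

The two legitimate clients leave nothing behind because their ACKs removed their entries; only the flooding source is counted. Note that a real flood usually spoofs many source addresses, so a production detector also watches the total number of half-open sessions on the server, not just the per-source count shown here.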

Network-Based Intrusion Detection System (NIDS)
