Intrusion Detection Part — 1

Update: This article is part of a series. Check out the full series: Part 1, Part 2, Part 3, Part 4, Part 5!

NIST Says: “Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices” (, 2014)

Put simply, an IDS is a mechanism that helps you detect something abnormal, i.e. an intrusion into the defined boundaries that constitute a system.

The key part to understand is the methodology on which your intrusion detection system works.

Intrusion Detection Methodology

There are three methodologies used to drive an intrusion detection system. Most intrusion detection systems rely on one of these approaches, or sometimes on a combination of them:

1. Stateful protocol analysis

2. Anomaly based detection

3. Signature based detection

Signature Based Detection

This is the simplest and a very effective method of detecting known threats. A signature is a pattern that corresponds to a known threat; signature based detection is the process of comparing signatures against observed events to identify possible incidents.

Anomaly Based Detection

Anomaly based detection is the process of comparing definitions of what activity is considered normal against the observed events, in order to identify significant deviations. Anomaly based intrusion detection systems use profiles that represent the normal behavior of such things as users, hosts, network connections or applications (, 2014). These profiles are developed by monitoring typical activity over a period of time.

The major benefit of anomaly-based detection systems is that they can be much more effective at detecting previously unknown threats. For example, suppose that a computer becomes infected with a new type of malware.

Signature based detection, by contrast, cannot detect previously unknown threats, because no signature exists for them yet.

Stateful Protocol Analysis

In comparison with anomaly based intrusion detection systems, which use host- or network-specific profiles, the Stateful Protocol Analysis methodology relies on vendor-developed comprehensive profiles that specify how particular protocols should and should not be used.

We can therefore define Stateful Protocol Analysis as the process of comparing observed protocol activity against predetermined profiles of generally accepted protocol definitions in order to identify deviations.
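To make the three methodologies concrete, here is an added Python example (not part of the original article) that applies each one to a few constructed connection records: a signature match on decoded payloads, a per-host anomaly profile learned from a training window, and a stateful check that flags data sent before a TCP three-way handshake has completed. The field names, patterns, threshold and sample values are assumptions chosen for illustration.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample records, one per observed connection, carrying a few of the
# fields an IDS records (source address, bytes transferred, decoded payload).
TRAINING = [{"src": "10.0.0.5", "bytes": b} for b in (480, 510, 495, 505, 520)]
EVENTS = [
    {"src": "10.0.0.5", "bytes": 500, "payload": "GET /index.html"},
    {"src": "10.0.0.5", "bytes": 9000, "payload": "GET /index.html"},
    {"src": "10.0.0.5", "bytes": 505, "payload": "GET /../../etc/passwd"},
    {"src": "10.0.0.9", "bytes": 500, "payload": "GET /index.html"},
]

# 1. Signature-based: compare each decoded payload against patterns of known threats.
SIGNATURES = {"path-traversal": re.compile(r"\.\./"),
              "sqli-union": re.compile(r"union\s+select", re.I)}

def signature_matches(event):
    return [name for name, pat in SIGNATURES.items() if pat.search(event["payload"])]

# 2. Anomaly-based: learn a per-host profile of normal bytes per connection from a
# training window, then flag records that deviate significantly from it.
def build_profile(training):
    by_host = defaultdict(list)
    for e in training:
        by_host[e["src"]].append(e["bytes"])
    return {h: (statistics.mean(v), statistics.pstdev(v) or 1.0) for h, v in by_host.items()}

def is_anomalous(event, profile, k=3.0):
    if event["src"] not in profile:
        return True  # host never seen while profiling: no baseline, so a deviation
    mean, sd = profile[event["src"]]
    return abs(event["bytes"] - mean) > k * sd

# 3. Stateful protocol analysis: follow each TCP connection through the handshake
# and flag payload that arrives before the three-way handshake has completed.
NEXT_STATE = {("new", "SYN"): "syn_sent", ("syn_sent", "SYN-ACK"): "syn_received",
              ("syn_received", "ACK"): "established"}

def stateful_violations(segments):
    """segments: (connection id, TCP flags, carries data?) in arrival order."""
    state, violations = defaultdict(lambda: "new"), []
    for i, (conn, flags, has_data) in enumerate(segments):
        if has_data and state[conn] != "established":
            violations.append((i, conn, state[conn]))
        state[conn] = NEXT_STATE.get((state[conn], flags), state[conn])
    return violations
```

Note that the unseen host 10.0.0.9 is flagged by the anomaly check although its traffic matches no signature, which is exactly the complementary coverage the methodologies above describe.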

The Types of Intrusion Detection & Prevention Systems

So far we have spoken about the methods on which these systems work. Based on the types of intrusions they monitor, IDS & IPS can be categorized into:

1. Host Based Intrusion Detection System (HIDS)

2. Network Based Intrusion Detection System (NIDS)

3. Network Behavior Analysis

The most common and widely used are host and network based intrusion detection systems, and in our workshop we will explore a Network Based Intrusion Detection System, namely Snort!

Host Based Intrusion Detection System (HIDS)

Host based intrusion detection attempts to identify unauthorized, illicit, and anomalous behavior on a specific device only, rather than on the network.

HIDS generally involves an agent installed on each system that monitors and alerts on local OS and application activity, using a combination of signatures, rules, and heuristics to identify unauthorized activity. The role of a host IDS is passive: it only gathers, identifies, logs, and alerts.

Network Based Intrusion Detection System (NIDS)

Network based intrusion detection identifies unauthorized, illicit, and anomalous behavior based solely

They use a network tap, SPAN port, or hub to collect packets that traverse a given network, and analyze the captured data to flag any suspicious traffic. An intrusion detection system does not actively block network traffic. The role of a network IDS is passive: it only gathers, identifies, logs and alerts.

What is Intrusion Prevention System?

So far, we have mostly been explaining intrusion detection systems. If you have a clear understanding of how an intrusion detection system works, it is much easier to understand how an intrusion prevention system works.

An intrusion prevention system is a step ahead of an intrusion detection system. The role of an intrusion prevention system is to stop an intrusion, whereas an intrusion detection system only alerts when there is an intrusion in the system.

“Intrusion prevention follows the same process of gathering and identifying data and behavior, with the added ability to block (prevent) the activity. This can be done with Network and Host based intrusion detection systems” (, 2014).

Architecture of Intrusion Detection & Prevention Systems

The main question is how these systems are designed and how they work. The architecture of an intrusion detection system comprises several essential components.

There are four (4) main components of the architecture: sensors (or agents), a management server, a database server, and a console.

Sensor: Its job is to monitor and analyze activity. The term sensor is used for both intrusion detection and prevention systems that monitor networks. Multiple sensors can be configured within one network, depending on the system architecture.

Management server: A device that works centrally, receiving information from the sensors and managing them.

Database server: Its job is to store the event information recorded by the sensors, to be used later for reporting and for performing different kinds of analysis for security purposes.

Console: Provides access to the intrusion detection and prevention system; it can be described as the interface for administration and related activities and tasks.

Most consoles offer many features to assist administrators in their daily tasks, for example drill-down capabilities that let users examine individual alerts. For presentations to senior management, different types of graphs are drawn from the available information, in layers.

What is usually logged by IDS & IPS

This can be customized based on the type and features of your device. However, intrusion detection and prevention systems usually store the following types of information:

* Timestamp (usually date and time)

* Connection or session ID (typically a consecutive or unique number assigned to each TCP connection or to like groups of packets for connectionless protocols)

* Rating (e.g., priority, severity, impact, confidence)

* Network, transport, and application layer protocols

* Source and destination IP addresses

* Source and destination TCP or UDP ports, or ICMP types and codes

* Number of bytes transmitted over the connection

* Decoded payload data, such as application requests and responses

* State-related information (e.g., authenticated username)

* Prevention measures performed (in the case of an IPS)

Keeping your Box up to date

It is important to ensure that your intrusion detection and prevention systems are up to date with the newest feeds released by your vendor. This includes both software updates and fixes for the IDS or IPS itself and updates to its signatures so that it can detect new threats and attack vectors. An intrusion detection or prevention system without the latest feeds cannot help you secure your network or systems.

This has been an introduction to the types, design and methodologies that intrusion detection and prevention systems comprise. It gives you a clear picture of the forms and core mechanisms on which these devices work, and what we have explained in this module is consistent with the guidance of the best industry leaders in the field of information security. The upcoming module will cover Snort as an example product that is used as an intrusion detection and prevention system; however, we will focus on the architecture and design of Snort in module 2.

Originally published at
