An intrusion detection system (IDS) is either a device or a software application designed to monitor a network for malicious activity, policy violations, or any other attack that could compromise the security of the network.
IDS are classified by where detection takes place and by their purpose, separating them into network-based IDS and host-based IDS.
A host intrusion detection system (HIDS) monitors an individual host or device on the network by inspecting the inbound and outbound packets of that device and alerts either the user or the network administrator to suspicious activity.
IDS can also be classified by detection method, separating them into signature-based IDS and anomaly-based IDS.
Signature-based IDS look for specific, known patterns of attacks, while anomaly-based IDS build a model of normal network activity and compare all observed traffic against that model. Although they can detect previously unseen threats, anomaly-based IDS can produce a large number of false positives.
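To make the trade-off between the two detection methods concrete, the following Python script is an added example (not code from the original article) that runs both a signature matcher and a simple per-host byte-count anomaly detector over a constructed set of simplified request records. The signature list, the baseline records, the observed records and the z-score threshold are all constructed for illustration; the example shows the signature engine catching only a known pattern, and the anomaly engine catching an unknown large transfer but also flagging a legitimate large download, which is the false-positive behaviour described above.

```python
"""Signature-based vs anomaly-based detection over constructed request records.
Added example, not part of the original article. All data below is constructed."""
import re
import statistics

# Each record is (src_ip, dst_port, bytes_transferred, request_line) - constructed sample.
# Baseline: traffic assumed to be "normal" when the anomaly model was trained.
BASELINE = [
    ("10.0.0.5", 443, 1200, "GET /index.html"),
    ("10.0.0.5", 443, 1350, "GET /about.html"),
    ("10.0.0.5", 443, 1100, "GET /contact.html"),
    ("10.0.0.7", 443, 900, "GET /index.html"),
    ("10.0.0.7", 443, 1000, "GET /news.html"),
    ("10.0.0.7", 443, 1050, "GET /index.html"),
    ("10.0.0.9", 443, 1300, "GET /index.html"),
    ("10.0.0.9", 443, 1250, "GET /login.html"),
    ("10.0.0.9", 443, 1400, "GET /index.html"),
]

# Observed: records the IDS has to judge (constructed).
OBSERVED = [
    ("10.0.0.5", 443, 1250, "GET /index.html"),                          # ordinary request
    ("10.0.0.7", 443, 1020, "GET /search?q=1 UNION SELECT user,pass"),  # matches a known signature
    ("10.0.0.9", 443, 48000, "GET /reports/annual.pdf"),                 # legitimate but unusually large
    ("10.0.0.5", 443, 52000, "POST /upload unknown-tool/0.1"),           # unknown tool, unusually large
]

# Signature database: name -> compiled pattern (hypothetical, minimal set).
SIGNATURES = {
    "sqli_union_select": re.compile(r"union\s+select", re.IGNORECASE),
    "path_traversal": re.compile(r"\.\./\.\./"),
}


def signature_alerts(records):
    """Return (src_ip, signature_name) for every record matching a known pattern."""
    alerts = []
    for src, _port, _nbytes, request in records:
        for name, pattern in SIGNATURES.items():
            if pattern.search(request):
                alerts.append((src, name))
    return alerts


def build_baseline(records):
    """Per-host mean and standard deviation of bytes transferred in the baseline."""
    sizes_by_host = {}
    for src, _port, nbytes, _request in records:
        sizes_by_host.setdefault(src, []).append(nbytes)
    model = {}
    for src, sizes in sizes_by_host.items():
        mean = statistics.fmean(sizes)
        stdev = statistics.stdev(sizes) if len(sizes) > 1 else 0.0
        # Floor the deviation at 1 byte so a perfectly uniform host does not divide by zero.
        model[src] = (mean, max(stdev, 1.0))
    return model


def anomaly_alerts(records, model, z_threshold=3.0):
    """Return (src_ip, reason) for records that deviate from the host's baseline."""
    alerts = []
    for src, _port, nbytes, _request in records:
        if src not in model:
            # A host never seen during training has no baseline to compare against.
            alerts.append((src, "no baseline for host"))
            continue
        mean, stdev = model[src]
        z = (nbytes - mean) / stdev
        if abs(z) > z_threshold:
            alerts.append((src, f"bytes z-score {z:.1f}"))
    return alerts


def compare_detectors(baseline=BASELINE, observed=OBSERVED):
    """Run both detectors and return their alert lists side by side."""
    return {
        "signature": signature_alerts(observed),
        "anomaly": anomaly_alerts(observed, build_baseline(baseline)),
    }


if __name__ == "__main__":
    for method, alerts in compare_detectors().items():
        print(method, alerts)
```

Running the script shows the signature engine reporting only the `UNION SELECT` request, while the anomaly engine reports both large transfers: the unknown upload tool (a threat no signature describes) and the annual report download (a false positive). Real deployments tune the threshold, use richer features than byte counts, and usually combine both methods.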
A network intrusion detection system (NIDS) monitors traffic inside the network, to and from all devices on it, and alerts the network administrator to any suspicious activity. Because a network-based IDS responds more quickly and can monitor an entire network, it is more commonly used than a host-based IDS.
A network-based IDS is also easier to deploy, because the existing infrastructure does not need to change. Another benefit is that it detects threats in real time and logs possible attacks in a location that a compromised host cannot tamper with, whereas logs kept on a host-based IDS could otherwise be altered.
While a standard firewall can show which ports and IP addresses are used between devices on the network, a network-based IDS can be configured to inspect the specific content of the packets exchanged between those devices, which makes it very useful in network security.
An IDS only monitors network traffic; it does not block or prevent any attack, which is why an IDS is only one part of network security. Since an IDS monitors the network in real time, it suffers from a large number of false positives. An IDS also needs constant updating in order to detect the latest threats, and it is prone to protocol-based attacks that can force a network-based IDS to crash.
Intrusion prevention systems (IPS) are similar to intrusion detection systems, except that they also block the potential threats they detect.
Next generation intrusion detection systems/intrusion prevention systems
With the rising number of network-based attacks, both IDS and IPS have evolved in the last few years. The same applies to the other components of network security, including firewalls, malware protection, e-mail and web protection, Denial of Service (DoS) protection and more.
The so-called next-generation intrusion detection and prevention systems have been updated to offer network, application, identity and behaviour awareness. They build a knowledge base of the known devices, operating systems, applications and behaviour on the network, and use it to detect and prevent network attacks, allowing administrators to both monitor and block any suspicious activity.
Some of the well known next-generation IDS/IPS today include Cisco FirePOWER Next-Generation IPS (NGIPS), IBM Security Network Intrusion Prevention System, McAfee Network Security Platform and Trend Micro TippingPoint NGIPS.
The future of intrusion detection systems (IDS) and intrusion prevention systems (IPS)
As attacks evolve, network security needs to evolve as well in order to stay ahead of them. According to security analysts, machine learning is the best way forward, as it is a well-proven technique that has already been used in general security (for example, facial recognition).
Network-security companies can use, and already are using, machine learning, data mining and new pattern-recognition algorithms to separate normal traffic from malicious traffic on the network.
There is plenty of research on cybersecurity in the cognitive era, most of it concerned with machine learning, and that is clearly the direction in which IDS and IPS are heading.