This article is about the computing term. For other
uses, see Burglar alarm.
An Intrusion detection system (IDS) is
software and/or hardware designed to detect unwanted
attempts at accessing, manipulating, and/or disabling
of computer systems, mainly through a network, such
as the Internet. These attempts may take the form of
attacks, as examples, by crackers, malware and/or disgruntled
employees. An IDS cannot directly detect attacks within
properly encrypted traffic.
An intrusion detection system is used to detect
several types of malicious behaviors that can compromise
the security and trust of a computer system. This includes
network attacks against vulnerable services, data driven
attacks on applications, host based attacks such as
privilege escalation, unauthorized logins and access
to sensitive files, and malware (viruses, trojan horses,
An IDS can be composed of several components: Sensors
which generate security events, a Console to monitor
events and alerts and control the sensors, and a central
Engine that records events logged by the sensors in
a database and uses a system of rules to generate alerts
from security events received. There are several ways
to categorize an IDS depending on the type and location
of the sensors and the methodology used by the engine
to generate alerts. In many simple IDS implementations
all three components are combined in a single device
1 Types of Intrusion-Detection systems
system vs. reactive system
3 IDS evasion techniques
Types of Intrusion-Detection systems
In a network-based intrusion-detection system
(NIDS), the sensors are located at choke points
in network to be monitored, often in the demilitarized
zone (DMZ) or at network borders. The sensor captures
all network traffic and analyzes the content of individual
packets for malicious traffic. In systems, PIDS
and APIDS are used to monitor the transport and
protocols illegal or inappropriate traffic or constructs
of language (say SQL). In a host-based system, the sensor
usually consists of a software agent, which monitors
all activity of the host on which it is installed. Hybrids
of these two systems also exist.
A network intrusion detection system (NIDS)
is an independent platform which identifies intrusions
by examining network traffic and monitors multiple hosts.
Network Intrusion Detection Systems gain access
to network traffic by connecting to a hub, network switch
configured for port mirroring, or network tap. An example
of a NIDS is Snort.
A protocol-based intrusion detection system (PIDS)
consists of a system or agent that would typically sit
at the front end of a server, monitoring and analyzing
the communication protocol between a connected device
(a user/PC or system). For a web server this would typically
monitor the HTTPS protocol stream and understand the
HTTP protocol relative to the web server/system it is
trying to protect. Where HTTPS is in use then this system
would need to reside in the "shim" or interface between
where HTTPS is un-encrypted and immediately prior to
it entering the Web presentation layer.
An application protocol-based intrusion detection
system (APIDS) consists of a system or agent that
would typically sit within a group of servers, monitoring
and analyzing the communication on application specific
protocols. For example; in a web server with database
this would monitor the SQL protocol specific to the
middleware/business-login as it transacts with the database.
A host-based intrusion detection system (HIDS)
consists of an agent on a host which identifies
intrusions by analyzing system calls, application logs,
file-system modifications (binaries, password files,
capability/acl databases) and other host activities
and state. An example of a HIDS is OSSEC.
A hybrid intrusion detection system combines
two or more approaches. Host agent data is combined
with network information to form a comprehensive view
of the network. An example of a Hybrid IDS is Prelude.
Passive system vs. reactive system
In a passive system, the intrusion detection system
(IDS) sensor detects a potential security breach,
logs the information and signals an alert on the console
and or owner. In a reactive system, also known as an
intrusion prevention system (IPS), the IDS responds
to the suspicious activity by resetting the connection
or by reprogramming the firewall to block network traffic
from the suspected malicious source. This can happen
automatically or at the command of an operator.
Though they both relate to network security, an intrusion
detection system (IDS) differs from a firewall in
that a firewall looks outwardly for intrusions in order
to stop them from happening. Firewalls limit access
between networks to prevent intrusion and do not signal
an attack from inside the network. An IDS evaluates
a suspected intrusion once it has taken place and signals
an alarm. An IDS also watches for attacks that originate
from within a system. This is traditionally achieved
by examining network communications, identifying heuristics
and patterns (often known as signatures) of common computer
attacks, and taking action to alert operators. A system
which terminates connections is called an intrusion
prevention system, and is another form of an application
The term IDPS is commonly used to refer to hybrid security
systems that both "detect" and "prevent".
IDS evasion techniques
Intrusion detection system evasion techniques
bypass detection by creating different states on the
IDS and on the targeted computer. The adversary accomplishes
this by manipulating either the attack itself or the
network traffic that contains the attack.
A preliminary concept of an IDS began with James P.
Anderson and reviews of audit trails. An example
of an audit trail would be a log of user access.
Fred Cohen noted in 1984 (see Intrusion Detection) that
it is impossible to detect an intrusion in every case
and that the resources needed to detect intrusions grows
with the amount of usage.
Dorothy E. Denning, assisted by Peter Neuman, published
a model of an IDS in 1986 that formed the basis for
many systems today. Her model used statistics for
anomaly detection, and resulted in an early IDS at SRI
named the Intrusion detection expert system (IDES),
which ran on Sun Workstations and could consider both
user and network level data. IDES had a dual approach
with a rule-based Expert System to detect known types
of intrusions plus a statistical anomaly detection component
based on profiles of users, host systems, and target
systems. Lunt proposed adding an Artificial neural network
as a third component. She said all three components
could then report to a resolver. SRI followed IDES in
1993 with the Next-generation Intrusion Detection Expert
The Multics intrusion detection and alerting system
(MIDAS), an expert system using P-BEST and LISP, was
developed in 1988 based on the work of Denning and Neuman.
Haystack was also developed this year using statistics
to reduce audit trails.
Wisdom & sense (W&S) was a statistics-based anomaly
detector developed in 1989 at the Los Alamos National
Laboratory. W&S created rules based on statistical
analysis, and then used those rules for anomaly detection.
In 1990, the Time-based inductive machine (TIM) did
anomaly detection using inductive learning of sequential
user patterns in Common LISP on a VAX 3500 computer.
The Network Security Monitor (NSM) performed masking
on access matrices for anomaly detection on a Sun-3/50
workstation. The Information Security Officer's Assistant
(ISOA) was a 1990 prototype that considered a variety
of strategies including statistics, a profile checker,
and an expert system. ComputerWatch at AT&T Bell
Labs used statistics and rules for audit data reduction
and intrusion detection.
Then, in 1991, researchers at the University of California
created a prototype Distributed intrusion detection
system (DIDS), which was also an expert system.
The Network anomaly detection and intrusion reporter
(NADIR), also in 1991, was a prototype IDS developed
at the Los Alamos National Laboratory's Integrated Computing
Network (ICN), and was heavily influenced by the work
of Denning and Lunt. NADIR used a statistics-based
anomaly detector and an expert system.
The Lawrence Berkeley National Laboratory announced
Bro in 1998 which used its own rule language for packet
analysis from libpcap data. Network Flight Recorder
(NFR)in 1999 also used libpcap. APE was developed
as a packet sniffer, also using libpcap, in November,
1998, and was renamed Snort one month later.
The Audit data analysis and mining (ADAM) IDS in 2001
used tcpdump to build profiles of rules for classifications.