
A firewall is a gate. An IDS is a guard.

The gate blocks entry. The guard watches for trouble that got through—or trouble that started inside. An Intrusion Detection System monitors network traffic or system activities, looking for suspicious behavior, policy violations, or signs of compromise. When it spots something wrong, it raises an alarm.

The key word is watches. An IDS doesn't block anything. It observes and reports. This distinction matters more than it might seem.

Why Watch Instead of Block?

If blocking is better than watching, why not block everything suspicious?

Because "suspicious" is subjective. A firewall blocks based on clear rules: this port is closed, that IP is banned. But detecting an attack in progress requires interpretation. Is that port scan malicious reconnaissance or a legitimate network diagnostic tool? Is that unusual login an attacker or an employee working late from a new location?

Get it wrong with a firewall, and you block something that should have been allowed. Annoying, but recoverable. Get it wrong with an inline blocking system, and you might shut down business-critical traffic based on a false alarm.

IDS takes the conservative approach: watch everything, alert on anything suspicious, let humans decide what to do about it. The trade-off is obvious—an IDS won't stop an attack, only detect it. But detection with high confidence beats blocking with low confidence.

Network-Based IDS (NIDS)

A network-based IDS watches traffic flowing across the network. It typically connects to a switch's mirror port, receiving copies of all packets without sitting in the traffic path.

From this vantage point, NIDS sees everything traversing that network segment: connection attempts, data transfers, protocol anomalies, attack signatures. A single well-placed NIDS can monitor traffic for hundreds of systems.

What NIDS catches:

  • Port scans: Attackers probing for open services
  • Exploitation attempts: Traffic matching known attack patterns
  • Data exfiltration: Unusually large outbound transfers
  • Command-and-control traffic: Malware phoning home to attacker servers
  • Protocol violations: Traffic that doesn't follow expected patterns

What NIDS misses: encrypted traffic contents. NIDS can see that encrypted traffic exists—the connection metadata, the volume, the timing—but not what's inside. As more traffic becomes encrypted by default, this blind spot grows.

Host-Based IDS (HIDS)

A host-based IDS runs directly on a computer or server, watching that specific system from the inside.

HIDS monitors what NIDS cannot: system logs, file changes, running processes, registry modifications, system calls. It sees attacks that never touch the network—a malicious USB drive, a local privilege escalation, an insider threat.

HIDS also sees encrypted traffic after decryption. The endpoint is where encryption ends, so HIDS watches what NIDS is blind to.

The cost is scale. Every system needs its own HIDS installation. Every installation generates its own logs. In large environments, this creates management complexity and consumes resources on every protected machine.

How Detection Works: Signatures vs. Anomalies

Signature-based detection compares observed activity against a database of known attack patterns. An attack that sends a specific malformed packet, malware that uses a particular command protocol, exploitation that generates distinctive traffic—each gets a signature, and the IDS watches for matches.

Signatures work well against known threats. When one matches, you know exactly what you're dealing with. False positives are low for well-crafted signatures.

The limitation is fundamental: signatures only detect what's already been seen and cataloged. New attacks, custom malware, and creative variations slip through. An IDS with outdated signatures provides false confidence.

Anomaly-based detection learns what "normal" looks like, then alerts when something deviates significantly. Normal network traffic patterns, typical resource usage, expected user behaviors—the system builds baselines and watches for outliers.

Anomaly detection can catch attacks that don't match any signature, simply because they behave unusually. But "unusual" isn't "malicious." A scheduled backup, an employee working odd hours, a new application—all trigger alerts. Anomaly-based systems generate more false positives and require careful tuning.

Most serious IDS deployments use both approaches.
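As an added example (not the article's code), a toy detector that runs both approaches over constructed flow records: an exact-pattern signature check and a z-score outlier test against a learned outbound-volume baseline. The flow records, signatures and baseline values are all invented for illustration.

```python
"""Toy IDS engine: signature matching beside an anomaly baseline. Added example,
not code from the original article; FLOWS, SIGNATURES and BASELINE are constructed."""
import statistics

# Constructed flow records, as a NIDS on a mirror port might reassemble them.
FLOWS = [
    {"src": "10.0.0.5", "bytes_out": 1_100, "payload": b"GET /index.html"},
    {"src": "10.0.0.5", "bytes_out": 900, "payload": b"GET /login"},
    {"src": "10.0.0.8", "bytes_out": 1_000, "payload": b"GET /../../etc/passwd"},
    {"src": "10.0.0.9", "bytes_out": 1_300, "payload": b"GET /news"},
    {"src": "10.0.0.12", "bytes_out": 48_000_000, "payload": b"PUT /upload"},
]

# Constructed signatures: a cataloged byte pattern with a name and severity.
SIGNATURES = [
    {"name": "path-traversal-etc-passwd", "pattern": b"/etc/passwd", "severity": "high"},
    {"name": "sqli-union-select", "pattern": b"UNION SELECT", "severity": "high"},
]

# Constructed history of per-flow outbound bytes that "normal" was learned from.
BASELINE = [1_000, 1_200, 900, 1_100, 1_300, 1_000, 950, 1_050]

def signature_alerts(flows):
    """Signature detection: a match names the attack exactly, but anything
    absent from SIGNATURES (a new or customized attack) passes unseen."""
    alerts = []
    for flow in flows:
        for sig in SIGNATURES:
            if sig["pattern"] in flow["payload"]:
                alerts.append({"type": "signature", "name": sig["name"],
                               "severity": sig["severity"], "src": flow["src"]})
    return alerts

def anomaly_alerts(flows, baseline, z_max=3.0):
    """Anomaly detection: flag outbound volume far above the learned baseline.
    A large but legitimate backup would trip this too; that is the tuning cost."""
    mean = statistics.mean(baseline)
    stdev = statistics.pstdev(baseline) or 1.0  # guard against a flat baseline
    alerts = []
    for flow in flows:
        z = (flow["bytes_out"] - mean) / stdev
        if z > z_max:
            alerts.append({"type": "anomaly", "name": "outbound-volume-outlier",
                           "severity": "medium", "src": flow["src"], "z": round(z, 1)})
    return alerts

def run_ids(flows=FLOWS, baseline=BASELINE):
    """Combine both detectors, as most serious deployments do."""
    return signature_alerts(flows) + anomaly_alerts(flows, baseline)
```

Note that the 48 MB upload from 10.0.0.12 matches no signature and is caught only by the baseline, while the traversal attempt from 10.0.0.8 is an ordinary-sized flow that only the signature sees.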

The Alert Fatigue Problem

Here's the uncomfortable truth about IDS: most organizations drown in alerts.

A busy network generates thousands or tens of thousands of IDS alerts daily. Most are false positives or low-severity events. The actual threats—the alerts that matter—hide in the noise.

This creates a perverse outcome. The IDS technically "detects" the breach. The alert fires. But it's alert number 4,847 that day, and the security team is already overwhelmed. Nobody investigates until the damage is done.

Effective IDS deployment requires alert management:

  • Correlation: Combining related alerts to reveal patterns. Individual alerts might seem insignificant; together they show a coordinated attack.
  • Prioritization: Not every alert deserves immediate attention. Focus on high-confidence, high-severity events.
  • Tuning: Reducing false positives over time so real threats stand out.
  • SIEM integration: Security Information and Event Management systems aggregate alerts from multiple sources, providing centralized analysis.

Without this, IDS becomes the security tool that cried wolf.
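As an added example (not from the article), a small triage pipeline over a constructed alert stream: tuning drops a known-noisy (source, rule) pair, correlation groups one source's alerts into incidents by time window, and prioritization scores each incident so a multi-stage sequence from one source outranks isolated low-severity alerts. The alerts, suppression list and scoring weights are invented.

```python
"""Alert correlation and prioritization over a raw IDS alert stream. Added example,
not from the original article; ALERTS, SUPPRESS and the scoring weights are constructed."""
from collections import defaultdict

# Constructed raw alerts: ts in seconds, source, rule name, severity 1-5, confidence 0-1.
ALERTS = [
    {"ts": 100, "src": "203.0.113.5", "rule": "port-scan", "sev": 1, "conf": 0.6},
    {"ts": 130, "src": "203.0.113.5", "rule": "ssh-auth-failure", "sev": 1, "conf": 0.5},
    {"ts": 220, "src": "203.0.113.5", "rule": "web-exploit-attempt", "sev": 3, "conf": 0.9},
    {"ts": 250, "src": "203.0.113.5", "rule": "outbound-c2-beacon", "sev": 4, "conf": 0.8},
    {"ts": 300, "src": "10.0.0.50", "rule": "icmp-ping-sweep", "sev": 1, "conf": 0.3},
    {"ts": 900, "src": "198.51.100.9", "rule": "port-scan", "sev": 1, "conf": 0.6},
    {"ts": 8000, "src": "198.51.100.9", "rule": "ssh-auth-failure", "sev": 1, "conf": 0.5},
]

# Tuning: (source, rule) pairs classed as noise, e.g. the monitoring host's own sweeps.
SUPPRESS = {("10.0.0.50", "icmp-ping-sweep")}

def tune(alerts):
    """Drop alerts that tuning has classed as noise so real threats stand out."""
    return [a for a in alerts if (a["src"], a["rule"]) not in SUPPRESS]

def correlate(alerts, window=600):
    """Group each source's alerts into incidents; a silence longer than the
    window (seconds) between two alerts starts a new incident."""
    by_src = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_src[a["src"]].append(a)
    incidents = []
    for src, items in by_src.items():
        current = [items[0]]
        for a in items[1:]:
            if a["ts"] - current[-1]["ts"] > window:
                incidents.append({"src": src, "alerts": current})
                current = []
            current.append(a)
        incidents.append({"src": src, "alerts": current})
    return incidents

def prioritize(incidents):
    """Score = strongest (severity x confidence) plus 0.5 per extra distinct rule:
    several different stages from one source look coordinated, not merely noisy."""
    for inc in incidents:
        top = max(a["sev"] * a["conf"] for a in inc["alerts"])
        stages = len({a["rule"] for a in inc["alerts"]})
        inc["score"] = round(top + 0.5 * (stages - 1), 2)
    return sorted(incidents, key=lambda i: i["score"], reverse=True)

def triage(alerts=ALERTS):
    return prioritize(correlate(tune(alerts)))
```

Run stand-alone, `triage()` returns three incidents: the four-stage sequence from 203.0.113.5 at the top, then two separate single-alert incidents from 198.51.100.9, because its two alerts are more than a window apart.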

IDS vs. IPS

An Intrusion Prevention System (IPS) is an IDS that fights back.

Where IDS watches from a mirror port, IPS sits inline in the traffic path. When it detects an attack, it can drop the malicious packets, reset the connection, or block the source IP entirely.

IPS provides more complete protection—it prevents attacks rather than just detecting them. But false positives hit harder. An IDS false positive is an unnecessary alert. An IPS false positive blocks legitimate traffic, potentially disrupting business operations.

Many modern systems offer both modes. Run in IDS mode while tuning and building confidence. Switch to IPS mode once you trust the detection accuracy.

Attackers Know IDS Exists

Sophisticated attackers design their attacks with IDS in mind.

Encryption hides attack traffic from NIDS entirely. Fragmentation splits attacks across packets in ways IDS might not reassemble correctly. Polymorphic malware changes its code with each execution, evading signature matching. Slow attacks spread activity over days or weeks, staying under anomaly thresholds.

This isn't a reason to skip IDS—it's a reason to layer defenses. IDS catches the attacks that aren't carefully designed to evade it, which is most of them. The sophisticated attacks that evade IDS might trip other defenses, or leave traces in logs, or eventually make enough noise to trigger anomaly detection.

Perfect detection is impossible. Useful detection isn't.

Placement Strategy

Where you put IDS determines what you see.

Network perimeter: Detect inbound attacks before they reach internal systems. Monitor outbound traffic for data exfiltration or malware callbacks.

Between segments: Watch traffic crossing internal boundaries. Detect lateral movement—attackers who got in and are now exploring.

Critical servers: HIDS on systems handling sensitive data provides host-level visibility where it matters most.

DMZ: The semi-trusted zone between your network and the Internet deserves dedicated monitoring.

Layered placement provides defense in depth. An attack that evades perimeter detection might trigger alerts when it moves laterally.

Monitoring the Monitor

IDS itself needs watching.

A sudden drop in alert volume might mean improved security. It might also mean the IDS failed silently. Monitor system health—CPU, memory, disk, network connectivity. Verify signature databases are updating. Check that packet capture rates match expected traffic volumes.

For anyone running monitoring services, IDS operational status is as important as the alerts it generates. A blind guard is worse than no guard—it creates false confidence.
