Intrusion Detection Systems

An Intrusion Detection System (IDS) is used to detect unauthorized attempts to access and manipulate computer systems, whether locally, through the Internet, or through an intranet. It can detect several types of attacks and malicious behaviours that compromise the security of a network and its computers: network attacks against vulnerable services, unauthorized logins and access to sensitive data, and malware (viruses, worms, and so on). An IDS also detects attacks that originate from within a system. In most cases, an IDS has three main components: sensors, a console, and an engine. Sensors generate security events. The console is used to monitor events and to alert and control the sensors. The engine records events and generates security alerts based on the events it receives. In many IDS implementations, these three components are combined into a single device. The two main types of IDS are:

Network-based IDS: A Network-based Intrusion Detection System (NIDS) analyzes data packets flowing through a network. It can detect malicious packets that are designed to slip past a firewall's simplistic filtering rules. It is responsible for detecting anomalous or inappropriate data that may be considered 'unauthorized' on a network. A NIDS captures and inspects all traffic on the monitored segment, regardless of whether a firewall would permit that traffic.
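The inspection a NIDS performs, reduced to its essentials as an added example (this is not code from the page or from any IDS product): a few constructed packet records are checked against two constructed rules, one keyed on protocol and destination port, the other on payload content carried over a port a firewall would normally allow. The names `Packet`, `Rule` and `inspect` are this example's own.

```python
"""Minimal signature-based traffic inspector, modelled on what a NIDS does.

Added example. The packet records and the rules below are constructed for
illustration; they are not from any real capture or rule set.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes = b""


@dataclass
class Rule:
    name: str
    proto: Optional[str] = None      # match any protocol when None
    dport: Optional[int] = None      # match any destination port when None
    content: Optional[bytes] = None  # byte string that must appear in the payload

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.content is not None and self.content not in pkt.payload:
            return False
        return True


def inspect(packets, rules):
    """Return (rule name, packet) pairs for every packet that matches a rule.

    Every packet is examined; whether a firewall would have permitted it
    does not matter to the sensor."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule.matches(pkt):
                alerts.append((rule.name, pkt))
    return alerts


# Constructed rules: a port/protocol policy rule and a content signature
# (a traversal pattern inside an otherwise permitted HTTP request).
RULES = [
    Rule("telnet-to-internal-host", proto="tcp", dport=23),
    Rule("http-path-traversal", proto="tcp", dport=80, content=b"../"),
]

# Constructed sample traffic: one benign request, one request that the
# firewall allows (port 80) but that carries a suspicious path, one telnet
# connection, and one DNS query that matches nothing.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.20", 80, "tcp", b"GET /index.html HTTP/1.1"),
    Packet("10.0.0.5", "10.0.0.20", 80, "tcp", b"GET /../../config HTTP/1.1"),
    Packet("10.0.0.7", "10.0.0.20", 23, "tcp", b""),
    Packet("10.0.0.7", "10.0.0.20", 53, "udp", b"\x00\x01"),
]

if __name__ == "__main__":
    for name, pkt in inspect(SAMPLE, RULES):
        print(f"ALERT {name}: {pkt.src} -> {pkt.dst}:{pkt.dport}")
```

The second sample packet is the case the paragraph describes: a port-based firewall rule lets it through because port 80 is allowed, and only payload inspection by the sensor flags it.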

Host-Based IDS: A Host-based Intrusion Detection System (HIDS) runs on the system it monitors. A HIDS sees only the data directed to or originating from the particular system on which it is installed. Besides inspecting that network traffic for attacks, it can also monitor other parameters of the system, such as running processes, file system access and integrity, and user logins, to identify malicious activity. BlackIce Defender and Tripwire are good examples of HIDS. Tripwire is a HIDS tool that automatically calculates cryptographic hashes of all system files, as well as any other files that a network administrator wants to monitor for modification. It then periodically rescans all monitored files, recalculates the hashes, and compares them with the stored values to determine whether the files have been modified. It raises an alarm if changes are detected.
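The Tripwire-style integrity check described above, written out as an added example (this is not Tripwire's code): a baseline of SHA-256 digests is stored for the monitored files, and a later scan recomputes the digests and reports files that were modified, removed or newly added. The function names `build_baseline`, `scan` and `demo`, and the files the demo creates in a temporary directory, are constructed for this example.

```python
"""File-integrity monitor in the style of Tripwire (added example).

A baseline maps each monitored path to its SHA-256 digest. A later scan
recomputes the digests and reports what changed since the baseline.
"""
import hashlib
import json
import os
import tempfile


def file_digest(path, algo="sha256", chunk=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths):
    """Snapshot the digests of the files the administrator wants watched."""
    return {p: file_digest(p) for p in paths if os.path.isfile(p)}


def save_baseline(baseline, store):
    with open(store, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(store):
    with open(store) as f:
        return json.load(f)


def scan(baseline, paths):
    """Compare the current state of `paths` with the stored baseline.

    Returns a report with the monitored files that were modified, the
    monitored files that are now missing, and files present now that were
    not in the baseline."""
    current = build_baseline(paths)
    report = {"modified": [], "missing": [], "new": []}
    for p, digest in baseline.items():
        if p not in current:
            report["missing"].append(p)
        elif current[p] != digest:
            report["modified"].append(p)
    report["new"] = [p for p in current if p not in baseline]
    return report


def demo():
    """Constructed scenario: baseline two files, then modify one, delete the
    other, and add a third before rescanning."""
    d = tempfile.mkdtemp()
    a, b, c = (os.path.join(d, n) for n in ("a.conf", "b.conf", "c.conf"))
    for p in (a, b):
        with open(p, "w") as f:
            f.write("original\n")
    store = os.path.join(d, "baseline.json")
    save_baseline(build_baseline([a, b]), store)

    with open(a, "w") as f:   # a monitored file is altered
        f.write("changed\n")
    os.remove(b)              # a monitored file disappears
    with open(c, "w") as f:   # an unexpected file appears
        f.write("new\n")

    return scan(load_baseline(store), [a, b, c])


if __name__ == "__main__":
    for kind, files in demo().items():
        for p in files:
            print(f"ALARM {kind}: {p}")
```

The baseline is only as trustworthy as its storage: if it sits writable on the monitored host, whoever can alter the watched files can also rewrite the baseline to match. Keeping it read-only, off-host, or signed is what makes the rescan meaningful.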

IDS Responses

The following are types of responses generated by an IDS:

  1. True Positive: A valid anomaly is detected, and an alarm is generated.
  2. True Negative: No anomaly is present, and no alarm is generated.
  3. False Positive: No anomaly is present, but an alarm is generated. This is the worst case: if an IDS produces a high rate of false positives, its alarms are ignored and the system is no longer used.
  4. False Negative: A valid anomaly is present, but no alarm has been generated.
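The four response types tallied over a constructed set of labelled events, as an added example (not part of the page): each event records whether an anomaly was actually present and whether the IDS raised an alarm. Beyond counting, the example derives the rates an operator watches, including the share of alarms that were real, which is what decides whether analysts keep trusting the system. The names `classify`, `tally` and `rates`, and the event mix in `EVENTS`, are this example's own.

```python
"""Tally IDS response types from labelled events (added example).

Each event is a pair (anomaly_present, alarm_raised). The EVENTS list is
constructed to resemble a day on a mostly benign network.
"""
from collections import Counter


def classify(anomaly_present, alarm_raised):
    """Map one event to true/false positive/negative."""
    if anomaly_present and alarm_raised:
        return "true_positive"
    if not anomaly_present and not alarm_raised:
        return "true_negative"
    if not anomaly_present and alarm_raised:
        return "false_positive"
    return "false_negative"


def tally(events):
    """Count how many events fall into each response type."""
    return Counter(classify(present, raised) for present, raised in events)


def rates(counts):
    """Derive the operational rates from the four counts.

    detection_rate:      fraction of real anomalies that produced an alarm
    false_positive_rate: fraction of benign events that produced an alarm
    alarm_precision:     fraction of alarms that were real anomalies
    """
    tp, tn = counts["true_positive"], counts["true_negative"]
    fp, fn = counts["false_positive"], counts["false_negative"]
    return {
        "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
        "alarm_precision": tp / (tp + fp) if tp + fp else 0.0,
    }


# Constructed events: 10 real anomalies among 1000 events, 8 of them caught,
# plus 30 alarms on benign traffic.
EVENTS = (
    [(True, True)] * 8
    + [(True, False)] * 2
    + [(False, True)] * 30
    + [(False, False)] * 960
)

if __name__ == "__main__":
    counts = tally(EVENTS)
    for kind in ("true_positive", "true_negative", "false_positive", "false_negative"):
        print(f"{kind:15s} {counts[kind]}")
    for name, value in rates(counts).items():
        print(f"{name:20s} {value:.3f}")
```

With these numbers the false-positive rate is only about 3%, yet fewer than a quarter of the alarms are real, because benign events vastly outnumber anomalies. That arithmetic is why a modest false-positive rate is enough for alarms to be ignored in practice.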

IDS Detection Methods
Anti-x is a component of Cisco Adaptive Security Appliance (ASA). Anti-x provides an in-depth security design that prevents various types of problems such as viruses. The security provided by the tool includes the following:

The Cisco ASA appliance can be configured for a network-based role for all functions of Anti-x.