Intrusion Detection Systems: Types, Detection Methods and Challenges

SecurityTrails Blog - A podcast by SecurityTrails


For years now, network security has been one of the main investments organizations of all sizes make to protect their networks, users and data. Much of this focus has come about to address the sheer volume and sophistication of cyber threats in today's landscape. The rise of malicious actors seeking to compromise data, steal information, disrupt services and cause damage has led to the implementation of numerous defense strategies, practices and technologies. Encrypting data, using firewalls to prevent unauthorized traffic entering the network, employing anti-malware solutions and a variety of other tools are upheld as a standard for more or less every organization, and are used to detect cyber attacks and ultimately stop them.

Another tool that is just as universal is the IDS, or intrusion detection system. Next to packet analysis, log aggregation, proxy firewalls and similar blue team tools, IDS is an indispensable tool for defense teams to detect and prevent attacks. Intrusion detection systems have been around for decades, and while they've gone through many iterations and innovative advancements, the IDS still stands as a fundamental part of good cyber hygiene. Just as a home alarm system is designed to alert you to an intruder's attempt at breaking in, an IDS will in the same way monitor network traffic and notify you of suspicious activity.

In this post we'll explore the history and concept of intrusion detection, its importance in network security, the different types and detection methods of IDS, as well as some of the challenges they face that may require solving with next-gen technologies.

Concept of intrusion detection

The earliest concept of intrusion detection systems was set forth in 1980 by James Anderson at the NSA with his "Computer Security Threat Monitoring and Surveillance" report. Then, in 1986, Dorothy E. Denning wrote "An Intrusion-Detection Model", an academic paper that shaped the foundation for many systems still in use today. The model presented in the paper was used to develop the Intrusion Detection Expert System, or IDES. The IDES model detected behavior patterns of a potential intruder by using statistics for anomaly detection based on profiles of users, host systems, and target systems.

From the 1980s all the way to the early 2000s, IDS was considered a security best practice. But, at that time, the noisy and turbulent nature of networks led to many false positives from IDS, labeling it unreliable in the eyes of many. In recent years, however, their dominance and the challenges of cloud computing have shined a new light on intrusion detection systems, a longtime staple of enterprise security. And while many organizations invest in proactive security measures and other preventative strategies, they can still fail. Detecting attacks that may occur afterwards remains crucial.

What are intrusion detection systems?

The term IDS itself refers to the processes used for the detection of unauthorized access to and intrusive activities on a network. An intrusion detection system, therefore, is a tool that monitors network traffic for potential intrusions that may indicate malicious activity or a breach of policies. Intrusions in this sense can be defined as any type of unauthorized access with the potential to harm the confidentiality, integrity and availability of data. An IDS issues alerts when such activity is discovered, which is then either reported to an admin or collected through a security information and event management system (SIEM).

Often compared and confused with a firewall, an IDS doesn't sit on the perimeter of a network and monitor traffic with the goal of determining what should be allowed into the network the way a firewall does. An IDS is ideally placed at strategic points within a network, where it monitors and analyses traffic to and from endpoints on the network to detect any malicious activity.
This allows an IDS to act as a second layer of security, in case a threat slips thro...
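An added example, not code from the SecurityTrails post or from IDES itself, of the profile-based statistical anomaly detection the IDES passage above describes: a per-user baseline is built from historical audit records, and new observations that fall far outside that user's own profile are raised as alerts. The metric (bytes uploaded per session), the threshold of three standard deviations and all sample values are assumptions constructed for illustration.

```python
"""Profile-based statistical anomaly detection in the spirit of Denning's
IDES model: build a per-user baseline from historical audit records, then
flag new observations that deviate too far from that user's own profile.
All records below are constructed for illustration, not real audit data."""
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed baseline: (user, bytes uploaded per session) from a quiet week.
BASELINE = [
    ("alice", 120), ("alice", 150), ("alice", 130), ("alice", 140), ("alice", 125),
    ("bob", 2000), ("bob", 2400), ("bob", 2200), ("bob", 2100), ("bob", 2300),
]


@dataclass
class Profile:
    mean: float
    stdev: float
    n: int


def build_profiles(records):
    """Compute a per-user profile (mean, population stdev, sample count)."""
    per_user = {}
    for user, value in records:
        per_user.setdefault(user, []).append(value)
    return {u: Profile(mean(v), pstdev(v), len(v)) for u, v in per_user.items()}


def is_anomalous(profile, value, k=3.0, floor=10.0):
    """Flag if value lies more than k standard deviations from the user's
    mean. `floor` stops a near-constant baseline from alerting on tiny drift."""
    spread = max(profile.stdev, floor)
    return abs(value - profile.mean) > k * spread


def score_events(profiles, events, k=3.0):
    """Return the events that deviate from their user's profile; users with
    no profile are flagged because there is no baseline to compare against."""
    alerts = []
    for user, value in events:
        prof = profiles.get(user)
        if prof is None or is_anomalous(prof, value, k):
            alerts.append((user, value))
    return alerts


# Constructed new observations: 2500 bytes is normal for bob but not for
# alice, and "mallory" has no profile at all.
NEW_EVENTS = [("alice", 135), ("alice", 2500), ("bob", 2500), ("mallory", 50)]

if __name__ == "__main__":
    for alert in score_events(build_profiles(BASELINE), NEW_EVENTS):
        print("ALERT", alert)
```

The same value alerts for one user and not another, which is the point of per-subject profiles: the baseline, not a global threshold, decides what counts as abnormal.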
