
CHAPTER 1

INTRODUCTION
1.1 Introduction
For years now, network security has been one of the main investments organizations of all sizes
make to protect their networks, users and data.

Much of this focus has come about to address the sheer volume and sophistication of cyber
threats in today's landscape. The rise of malicious actors seeking to compromise data, steal
information, disrupt services and cause damage has led to the implementation of numerous
defense strategies, practices and technologies.

Encrypting data, using firewalls to prevent unauthorized traffic entering the network, employing
antimalware solutions and a variety of other tools are upheld as a standard for every
organization, and are used to detect cyber-attacks and ultimately stop them. Another tool that is
just as universal is the IDS, or intrusion detection system. Next to packet analysis, log
aggregation, proxy firewalls and similar blue team tools, IDS is an indispensable tool for defense
teams to detect and prevent attacks.

Intrusion detection systems have been around for decades, and while they've gone through many
iterations and innovative advancements, the IDS still stands as a fundamental part of good cyber
hygiene. Just as a home alarm system is designed to alert you to an intruder's attempt at breaking
in, an IDS will in the same way monitor network traffic and notify you of suspicious activity.

An Intrusion Detection System (IDS) monitors network traffic, looks for unusual activity and
sends alerts when it occurs. The main duties of an Intrusion Detection System (IDS) are anomaly
detection and reporting; however, certain Intrusion Detection Systems can take action when
malicious activity or unusual traffic is discovered. In this article, we will discuss every aspect
of the Intrusion Detection System.

An intrusion detection system (IDS) is an active research topic and is regarded as one of the
important applications of machine learning. An IDS is a classifier that predicts the class of input
records associated with certain types of attacks.

1.2 Concept of Intrusion Detection System

The earliest concept of intrusion detection systems was set forth in 1980 by James Anderson at
the NSA with his "Computer Security Threat Monitoring and Surveillance" report. Then, in
1986, Dorothy E. Denning wrote "An Intrusion-Detection Model"—an academic paper that
shaped the foundation for many systems still in use today. The model presented in the paper was
used to develop the Intrusion Detection Expert System, or IDES.

The IDES model detected behaviour patterns of a potential intruder by using statistics for
anomaly detection based on profiles of users, host systems, and target systems.

From the 1980s all the way to the early 2000s, IDS was considered a security best practice. But,
at that time, the noisy and turbulent nature of networks led to many false positives from IDS,
labeling it unreliable in the eyes of many.

In recent years, however, the dominance of cloud computing and the challenges it brings have
shone a new light on intrusion detection systems, a longtime staple of enterprise security. And while
many organizations invest in proactive security measures and other preventative strategies, these
can still fail. Detecting attacks that may occur afterwards remains crucial.

1.3 What is an Intrusion in Cybersecurity?

In cyber security, an "intrusion" refers to any unauthorized access or attempted access to a
computer system, network, or data. Intrusions are attempts by attackers to bypass security
mechanisms, exploit vulnerabilities, or otherwise gain access to protected resources without
permission.

This can also refer to a series of security events that make up an incident. An intrusion can be
passive, meaning the penetration is done without being detected, or active, meaning changes are
made to network resources.

An intrusion can jeopardize electronic election infrastructure, or the integrity, confidentiality, or
availability of information within such infrastructure. An intrusion attempt is when someone
deliberately tries to enter a computer, system, or network to access, manipulate, or render
information unreliable.

Cyber criminals use increasingly sophisticated techniques and tactics to infiltrate organizations
without being discovered. The primary aim of an intrusion can vary, ranging from stealing
sensitive information, causing damage to data or systems, disrupting services, to deploying
malware or conducting espionage.

1.4 What is an Intrusion Detection System?

The term IDS itself refers to the processes used for the detection of unauthorized access to and
intrusive activities on a network. An intrusion detection system, therefore, is a tool that monitors
network traffic for potential intrusions that may indicate malicious activity or a breach of
policies.

Intrusions in this sense can be defined as any type of unauthorized access with the potential to
harm the confidentiality, integrity and availability of data. An IDS issues alerts when such
activity is discovered, which is then either reported to an admin or collected through a security
information and event management system (SIEM).

Often compared and confused with a firewall, an IDS doesn't sit on the perimeter of a network
and monitor traffic with the goal of determining what should be allowed into the network the
way a firewall does. An IDS is ideally placed at strategic points within a network, where it
monitors and analyses traffic to and from endpoints on the network to detect any malicious
activity.

This allows an IDS to act as a second layer of security, in case a threat slips through the firewall,
as well as in cases of threats that originated inside the network. A good analogy would be
thinking of the firewall as the front door of your house, allowing or blocking what's going in and
coming out, and the IDS would be the security camera watching the door.

It's also important to differentiate between IDSs and IPSs, or intrusion prevention systems.
Whereas an IDS is concerned with informative and reactive intrusion detection, an IPS is a

preventative measure that prevents threats before they reach the network. We'll be exploring IPSs
a bit more in the future.

An intrusion detection system (IDS) observes network traffic for malicious transactions and sends
immediate alerts when such activity is observed. It is software that checks a network
or system for malicious activities or policy violations. Each illegal activity or violation is often
recorded centrally using a SIEM system or reported to an administrator. An IDS monitors a
network or system for malicious activity and protects a computer network from unauthorized
access by users, including perhaps insiders. The intrusion detector learning task is to build a
predictive model (i.e. a classifier) capable of distinguishing between ‘bad connections’
(intrusions/attacks) and ‘good (normal) connections’.

An IDS can help accelerate and automate network threat detection by alerting security
administrators to known or potential threats, or by sending alerts to a centralized security tool. A
centralized security tool such as a security information and event management (SIEM) system
can combine data from other sources to help security teams identify and respond to cyberthreats
that might slip by other security measures.

IDSs can also support compliance efforts. Certain regulations, such as the Payment Card Industry
Data Security Standard (PCI-DSS), require organizations to implement intrusion detection
measures.

An IDS cannot stop security threats on its own. Today IDS capabilities are typically integrated
with—or incorporated into—intrusion prevention systems (IPSs), which can detect security
threats and automatically act to prevent them.

CHAPTER 2
WORKING OF INTRUSION DETECTION SYSTEM
2.1 WORKING OF IDS:
• An IDS (Intrusion Detection System) monitors the traffic on a computer network to
detect any suspicious activity.
• It analyzes the data flowing through the network to look for patterns and signs of
abnormal behaviour.
• The IDS compares the network activity to a set of predefined rules and patterns to
identify any activity that might indicate an attack or intrusion.
• If the IDS detects something that matches one of these rules or patterns, it sends an alert
to the system administrator.
• The system administrator can then investigate the alert and take action to prevent any
damage or further intrusion.

Diagram depicting the functionality of an intrusion detection system.

IDS solutions excel in monitoring network traffic and detecting anomalous activity. They are
placed at strategic locations across a network or on devices themselves to analyze network traffic
and recognize signs of a potential attack.
An IDS works by looking for the signature of known attack types or detecting activity that
deviates from a prescribed normal. It then alerts or reports these anomalies and potentially
malicious actions to administrators so they can be examined at the application and protocol
layers.
This enables organizations to detect the potential signs of an attack beginning or being carried
out by an attacker. IDS solutions do this through several capabilities, including:
1. Monitoring the performance of key firewalls, files, routers, and servers to detect, prevent,
and recover from cyberattacks.
2. Enabling system administrators to organize and understand their relevant operating
system audit trails and logs that are often difficult to manage and track.
3. Providing an easy-to-use interface that allows staff who are not security experts to help
with the management of an organization’s systems.
4. Providing an extensive database of attack signatures that can be used to match and detect
known threats.
5. Providing a quick and effective reporting system when anomalous or malicious activity
occurs, which enables the threat to be passed up the stack.
6. Generating alarms that notify the necessary individuals, such as system administrators
and security teams, when a breach occurs.
7. In some cases, reacting to potentially malicious actors by blocking them and their access
to the server or network to prevent them from carrying out any further action.

The increasingly connected nature of business environments and infrastructures means they
demand highly secure systems and techniques to establish trusted lines of communication. IDS
has an important role within modern cybersecurity strategies to safeguard organizations from
hackers attempting to gain unauthorized access to networks and stealing corporate data.

2.2 PLACEMENT OF IDS

The most common, and usually the optimal, position for an IDS is behind the firewall, although
the exact position varies with the network. The ‘behind-the-firewall’ placement gives the IDS
high visibility of incoming network traffic, while it will not see traffic between users and the
network. The edge of the network is the point at which the network connects to the
extranet.
In cases where the IDS is positioned outside a network’s firewall, the purpose is to defend against
noise from the internet or against attacks such as port scans and network mapping. An IDS in
this position would monitor layers 4 through 7 of the OSI model and would use the signature-based
detection method. Showing the number of attempted breaches rather than only the breaches that
made it through the firewall is better, as it reduces the number of false positives. It also takes less
time to discover successful attacks against the network.
An advanced IDS integrated with a firewall can be used to intercept complex attacks entering
the network. Features of an advanced IDS include multiple security contexts at the routing level and
a bridging mode. All of this in turn potentially reduces cost and operational complexity.
Another choice for IDS placement is within the network. This choice reveals attacks or
suspicious activity inside the network. Neglecting security inside a network is
detrimental, as it may allow users to create security risks, or allow an attacker who has
broken into the system to roam around freely.

CHAPTER 3
CLASSIFICATION OF INTRUSION DETECTION SYSTEM

Intrusion detection systems come in different variations and can detect suspicious activity using
different methods and capabilities. Usually, the different flavors of IDSs can be classified by five
types:

3.1 NETWORK INTRUSION DETECTION SYSTEM (NIDS):

Network intrusion detection systems (NIDS) are set up at a planned point within the network to
examine traffic from all devices on the network. A NIDS observes the traffic passing on the
entire subnet and matches it against a collection of known attacks. Once an attack is identified
or abnormal behavior is observed, an alert can be sent to the administrator. An example use of a
NIDS is installing it on the subnet where firewalls are located in order to see if someone is
trying to crack the firewall.

Diagram: Network Intrusion Detection System (NIDS).
3.2 HOST INTRUSION DETECTION SYSTEM (HIDS):

Host intrusion detection systems (HIDS) run on independent hosts or devices on the network. A
HIDS monitors the incoming and outgoing packets of that device only and will alert the
administrator if suspicious or malicious activity is detected. It also takes a snapshot of existing
system files and compares it with the previous snapshot. If monitored system files were edited or
deleted, an alert is sent to the administrator to investigate. An example of HIDS usage can be
seen on mission-critical machines, which are not expected to change their layout.
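The snapshot-and-compare behaviour described for a HIDS above can be shown with a small file-integrity monitor. The following is an added example written for this report, not code from the page or from any HIDS product: it hashes every file under a directory, keeps the result as a snapshot, and reports what changed since the previous snapshot. The directory contents and the tampering it simulates are constructed in a temporary folder so it runs anywhere; the file names (etc/passwd, bin/login and so on) are only illustrative.

```python
"""File-integrity monitoring in the style of a HIDS (added example with constructed data)."""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict:
    """Return {relative_path: sha256_hex} for every regular file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            rel = str(full.relative_to(root))
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            result[rel] = h.hexdigest()
    return result


def compare_snapshots(previous: dict, current: dict) -> dict:
    """Classify every path as added, modified or deleted relative to the previous snapshot."""
    added = sorted(set(current) - set(previous))
    deleted = sorted(set(previous) - set(current))
    modified = sorted(p for p in set(previous) & set(current) if previous[p] != current[p])
    return {"added": added, "modified": modified, "deleted": deleted}


def alerts_for(changes: dict) -> list:
    """Turn the change set into administrator alerts, one per path."""
    alerts = []
    for kind in ("added", "modified", "deleted"):
        for path in changes[kind]:
            alerts.append(f"ALERT: {path} was {kind}")
    return alerts


def demo() -> dict:
    """Simulate a monitored host: baseline, then tamper, then compare (all constructed)."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "etc").mkdir()
        (Path(root) / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (Path(root) / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (Path(root) / "bin").mkdir()
        (Path(root) / "bin" / "login").write_bytes(b"\x7fELF original binary")
        baseline = snapshot(root)

        # Simulated tampering: an account appended, a binary replaced,
        # a file removed and a new file dropped.
        with open(Path(root) / "etc" / "passwd", "a") as fh:
            fh.write("extra:x:0:0::/:/bin/sh\n")
        (Path(root) / "bin" / "login").write_bytes(b"\x7fELF replaced binary")
        (Path(root) / "etc" / "hosts").unlink()
        (Path(root) / "bin" / "nc").write_bytes(b"\x7fELF new file")

        return compare_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for line in alerts_for(demo()):
        print(line)
```

The comparison is only as trustworthy as the baseline: in a real deployment the previous snapshot must be kept where an intruder with host access cannot rewrite it (off-host or signed), otherwise a clean comparison proves nothing.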

Diagram: Host Intrusion Detection System (HIDS).
3.3 PROTOCOL-BASED INTRUSION DETECTION SYSTEM (PIDS):

A protocol-based intrusion detection system (PIDS) comprises a system or agent that
consistently resides at the front end of a server, controlling and interpreting the protocol between
a user/device and the server. It attempts to secure the web server by regularly monitoring the
HTTPS protocol stream and accepting the related HTTP protocol. Since the HTTPS stream is only
available unencrypted immediately before it enters the web presentation layer, the system would
need to reside at that interface in order to inspect the HTTPS traffic.

Diagram: Protocol-based Intrusion Detection System (PIDS).
3.4 APPLICATION PROTOCOL-BASED INTRUSION DETECTION SYSTEM (APIDS):

An application protocol-based intrusion detection system (APIDS) is a system or agent that
generally resides within a group of servers. It identifies intrusions by monitoring and
interpreting the communication on application-specific protocols. For example, it would
explicitly monitor the SQL protocol used by the middleware as it transacts with the database on
behalf of the web server.

Diagram: Application Protocol-based Intrusion Detection System (APIDS).

3.5 HYBRID INTRUSION DETECTION SYSTEM:

A hybrid intrusion detection system combines two or more approaches to intrusion
detection. In a hybrid intrusion detection system, host agent or system data
is combined with network information to develop a complete view of the network system. The
hybrid intrusion detection system is more effective in comparison to the other types of intrusion
detection system. Prelude is an example of a hybrid IDS.

Diagram: Hybrid Intrusion Detection System.

CHAPTER 4
DETECTION METHOD OF IDS

An Intrusion Detection System (IDS) is a network security technology originally built for
detecting vulnerability exploits against a target application or computer.

The IDS is also a listen-only device. The IDS monitors traffic and reports results to an
administrator. It cannot automatically take action to prevent a detected exploit from taking over
the system.

Attackers are capable of exploiting vulnerabilities quickly once they enter the network.
Therefore, the IDS is not adequate for prevention. Intrusion detection and intrusion prevention
systems are both essential to security information and event management.

IDSs are categorized into three groups, i.e., anomaly-based detection, signature-based detection,
and specification-based detection. To summarize the taxonomy, a conceptual diagram is shown in
the figure.

4.1 SIGNATURE-BASED METHOD:

Signature-based IDS detects attacks based on specific patterns, such as the number of
bytes, or the number of 1s or the number of 0s, in the network traffic. It also detects attacks based
on already-known malicious instruction sequences used by malware. The patterns detected by the
IDS are known as signatures. Signature-based IDS can easily detect attacks whose
pattern (signature) already exists in the system, but it is quite difficult to detect new malware
attacks as their pattern (signature) is not known.

Signature-based detection analyzes network packets for attack signatures—unique characteristics
or behaviors that are associated with a specific threat. A sequence of code that appears in a
particular malware variant is an example of an attack signature.

A signature-based IDS maintains a database of attack signatures against which it compares
network packets. If a packet triggers a match to one of the signatures, the IDS flags it. To be
effective, signature databases must be regularly updated with new threat intelligence as new
cyberattacks emerge and existing attacks evolve. Brand new attacks that are not yet analyzed for
signatures can evade signature-based IDS.

4.2 ANOMALY-BASED METHOD:

Anomaly-based IDS was introduced to detect unknown malware attacks, as new malware is
developed rapidly. In anomaly-based IDS, machine learning is used to create a model of trusted
activity; incoming activity is compared with that model and is declared suspicious if
it is not found in the model. The machine learning-based method has a better generalization
property in comparison to signature-based IDS, as these models can be trained according to the
applications and hardware configurations.

Anomaly-based detection methods use machine learning to create—and continually refine—a
baseline model of normal network activity. Then it compares network activity to the model and
flags deviations—such as a process that uses more bandwidth than normal, or a device opening a
port.

Because it reports any abnormal behavior, anomaly-based IDS can often catch new cyberattacks
that might evade signature-based detection. For example, anomaly-based IDSs can catch zero-
day exploits—attacks that take advantage of software vulnerabilities before the software
developer knows about them or has time to patch them.

But anomaly-based IDSs may also be more prone to false positives. Even benign activity, such as
an authorized user accessing a sensitive network resource for the first time, can trigger an
anomaly-based IDS.

In this study, we are interested in an anomaly-based IDS. Therefore, we create the following sub-
taxonomy of such systems:

• Statistical-based anomaly IDS: The statistical-based anomaly IDS matches the
periodically captured statistical features of the traffic against a generated stochastic
model of normal operation or traffic. An attack is reported as the deviation between
the two statistical patterns, i.e., the memorized normal one and the currently captured one.
• Knowledge-based anomaly IDS: In knowledge-based anomaly detection, numerous rules
are provided by experts in the form of an expert system or fuzzy-based system to define
the behavior of normal connections and attacks. In fuzzy-based anomaly detection, the
rule base is connected to the inputs. A subset of the rules is enabled based on the input
values; sometimes heuristics or a UML-based description of the attack’s behavior is
provided.
• Machine learning-based anomaly IDS: An explicit or implicit model of the analyzed
patterns is developed in a machine learning-based anomaly IDS. These models are
revised regularly to boost intrusion detection efficiency based on past results.
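Section 4.2 and the statistical-based item above describe the same mechanism: learn a stochastic model of normal traffic, then report deviation from it. The following added example (not the page's or any product's code) builds a per-host mean and standard deviation of bytes-per-minute from a constructed training window, then scores new observations by z-score. Host names and traffic figures are constructed, and the z-score threshold of 3 is an assumption. The never-before-seen host illustrates the false positive discussed in 4.2: it is flagged simply because there is no baseline for it.

```python
"""Statistical anomaly detection over per-host traffic volume (added example, constructed data)."""
from collections import defaultdict
from statistics import mean, pstdev


def build_profiles(training: list) -> dict:
    """Learn a (mean, stdev) profile of bytes-per-minute for every host seen during training.
    training: iterable of (host, minute, nbytes)."""
    per_host = defaultdict(list)
    for host, _minute, nbytes in training:
        per_host[host].append(nbytes)
    return {host: (mean(samples), pstdev(samples)) for host, samples in per_host.items()}


def score(observation, profiles: dict, z_threshold: float = 3.0, min_sigma: float = 1.0) -> dict:
    """Return the z-score of one (host, minute, nbytes) observation and whether it is anomalous.
    A host absent from the baseline is reported as anomalous too; this is exactly where
    first-time legitimate activity turns into a false positive."""
    host, minute, nbytes = observation
    if host not in profiles:
        return {"host": host, "minute": minute, "z": None, "anomalous": True, "reason": "no baseline"}
    mu, sigma = profiles[host]
    sigma = max(sigma, min_sigma)  # variance floor so a perfectly steady host is not hair-trigger
    z = (nbytes - mu) / sigma
    return {"host": host, "minute": minute, "z": round(z, 2),
            "anomalous": abs(z) > z_threshold, "reason": "z-score"}


# Constructed baseline: two hosts observed over 60 normal minutes (KB per minute).
TRAINING = (
    [("web01", m, 500 + (m % 7) * 10) for m in range(60)]
    + [("db01", m, 120 + (m % 5) * 4) for m in range(60)]
)

# Constructed observations to score against the learned baseline.
OBSERVATIONS = [
    ("web01", 100, 540),      # inside normal variation
    ("web01", 101, 9000),     # sudden burst far outside the profile
    ("db01", 102, 130),       # normal
    ("hr-laptop", 103, 80),   # never seen before: flagged although it may be benign
]


def detect(observations=OBSERVATIONS, training=TRAINING) -> list:
    profiles = build_profiles(training)
    return [score(o, profiles) for o in observations]


if __name__ == "__main__":
    for r in detect():
        print(r)
```

Reviewing the "no baseline" alerts and folding confirmed-benign hosts into the next training window is the tuning loop the text calls refining the network behavior model.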

4.3 SPECIFICATION-BASED METHOD:

A specification-based technique uses the specification or constraints to describe a certain
program’s operation and report any violation of such specification or constraints based on
matching with the prior determined and memorized specification and constraints.

LESS COMMON DETECTION METHODS

Reputation-based detection blocks traffic from IP addresses and domains associated with
malicious or suspicious activity. Stateful protocol analysis focuses on protocol behavior—for
example, it might identify a denial-of-service (DoS) attack by detecting a single IP address
making many simultaneous TCP connection requests in a short period.

Whatever method(s) it uses, when an IDS detects a potential threat or policy violation, it alerts
the incident response team to investigate. IDSs also keep records of security incidents, either in
their own logs or by logging them with a security information and event management (SIEM)
tool (see 'IDS and other security solutions' below). These incident logs can be used to refine the
IDS’s criteria, such as by adding new attack signatures or updating the network behavior model.
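The stateful protocol analysis case mentioned above, a single IP making many TCP connection requests in a short period, can be implemented with a sliding time window per source. The code below is an added example, not from the page or any IDS product: it walks a constructed, time-ordered list of (timestamp, source, destination, TCP flags) records and reports any source that exceeds a threshold of SYNs within the window. The threshold of 20 SYNs in 5 seconds and the addresses are assumptions made for the example.

```python
"""Stateful protocol analysis: connection-request floods from one source (added example)."""
from collections import defaultdict, deque


def find_connection_floods(records, max_syn: int = 20, window_s: float = 5.0) -> list:
    """Report every source IP that sends more than max_syn SYNs inside any window_s-second window.
    records: (timestamp, src_ip, dst_ip, flags), sorted by timestamp as a capture would be."""
    recent = defaultdict(deque)   # src -> timestamps of SYNs still inside the window
    alerted = set()
    alerts = []
    for ts, src, _dst, flags in records:
        if flags != "S":          # only the initial SYN counts as a new connection attempt
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()           # slide the window forward
        if len(q) > max_syn and src not in alerted:
            alerted.add(src)      # one alert per offending source
            alerts.append({"src": src, "first_ts": q[0], "ts": ts, "syn_count": len(q)})
    return alerts


def constructed_capture() -> list:
    """Constructed capture: one normal client plus one source opening 60 connections in 2 seconds."""
    records = []
    # Normal browsing: a handful of complete handshakes spread over a minute.
    for i in range(10):
        records.append((i * 6.0, "10.0.0.11", "10.0.0.80", "S"))
        records.append((i * 6.0 + 0.01, "10.0.0.80", "10.0.0.11", "SA"))
        records.append((i * 6.0 + 0.02, "10.0.0.11", "10.0.0.80", "A"))
    # Flood: 60 SYNs from one source between t=30 and t=32 with no handshake completion.
    for i in range(60):
        records.append((30.0 + i * (2.0 / 60), "198.51.100.9", "10.0.0.80", "S"))
    records.sort(key=lambda r: r[0])
    return records


if __name__ == "__main__":
    for alert in find_connection_floods(constructed_capture()):
        print(f"possible connection flood from {alert['src']}: "
              f"{alert['syn_count']} SYNs since t={alert['first_ts']:.2f}")
```

The per-source state (the deque) is what makes this "stateful": the decision depends on the history of the conversation, not on any single packet, so the detector is bounded by the number of active sources and the window length.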

Diagram depicting reputation-based intrusion detection system.

CHAPTER 5

EVASION TECHNIQUES

Like any other system, an IDS has vulnerabilities that attackers can exploit to evade
it.

Fragmentation:

Dividing a packet into smaller packets, called fragments, is known as fragmentation. This makes
it impossible to identify the intrusion from any single fragment, because no fragment contains a
complete malware signature: splitting malware or other malicious payloads into small packets
obscures the signature and avoids detection. By strategically delaying packets or sending them out
of order, hackers can prevent the IDS from reassembling them and noticing the attack.

Packet Encoding:

Encoding packets using methods like Base64 or hexadecimal can hide malicious content from
signature-based IDS.

Traffic Obfuscation:

By making messages more complicated to interpret, obfuscation can be used to hide an attack
and avoid detection.

Encryption:

Several security features, such as data integrity, confidentiality, and data privacy, are provided by
encryption. Unfortunately, these same security features are used by malware developers to hide
attacks and avoid detection.

Distributed denial-of-service (DDoS) attacks:

Taking IDSs offline by flooding them with obviously malicious traffic from multiple sources.
When the IDS’s resources are overwhelmed by the decoy threats, the hackers sneak in.

Spoofing:

Faking IP addresses and DNS records to make it look like the attacker's traffic is coming from a
trustworthy source.

Operator fatigue:

Generating large numbers of IDS alerts on purpose to distract the incident response team from
their real activity.

Traffic Timing:

Attackers might slow down or distribute their attacks over longer periods to avoid triggering IDS
thresholds based on traffic volume or frequency.

Polymorphic Attacks:

These are attacks that change their appearance with each iteration, making it difficult for IDS to
detect a consistent signature or pattern.

Protocol Level Evasion:

By manipulating the protocol headers or using non-standard protocol options, attackers can craft
packets that appear legitimate to IDS but carry malicious payloads.

Session Splicing:

This technique involves breaking a malicious payload into smaller pieces and sending them at
different times or within legitimate traffic sessions to avoid detection.
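Fragmentation and session splicing both defeat a detector that matches each packet on its own, and the countermeasure is the same for both: reassemble the stream before matching. The added example below (written for this report, not code from the page or any IDS) takes a constructed HTTP-like stream carrying an invented signature string, cuts it into fragments that may arrive out of order, and shows that per-fragment matching misses the signature while matching on the reassembled stream finds it. Overlapping or missing fragments are treated as a reassembly failure rather than guessed at, since ambiguity there is itself something an evasion can exploit.

```python
"""Why a NIDS must reassemble before matching (added example with constructed data)."""
from typing import Optional

SIGNATURE = b"MALWARE-BEACON-v3"   # constructed signature string, not a real IoC


def match_each_fragment(fragments) -> bool:
    """Naive detector: looks for the signature inside every fragment separately."""
    return any(SIGNATURE in data for _offset, data in fragments)


def reassemble(fragments) -> Optional[bytes]:
    """Rebuild the original stream from (offset, data) pieces that may arrive out of order.
    Gaps or overlaps are reported as failure (None) instead of being silently filled."""
    buf = bytearray()
    for offset, data in sorted(fragments, key=lambda f: f[0]):
        if offset != len(buf):
            return None
        buf.extend(data)
    return bytes(buf)


def match_reassembled(fragments) -> bool:
    """Stream-aware detector: reassemble first, then match once over the whole stream."""
    stream = reassemble(fragments)
    return stream is not None and SIGNATURE in stream


def split_stream(stream: bytes, sizes) -> list:
    """Cut a stream into consecutive (offset, data) fragments; only used to build sample input."""
    frags, pos = [], 0
    for size in sizes:
        frags.append((pos, stream[pos:pos + size]))
        pos += size
    frags.append((pos, stream[pos:]))
    return frags


# Constructed stream; the signature starts at byte 54, so a cut at 60 splits it in two.
STREAM = b"POST /c2 HTTP/1.1\r\nHost: example.invalid\r\n\r\nid=42&tag=MALWARE-BEACON-v3&x=1"


if __name__ == "__main__":
    pieces = list(reversed(split_stream(STREAM, [60])))   # arrives out of order
    print("per-fragment match :", match_each_fragment(pieces))
    print("reassembled match  :", match_reassembled(pieces))
```

Production sensors bound the reassembly buffer per flow and time it out, because an attacker who can make the sensor hold state indefinitely has found another resource-exhaustion path; the refusal to guess at overlaps is the same trade-off in miniature.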

Protocol Tunneling:

Attackers can encapsulate malicious traffic within legitimate protocols or tunnel them through
protocols that are less likely to be inspected by IDS.

Zero-Day Exploits:

Exploiting vulnerabilities that are unknown to the IDS or have no known signatures can allow
attackers to evade detection until the vulnerability is discovered and patched.

Avoiding defaults:

The port used by a protocol does not always indicate the protocol that is being
transported. If an attacker has reconfigured a trojan to use a different port, the IDS may not be
able to detect its presence.

Coordinated, low-bandwidth attacks:

Coordinating a scan among numerous attackers, or even allocating various ports or hosts to
different attackers. This makes it difficult for the IDS to correlate the captured packets and
deduce that a network scan is in progress.

Pattern change evasion:

IDSs rely on pattern matching to detect attacks. By making slight adjustments to the attack
structure, detection can be avoided.

CHAPTER 6
COUNTERMEASURES
Anomaly-based Detection:

Instead of relying solely on signatures, anomaly-based detection systems look for deviations
from normal behavior. This can help detect new or unknown attacks.

Deep Packet Inspection:

This involves inspecting the content of packets beyond just the headers. It can help in detecting
malicious payloads even when they are encrypted or obfuscated.

SSL/TLS Decryption:

Implementing SSL/TLS decryption to inspect encrypted traffic for malicious content.

Regular Updates:

Keeping IDS signatures and rules updated to detect new attack patterns and vulnerabilities.

Multi-Layered Defense:

Combining multiple detection techniques, such as signature-based, anomaly-based, and heuristic-
based detection, to improve overall detection capabilities.

Network Segmentation:

Segmenting the network to contain and isolate potential threats, making it harder for attackers to
move laterally within the network.

User Education:

Educating users about the importance of security best practices, such as avoiding suspicious
links or attachments, can help in preventing successful attacks.

Note: No single technique can provide complete protection against all evasion techniques. A
combination of multiple strategies and continuous monitoring is essential for effective intrusion
detection and prevention.

CHAPTER 7
CAPABILITIES & BENEFITS OF IDS

7.1 Capabilities of Intrusion Detection System:

Intrusion detection systems monitor network traffic in order to detect when an attack is being
carried out by unauthorized entities. IDSes do this by providing some -- or all -- of the following
functions to security professionals:

• Monitoring the operation of routers, firewalls, key management servers and files that are
needed by other security controls aimed at detecting, preventing or recovering from
cyberattacks.
• Providing administrators a way to tune, organize and understand relevant OS audit trails
and other logs that are otherwise difficult to track or parse.
• Providing a user-friendly interface so nonexpert staff members can assist with managing
system security.
• Including an extensive attack signature database against which information from the
system can be matched.
• Recognizing and reporting when the IDS detects that data files have been altered.
• Analysing the behaviour of users and systems to detect deviations from normal
patterns, which may indicate unauthorized access or malicious activity.
• Generating an alarm and notifying that security has been breached.
• Reacting to intruders by blocking them or blocking the server.
• Logging detailed information about detected events, including packet captures and
metadata, to support forensic analysis and investigation of security incidents.
• Integrating with other security tools and systems, such as firewalls, SIEM
(Security Information and Event Management) systems, and threat intelligence feeds, to
enhance overall security posture and response capabilities.

These capabilities collectively enable IDS to play a crucial role in identifying and mitigating
security threats in networks, helping organizations maintain the confidentiality, integrity, and
availability of their systems and data.

7.2 Benefits of Intrusion Detection System:

Detects malicious activity:

IDS can detect any suspicious activities and alert the system administrator before any significant
damage is done.

Improves network performance:

IDS can identify any performance issues on the network, which can be addressed to improve
network performance.

Compliance requirements:

IDS can help in meeting compliance requirements by monitoring network activity and generating
reports.

Provides insights:

IDS generates valuable insights into network traffic, which can be used to identify any
weaknesses and improve network security.

Understanding risk:

An IDS tool helps businesses understand the number of attacks being targeted at them and the
type and level of sophistication of risks they face.

Shaping security strategy:

Understanding risk is crucial to establishing and evolving a comprehensive cybersecurity
strategy that can stand up to the modern threat landscape. An IDS can also be used to identify
bugs and potential flaws in organizations’ devices and networks, then assess and adapt their
defenses to address the risks they may face in the future.

Cost saving:

While the initial investment in IDS deployment and maintenance is required, the potential cost
savings from preventing security breaches and minimizing their impact can outweigh these
expenses in the long run.

Regulatory compliance:

Organizations now face an ever-evolving list of increasingly stringent regulations that they must
comply with. An IDS tool provides them with visibility on what is happening across their
networks, which eases the process of meeting these regulations. The information it gathers and
saves in its logs is also vital for businesses to document that they are meeting their compliance
requirements.

Faster response times:

The immediate alerts that IDS solutions initiate allow organizations to discover and prevent
attackers more quickly than they would through manual monitoring of their networks. The
sensors that an IDS uses can also inspect data in network packets and operating systems, which
is also faster than manually collecting this information.

Forensic Analysis and Investigation:

IDS logs detailed information about detected events, including packet captures and metadata,
enabling forensic analysis and investigation of security incidents for root cause analysis and
remediation.

Improved Incident Response:

By promptly alerting administrators to potential security incidents, IDS enables rapid response
and mitigation measures, minimizing the impact of attacks and reducing downtime.

Detection of Insider Threats:

IDS can identify unauthorized access and misuse of resources by legitimate users within the
network, helping to detect insider threats and malicious insider activity.

CHAPTER 8
CHALLENGES OF INTRUSION DETECTION SYSTEMS

Implementing and managing an Intrusion Detection System (IDS) is crucial for enhancing
network security, but it is not without its hurdles. From navigating the complexities of fine-
tuning to grappling with the relentless onslaught of alerts, IDS administrators face a myriad of
challenges that require careful navigation and proactive strategies to ensure effective threat
detection and response.

IDSes are prone to false alarms -- or false positives. Consequently, organizations need to fine-
tune their IDS products when they first install them. This includes properly configuring their
intrusion detection systems to recognize what normal traffic on their network looks like
compared to potentially malicious activity.

However, despite the inefficiencies they cause, false positives don't usually cause serious damage
to the actual network and simply lead to configuration improvements.

A much more serious IDS mistake is a false negative, which is when the IDS misses a threat and
mistakes it for legitimate traffic. In a false negative scenario, IT teams have no indication that an
attack is taking place and often don't discover it until after the network has been affected in some
way. It is better for an IDS to be oversensitive to abnormal behaviors and generate false positives
than it is to be undersensitive and generate false negatives.
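The trade-off just described, oversensitivity producing false positives versus undersensitivity producing false negatives, is what an administrator tunes when choosing an alert threshold. The added example below (not from the page or any product) counts true and false positives and negatives over a constructed set of scored events, reports detection rate and false-positive rate, and then picks the highest threshold that still misses no more than an allowed number of attacks. The scores, labels and candidate thresholds are invented for the example.

```python
"""Tuning an IDS alert threshold: false positives vs. false negatives (added example)."""


def confusion(scored_events, threshold: float) -> dict:
    """Count TP/FP/TN/FN when every event with score >= threshold raises an alert.
    scored_events: iterable of (anomaly_score, is_actually_malicious)."""
    tp = fp = tn = fn = 0
    for s, malicious in scored_events:
        alerted = s >= threshold
        if alerted and malicious:
            tp += 1
        elif alerted and not malicious:
            fp += 1
        elif not alerted and malicious:
            fn += 1
        else:
            tn += 1
    return {"tp": tp, "fp": fp, "tn": tn, "fn": fn}


def rates(c: dict) -> dict:
    """Detection rate (share of attacks caught) and false-positive rate (share of benign events alerted)."""
    pos = c["tp"] + c["fn"]
    neg = c["fp"] + c["tn"]
    return {
        "detection_rate": c["tp"] / pos if pos else 0.0,
        "false_positive_rate": c["fp"] / neg if neg else 0.0,
    }


def choose_threshold(scored_events, candidates, max_false_negatives: int = 0):
    """Highest threshold (fewest alerts) that still misses at most max_false_negatives attacks.
    This encodes the text's preference: accept extra false positives before accepting misses."""
    best = None
    for t in sorted(candidates):
        if confusion(scored_events, t)["fn"] <= max_false_negatives:
            best = t
    return best


# Constructed week of scored events: 12 benign and 4 malicious, with overlapping score ranges
# so that no threshold separates them perfectly.
EVENTS = [
    (0.05, False), (0.10, False), (0.12, False), (0.20, False), (0.25, False), (0.30, False),
    (0.35, False), (0.40, False), (0.55, False), (0.62, False), (0.70, False), (0.85, False),
    (0.58, True), (0.75, True), (0.90, True), (0.97, True),
]
CANDIDATE_THRESHOLDS = [0.3, 0.5, 0.6, 0.7, 0.8, 0.9]


if __name__ == "__main__":
    for t in CANDIDATE_THRESHOLDS:
        c = confusion(EVENTS, t)
        r = rates(c)
        print(f"threshold {t:.2f}: {c}  detection={r['detection_rate']:.2f} "
              f"fpr={r['false_positive_rate']:.2f}")
    print("chosen (no misses allowed):", choose_threshold(EVENTS, CANDIDATE_THRESHOLDS))
```

Raising the threshold from 0.5 to 0.9 removes every false positive in this data but also halves the detection rate, which is the cost the text warns against; the labelled events needed for this calculation come from the incident logs an IDS keeps and from investigated alerts.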

False negatives are becoming a bigger issue for IDSes -- especially SIDSes -- since malware is
evolving and becoming more sophisticated. It's hard to detect a suspected intrusion because new
malware may not display the previously detected patterns of suspicious behavior that IDSes are
typically designed to detect. As a result, there is an increasing need for IDSes to detect new
behavior and proactively identify novel threats and their evasion techniques as soon as possible.

Fine-tuning the IDS to the specific network environment and balancing sensitivity to detect
threats without overwhelming administrators with false alerts requires expertise and ongoing
maintenance.
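As an added illustration of the trade-off between false negatives and false positives described above (example code, not from the report or any IDS product; the flow scores, their labels and the threshold step are constructed), the sweep below shows how lowering an anomaly-score threshold removes missed intrusions at the cost of more false alarms:

```python
# Added example, not from the report: how an alert threshold trades false negatives
# against false positives in an anomaly-based IDS. Scores and labels are constructed.

# Constructed anomaly scores (0..1) for 12 flows; True = real intrusion, False = benign.
FLOWS = [
    (0.05, False), (0.10, False), (0.20, False), (0.30, False),
    (0.45, False), (0.55, False), (0.60, True), (0.65, False),
    (0.70, True), (0.85, True), (0.90, True), (0.95, False),
]

def evaluate(threshold, flows=FLOWS):
    """Alert on every flow scoring >= threshold; return the four outcome counts
    plus detection rate (1.0 = no false negatives) and false-alarm rate."""
    tp = fp = fn = tn = 0
    for score, is_attack in flows:
        alerted = score >= threshold
        if alerted and is_attack:
            tp += 1
        elif alerted:
            fp += 1
        elif is_attack:
            fn += 1
        else:
            tn += 1
    return {
        "threshold": threshold, "tp": tp, "fp": fp, "fn": fn, "tn": tn,
        "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
        "false_alarm_rate": fp / (fp + tn) if fp + tn else 0.0,
    }

def strictest_threshold_without_misses(flows=FLOWS, step=0.05):
    """Highest threshold that still catches every intrusion: the fewest false alarms
    obtainable while accepting zero false negatives, the trade-off the report prefers."""
    best = t = 0.0
    while t <= 1.0:
        if evaluate(t, flows)["fn"] == 0:
            best = t
        t = round(t + step, 2)
    return best

if __name__ == "__main__":
    # Lowering the threshold drives false negatives to zero at the cost of more false alarms.
    for t in (0.3, 0.5, 0.7, 0.9):
        r = evaluate(t)
        print(f"threshold={t:.2f} detection={r['detection_rate']:.2f} "
              f"false_alarm={r['false_alarm_rate']:.3f} missed={r['fn']}")
    print("strictest threshold with no misses:", strictest_threshold_without_misses())
```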

In large networks or environments with high traffic volumes, IDS can generate a significant
number of alerts, making it challenging for administrators to prioritize and respond to genuine
threats effectively.

Adequately trained personnel with expertise in IDS deployment, configuration, and analysis may
be scarce, posing challenges for organizations in effectively managing and optimizing their IDS
deployments.

With the increasing use of encryption for securing communications, IDS may face challenges in
inspecting encrypted traffic for malicious activity without compromising privacy and compliance
requirements.

CHAPTER 9
COMPARISONS

9.1 IDS WITH FIREWALLS

IDS and firewall both are related to network security but an IDS differs from a firewall as a
firewall looks outwardly for intrusions in order to stop them from happening. Firewalls restrict
access between networks to prevent intrusion and if an attack is from inside the network it
doesn’t signal. An IDS describes a suspected intrusion once it has happened and then signals an
alarm.

IDSs and firewalls are complementary. Firewalls face outside the network and act as barriers by
using predefined rulesets to allow or disallow traffic. IDSs often sit near firewalls and help catch
anything that slips past them. Some firewalls, especially next-generation firewalls, have built-in
IDS and IPS functions.

IDSes and Next-Generation Firewalls are both network security solutions. What differentiates an
IDS from a firewall is its purpose.

An IDS device monitors passively, describing a suspected threat when it’s happened and
signaling an alert. IDS watches network packets in motion. This allows incident response to
evaluate the threat and act as necessary. It does not, however, protect the endpoint or network.

A firewall monitors actively, looking for threats to prevent them from becoming incidents.
Firewalls are capable of filtering and blocking traffic. They allow traffic based on preconfigured
rules, relying on ports, destination addresses and the source.

Firewalls reject traffic that does not follow firewall rules. However, if an attack is coming from
inside the network, the IDS will not generate an alert.

An IDS provides no actual protection to the endpoint or network. A firewall, on the other hand,
is designed to act as a protective system. It performs analysis of the metadata of network packets
and allows or blocks traffic based upon predefined rules.

Firewalls and intrusion detection systems (IDS) are cybersecurity tools that can both safeguard a
network or endpoint. Their objectives, however, are very different from one another.

1. IDS: Intrusion detection systems are passive monitoring tools that identify possible
threats and send out notifications to analysts in security operations centers (SOCs). In this
way, incident responders can promptly look into and address the potential event.

2. Firewall: A firewall, on the other hand, analyzes the metadata contained in network
packets and decides whether to allow or prohibit traffic into or out of the network based
on pre-established rules. A firewall essentially creates a barrier that stops certain traffic
from crossing through it.

An IDS is focused on detecting and generating alerts about threats, while a firewall inspects
inbound and outbound traffic, keeping all unauthorized traffic at bay.

Diagram depicting the functionality of an intrusion detection system and a firewall.

9.2 IDS WITH SIEM (Security Information and Event Management)

IDS alerts are often funneled to an organization’s SIEM, where they can be combined with
alerts and information from other security tools into a single, centralized dashboard. Integrating
IDS with SIEMs enables security teams to enrich IDS alerts with threat intelligence and data
from other tools, filter out false alarms, and prioritize incidents for remediation.

9.3 IDS WITH IPS (Intrusion Prevention Systems)

As noted above, an IPS monitors network traffic for suspicious activity, like an IDS, and
intercepts threats in real time by automatically terminating connections or triggering other
security tools. Because IPSs are meant to stop cyberattacks, they’re usually placed inline,
meaning that all traffic must pass through the IPS before it can reach the rest of the network.

Some organizations implement an IDS and an IPS as separate solutions. More often, IDS and
IPS are combined in a single intrusion detection and prevention system (IDPS) which detects
intrusions, logs them, alerts security teams and automatically responds.
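An added toy model of the three controls contrasted in sections 9.1 and 9.3 (example code, not from the report or any product; the firewall rules, the placeholder signature and the sample packets are all constructed). It shows the firewall deciding on addresses and ports only, the IDS alerting without stopping anything, and the inline IPS dropping the same packet:

```python
# Added example, not from the report: a toy model of the three controls compared in
# sections 9.1 and 9.3. Rules, the signature and the traffic are all constructed.
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst dport payload")
# Firewall rules look only at source network and destination port, never at payload.
# First match wins, default deny; internal hosts (10.0.0.0/8) may reach the web port.
FIREWALL_RULES = [
    ("10.0.0.0/8", 80, "allow"),
    ("0.0.0.0/0", 22, "deny"),
]
SIGNATURE = b"EXAMPLE-BAD-PATTERN"  # constructed placeholder, not a real IDS rule

def firewall(pkt):
    """Active control: True = forward, False = reject. It raises no alert either way."""
    src = ipaddress.ip_address(pkt.src)
    for net, port, action in FIREWALL_RULES:
        if src in ipaddress.ip_network(net) and pkt.dport == port:
            return action == "allow"
    return False

def inspect(pkt, alerts, inline):
    """inline=False models an IDS: record an alert, always forward (passive).
    inline=True models an IPS: same inspection, but a match drops the packet."""
    if SIGNATURE in pkt.payload:
        alerts.append(f"{'BLOCK' if inline else 'ALERT'} {pkt.src}->{pkt.dst}:{pkt.dport}")
        return not inline
    return True

def run(packets, inline_ips=False):
    """Perimeter firewall first, then a passive IDS (or inline IPS) behind it.
    Returns (packets delivered to the host, list of alert strings)."""
    delivered, alerts = [], []
    for pkt in packets:
        if firewall(pkt) and inspect(pkt, alerts, inline_ips):
            delivered.append(pkt)
    return delivered, alerts

PACKETS = [  # constructed traffic
    Packet("10.1.2.3", "10.9.9.9", 80, b"GET / HTTP/1.1"),  # benign, internal
    Packet("203.0.113.5", "10.9.9.9", 22, b"SSH-2.0-client"),  # external, firewall rejects
    Packet("10.1.2.4", "10.9.9.9", 80, b"GET /?q=EXAMPLE-BAD-PATTERN"),  # insider, allowed through
]

if __name__ == "__main__":
    for inline in (False, True):
        delivered, alerts = run(PACKETS, inline)
        print("IPS" if inline else "IDS", "delivered:", len(delivered), "alerts:", alerts)
```

The insider packet passes the firewall in both runs because the rules never look at the payload; only the inline IPS keeps it from reaching the host.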

Diagram depicting the difference between an IPS and an IDS

Why are intrusion detection systems important?

In today's interconnected digital landscape, where cyber threats continue to evolve in
sophistication and frequency, Intrusion Detection Systems (IDS) play a vital role in safeguarding
the integrity, confidentiality, and availability of networks and sensitive data. Here's why IDS is
important:

Cyberattacks are always increasing in complexity and sophistication, and Zero Day Attacks are
common. As a result, network protection technologies must keep pace with new threats, and
businesses must maintain high levels of security.

An intrusion detection system provides an extra layer of protection, making it a critical element
of an effective cybersecurity strategy. You can use it alongside your other cybersecurity tools to
catch threats that are able to penetrate your primary defenses. So even if your main system fails,
you are still alerted to the presence of a threat.

A healthcare organization, for example, can deploy an IDS to signal to the IT team that a range
of threats has infiltrated its network, including those that have managed to bypass its firewalls. In
this way, the IDS helps the organization to stay in compliance with data security regulations.

The objective is to assure secure, trusted communication of information. Therefore, an IDS is
important to the security ecosystem. It operates as a defense for systems security when other
technologies fail.

• Identify security incidents.
• Analyze the quantity and types of attacks.
• Help identify bugs or problems with device configurations.
• Support regulatory compliance (by means of better network visibility and IDS log
  documentation).
• Improve security responses (by means of inspecting data within network packets, rather
  than manual census of systems).

While IDSes are useful, their impact is extended when coupled with IPSes. Intrusion
Prevention Systems (IPS) add the ability to block threats. This has become the dominant
deployment option for IDS/IPS technologies.

Better still is the blend of multiple threat prevention technologies to form a complete solution.
An effective approach is a combination of:

• Vulnerability protection
• Anti-malware
• Anti-spyware

These technologies combined constitute advanced threat protection. The service scans all traffic
for threats (including ports, protocols and encrypted traffic). Advanced threat prevention
solutions look for threats within the cyberattack lifecycle, not just when it enters the network.
This forms a layered defense — a Zero Trust approach with prevention at all points.

Overall, IDS is essential for organizations of all sizes and industries to proactively detect and
respond to security threats, protect critical assets, and maintain the trust and confidence of
customers, partners, and stakeholders in an increasingly interconnected digital world.

CHAPTER 10
CONCLUSION

In conclusion, the implementation and management of an Intrusion Detection System (IDS) are
paramount for organizations seeking to fortify their cybersecurity defenses in the face of ever-evolving
threats. Throughout this documentation, we have explored the capabilities, benefits, and
challenges inherent in IDS deployment, highlighting its pivotal role in safeguarding network
integrity, protecting sensitive data, and ensuring regulatory compliance.

By leveraging advanced detection techniques, such as anomaly detection, signature-based
detection, and behavioral analysis, IDS empowers organizations to detect and respond to security
incidents with agility and precision. The early identification of unauthorized access attempts,
malware infections, and insider threats enables proactive mitigation strategies, minimizing the
impact of cyber-attacks and reducing the risk of financial losses and reputational damage.

Furthermore, IDS serves as a cornerstone of compliance efforts, helping organizations meet
regulatory requirements and industry standards for data protection and privacy. Its ability to
generate comprehensive logs and alerts facilitates forensic analysis and investigation, enabling
organizations to identify root causes, implement remediation measures, and strengthen resilience
against future threats.

As the cybersecurity landscape continues to evolve, the importance of IDS in maintaining a
robust security posture cannot be overstated. By embracing best practices in configuration,
tuning, and integration, organizations can harness the full potential of IDS to stay ahead of
emerging threats, adapt to changing environments, and safeguard their digital assets with
confidence.

In essence, IDS represents a vital component of a comprehensive cybersecurity strategy, offering
unparalleled visibility, detection, and response capabilities to defend against a wide range of
cyber threats. By investing in IDS deployment and ongoing maintenance, organizations can
mitigate risks, protect critical assets, and uphold the trust and integrity of their operations in an
increasingly interconnected and dynamic digital world.
