Intro

For years now, network security has been one of the main investments that organizations of all
sizes make to protect their networks, users and data. Much of this focus has come about to
address the sheer volume and sophistication of cyber threats in today's landscape. The rise of
malicious actors seeking to compromise data, steal information, disrupt services and cause
damage has led to the implementation of numerous defense strategies, practices and
technologies.

Encrypting data, using firewalls to prevent unauthorized traffic from entering the network, employing
antimalware solutions and a variety of other tools are upheld as a standard for every
organization, and are used to detect cyber-attacks and ultimately stop them. Another tool that is
just as universal is the IDS, or intrusion detection system. Next to packet analysis, log
aggregation, proxy firewalls and similar blue team tools, the IDS is an indispensable tool for defense
teams to detect and prevent attacks.

Intrusion

In cyber security, an "intrusion" refers to any unauthorized access or attempted access to a
computer system, network, or data. Intrusions are attempts by attackers to bypass security
mechanisms, exploit vulnerabilities, or otherwise gain access to protected resources without
permission.
This can also refer to a series of security events that make up an incident. An intrusion can be
passive, meaning the penetration is done without being detected, or active, meaning changes are
made to network resources.
An intrusion can jeopardize electronic election infrastructure, or the integrity, confidentiality, or
availability of information within such infrastructure. An intrusion attempt is when someone
deliberately tries to enter a computer, system, or network to access, manipulate, or render
information unreliable.

Concept

The earliest concept of intrusion detection systems was set forth in 1980 by James Anderson at
the NSA with his "Computer Security Threat Monitoring and Surveillance" report. Then, in
1986, Dorothy E. Denning wrote "An Intrusion-Detection Model", an academic paper that
shaped the foundation for many systems still in use today. The model presented in the paper was
used to develop the Intrusion Detection Expert System, or IDES.
An intrusion detection system (IDS) is an active research topic and is regarded as one of the
important applications of machine learning. An IDS is a classifier that predicts the class of input
records associated with certain types of attacks.
IDS

Intrusion detection systems have been around for decades, and while they've gone through many
iterations and innovative advancements, the IDS still stands as a fundamental part of good cyber
hygiene. Just as a home alarm system is designed to alert you to an intruder's attempt at breaking
in, an IDS will in the same way monitor network traffic and notify you of suspicious activity.

An IDS cannot stop security threats on its own. An IDS can help accelerate and automate
network threat detection by alerting security administrators to known or potential threats, or by
sending alerts to a centralized security tool.

Working

- An IDS (Intrusion Detection System) monitors the traffic on a computer network to
detect any suspicious activity.
- It analyzes the data flowing through the network to look for patterns and signs of
abnormal behaviour.
- The IDS compares the network activity to a set of predefined rules and patterns to
identify any activity that might indicate an attack or intrusion.
- If the IDS detects something that matches one of these rules or patterns, it sends an alert
to the system administrator.
- The system administrator can then investigate the alert and take action to prevent any
damage or further intrusion.
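The steps above describe the core loop of a signature-based IDS: inspect each unit of traffic, compare it against predefined rules, and raise an alert on a match. The following Python program is an added example written for this page, not code from the original document or from any real IDS product. It works on constructed flow records (source, destination, port, protocol, payload) rather than live packets, applies two illustrative signature rules, and adds a simple rate-based rule that flags a source contacting many distinct ports in a short window, the kind of port-scan activity the Placement section mentions. The rule names, thresholds and sample flows are all assumptions chosen for the demonstration.

```python
"""Minimal signature- and rate-based intrusion detector over constructed flow records.

Added example for this page; not the code of any real IDS. All rules, thresholds
and sample traffic below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    """One observed network flow (constructed; a real IDS would decode packets)."""
    ts: float            # timestamp in seconds
    src: str             # source IP address
    dst: str             # destination IP address
    dport: int           # destination port
    proto: str           # "tcp" or "udp"
    payload: bytes = b""  # application-layer bytes, if any


@dataclass
class Alert:
    rule: str    # name of the rule that fired
    src: str     # offending source address
    detail: str  # human-readable context for the administrator


# Signature rules: (rule name, protocol, destination port or None, byte pattern or None).
# These are illustrative rules assumed for the example, not a real rule set.
SIGNATURES = [
    ("SQLi probe in HTTP request", "tcp", 80, b"' OR 1=1"),
    ("Telnet login attempt", "tcp", 23, None),
]


class SimpleIDS:
    """Compares each flow against the signature list and a port-scan heuristic."""

    def __init__(self, scan_threshold: int = 10, scan_window: float = 5.0):
        self.scan_threshold = scan_threshold  # distinct ports that count as a scan
        self.scan_window = scan_window        # seconds of history kept per source
        self._ports_seen = defaultdict(list)  # src -> [(ts, dport), ...]
        self._scan_alerted = set()            # sources already reported as scanning

    def inspect(self, flow: Flow) -> list[Alert]:
        alerts = []

        # Step 1: signature matching against predefined rules.
        for name, proto, port, pattern in SIGNATURES:
            if flow.proto != proto:
                continue
            if port is not None and flow.dport != port:
                continue
            if pattern is not None and pattern not in flow.payload:
                continue
            alerts.append(Alert(name, flow.src, f"{flow.src} -> {flow.dst}:{flow.dport}"))

        # Step 2: rate-based heuristic, many distinct ports from one source in a window.
        history = self._ports_seen[flow.src]
        history.append((flow.ts, flow.dport))
        cutoff = flow.ts - self.scan_window
        history[:] = [(t, p) for t, p in history if t >= cutoff]
        distinct_ports = {p for _, p in history}
        if len(distinct_ports) >= self.scan_threshold and flow.src not in self._scan_alerted:
            self._scan_alerted.add(flow.src)  # alert once per source, not once per packet
            alerts.append(Alert("Possible port scan", flow.src,
                                f"{len(distinct_ports)} distinct ports within {self.scan_window}s"))
        return alerts


def run_ids(flows: list[Flow]) -> list[Alert]:
    """Feed flows through the detector in order and collect every alert raised."""
    ids = SimpleIDS()
    alerts = []
    for flow in flows:
        alerts.extend(ids.inspect(flow))
    return alerts


# Constructed sample traffic: one injection probe, one benign HTTPS flow,
# one telnet connection, and one host touching twelve ports in a second.
SAMPLE_FLOWS = [
    Flow(0.0, "10.0.0.5", "10.0.0.20", 80, "tcp", b"GET /login?user=admin' OR 1=1-- HTTP/1.1"),
    Flow(0.5, "10.0.0.7", "10.0.0.20", 443, "tcp", b"\x16\x03\x01"),
    Flow(1.0, "10.0.0.9", "10.0.0.21", 23, "tcp"),
] + [Flow(2.0 + i * 0.1, "10.0.0.66", "10.0.0.20", 1000 + i, "tcp") for i in range(12)]


if __name__ == "__main__":
    for alert in run_ids(SAMPLE_FLOWS):
        print(f"[ALERT] {alert.rule}: {alert.src} ({alert.detail})")
```

Running the script prints three alerts: the SQL injection signature, the telnet rule, and one port-scan alert for 10.0.0.66 (raised when the tenth distinct port is seen, and not repeated for the remaining probes). The benign HTTPS flow matches nothing. The design point is the separation between stateless signature rules, which need only the current flow, and the stateful heuristic, which keeps a bounded per-source history so that memory does not grow without limit.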

Placement

The most common, and usually the optimal, position for an IDS is behind the firewall, although
the exact position depends on the network. Placing the IDS behind the firewall gives it high
visibility of incoming network traffic, while it will not see traffic passing between users and the
internal network. The network edge is the point at which the network connects to the extranet.
Where an IDS is positioned outside a network's firewall, its purpose is to observe noise from the
internet and to detect attacks such as port scans and network mapping. An IDS in this position
would monitor layers 4 through 7 of the OSI model and would use a signature-based detection
method. This is useful because, rather than showing only the actual breaches that made it through
the firewall, it shows attempted breaches, which reduces the number of false positives. It also
takes less time to discover successful attacks against the network.
An advanced IDS integrated with a firewall can be used to intercept complex attacks entering
the network. Features of such an IDS include multiple security contexts at the routing level and a
bridging mode. All of this in turn potentially reduces cost and operational complexity.
Another choice for IDS placement is within the network itself. This placement reveals attacks or
suspicious activity originating inside the network. Neglecting security inside a network is
detrimental, as it may allow users to create security risks, or allow an attacker who has already
broken into the system to roam around freely.