An Intrusion Detection System (IDS) monitors a network's traffic for activities that appear to be threats and/or attempts at infiltrating a network or system. When a threat is detected the IDS sends alerts to administrators who can then take action.

There are two main types of IDS... Host Based Intrusion Detection Systems (HIDS) and Network Based Intrusion Detection Systems (NIDS). A HIDS is typically deployed to monitor internal system files such as operating systems. A NIDS monitors inbound network traffic for threats. Once an IDS is configured to understand traffic patterns specific to a particular network, both can recognize known "bad" patterns and/or detect abnormal behavior based on how "good" traffic historically behaves. 

When an IDS is network based it's usually placed within a network to analyze traffic from all external devices that touch that network. A common use for NIDS is to detect and monitor traffic leading into the firewall for the purpose of detecting a possible attempt at breaking that firewall. Although outbound traffic can also be analyzed using NIDS, this approach has been known to cause bottlenecks that negatively impact the performance of the network. 

When an IDS is host based it can run on individual devices or hosts. The main approach of a HIDS is to take snapshots of system files, analyze them for any changes, and if abnormal behavior is detected an administrator is alerted. A common use for a HIDS is to use it to alert network managers of existing threats that may already exist within a network (such as malware) or threats that originate within that network such as an insider threat. A host based IDS can continuously monitor system logs, important files and detect suspicious modifications that originate from an internal user. 

Intrusion Detection Systems can be an important part of detecting threats that already exist within a network. However, since an IDS is focused on detection and is normally a passive system (doesn't take action on the detected threat), an IDS is rarely used as a standalone system. It's many times coupled with a related system called an Intrusion Prevention System that actually takes action on the perceived threat. In fact, the IDS in many ways has been replaced by the newer versions of Intrusion Prevention Systems.

Related topics...

• The history and evolution of Network Security and where it's heading.
• How does DNS Protection work and why is it important?
• What are the most common cyber attacks and threats?