Types of IDS/IPS

An intrusion detection system (IDS) is a device that monitors a network or systems for malicious activity or policy violations. Any detected activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system.
A SIEM system combines outputs from multiple sources, and uses alarm filtering techniques to distinguish malicious activity from false alarms.

If this devices denies active the access or traffic we speak of a intrusion prevention system (IPS).

The most common classifications are network intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS).
A system that monitors important operating system files is an example of a HIDS, while a system that analyzes incoming network traffic is an example of a NIDS.

It is also possible to classify IDS by detection approach: the most well-known variants are signature-based detection (recognizing bad patterns, such as malware) and anomaly-based detection (detecting deviations from a model of “good” traffic, which often relies on machine learning).

Some IDS/IPS have the ability to respond to detected intrusions. Systems with response capabilities are typically referred to as an intrusion prevention system.

Detection method


Signature-based

Signature-based IDS refers to the detection of attacks by looking for specific patterns, such as byte sequences in network traffic, or known malicious instruction sequences used by malware. This terminology originates from anti-virus software, which refers to these detected patterns as signatures. Although signature-based IDS can easily detect known attacks, it is impossible to detect new attacks, for which no pattern is available.

Anomaly-based

Anomaly-based intrusion detection systems were primarily introduced to detect unknown attacks, in part due to the rapid development of malware. The basic approach is to use machine learning to create a model of trustworthy activity, and then compare new behavior against this model. Although this approach enables the detection of previously unknown attacks, it may suffer from false positives: previously unknown legitimate activity may also be classified as malicious.

DN-Systems helps to deploy combined systems with the best of both worlds, a combination of Singaure- and Anomality-Based combined with User-Bahaviour and Policy-Definition.

For Example, Finace should not access files from the Development Departments after 5pm and on Weekends, it is possible to generate a Policy that triggers a alarm if some User from Finance is trying to access outside working houers.