What is intrusion detection?

February 25, 2022 by Mark Viglione

The concept of intrusion detection has been around for many years and will continue to be needed so long as malicious actors try to breach networks and steal sensitive data. New advancements in technology and “buzz words” can sometimes make intrusion detection sound extremely complex, leaving you unsure where to start and how to implement a proper intrusion detection framework.

While the methodology behind intrusion detection is vast, the concepts stay the same. Intrusion detection is essentially the following: A way to detect if any unauthorized activity is occurring on your network or any of your endpoints/systems. 

We use intrusion detection to identify any unwanted activity occurring on our network or endpoints to catch a threat actor before they cause harm to our network or the business.

There are many topics to cover when dealing with intrusion detection, but in this article, we will focus on breaking down the methodology into three categories:

  1. Types of intrusion detection systems
  2. Intrusion detection vs. intrusion prevention 
  3. Types of free intrusion detection software

Types of intrusion detection systems 

Let's start with the types of intrusion detection. If you've ever searched Google for "intrusion detection," you might have been flooded with vendors, scholarly papers and articles on cybersecurity and detection technology. While it's great that there are so many resources on the topic, sometimes it's hard to find some of the basics.

When you boil it down, you can break intrusion detection into two main categories: signature-based and signature-less (anomaly-based) detection. There are many forms of signature-based and anomaly detection; however, we will only touch on the basics for the sake of this article.

Signature-based detection involves detecting known-bad vulnerabilities and attacks. For this to work, you must have a list of rules (aka "signatures") describing the known threats you want to detect. Signature-based detection is probably the oldest and most common type of detection. While this might cover the basics, it's also good to implement some form of anomaly detection, where the system detects threats that have NOT been previously identified. This type of detection is more complex and usually involves some form of machine learning algorithm.
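The two approaches side by side, as an added example that is not part of the original article: signatures are regular expressions over request lines, and a simple per-host z-score stands in for the machine learning the article mentions. The rule names, log lines and request counts are constructed for illustration.

```python
import re
from statistics import mean, pstdev

# Constructed signatures: known-bad patterns with hypothetical rule names.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./\.\./"),
    "scanner-user-agent": re.compile(r"\bnikto\b", re.I),
}

def signature_alerts(lines):
    """Return (line_index, rule_name) for every line matching a known signature."""
    return [(i, name) for i, line in enumerate(lines)
            for name, rx in SIGNATURES.items() if rx.search(line)]

def anomaly_alerts(history, current, threshold=3.0):
    """Flag hosts whose current request count deviates from their own baseline.

    history: {host: [requests per hour in past windows]}
    current: {host: requests in the current hour}
    """
    alerts = []
    for host, count in current.items():
        past = history.get(host)
        if not past:
            alerts.append((host, "no-baseline"))  # a never-seen host is itself unusual
            continue
        mu, sigma = mean(past), pstdev(past)
        z = (count - mu) / (sigma or 1.0)  # avoid dividing by zero on a flat baseline
        if z > threshold:
            alerts.append((host, f"volume z={z:.1f}"))
    return alerts

# Constructed sample data (not from any real network).
LOG = [
    '10.0.0.5 "GET /index.html" "Mozilla/5.0"',
    '10.0.0.9 "GET /../../etc/passwd" "curl/8.0"',
    '10.0.0.7 "GET /report.pdf" "Mozilla/5.0"',
]
HISTORY = {"10.0.0.5": [40, 42, 38, 41], "10.0.0.7": [10, 12, 11, 9]}
CURRENT = {"10.0.0.5": 43, "10.0.0.7": 900, "10.0.0.9": 1}

if __name__ == "__main__":
    print("signature:", signature_alerts(LOG))
    print("anomaly:  ", anomaly_alerts(HISTORY, CURRENT))
```

Host 10.0.0.7 sends only ordinary-looking requests, so no signature fires, yet its request volume is far outside its own baseline and the anomaly check flags it.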

Intrusion detection vs. intrusion prevention

Now that we’ve talked a bit about types of intrusion detection, let's discuss some common misconceptions. As you go about your journey in cybersecurity, you will hear the terms IDS (intrusion detection system) and IPS (intrusion prevention system) used interchangeably.

These terms and technologies are similar in almost every way except one. An IDS only detects and alerts on threats; it does NOT block anything. On the other hand, an IPS will attempt to block the traffic or threat once it's identified. Many vendor products include both IDS and IPS capabilities in their offerings.

We will dive into what's available from a technology perspective, and where to place these tools, in further articles. For now, know that if you are using an IDS, it only detects activity and will not take any action.

IDS or IPS? Decisions, decisions. Initially, the recommendation is that you start with IDS. With an IDS, you can learn more about your network (or host if you're using a host-based IDS). If you jump straight into IPS and start blocking things, you might end up blocking something mission-critical for the business. Then you might get an angry call from the powers that be asking why employees can't access specific resources. Even if you purchase a product with IDS and IPS capabilities, most organizations will run the IPS in IDS mode for a few weeks to ensure they are not blocking legitimate traffic.  
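Why running in IDS mode first pays off, as an added example that is not part of the original article: the same rule set is replayed over the same traffic in alert-only and blocking mode, and the alert-only run is used to find rules that would have cut off a critical service. The rule names, addresses, the "payroll app" inventory entry and the traffic are all constructed assumptions.

```python
from collections import Counter

# Constructed rules with hypothetical names; each matches a destination port or payload text.
RULES = [
    {"name": "block-telnet", "port": 23},
    {"name": "block-alt-https", "port": 8443},
    {"name": "known-bad-marker", "payload": "EXAMPLE-BAD-MARKER"},
]
# Assumption: an asset inventory identifies business-critical services.
CRITICAL = {("10.1.0.20", 8443): "payroll app"}

def matches(rule, ev):
    """A rule matches when every field it specifies agrees with the event."""
    if "port" in rule and ev["dport"] != rule["port"]:
        return False
    return "payload" not in rule or rule["payload"] in ev["payload"]

def inspect(events, mode):
    """mode 'ids': alert only, all traffic delivered. mode 'ips': matches are dropped."""
    delivered, alerts = [], []
    for ev in events:
        hit = next((r["name"] for r in RULES if matches(r, ev)), None)
        if hit:
            alerts.append((hit, ev["dst"], ev["dport"]))
            if mode == "ips":
                continue  # inline drop: the traffic never reaches its destination
        delivered.append(ev)
    return delivered, alerts

def rules_unsafe_to_enforce(alerts):
    """From an IDS-mode run, count hits that would have blocked a critical service."""
    hits = Counter((rule, CRITICAL[(dst, port)])
                   for rule, dst, port in alerts if (dst, port) in CRITICAL)
    return dict(hits)

# Constructed traffic sample (not from any real network).
EVENTS = [
    {"dst": "10.1.0.20", "dport": 8443, "payload": "POST /timesheet"},
    {"dst": "10.1.0.20", "dport": 8443, "payload": "GET /payslip"},
    {"dst": "10.1.0.30", "dport": 23, "payload": "login:"},
    {"dst": "10.1.0.40", "dport": 80, "payload": "GET /?q=EXAMPLE-BAD-MARKER"},
    {"dst": "10.1.0.40", "dport": 443, "payload": "GET /"},
]

if __name__ == "__main__":
    delivered, alerts = inspect(EVENTS, "ids")
    print(len(delivered), "delivered in IDS mode;", len(alerts), "alerts")
    print(len(inspect(EVENTS, "ips")[0]), "delivered in IPS mode")
    print("review before enforcing:", rules_unsafe_to_enforce(alerts))
```

Both modes raise the same four alerts, but only the IDS-mode run leaves the payroll traffic flowing while the overly broad port rule is tuned.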

Types of free intrusion detection software

You can use many different open-source tools for intrusion detection. We will only cover a few network intrusion detection tools in this article, but we will go into more depth on what tools do what, how to install/use them and use-cases for each in the following articles. 

  • Snort: Probably one of the most common network IDSs, and one that many vendors build on top of.
  • Suricata: Another popular open-source network detection tool. It has both IDS and IPS capabilities.
  • Zeek: An open-source network monitoring tool.

Getting started with intrusion detection

Hopefully, this article provided you with some basic knowledge behind intrusion detection and why it's crucial for network and endpoint security. To properly defend your network from malicious hackers and spot intruders before it's too late, some form of intrusion detection is necessary. 

Implementing an intrusion detection system or an intrusion prevention system can help your overall security posture so long as the system is properly maintained and tuned. A cybersecurity engineer or security analyst needs to be involved in the system's setup, configuration, and maintenance to effectively deploy and gain value from these tools. 

Join us in the next blog on intrusion detection best practices, where we cover who is typically responsible for implementing, tuning and maintaining an IDS within an organization. 

Mark Viglione

Mark Viglione is a graduate of Penn State University. He has experience working at a Fortune 500 company as a cybersecurity engineer. Mark is the founder of Enigma Networkz, a SaaS cybersecurity data analytics company helping small to midsized organizations protect their environment from cyber threats. He is a member of Ben Franklin Technology Partner's client portfolio program and has been a speaker at Penn State Berks LaunchBox events. He has also authored various cybersecurity related coursework and labs.

Mark holds multiple cybersecurity certificates: SSCP (Systems Security Certified Practitioner), SANS GCIA (Certified Intrusion Analyst) and CompTIA CySA+ (Cybersecurity Analyst).