How Does the Intrusion Detection System (IDS) work?

An Intrusion Detection System (IDS) is used for the purpose of detecting malicious network traffic and system misusage that otherwise conventional firewalls cannot detect. Thus, IDS detects network-based attacks on vulnerable services and applications, attacks based on hosts, like privilege escalation, unauthorized login activity and access to confidential documents, and malware infection (trojan horses, viruses, etc.). It has proven to be a fundamental need for the successful operation of a network.

The key difference between an Intrusion Prevention System (IPS) and the IDS is that while IDS only passively monitors and reports the network state, IPS goes beyond, it actively stops the intruders from carrying out malicious activities.

This guide will explore different types of IDS, their components, and the types of detection techniques used in IDS.

Historical Review of IDS

James Anderson introduced the idea of intrusion or system misuse detection by monitoring the pattern of anomalous network usage or system misuse. In 1980, based on this report, he published his paper titled “Computer Security Threat Monitoring and Surveillance.” In 1984, a new system named “Intrusion Detection Expert System (IDES)” was launched. It was the first prototype of IDS that monitors the activities of a user.

In 1988, another IDS called “Haystack” was introduced that used patterns and statistical analysis to detect anomalous activities. This IDS, however, does not have the feature of real-time analysis. Following the same pattern, the University of California Davis’s Lawrence Livermore Laboratories brought up a new IDS called “Network System Monitor (NSM)” to analyze network traffic. Afterward, this project turned into an IDS called “Distributed Intrusion Detection System (DIDS).” Based on DIDS, the “Stalker” was developed, and it was the first IDS that was commercially available.

During the mid-1990s, SAIC developed a host IDS called “Computer Misuse Detection System (CMDS).” Another system called “Automated Security Incident Measurement (ASIM)” was developed by the Cryptographic Support Center of US Air Force for measuring the level of unauthorized activity and detecting unusual network events.

In 1998, Martin Roesch launched an open-source IDS for networks called “SNORT,” which later became very popular.

Types of IDS

Based on the level of analysis, there are two major types of IDS:

  1. Network-Based IDS (NIDS): It is designed to detect network activities that are usually not detected by the simple filtering rules of firewalls. In NIDS, individual packets which pass through a network are monitored and analyzed to detect any malicious activity going on in a network. “SNORT” is an example of NIDS.
  2. Host-Based IDS (HIDS): This monitors the activities going on in an individual host or server on which we have installed the IDS. These activities can be attempts for system login, integrity check for files on the system, tracing, and analysis of system calls, application logs, etc.

Hybrid Intrusion Detection System: It is the combination of two or more types of IDS. “Prelude” is an example of such a type of IDS.

Components of IDS

An intrusion detection system is composed of three different components, as briefly explained below:

  1. Sensors: They analyze network traffic or network activity, and they generate security events.
  2. Console: Their purpose is event monitoring and to alert and control the sensors.
  3. Detection Engine: The events generated by sensors are recorded by an engine. These are recorded in a database. They also have policies for generating alerts corresponding to security events.

Detection Techniques for IDS

In a broad manner, techniques used in IDS can be classified as:

  1. Signature/pattern-based Detection: We use known attack patterns called “signatures” and match them against the network packet contents for detecting attacks. These signatures stored in a database are the attack methods used by intruders in the past.
  2. Unauthorized Access Detection: Here, the IDS is configured to detect access violations using an access control list (ACL). The ACL contains access control policies, and it uses the IP address of users to verify their request.
  3. Anomaly-based Detection: It uses a machine-learning algorithm to prepare an IDS model that learns from the regular activity pattern of network traffic. This model then acts as a base model from which incoming network traffic is compared. If the traffic deviates from normal behavior, then alerts are generated.
  4. Protocol Anomaly Detection: In this case, the anomaly detector detects the traffic that does not match the existing protocol standards.


Online business activities have risen in recent times, with companies having multiple offices located in different locations around the world. There is a need to run computer networks constantly at the internet level and an enterprise level. It is natural for companies to become targets from the evil eyes of hackers. As such, it has become a very critical issue to protect information systems and networks. In this case, IDS has become a vital component of an organization’s network, which plays an essential role in detecting unauthorized access to these systems.

About the author

Ali Imran Nagori

Ali imran is a technical writer and Linux enthusiast who loves to write about Linux system administration and related technologies. You can connect with him on LinkedIn