Intrusion Detection System (IDS)
NFC
Presented by group B-5:
Maowaz (22-CS-52)
Hussnain (22-CS-50)
Ahmed (22-CS-53)
Maaz Anwar (22-CS-51)
Hammad (22-CS-49)
Introduction
What is IDS? What is the purpose of IDS? How does IDS work?
An IDS (Intrusion Detection System) monitors the traffic on a computer network to detect any suspicious activity. It analyzes the data flowing through the network to look for patterns and signs of abnormal behavior.
The IDS compares the network activity to a set of predefined rules and patterns to identify any activity that might indicate an attack or intrusion. If the IDS detects something that matches one of these rules or patterns, it sends an alert to the system administrator.
The system administrator can then investigate the alert and take action to prevent any damage or further intrusion.
Components of IDS
Sensors
Sensors monitor network traffic, system logs, and other data sources for suspicious activity. They are the first component of an IDS. These sensors can either be host- or network-based. They provide alerts when potential breaches are detected.
Analysis Engine
After the sensors generate alerts, the IDS's analysis engine examines them to determine whether they reflect actual threats. To identify potential threats, this component uses various techniques like signature-based detection, anomaly detection, and behavioral analysis.
Central Console
The central console is the IDS component responsible for receiving and managing warnings from the sensors and the analysis engine. The security team can view and manage alerts, investigate problems, and respond appropriately.
Response Mechanism
Finally, an IDS should provide a reaction mechanism for dealing with discovered threats to mitigate the effects of the intrusion. This can include restricting traffic, quarantining affected systems, or triggering automated actions.
Types of Intrusion Detection System
Network-based IDS: A NIDS is deployed at a strategic point or points within the network. It monitors inbound and outbound traffic to and from all the devices on the network.
Host-based IDS: A HIDS runs on all computers or devices in a network that have direct access to both the internet and the enterprise's internal network. In some cases, these systems are better able to detect anomalies than a NIDS.
Signature-based intrusion detection: A SIDS monitors all packets traversing the network and compares them against a database of attack signatures or attributes of known malicious threats.
Anomaly-based intrusion detection: An anomaly-based IDS monitors network traffic and compares it with an established baseline to determine what's considered normal for the network with respect to bandwidth, protocols, ports and other
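As an added illustration (not code from the presentation), the toy Python IDS below runs both detection methods described above over constructed connection records: a small signature database for the signature-based case, and a baseline of normal ports and byte volumes learned from clean traffic for the anomaly-based case. All traffic, signatures and the alert threshold are made up for the example; the oversized upload at the end shows how a legitimate transfer can still trigger an anomaly alert (a false positive).

```python
from statistics import mean, pstdev

# Constructed sample traffic (not real captures): (src_ip, dst_port, bytes, payload).
# BASELINE_TRAFFIC is assumed clean and is used to learn what "normal" looks like.
BASELINE_TRAFFIC = [
    ("10.0.0.5", 443, 1200, b"GET /index.html"),
    ("10.0.0.6", 443, 1500, b"GET /app/login"),
    ("10.0.0.7", 80, 900, b"GET /static/logo.png"),
    ("10.0.0.5", 80, 1100, b"GET /about"),
    ("10.0.0.8", 443, 1300, b"POST /api/search"),
]
NEW_TRAFFIC = [
    ("10.0.0.9", 443, 1250, b"GET /index.html"),       # ordinary request
    ("203.0.113.4", 80, 950, b"GET /../../config"),    # matches a signature
    ("10.0.0.6", 3389, 1000, b""),                     # port never seen in baseline
    ("10.0.0.5", 443, 90000, b"POST /api/upload"),     # far above normal volume
]

# Hypothetical signature database: byte patterns associated with known attacks.
SIGNATURES = {
    "path-traversal": b"../../",
    "shell-reference": b"/bin/sh",
}


def signature_detect(records):
    """Signature-based detection: flag any payload containing a known pattern."""
    return [(src, name) for src, _, _, payload in records
            for name, pattern in SIGNATURES.items() if pattern in payload]


def build_baseline(records):
    """Learn the 'normal' profile: ports in use and byte-volume statistics."""
    sizes = [nbytes for _, _, nbytes, _ in records]
    return {"ports": {port for _, port, _, _ in records},
            "mean": mean(sizes), "stdev": pstdev(sizes)}


def anomaly_detect(records, baseline, k=3.0):
    """Anomaly-based detection: flag unseen ports and volumes above mean + k*stdev."""
    threshold = baseline["mean"] + k * baseline["stdev"]
    alerts = []
    for src, port, nbytes, _ in records:
        if port not in baseline["ports"]:
            alerts.append((src, f"unusual-port:{port}"))
        elif nbytes > threshold:
            alerts.append((src, "volume-above-baseline"))
    return alerts


if __name__ == "__main__":
    profile = build_baseline(BASELINE_TRAFFIC)
    print("signature alerts:", signature_detect(NEW_TRAFFIC))
    print("anomaly alerts:", anomaly_detect(NEW_TRAFFIC, profile))
```

Raising `k` reduces false positives on large legitimate transfers but raises the chance of a false negative, which is the trade-off the Limitations section describes.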
Firewall vs IDS/IPS
Firewalls and intrusion detection systems (IDS) are cybersecurity tools that can both safeguard a network or endpoint. Their objectives, however, are very different from one another.
IDS: Intrusion detection systems are passive monitoring tools that identify possible threats and send out notifications to analysts in security operations centers (SOCs). In this way, incident responders can promptly look into and address the potential event.
Firewall: A firewall, on the other hand, analyzes the metadata contained in network packets and decides whether to allow or prohibit traffic into or out of the network based on pre-established rules. A firewall essentially creates a barrier that stops certain traffic from crossing through it.
Advantages and Limitations of IDS
Advantages
• Early Threat Detection: IDS continuously monitor network traffic or system activity, allowing them to detect suspicious behavior in real time. This provides earlier warning signs of potential attacks compared to simply waiting for negative
• Improved Incident Response: By identifying suspicious activity, IDS can help security personnel prioritize and respond to incidents more quickly and effectively. The information provided by IDS alerts can be crucial for investigating the nature and scope of
• Security Visibility: IDS offer valuable insights into network traffic and system activity. This can help security teams better understand potential vulnerabilities within their systems and identify areas where they might need to
• Reduced Risk of Data Breaches: By detecting and alerting on suspicious activity, IDS can help prevent attackers from gaining access to sensitive data or compromising systems. This can significantly reduce the risk of data
• Security Awareness: Even basic IDS can raise awareness of security issues within an organization. Alerts and reports generated by IDS can highlight potential security risks and encourage a more security-conscious culture.
Limitations
1. False positives and negatives: One of the main challenges of IDPS is to reduce the number of false positives and false negatives. False positives are alerts that indicate an attack when there is none, while false negatives are attacks that go unnoticed by the IDPS. Both can have negative consequences for your
2. Evasion techniques: Another limitation of IDPS is that they can be evaded by attackers who use various techniques to bypass or deceive them. Some of the common evasion techniques are encryption, fragmentation, obfuscation, spoofing, and polymorphism. Encryption can hide the content of the network traffic from the IDPS,
3. Resource consumption: A third limitation of IDPS is that they can consume a lot of resources, such as bandwidth, memory, CPU, and disk space. This can affect the performance and availability of your
4. Legal and ethical issues: A fourth limitation of IDPS is that they can raise some legal and ethical issues, such as privacy, liability, and compliance
5. Human factors: A fifth limitation of IDPS is that they depend on human factors, such as skills, knowledge, and awareness. IDPS are not fully automated or intelligent systems that can operate without human intervention or supervision. They require human input, output, and feedback to
Common IDS Tools
• Snort
• Suricata
• Bro (Zeek)
• OSSEC
• Security Onion
1. Snort: An open-source network IDS that performs real-time traffic analysis and packet logging.
2. Suricata: An advanced IDS with multi-threading capabilities, providing real-time intrusion detection, intrusion prevention (IPS), and network security monitoring.
3. Bro (Zeek): A powerful network analysis framework that monitors traffic, detects anomalies, and performs real-time logging.
4. OSSEC: An open-source host-based IDS that monitors system logs, file integrity, rootkits, and registry changes for suspicious activities.
5. Security Onion: A Linux distribution designed for network security monitoring, intrusion detection, and log management using tools like Snort, Zeek, and Suricata.
IDS Detection Methods (IDS) and Prevention (IPS)
Conclusion
IDS play a crucial role in modern cybersecurity by providing real-time monitoring and analysis of network traffic to detect and respond to potential threats. By leveraging advanced technologies such as machine learning and behavior analysis, IDS can enhance an organization's ability to protect sensitive data and maintain operational integrity. It is essential for organizations to implement robust IDS solutions, regularly update their systems, and conduct thorough training for their personnel.