 An IDS, or Intrusion Detection System, is a system designed to detect unauthorized access to a protected system, whether by attacks such as Cross-Site Request Forgery (CSRF), cross-site scripting, SQL injection, network sniffing, etc., or by misuse of a legitimate account.
 As the name implies, an intrusion detection system detects possible intrusions or misuse and alerts the authorized person who monitors the system.
 Its basic purpose is to detect any kind of unwanted interference with the system and issue some type of alert or warning. Note the word detection: a plain IDS observes and reports; blocking the traffic is the job of a firewall or an intrusion prevention system (IPS).
 To understand an IDS we should know what it is used for. The main purpose of using an IDS is to protect three things:
i) Data (its integrity and confidentiality)
ii) Availability
iii) Privacy
 No system is ever fully protected: it may have security loopholes or flaws, or it may be misused by an authorized insider. The main purpose of an IDS is therefore to identify those intruders early and limit the damage they can do.
[Figure: IDS detection engine. Incoming packets are fed to the detection engine, which matches them against its rules; when a match is found the packet is alerted on or logged, otherwise it is discarded from further analysis.]
 IDS are classified by detection method (anomaly-based or misuse-based) and by where the sensor sits (host-based or network-based):
 Anomaly-Based
 Misuse-Based
 Host-Based
 Network-Based
 Anomaly-based IDS assumes that intrusions can be detected by monitoring a system for abnormal patterns of usage, measured against a baseline of normal behaviour learned beforehand.
 Examples of anomalies that indicate intrusion:
• An abnormally high rate of password failures,
• A different login time, location or connection type than usual,
• Login at an unusual time,
• Attempts to access restricted resources,
• Execution of unexpected programs.
 Merits
• Can detect an attack without prior knowledge of it,
• Can therefore catch previously unseen attacks,
• Can detect abuse-of-privilege attacks, which generally do not involve exploiting any security vulnerability,
• Can recognize unusual network traffic from packet characteristics alone.
 Demerits
• Generates many false alarms (any legitimate change in behaviour looks anomalous), which compromises the effectiveness of the IDS,
• Affects the privacy of users, because building the baseline means profiling their normal activity.
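The following is an added example, not code from the original page: a small anomaly detector that builds a per-user profile of usual login hours and source addresses from baseline events, then scores constructed audit log lines against it. The log line format, the baseline records, the thresholds (FAIL_THRESHOLD, HOUR_TOLERANCE) and all addresses are assumptions chosen for illustration. The last log line is a legitimate evening login that the detector flags anyway, which is the false-alarm demerit listed above in action.

```python
"""Anomaly-based detection over constructed authentication events.

Added example; not the original page's code. The log line format, the
baseline records and the thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed baseline of known-good logins: (user, hour of day, source IP).
BASELINE_EVENTS = [
    ("alice", 9, "10.0.0.5"), ("alice", 10, "10.0.0.5"), ("alice", 14, "10.0.0.5"),
    ("bob", 8, "10.0.0.9"), ("bob", 17, "10.0.0.9"),
]

# Constructed audit log to analyse (syslog-like key=value lines; format assumed).
AUDIT_LOG = """\
2024-03-01T09:02:11 user=alice src=10.0.0.5 result=ok
2024-03-01T03:14:02 user=alice src=203.0.113.7 result=fail
2024-03-01T03:14:05 user=alice src=203.0.113.7 result=fail
2024-03-01T03:14:09 user=alice src=203.0.113.7 result=fail
2024-03-01T03:14:12 user=alice src=203.0.113.7 result=fail
2024-03-01T08:30:00 user=bob src=10.0.0.9 result=ok
2024-03-01T17:45:10 user=bob src=10.0.0.9 result=fail
2024-03-01T20:30:00 user=alice src=10.0.0.5 result=ok
"""

FAIL_THRESHOLD = 3   # more failures than this from one user+source is anomalous
HOUR_TOLERANCE = 2   # hours away from any baseline login hour still count as usual


def build_profile(events):
    """Per-user profile of usual login hours and usual source addresses."""
    profile = defaultdict(lambda: {"hours": set(), "sources": set()})
    for user, hour, src in events:
        profile[user]["hours"].add(hour)
        profile[user]["sources"].add(src)
    return dict(profile)


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict, adding the hour of day."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["hour"] = datetime.fromisoformat(ts).hour
    return fields


def detect_anomalies(log_text, profile):
    """Return a de-duplicated, ordered list of (user, reason) alerts."""
    alerts = []
    failures = defaultdict(int)

    def alert(user, reason):
        if (user, reason) not in alerts:
            alerts.append((user, reason))

    for line in log_text.splitlines():
        ev = parse_line(line)
        user, src, hour = ev["user"], ev["src"], ev["hour"]
        usual = profile.get(user)
        if usual is None:
            alert(user, "login by user with no baseline")
            continue
        if src not in usual["sources"]:
            alert(user, f"login from unusual source {src}")
        if all(abs(hour - h) > HOUR_TOLERANCE for h in usual["hours"]):
            alert(user, f"login at unusual hour {hour:02d}")
        if ev["result"] == "fail":
            failures[(user, src)] += 1
            if failures[(user, src)] > FAIL_THRESHOLD:
                alert(user, f"high password failure rate from {src}")
    return alerts


if __name__ == "__main__":
    for user, reason in detect_anomalies(AUDIT_LOG, build_profile(BASELINE_EVENTS)):
        print(f"ALERT {user}: {reason}")
```

The four alerts it raises are three true positives on the 03:14 burst from 203.0.113.7 and one false positive on alice's 20:30 login from her usual machine; tuning HOUR_TOLERANCE up removes the false positive but would also hide a genuinely odd 21:00 login. That trade-off, not the code, is what makes anomaly detection hard to operate.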
 Misuse-based IDS is also known as signature-based detection: the system is equipped with a number of attack descriptions, or signatures, and the audit data (packets, log entries) is matched against them to detect attacks.
 These signatures must be updated from time to time, because every day new hacking methods, malware and viruses are deployed by intruders to compromise systems.
 Merits
• Can be deployed very quickly, because the IDS does not need to learn normal behaviour before it can be used,
• Gives administrators the freedom to write their own signatures for organizational rules and policy,
• Fewer false alarms are generated in comparison with anomaly-based methods.
 Demerits
• Hackers and intruders develop new exploitation methods frequently, so the attack signatures must be updated just as frequently; an attack with no signature is invisible,
• Tightly defined signatures, written to keep false alarms down, fail to match even trivial variants of common attacks (a changed case, extra whitespace or an alternative spelling).
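The following is an added example, not the page's or any product's code: a minimal signature engine in the shape of the detection-engine figure above (packet in, rules, match?, alert/log or pass), run over constructed traffic with two rule sets. The Packet and Rule structures, the signature ids, the regex patterns and all addresses are assumptions. The tightly written rules catch only the literal `' OR 1=1` and `/bin/sh`, while the broader rules also catch the whitespace/case variant and `/bin/bash`, which is the last demerit above made concrete.

```python
"""Misuse (signature) based detection: packets checked against a rule list.

Added example, not the page's code. The packet representation, the rule
format and the sample payloads are assumptions made for illustration.
Flow mirrors the page's engine diagram: packet -> rules -> match? ->
alert/log (and optionally discard) or pass on.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    sid: int               # signature id
    msg: str               # alert message
    dport: Optional[int]   # None = any destination port
    pattern: bytes         # regex applied to the payload, case-insensitively


# Two rule sets for the same attacks: a tightly written literal match, and a
# broader pattern that tolerates the variants an attacker will try.
TIGHT_RULES = [
    Rule(1001, "SQLi tautology ' OR 1=1", 80, rb"' OR 1=1"),
    Rule(1002, "/bin/sh in payload", None, rb"/bin/sh"),
]
LOOSE_RULES = [
    Rule(2001, "SQLi tautology ' OR <n>=<n>", 80, rb"'\s*or\s+\d+\s*=\s*\d+"),
    Rule(2002, "/bin/<shell> in payload", None, rb"/bin/(sh|bash|dash)\b"),
]

# Constructed traffic: one benign request, an attack, and two variants of it.
PACKETS = [
    Packet("198.51.100.4", "10.0.0.10", 80, b"GET /item?id=1 HTTP/1.1"),
    Packet("198.51.100.4", "10.0.0.10", 80, b"GET /item?id=1' OR 1=1-- HTTP/1.1"),
    Packet("198.51.100.4", "10.0.0.10", 80, b"GET /item?id=1'  oR  2=2-- HTTP/1.1"),
    Packet("198.51.100.9", "10.0.0.22", 8080, b"cmd=/bin/bash -c id"),
]


def match(packet, rules):
    """Return every rule whose port constraint and payload pattern both hit."""
    return [r for r in rules
            if (r.dport is None or r.dport == packet.dport)
            and re.search(r.pattern, packet.payload, re.IGNORECASE)]


def run_engine(packets, rules, drop_on_match=False):
    """Detection engine: returns (alerts, forwarded packets).

    Each alert is (sid, msg, src). With drop_on_match the engine behaves as
    an inline IPS and does not forward matched packets.
    """
    alerts, forwarded = [], []
    for p in packets:
        hits = match(p, rules)
        alerts.extend((r.sid, r.msg, p.src) for r in hits)
        if hits and drop_on_match:
            continue
        forwarded.append(p)
    return alerts, forwarded


if __name__ == "__main__":
    for name, rules in (("tight", TIGHT_RULES), ("loose", LOOSE_RULES)):
        alerts, _ = run_engine(PACKETS, rules)
        print(name, [sid for sid, _, _ in alerts])
```

Real engines (Snort, Suricata) add decoding and normalisation of the payload before matching so that one signature covers URL-encoded or differently cased variants; without that step every signature must encode the variants itself, as the looser rule set here does.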
 Host-based IDS (HIDS) is based on monitoring activity on the local host computer.
 This monitoring can include network traffic to the host and local objects such as files, processes and services on the host.
 It can also analyze all network traffic sent to the computer and pass only the packets judged safe on to the computer (strictly an intrusion prevention function, but commonly bundled with host-based IDS products).
 It periodically examines the system security logs, and the integrity of important files, for suspicious activity.
 Merits
• Since it runs on the host, it has direct access to local system resources (processes, files, logs) when looking for intrusions,
• It can provide detailed information on the state of the system during an attack,
• Low resource utilization, since it only inspects activity on the local host.
 Demerits
• It gets very complex in large networks, because an agent must be installed and maintained on every host,
• If the host ceases to function, all logging stops with it,
• If the host (and with it the IDS) is compromised and logging still continues to function, the trust that can be placed in that log data is severely diminished; logs and integrity baselines should therefore be shipped off the host as they are produced.
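The following is an added example, not the page's code: the file-integrity part of a host-based IDS, which baselines the SHA-256 of every file under a directory and later reports what was modified, added or removed. The directory layout (a fake `etc/` with `passwd`, `ssh/sshd_config` and a rogue `cron.d` entry) is constructed in a temporary directory so the script runs anywhere; the file contents are assumptions.

```python
"""Host-based check: file-integrity baseline and periodic comparison.

Added example, not the page's code. Directory layout and file contents are
constructed in a temporary directory so the script runs anywhere.
"""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                digests[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return digests


def compare(baseline, current):
    """Return the paths that changed, appeared or disappeared since baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: baseline a fake /etc, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(data)

        write("etc/passwd", "root:x:0:0:root:/root:/bin/bash\n")
        write("etc/ssh/sshd_config", "PermitRootLogin no\n")
        baseline = snapshot(root)          # taken while the host is known-good

        # Simulated intrusion: weaken the SSH config and plant a cron job.
        write("etc/ssh/sshd_config", "PermitRootLogin yes\n")
        write("etc/cron.d/backdoor", "* * * * * root /tmp/.x\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline is only as trustworthy as its storage: an intruder with root on the host can rewrite it to match the tampered files, which is the last demerit above. Keep the baseline (or a signature over it) off the host, or at least on read-only media.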
 A network-based IDS (NIDS) involves the following:
• Deploying sensors at strategic locations (a network tap or a switch mirror port),
• Watching for violations of network protocols and unusual connection patterns,
• Checking the data portions of packets for malicious command sequences,
• Encrypted data portions (and, in tunnelled traffic, encrypted header information) cannot be inspected this way, so the sensor sees only what travels in the clear.
 A filter is usually applied first to determine which traffic is discarded and which is passed on to the attack recognition module.
 Merits
• Easy deployment: a few sensors cover many hosts, with no agent on each,
• Can be configured to be invisible to attackers (a sensor on a tap needs no address on the monitored segment),
• Can see intrusive activity that targets several hosts,
• Provides greater detail on the nature of the traffic,
• Can interact with firewall technology to dynamically block recognized intrusion behaviour.
 Demerits
• High-speed, large-volume monitoring is needed, and a sensor that cannot keep up silently drops packets.
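The following is an added example, not the page's code: a network sensor in the shape described above, with a pre-filter that decides which flows reach the attack recognition module, followed by a module that looks for a protocol violation (SYN and FIN set together) and an unusual connection pattern (one source opening connections to many distinct ports within a short window). The flow-record layout, the trusted scanner address, the window and the scan threshold are assumptions, and the flow records are constructed inline.

```python
"""Network-based sensor: pre-filter, then connection-pattern analysis.

Added example, not the page's code. The flow-record format, the trusted
scanner address, the window and the scan threshold are assumptions.
"""
from collections import defaultdict

WINDOW_S = 10.0                   # sliding window for counting a source's SYNs
SCAN_THRESHOLD = 5                # more distinct (dst, port) targets than this = scan
TRUSTED_SCANNERS = {"10.0.0.2"}   # e.g. the in-house vulnerability scanner

# Constructed flow records: (time_s, src, dst, dport, proto, tcp_flags).
FLOWS = (
    # a normal client reconnecting to one service
    [(0.5 * i, "10.0.0.5", "10.0.0.10", 443, "tcp", "S") for i in range(6)]
    # the trusted scanner sweeping ports 20-29
    + [(1.0 + 0.1 * i, "10.0.0.2", "10.0.0.10", p, "tcp", "S")
       for i, p in enumerate(range(20, 30))]
    # an external host probing seven common ports in under two seconds
    + [(3.0 + 0.2 * i, "198.51.100.7", "10.0.0.10", p, "tcp", "S")
       for i, p in enumerate([21, 22, 23, 25, 80, 443, 8080])]
    # the same host sending an illegal SYN+FIN combination
    + [(5.0, "198.51.100.7", "10.0.0.10", 22, "tcp", "SF")]
    # a UDP DNS query, outside this analyser's scope
    + [(6.0, "10.0.0.5", "10.0.0.10", 53, "udp", "")]
)


def prefilter(flows):
    """Sensor filter: hand only TCP from untrusted sources to the analyser."""
    return [f for f in flows if f[4] == "tcp" and f[1] not in TRUSTED_SCANNERS]


def detect(flows):
    """Return alerts for protocol violations and port-scan-like behaviour."""
    alerts = []
    syn_history = defaultdict(list)   # src -> [(time, dst, dport), ...]
    already_flagged = set()
    for t, src, dst, dport, proto, flags in sorted(flows):
        if "S" in flags and "F" in flags:   # SYN and FIN never legitimately coexist
            alerts.append(("protocol violation: SYN+FIN", src, dst, dport))
        if flags == "S":
            hist = syn_history[src]
            hist.append((t, dst, dport))
            recent = {(d, p) for ts, d, p in hist if t - ts <= WINDOW_S}
            if len(recent) > SCAN_THRESHOLD and src not in already_flagged:
                already_flagged.add(src)
                alerts.append(("port scan", src, dst, len(recent)))
    return alerts


if __name__ == "__main__":
    for a in detect(prefilter(FLOWS)):
        print("ALERT", a)
```

Running the analyser on the unfiltered records adds a third alert for the in-house scanner, which is exactly the noise the pre-filter exists to remove; the filter is also where a sensor sheds load, since everything it drops never reaches the more expensive recognition stage.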
 Therefore, an IDS alerts us to the sophisticated attacks described earlier.
 It helps to detect malicious packets or intrusive actions by comparing them with signatures and rules derived from observing intrusive activity in past logs or, in the anomaly-based case, by comparing them with a baseline of normal activity.

Intrusion detection system