Intrusion Detection Systems (IDS) are one of the most important elements of the information security systems protecting the networks of any modern enterprise. The increase in computer security incidents in recent years has quickly made intrusion detection systems a key component of any firewall strategy. Their popularity has grown significantly over the past few years as security vendors have markedly improved the quality and compatibility of their software.

The term intrusion detection system (IDS) covers many different software and hardware tools united by one common property: they analyze the use of the resources entrusted to them and, if suspicious or simply atypical events are detected, they can take independent action to detect, identify and eliminate their causes.

But intrusion detection systems are just one tool in the defense arsenal and should not be seen as a substitute for any of the other defense mechanisms. Information security is most effective when the intranet is protected in multiple layers, consisting of the following components:

The organization’s intranet security policy;
Host protection system in the network;
Network audit;
Router based protection;
Intrusion detection systems;
A plan to respond to identified attacks.

Therefore, to fully protect the integrity of the network, all of the above protection components must be implemented; multi-layered protection is the most effective way to prevent unauthorized use of computer systems and network services. An intrusion detection system is thus one component of network security within a multi-layered network protection strategy.

Intrusion detection and prevention systems (IDS / IPS) are a set of software or hardware tools that detect and prevent unauthorized access to a corporate system. They are usually divided into two main components: intrusion detection systems (IDS) and intrusion prevention systems (IPS).

IDS stands for Intrusion Detection System. An IDS works much like antivirus software in that it detects malicious files or content, as explained below. To understand how an intrusion detection system functions, we first have to understand what an intrusion is, or more specifically, what a network intrusion is.

INTRUSION:- An intrusion can be defined as the misuse of a network or a computer system through unauthorized access by an unauthorized person. That unauthorized person is called an intruder.

An intrusion compromises the data security of an organization, i.e. the organization's confidential data can be misused. An intrusion can be carried out by malware or ransomware, by an intruder from outside the organization, or by a person who is part of the organization and connected to its network.

With that in mind, it is easy to understand how an intrusion detection system works:-

Intrusion Detection System:- An intrusion detection system is a tool or software that continuously monitors the network and detects whether any malicious file or content is present in the data packets flowing over the network. The IDS also checks that the resources and privileges of the network are not being misused.

The IDS works continuously in the background of the system, and whenever it detects a malicious file in the network it sends a flag or alert to the system administrator about the malicious data.

Having understood how an IDS works, the next question is how the IDS detects malicious files or content:-

An IDS relies on the two detection methods given below:-

  1. Signature-based detection:- In this detection method the IDS scans data packets for specific malicious signatures, where a signature is a specific pattern; these patterns are known as attack patterns. All known attack patterns or signatures are stored in the database of the IDS, so whenever an attacker performs a known attack the IDS can recognize its signature and flag the attack. The only limitation of this technique is that if an attacker performs an attack with a new signature, the IDS will not be able to detect it.
  2. Anomaly-based detection:- In an anomaly-based detection system the IDS scans for deviations or changes in behavior. Anomaly detection is designed to identify rare events or observations that are suspicious because they differ from normal behavior. Whenever it detects such a rare event, it flags or raises an alert on the suspicious event in order to protect the data.
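The two detection methods above, as an added example that is not part of the original article: a toy Python IDS that runs a small signature database and a statistical rate-anomaly check over constructed packet records. The signatures, host addresses and baseline counts are all made up for the demo, and the burst from 10.0.0.9 is chosen to carry no known signature so that only the anomaly detector can catch it.

```python
import re
import statistics
from collections import Counter

# Signature database: rule name -> pattern matched against each packet payload.
# Both patterns are constructed for this demo, not real vendor rules.
SIGNATURES = {
    "sql-injection-probe": re.compile(rb"(?i)'\s*or\s+1\s*=\s*1"),
    "path-traversal": re.compile(rb"\.\./\.\./"),
}

def signature_matches(payload):
    """Signature-based detection: names of all known patterns found in the payload."""
    return [name for name, pat in SIGNATURES.items() if pat.search(payload)]

def anomalous_sources(packets, baseline_counts, z_threshold=3.0):
    """Anomaly-based detection: sources whose packet count in this window deviates
    from the learned baseline by more than z_threshold standard deviations.
    baseline_counts: per-host packet counts observed during a quiet training period."""
    mean = statistics.mean(baseline_counts)
    stdev = statistics.pstdev(baseline_counts) or 1.0  # constant baseline: avoid /0
    counts = Counter(p["src"] for p in packets)
    return {src: n for src, n in counts.items() if (n - mean) / stdev > z_threshold}

def analyze(packets, baseline_counts):
    """Run both detectors; return (method, source, detail) tuples for the administrator."""
    alerts = []
    for p in packets:
        for name in signature_matches(p["payload"]):
            alerts.append(("signature", p["src"], name))
    for src, n in anomalous_sources(packets, baseline_counts).items():
        alerts.append(("anomaly", src, f"{n} packets in window"))
    return alerts

# Constructed sample traffic: a normal request, a request carrying a known attack
# pattern, and a burst from one host that matches no signature at all.
BASELINE = [4, 5, 6, 5, 4, 6, 5]  # packets per host per window during training
PACKETS = (
    [{"src": "10.0.0.5", "payload": b"GET /index.html HTTP/1.1"},
     {"src": "10.0.0.7", "payload": b"GET /login?user=a' OR 1=1-- HTTP/1.1"}]
    + [{"src": "10.0.0.9", "payload": b"SYN"}] * 40
)

if __name__ == "__main__":
    for alert in analyze(PACKETS, BASELINE):
        print(alert)
```

Running it yields one signature alert for 10.0.0.7 and one anomaly alert for 10.0.0.9; neither detector alone would have reported both, which is why real deployments combine them.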

Intrusion detection system standards

Sharing data on suspicious activity. Many attacks on information systems are distributed in nature, and at the same time different active audit tools see the same incident from different points of view.

Sharing suspicious activity information is a major focus of the Internet Engineering Task Force (IETF) Intrusion Detection Working Group (IDWG).

The task of the IDWG is to specify the Intrusion Detection Message Exchange Format (IDMEF), a format for exchanging data between IDS components. It is used to convey warning messages about suspicious events between intrusion detection systems. The format should ensure compatibility and interoperability between commercial and open-source IDSs so as to provide the highest level of security.

IDMEF must support all suspicious activity detection mechanisms. It should be designed for IPv6, contain everything necessary for internationalization, support filtering and aggregation of messages by the response component, and support their reliable delivery (including through a firewall, without requiring any configuration changes that could weaken the security perimeter).

Of course, the IDMEF format must support mutual authentication of communicating parties, non-repudiation of the fact of transmission, and the integrity and confidentiality of the message flow.

IDMEF messages should contain the date and time of suspicious events and, if possible, the date and time of the attack.

If the analyzer itself responded to the event, the IDMEF message should contain information about this. If the analyzer is able to assess the consequences of a detected attack, it is also obliged to report them.

The IDMEF format should support information about the manufacturer of the intrusion detection system that generated the message, as well as system-specific extensions.

It is expected that a list of standard attacks and methods of carrying them out will be approved. If the analyzer can identify the attack and the method used, it should include the relevant information in the IDMEF message. If the attack is non-standard, its name may be specific to the manufacturer of the active audit system.
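The IDMEF requirements listed above, as an added example that is not from the article or from the IDWG: a Python builder for an IDMEF alert using the element and attribute names of the published IDMEF XML schema (RFC 4765), carrying both timestamps, the analyzer's own response, the impact assessment, the manufacturer and a vendor-specific extension, followed by the round trip that a receiving response component would perform. The message id, analyzer id, addresses, rule id and timestamps are constructed values.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = "http://iana.org/idmef"
ET.register_namespace("idmef", NS)
def q(tag):  # element name qualified with the IDMEF namespace
    return f"{{{NS}}}{tag}"
def ntpstamp(dt):  # CreateTime's mandatory ntpstamp: seconds since 1900 in hex, fraction zeroed
    return f"0x{int(dt.timestamp()) + 2208988800:08x}.0x00000000"

def build_alert(message_id, analyzer, create_time, detect_time, src_ip, dst_ip,
                classification, severity, action=None, extra=None):
    """IDMEF-Message Element with one Alert. analyzer: Analyzer attributes; action: Assessment/
    Action category if the analyzer responded itself; extra: vendor AdditionalData {meaning: value}."""
    root = ET.Element(q("IDMEF-Message"), version="1.0")
    alert = ET.SubElement(root, q("Alert"), messageid=message_id)
    ET.SubElement(alert, q("Analyzer"), **analyzer)
    # CreateTime: when the message was built; DetectTime: when the event was observed.
    ET.SubElement(alert, q("CreateTime"), ntpstamp=ntpstamp(create_time)).text = create_time.isoformat()
    ET.SubElement(alert, q("DetectTime")).text = detect_time.isoformat()
    for tag, ip in (("Source", src_ip), ("Target", dst_ip)):
        node = ET.SubElement(ET.SubElement(alert, q(tag)), q("Node"))
        ET.SubElement(ET.SubElement(node, q("Address"), category="ipv4-addr"), q("address")).text = ip
    ET.SubElement(alert, q("Classification"), text=classification)
    assessment = ET.SubElement(alert, q("Assessment"))
    ET.SubElement(assessment, q("Impact"), severity=severity)
    if action:
        ET.SubElement(assessment, q("Action"), category=action)
    for meaning, value in (extra or {}).items():
        data = ET.SubElement(alert, q("AdditionalData"), type="string", meaning=meaning)
        ET.SubElement(data, q("string")).text = value
    return root

def roundtrip_summary(root):
    """Serialize and parse back, as a receiver would, extracting the fields it filters on."""
    alert = ET.fromstring(ET.tostring(root, encoding="unicode")).find(q("Alert"))
    return {
        "manufacturer": alert.find(q("Analyzer")).get("manufacturer"),
        "classification": alert.find(q("Classification")).get("text"),
        "severity": alert.find(f"{q('Assessment')}/{q('Impact')}").get("severity"),
        "responded": alert.find(f"{q('Assessment')}/{q('Action')}") is not None,
        "extensions": {d.get("meaning"): d.find(q("string")).text
                       for d in alert.findall(q("AdditionalData"))},
    }

# Constructed sample: an analyzer that observed a port scan and blocked the source itself.
CREATED = datetime(2024, 1, 2, 10, 0, 5, tzinfo=timezone.utc)   # message creation time
DETECTED = datetime(2024, 1, 2, 10, 0, 0, tzinfo=timezone.utc)  # time the scan was seen
SAMPLE = build_alert("msg-1", {"analyzerid": "ids-01", "manufacturer": "ExampleVendor"},
                     CREATED, DETECTED, "192.0.2.10", "198.51.100.5", "Port scan", "low",
                     action="block-installed", extra={"vendor-rule-id": "R-42"})
```

`ET.tostring(SAMPLE, encoding="unicode")` prints the message; the `idmef:` prefix and the `version="1.0"` root attribute are what a second product's parser keys on.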

The Common Intrusion Detection Framework (CIDF) is being developed by a group of DARPA-funded research organizations working in the area of suspicious activity detection.

The CIDF has developed a language for describing suspicious activity and a method for encoding information about suspicious events. The language is designed to describe at least three types of messages:

raw information about events (for example, log entries or network packets);
analysis results (such as detected anomalies or attacks);
recommended reactions (for example, terminate an activity or change the configuration of protective equipment).
In addition, the language can describe the following entities:

relationships between events (for example, cause and effect);
the roles of objects in events (for example, the object triggered an event);
properties of objects;
connections between objects.

In conclusion, I would like to emphasize once again that IDS is just one of the tools of a good network security architecture and of a multi-layered strategy for its protection. They have their advantages and disadvantages; the former can be developed and the latter smoothed out by using IDS in conjunction with other information security tools. IDS overlap in functionality with other tools, especially firewalls, which already perform some limited intrusion detection by raising an alarm when a rule is triggered. IDS are unique in that, unlike firewalls, which perform many different functions (packet filtering, user authentication, caching, etc.), they have only one function, but it is well implemented. Real-time intrusion detection,