The main purpose of intrusion detection is to protect the network from malware by monitoring the traffic and the network devices to prevent anomalous activities by adversaries.
The two main types of detectors are:
Network Intrusion Detection System (NIDS)
Host-based Intrusion Detection System (HIDS)
Before discussing the detectors, the network's structure needs to be understood. The network comprises the internet, end hosts in the local network, and a border router that monitors the traffic and sends data packets (chunks of data) between the two.
In Network Intrusion Detection System (NIDS), the detector is installed on the network, between the local network and the rest of the internet.
NIDS keeps a table of all active connections and maintains the state of each one. If the NIDS sees a packet that does not belong to any known connection, it creates a new entry in the table; this happens, for example, for a connection that was established before the NIDS started running.
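The connection table just described, as an added illustration (toy code, not taken from any real IDS): each flow gets one entry keyed by its endpoints and protocol, and a TCP packet that arrives for an unknown flow without a SYN is recorded as "mid-stream", the case of a connection that predates the detector. The packets and addresses are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

Key = Tuple[str, int, str, int, str]  # (addr_a, port_a, addr_b, port_b, proto)

@dataclass
class Connection:
    state: str            # "new", "mid-stream", "established" or "closed"
    packets: int = 0
    bytes: int = 0

class ConnectionTable:
    """Toy NIDS connection table: one entry per active flow, with its state."""

    def __init__(self) -> None:
        self.table: Dict[Key, Connection] = {}

    @staticmethod
    def key(pkt: dict) -> Key:
        # Order the two endpoints so both directions of a flow map to one entry.
        a, b = (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
        if a > b:
            a, b = b, a
        return (a[0], a[1], b[0], b[1], pkt["proto"])

    def process(self, pkt: dict) -> Connection:
        flags = pkt.get("flags", set())
        conn = self.table.get(self.key(pkt))
        if conn is None:
            # Packet for an unknown connection: create an entry. A TCP packet with
            # no SYN means the handshake predates the detector (or was missed), so
            # the flow is tagged "mid-stream" instead of being treated as a fresh one.
            fresh = pkt["proto"] != "tcp" or "SYN" in flags
            conn = Connection(state="new" if fresh else "mid-stream")
            self.table[self.key(pkt)] = conn
        elif conn.state in ("new", "mid-stream") and "ACK" in flags and "SYN" not in flags:
            conn.state = "established"  # final step of the TCP handshake observed
        if flags & {"FIN", "RST"}:
            conn.state = "closed"
        conn.packets += 1
        conn.bytes += pkt.get("len", 0)
        return conn

# Constructed sample traffic (documentation-range addresses, made-up ports).
SAMPLE_PACKETS: List[dict] = [
    {"src": "10.0.0.5", "sport": 51000, "dst": "203.0.113.10", "dport": 443, "proto": "tcp", "flags": {"SYN"}, "len": 60},
    {"src": "203.0.113.10", "sport": 443, "dst": "10.0.0.5", "dport": 51000, "proto": "tcp", "flags": {"SYN", "ACK"}, "len": 60},
    {"src": "10.0.0.5", "sport": 51000, "dst": "203.0.113.10", "dport": 443, "proto": "tcp", "flags": {"ACK"}, "len": 52},
    {"src": "10.0.0.7", "sport": 40000, "dst": "10.0.0.9", "dport": 22, "proto": "tcp", "flags": {"PSH", "ACK"}, "len": 120},  # no SYN seen
    {"src": "10.0.0.5", "sport": 53000, "dst": "198.51.100.53", "dport": 53, "proto": "udp", "len": 72},
    {"src": "203.0.113.10", "sport": 443, "dst": "10.0.0.5", "dport": 51000, "proto": "tcp", "flags": {"FIN", "ACK"}, "len": 52},
]

def run(packets: List[dict]) -> ConnectionTable:
    table = ConnectionTable()
    for pkt in packets:
        table.process(pkt)
    return table
```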
NIDS can also be used for more sophisticated network monitoring: it not only detects attacks but can analyze and characterize all of the network traffic passing through it.
The advantages and disadvantages of NIDS are outlined below:
| Advantages | Disadvantages |
| --- | --- |
| Implementation costs are low, as a single detector can cover many systems. | If there is a large influx of traffic, the NIDS might fail to detect an attack. |
| It is easy to scale: as the network grows, computing power can be added to the NIDS. | Many NIDS features are not compatible with modern switch-based networks. |
| A single detector is easy to install and manage. End systems are unaffected, as it consumes no resources on them. | NIDS cannot monitor encrypted traffic, in particular from attackers tunnelling through private networks. |
| A smaller trusted computing base is required, as only the detector needs to be trusted. | NIDS only detects the intrusion. It does not check whether the attack was successful. |
In a Host-based Intrusion Detection System (HIDS), the detector is installed on each end system and not on the border router.
One detection method a HIDS uses is to compare files on the host against a database of files that were previously identified as malicious.
The advantages and disadvantages of HIDS are outlined below:
| Advantages | Disadvantages |
| --- | --- |
| There are fewer problems with inconsistencies: since the HIDS runs on the end host, it interprets data packets exactly as the end host does. | Implementation costs are high, as one detector must be installed on every end host. |
| It can monitor encrypted messages. | The HIDS and its data reside on the attacked host, so the HIDS might malfunction when the end host is compromised. |
| It also protects against non-network threats, for example malicious users inside the network. | HIDS can be disabled by denial-of-service (DoS) attacks. |