An Intrusion Detection System (IDS) is a device or software application that monitors network traffic or host activity and scans it for signs of attack. On a network it is typically deployed alongside the firewall and inspects the traffic the firewall has allowed through, since a firewall rule that permits a connection says nothing about whether that connection is malicious.

Intrusion detection is normally passive: the IDS identifies that an intrusion is taking place and alerts the administrator, who then deals with the threat. Some deployments also react automatically, most commonly by blocking any further packets from the offending IP address; a system that sits inline and blocks traffic itself is usually called an Intrusion Prevention System (IPS). Automatic blocking needs care, because an attacker who can forge packets from a trusted address can use it to get that address blocked.

There are two main types of Intrusion Detection System: signature-based and behaviour-based (also called anomaly-based).

Signature-based IDS is the most widely deployed type today. It compares traffic against a database of patterns (signatures) of known attacks, so its effectiveness depends on updating that database regularly. It is weak against new attacks: it can only recognise attacks that have been seen before and had signatures written for them, and a known attack that is varied or obfuscated enough to miss its signature will also pass unnoticed.

The approach is good at minimising false positives: legitimate activity is rarely identified as suspicious, because an alert requires a match against a specific known-bad pattern.


Behaviour-based IDS products do not use predefined signatures. Instead they are first put into a learning mode to build a profile of an environment's "normal" activity (which hosts talk to which, typical request rates, the usual protocols and ports). The longer the learning period, the more accurate the baseline, with one important caveat: anything that happens during learning is treated as normal, so if the network is already compromised, or an attacker is probing it during that period, that activity is baked into the profile and will not be flagged later.

Once in detection mode, whenever current activity deviates from the learned pattern the system flags it and treats it as a possible attack.

The benefit of a behaviour-based IDS is that it can detect "zero-day" attacks, that is, attacks that are new to the world and for which no signature or fix has yet been developed, because it looks for deviations from normal rather than for known patterns.

The disadvantage is that legitimate but unusual activity (a newly deployed application, a backup job, a change in working patterns) will be incorrectly identified as suspicious. Each such false positive costs administrator time to investigate and tune out, and if there are too many of them the real alerts get lost among the noise, so the baseline has to be reviewed and retrained as the environment changes.
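To make the trade-offs concrete, here is an added example (not code from the original article or from any IDS product) that implements both approaches as a toy over constructed web-server access-log lines. The log lines, IP addresses, the two signatures, the "requests per client" and "unseen path" baseline features and the threshold of three standard deviations are all assumptions made up for the illustration. The signature scanner catches the SQL injection it has a pattern for and misses the novel scan; the behaviour detector catches the scan but also raises a false positive on a legitimate page deployed after learning; and retraining with the scanner present shows how a poisoned baseline hides the attacker.

```python
"""Toy signature-based and behaviour-based IDS run over constructed access-log
lines. Everything here (log lines, IP addresses, signatures, thresholds) is made
up for illustration and is not taken from any real product or incident."""
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed sample traffic in the form "client_ip method path status".
NORMAL_TRAFFIC = (
    ["10.0.0.1 GET /index.html 200"] * 5
    + ["10.0.0.2 GET /login 200", "10.0.0.2 POST /login 302",
       "10.0.0.2 GET /account 200"]
    + ["10.0.0.3 GET /index.html 200", "10.0.0.3 GET /about 200",
       "10.0.0.3 GET /images/logo.png 200"]
    + ["10.0.0.4 GET /index.html 200", "10.0.0.4 GET /contact 200"]
)
# A known attack that a signature exists for ...
KNOWN_ATTACK = ["203.0.113.5 GET /login?user=admin'%20UNION%20SELECT%201--%20 500"]
# ... a novel scan that no signature covers ...
NOVEL_SCAN = [f"198.51.100.9 GET /probe{i}.php 404" for i in range(20)]
# ... and a legitimate page deployed after the learning period.
NEW_FEATURE = ["10.0.0.2 GET /api/v2/reports 200"]


def parse(line):
    """Split one constructed log line into (ip, method, path, status)."""
    ip, method, path, status = line.split()
    return ip, method, path, int(status)


# ---- Signature-based: match requests against known-bad patterns ----
SIGNATURES = {
    # hypothetical signatures written for two well-known attack classes
    "sqli-union-select": re.compile(r"union(%20|\s|\+)+select", re.I),
    "path-traversal": re.compile(r"(\.\./|%2e%2e%2f)", re.I),
}


def signature_scan(lines):
    """Return one (ip, signature_name) pair per request that matches a signature."""
    alerts = []
    for ip, _method, path, _status in map(parse, lines):
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((ip, name))
    return alerts


# ---- Behaviour-based: learn a baseline, then flag deviations from it ----
class BehaviourIDS:
    def __init__(self, k=3.0):
        self.k = k                # std deviations above the mean rate that count as abnormal
        self.known_paths = set()  # every path requested during learning
        self.rate_mean = 0.0      # mean requests per client during learning
        self.rate_std = 0.0

    def learn(self, lines):
        """Learning mode: whatever is passed here is recorded as 'normal',
        including any attack traffic that happens to be present."""
        events = [parse(line) for line in lines]
        self.known_paths = {path for _ip, _method, path, _status in events}
        per_client = Counter(ip for ip, *_ in events)
        self.rate_mean = mean(per_client.values())
        self.rate_std = pstdev(per_client.values())

    def detect(self, lines):
        """Return {ip: [reasons]} for clients whose activity deviates from the baseline."""
        events = [parse(line) for line in lines]
        per_client = Counter(ip for ip, *_ in events)
        unseen = Counter(ip for ip, _m, path, _s in events if path not in self.known_paths)
        limit = self.rate_mean + self.k * max(self.rate_std, 1.0)  # floor avoids a zero-width band
        alerts = {}
        for ip, count in per_client.items():
            reasons = []
            if count > limit:
                reasons.append(f"{count} requests, baseline limit {limit:.1f}")
            if unseen[ip]:
                reasons.append(f"{unseen[ip]} request(s) to paths never seen in baseline")
            if reasons:
                alerts[ip] = reasons
        return alerts


if __name__ == "__main__":
    live = NORMAL_TRAFFIC + KNOWN_ATTACK + NOVEL_SCAN + NEW_FEATURE
    print("signature alerts:", signature_scan(live))   # catches the SQLi, misses the scan

    ids = BehaviourIDS()
    ids.learn(NORMAL_TRAFFIC)
    for ip, reasons in ids.detect(live).items():       # catches the scan, but also /api/v2/reports
        print("behaviour alert:", ip, reasons)

    poisoned = BehaviourIDS()
    poisoned.learn(NORMAL_TRAFFIC + NOVEL_SCAN)         # scanner active during learning
    print("scanner flagged after poisoned baseline?",
          "198.51.100.9" in poisoned.detect(NORMAL_TRAFFIC + NOVEL_SCAN))
```

Running the script shows the three behaviours the article describes: the signature scanner reports only the SQL injection from 203.0.113.5, the behaviour detector reports the scanner (both for its request rate and for its unseen paths) and the injection attempt (as an unseen path) but also flags 10.0.0.2 for the new /api/v2/reports page, and the instance trained while the scanner was active reports nothing, because the scan has become part of "normal".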