Intrusion Detection System
An Intrusion Detection System (IDS) is a component of an organization’s information security system. It detects malicious, incorrect, or abnormal activity originating from within or outside the device or the network infrastructure.
The IDS operates based on the assumption that the behavior of an intruder is different enough from that of a legitimate user to be detected by analyzing usage statistics.
An IDS model attempts to create user behavior patterns with respect to the use of software, files, and devices, in the short, medium, and long term, to make the detection effective. It also uses a system of predefined patterns (“signatures”) of known attacks.
Operation
The operation of an Intrusion Detection System is based on the detailed analysis of network traffic or the use of devices. It compares the traffic against signatures of known attacks or suspicious behavior patterns.
Most IDSs tend to have a database of “signatures” of known attacks which allow them to distinguish between normal use and malicious use of a device, as well as between normal network traffic and attack traffic.
In a communications network, an IDS not only analyzes what type of traffic is used, but also monitors its content and behavior. Moreover, it checks for port scanning or transmission of malformed data packets, among other things.
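The signature matching, malformed-packet checks and port-scan detection just described, as an added example that is not part of the original article: a small signature-based detector run over constructed packet records. The `Packet` class, the two signatures, the SYN+FIN check and the port-scan threshold (ten distinct ports on one host within ten seconds) are all assumptions chosen for illustration, not settings from any real IDS product.

```python
"""Signature-based detection over constructed packet records.

Added example, not part of the original article. Packet records, signature
rules and thresholds are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
import re


@dataclass
class Packet:
    ts: float           # capture time in seconds
    src: str
    dst: str
    dport: int
    proto: str          # "tcp" or "udp"
    flags: str = ""     # TCP flag letters, e.g. "S", "SA", "PA"
    payload: bytes = b""


# Constructed signature database: name -> (protocol, compiled payload pattern).
SIGNATURES = {
    "http-path-traversal": ("tcp", re.compile(rb"\.\./\.\./")),
    "sql-union-probe": ("tcp", re.compile(rb"(?i)union\s+select")),
}


def match_signatures(pkt: Packet) -> list:
    """Return the names of every signature whose pattern occurs in the payload."""
    return [name for name, (proto, pattern) in SIGNATURES.items()
            if pkt.proto == proto and pattern.search(pkt.payload)]


def is_malformed(pkt: Packet) -> bool:
    """Structural checks: impossible port numbers or contradictory TCP flags."""
    if not 1 <= pkt.dport <= 65535:
        return True
    if pkt.proto == "tcp" and "S" in pkt.flags and "F" in pkt.flags:
        return True  # SYN and FIN together never occur in legitimate TCP
    return False


def detect_port_scans(packets, window=10.0, min_ports=10) -> dict:
    """Flag a (src, dst) pair when the source touches at least `min_ports`
    distinct destination ports on that host within `window` seconds."""
    by_pair = defaultdict(list)
    for p in packets:
        by_pair[(p.src, p.dst)].append((p.ts, p.dport))
    scans = {}
    for pair, events in by_pair.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ports = {port for ts, port in events[i:] if ts - start <= window}
            if len(ports) >= min_ports:
                scans[pair] = ports
                break
    return scans


def analyze(packets) -> list:
    """Run every detector and return alerts as (kind, detail) tuples."""
    alerts = []
    for p in packets:
        for name in match_signatures(p):
            alerts.append(("signature", f"{name} from {p.src} to {p.dst}:{p.dport}"))
        if is_malformed(p):
            alerts.append(("malformed", f"{p.proto} flags={p.flags!r} from {p.src}"))
    for (src, dst), ports in detect_port_scans(packets).items():
        alerts.append(("portscan", f"{src} probed {len(ports)} ports on {dst}"))
    return alerts


# Constructed traffic sample: one scan, one signature hit, one malformed packet,
# and an ordinary web request that must not raise an alert.
SAMPLE = (
    [Packet(ts=i * 0.1, src="10.0.0.5", dst="10.0.0.10", dport=20 + i,
            proto="tcp", flags="S") for i in range(12)]
    + [Packet(ts=5.0, src="10.0.0.7", dst="10.0.0.10", dport=80, proto="tcp",
              flags="PA", payload=b"GET /static/logo.png HTTP/1.1\r\n"),
       Packet(ts=6.0, src="10.0.0.8", dst="10.0.0.10", dport=80, proto="tcp",
              flags="PA", payload=b"GET /../../private HTTP/1.1\r\n"),
       Packet(ts=7.0, src="10.0.0.9", dst="10.0.0.10", dport=22, proto="tcp",
              flags="SF")]
)

if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE):
        print(f"[{kind}] {detail}")
```

Running the module prints three alerts, one per detector, and nothing for the ordinary request. The signature database is the part that needs continuous updating, as the article notes later: a payload that matches no entry in `SIGNATURES` passes silently no matter how hostile it is.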
Generally, an IDS is included with a firewall, preferably in a device that functions as a network gateway. This solution is very effective, since it combines the intelligence of the IDS with the blocking power of the firewall at the point where packets have to pass and can be blocked before entering the network.
Anomaly Detection
Anomaly-based IDS operation rests on the premise that an intrusion constitutes a set of anomalies (abnormal or suspicious activities). When an intruder gains unauthorized access, they do not behave like the legitimate user whose account or system they have compromised; their behavior differs from that of a normal user.
Most intrusions are a sum of individual activities, none of which constitutes intrusive behavior on its own. Observed activity can therefore be classified into four cases:
- Intrusive but not anomalous, known as false negatives (the system erroneously identifies behavior as non-intrusive). In this case, intrusive activity is not detected since it is not anomalous. False negatives are undesirable because they give a false sense of security.
- Non-intrusive but anomalous, known as false positives (the system erroneously identifies behavior as intrusive). In this case, the system believes normal activity to be intrusive since it is anomalous. They should be avoided because otherwise system warnings will be ignored, even those that correspond to real attacks.
- Neither intrusive nor anomalous, known as true negatives. Non-intrusive activity is correctly identified as such.
- Intrusive and anomalous, known as true positives. Intrusive activity is detected.
Anomaly-based intrusion detection requires an extensive analysis of various statistics to determine how far the user deviates from what is considered normal behavior.
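The statistical baseline and the four outcome classes described above, as an added example that is not part of the original article. It profiles one usage statistic (a constructed series of failed logins per hour for a single account) as a mean and standard deviation, flags observations that deviate from the baseline by more than a chosen number of standard deviations, and counts true/false positives and negatives against constructed ground-truth labels. The statistic, the sample values, the labels and the threshold are all assumptions made for illustration.

```python
"""Anomaly-based detection with a statistical baseline and outcome counting.

Added example, not part of the original article. The training window, the
observations and their intrusive/benign labels are constructed.
"""
from statistics import mean, pstdev


def build_baseline(training_values):
    """Profile normal behavior from a training window as (mean, std dev)."""
    return mean(training_values), pstdev(training_values)


def is_anomalous(value, baseline, threshold=3.0):
    """Flag a value lying more than `threshold` standard deviations from the mean."""
    mu, sigma = baseline
    if sigma == 0:
        return value != mu  # a constant profile: any change is a deviation
    return abs(value - mu) / sigma > threshold


def classify_outcomes(observations, baseline, threshold=3.0):
    """Each observation is (value, actually_intrusive). Returns counts of the
    four outcome classes: intrusive/non-intrusive crossed with flagged/not."""
    counts = {"true_positive": 0, "false_positive": 0,
              "true_negative": 0, "false_negative": 0}
    for value, intrusive in observations:
        flagged = is_anomalous(value, baseline, threshold)
        if flagged and intrusive:
            counts["true_positive"] += 1      # intrusive and anomalous
        elif flagged and not intrusive:
            counts["false_positive"] += 1     # non-intrusive but anomalous
        elif not flagged and intrusive:
            counts["false_negative"] += 1     # intrusive but not anomalous
        else:
            counts["true_negative"] += 1      # neither intrusive nor anomalous
    return counts


# Constructed training window: failed logins per hour for one account during
# a period known to be free of intrusions.
TRAINING = [2, 3, 1, 2, 4, 3, 2, 3, 2, 3]

# Constructed observations with ground-truth labels (value, actually_intrusive).
OBSERVATIONS = [
    (3, False),    # ordinary hour
    (2, False),    # ordinary hour
    (40, True),    # password-guessing burst against the account
    (4, True),     # intruder keeping attempts inside the normal band
    (12, False),   # legitimate user who forgot a changed password
    (1, False),    # ordinary hour
]

if __name__ == "__main__":
    baseline = build_baseline(TRAINING)
    print(f"baseline mean={baseline[0]:.2f} stdev={baseline[1]:.2f}")
    for t in (3.0, 1.0):
        print(f"threshold={t}:", classify_outcomes(OBSERVATIONS, baseline, t))
```

With the training window above the baseline is a mean of 2.5 and a standard deviation of about 0.81. At a threshold of three standard deviations the detector catches the burst of 40 but misses the low-rate intruder at 4 (a false negative) and flags the forgetful user at 12 (a false positive). Lowering the threshold to one standard deviation catches the intruder at 4 but also flags the quiet hour with a single failure, turning a true negative into a second false positive. That trade-off between the two error classes is exactly why the text says the deviation statistics need careful analysis.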
IDS Features
Any intrusion detection system, regardless of its type and operation mechanism, should have the following features:
- It must be able to run continuously without human supervision. The system must be reliable enough to run in the background of the device or network being monitored.
- It must be fault tolerant, meaning that it must be able to survive a system crash.
- It must resist subversion, meaning that it must be able to monitor itself to ensure that it has not been subverted.
- It must impose minimum extra load on the system. A system that consumes too many processing resources would be useless.
- It must observe deviations from normal behavior.
- It must be easily adaptable to the installed operating system. Different systems have different operation patterns and the defense mechanism should be able to adapt to them easily.
- It must cope with changes in the system behavior as new applications are added to it.
- It must help identify where attacks are coming from and gather evidence that can be used to identify intruders.
- It must be difficult to fool and give security specialists some peace of mind.
IDS Types
Intrusion detection systems can be classified by the type of events they monitor and methods of their implementation.
- Network-based IDS: A network intrusion detection system monitors network traffic for particular segments or devices and analyzes the network and protocols to identify suspicious activity. This system can also detect numerous types of events of interest and is generally implemented in a security topology at the boundary between two networks through which the traffic is routed. The IDS is often integrated directly into the firewall.
- Host- or subscriber-based IDS: A host-based intrusion detection system monitors a particular computer system or its parts. In this context, a user’s personal device or an application server is considered a host. Intrusion detection in this format monitors the device characteristics and events that occur on it for suspicious activity. Usually, host-based IDSs can be installed individually, both for office computers within a corporate network and for personal terminals. The main data sources they monitor include the network traffic on the device, running processes, system logs, and access to and changes in files and applications.
- Knowledge-based IDS: This system references a database of already known system vulnerability profiles to identify active intrusion attempts. In this case, it is extremely important that the organization has a policy that continuously updates the database (signatures) to maintain the security of the environment, since an attack for which no signature exists will not be detected.
- Behavior-based IDS: This system analyzes traffic behavior using a baseline profile or pattern of normal system activity to identify intrusion attempts. When there are deviations from this pattern or baseline, certain actions can be taken, such as blocking the traffic temporarily or issuing network alarms, allowing the abnormality to be further investigated, accepted, or blocked permanently.
- Active IDS: An IDS is defined as active from the moment it is set to automatically block known attacks or suspicious activities without any human intervention. Even though it is potentially a very interesting model, it is important to adjust parameters to the protected environments to minimize false positives, since blocking legitimate connections could disrupt business.
- Passive IDS: This system monitors the traffic passing through it, identifies potential attacks or abnormalities, and generates alerts for administrators and security teams. However, it does not interfere with the communication at all. Although it does not prevent intrusions directly, it serves as an excellent tool to identify attacks and unauthorized access to the company’s infrastructure.
IDS Importance
New threats and methods of compromising computer systems arise every day, and it is a great challenge for information security even to keep up with them, let alone remain at the forefront to act proactively.
Implementing a good IDS policy is essential in a security architecture because this resource, if constantly updated, can protect the infrastructure from opportunistic attacks, both from the network and from the exposure of the device itself.
When implementing an intrusion detection system, you should take into account that you can opt for a hardware solution, a software solution, or even a combination of the two.
A hardware element provides the high data processing throughput needed for networks with heavy traffic. Signatures and databases of possible attacks, on the other hand, require a large amount of storage.
Moreover, the development of security strategies for devices and networks has led to the emergence of a new type of protection to be considered: the IPS (Intrusion Prevention System), which can be viewed as the next step in the evolution of the traditional IDS.
