An Intrusion Detection System (IDS) is used to monitor traffic to a computer or network looking for signs of a security breach.

Quidfoabro is correct in the assessment of Host versus Network-based IDSs, but is incorrect in saying that these are "types" of IDSs. (They're more like infrastructure placement.) There are, in fact, two types of IDSs: signature-based, and anomaly-based.

A signature-based IDS works almost exactly like a virus scanner. Any traffic that hits the IDS is compared against a definitions file held by the IDS. If a certain pattern is detected by the SIG IDS, it will sound alarms and block access from the attacking address. Like a virus scanner, the definitions file must be kept up-to-date to ensure it covers the latest attacks.

SIG IDSs are weak in this regard. Exploits are developed and deployed rapidly, and often the definitions file is either not updated immediately by the vendor or not kept up-to-date by the user. This causes problems, as newer attacks are overlooked by the IDS and presumed to be benign traffic.

That's where anomaly-based systems come in. Anomaly-based IDSs monitor all traffic to a given network or host, and dump it to disk. These logs are then analyzed, and are run through a series of user-defined filters to eliminate the log entries of traffic that is expected to traverse the network. By removing the common traffic, the log files are left with anomalous traffic. This traffic is then processed by a human analyst.

An anomaly-based IDS is much stronger than a signature-based IDS in that it doesn't search for attacks; it only cares about filtering out the expected traffic. Its weakness lies in attacks destined for services and/or hosts that have been filtered. (If there's a webserver on the network, traffic is expected to hit port 80 and is thus filtered. However, if a new webserver attack is introduced, the human analyst will never see that traffic.)
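To make the two approaches concrete, here is an added example that is not part of the write-up above: a toy signature matcher and a toy expected-traffic filter run over a constructed connection log. The signature list, the expected-traffic set and every address and payload are invented placeholders; the point is that the entry from 10.0.0.9 (a hypothetical new webserver attack with no signature yet) is missed by both, exactly as the last paragraph describes.

```python
import re
from typing import NamedTuple

class Conn(NamedTuple):
    src: str      # source address
    dst: str      # destination address
    dport: int    # destination port
    payload: str  # application data as seen on the wire

# Constructed sample traffic log; none of it comes from the original write-up.
LOG = [
    Conn("10.0.0.5", "10.0.0.80", 80, "GET /index.html HTTP/1.1"),          # normal web hit
    Conn("10.0.0.7", "10.0.0.80", 80, "GET /../../etc/passwd HTTP/1.1"),   # matches a known signature
    Conn("10.0.0.9", "10.0.0.80", 80, "GET /cgi-bin/newtool?arg=xyz HTTP/1.1"),  # placeholder for a new attack, no signature yet
    Conn("10.0.0.11", "10.0.0.80", 2323, "hello"),                         # unexpected port
]

# Signature-based IDS: a hypothetical "definitions file" of known-bad patterns.
SIGNATURES = {"dir-traversal": re.compile(r"\.\./\.\./")}

# Anomaly-based IDS: user-defined filters listing the traffic expected on the network.
EXPECTED = {("10.0.0.80", 80)}  # the webserver is expected to receive port 80 traffic

def signature_ids(log, sigs=SIGNATURES):
    """Compare each entry against the definitions, like a virus scanner.

    Returns (alerts, blocked): alerts are (source, signature name) pairs,
    blocked is the set of attacking addresses the IDS would cut off.
    """
    alerts, blocked = [], set()
    for c in log:
        for name, pat in sigs.items():
            if pat.search(c.payload):
                alerts.append((c.src, name))
                blocked.add(c.src)
    return alerts, blocked

def anomaly_ids(log, expected=EXPECTED):
    """Drop every entry matching an expected (host, port) filter.

    What remains is the anomalous residue handed to a human analyst.
    """
    return [c for c in log if (c.dst, c.dport) not in expected]
```

Running both over `LOG`, the signature IDS alerts only on 10.0.0.7, the anomaly residue contains only the port 2323 connection from 10.0.0.11, and the port 80 entry from 10.0.0.9 never reaches the analyst.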
