IDS (Intrusion Detection System) and Its Detailed Working Function – SOC/SIEM



An intrusion detection system (IDS) is a type of security software designed to automatically alert administrators when someone or something is trying to compromise an information system, whether through malicious activities such as DDoS attacks or through security policy violations.

An intrusion detection system (IDS) is a system that monitors network traffic for suspicious activity and issues alerts when such activity is discovered. While anomaly detection and reporting are the primary function, some intrusion detection systems are capable of taking action when malicious activity or anomalous traffic is detected, including blocking traffic sent from suspicious IP addresses.

An IDS works by monitoring system activity: examining vulnerabilities in the system, checking the integrity of files, and analysing observed patterns against already known attacks.






Detection Methods


An IDS can only detect an attack. It cannot prevent attacks. In contrast, an IPS prevents attacks by detecting them and stopping them before they reach the target.

An attack is an attempt to compromise confidentiality, integrity, or availability.

The two primary methods of detection are signature-based and anomaly-based. Any type of IDS (HIDS or NIDS) can detect attacks based on signatures, anomalies, or both.

The HIDS monitors the network traffic reaching its NIC, and the NIDS monitors the traffic on the network.



Detect an Attack




Host-based intrusion detection system (HIDS)


A host-based intrusion detection system (HIDS) is additional software installed on a system such as a workstation or a server.

It provides protection to the individual host: it can detect potential attacks and protect critical operating system files.

The role of a host IDS is passive, only gathering, identifying, logging, and alerting. Examples of HIDS:


  • OSSEC – Open Source Host-based Intrusion Detection System
  • Tripwire
  • AIDE – Advanced Intrusion Detection Environment
  • Prelude Hybrid IDS

The primary goal of any IDS is to monitor traffic. For a HIDS, this traffic passes through the network interface card (NIC). Many host-based IDSs have expanded to monitor application activity on the system.

It’s worth stressing that a HIDS can help detect malicious software (malware) that traditional anti-virus software might miss.

Because of this, many organizations install a HIDS on every workstation as an extra layer of protection, in addition to traditional anti-virus software. Just as the HIDS on a server is used primarily to monitor network traffic, a workstation HIDS is primarily used to monitor network traffic reaching the workstation. However, a HIDS can also monitor some applications and can protect local resources such as operating system files. In other organizations, administrators only install a HIDS when there’s a perceived need.






Network-based intrusion detection system (NIDS)


A network-based intrusion detection system (NIDS) monitors activity on the network. An administrator installs NIDS sensors on network devices such as routers and firewalls.

These sensors gather information and report to a central monitoring server hosting a NIDS console. A NIDS is not able to detect anomalies on individual systems or workstations unless the anomaly causes a significant difference in network traffic.

Additionally, a NIDS is unable to decrypt encrypted traffic. In other words, it can only monitor and assess threats on the network from traffic sent in plaintext or nonencrypted traffic.






Signature-Based Detection


Signature-based IDSs (also called definition-based) use a database of known vulnerabilities or known attack patterns. For example, tools are available for an attacker to launch a SYN flood attack on a server by simply entering the IP address of the system to attack.

The attack tool then floods the target system with synchronize (SYN) packets, but never completes the three-way Transmission Control Protocol (TCP) handshake with the final acknowledge (ACK) packet. If the attack isn’t blocked, it can consume resources on a system and ultimately cause it to crash.

However, this is a known attack with a specific pattern: a run of successive SYN packets from one IP to another IP, none of them followed by the completing ACK.

The IDS can detect these patterns when the signature database includes the attack definitions. The process is very similar to what antivirus software uses to detect malware. You need to update both IDS signatures and antivirus definitions from the vendor on a regular basis to protect against current threats.



Signature-based IDS



Anomaly-Based Detection


Anomaly-based (also called heuristic-based or behavior-based) detection first identifies normal operation or normal behavior. It does this by creating a performance baseline under normal operating conditions.

The IDS provides continuous monitoring by constantly comparing current network behavior against the baseline. When the IDS detects abnormal activity (outside the normal boundaries identified by the baseline), it raises an alert indicating a potential attack.

Anomaly-based detection is similar to how heuristic-based antivirus software works. Although the internal methods are different, both examine activity and make decisions that are outside the scope of a signature or definition database.
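To make the two detection methods above concrete, here is an added example (not code from the original article) with a toy signature-based detector for the SYN flood pattern described in the signature section and a toy baseline-comparison detector for the anomaly section. The packet records, IP addresses and per-minute counts are all constructed sample data, and the thresholds are assumptions chosen for the illustration.

```python
"""Added example: toy signature-based and anomaly-based detectors over constructed data."""
from collections import Counter
from statistics import mean, pstdev

# Constructed packet records: (seconds, src_ip, dst_ip, tcp_flags). "S" = SYN,
# "SA" = SYN/ACK, "A" = the final ACK of the three-way handshake. Not real traffic.
SAMPLE_PACKETS = [
    (0, "10.0.0.5", "10.0.0.80", "S"), (0, "10.0.0.80", "10.0.0.5", "SA"), (0, "10.0.0.5", "10.0.0.80", "A"),
    (1, "10.0.0.6", "10.0.0.80", "S"), (1, "10.0.0.80", "10.0.0.6", "SA"), (1, "10.0.0.6", "10.0.0.80", "A"),
    # one source sends a burst of SYNs and never completes any handshake
] + [(2, "10.0.0.99", "10.0.0.80", "S") for _ in range(8)] + [
    (2, "10.0.0.80", "10.0.0.99", "SA") for _ in range(8)]

def detect_syn_flood(packets, half_open_threshold=5):
    """Signature-based check: the SYN flood pattern from the text, i.e. many SYNs
    from one IP to another with no final ACK, leaving the handshakes half-open."""
    syns, acks = Counter(), Counter()
    for _ts, src, dst, flags in packets:
        if flags == "S":
            syns[(src, dst)] += 1
        elif flags == "A":
            acks[(src, dst)] += 1
    alerts = []
    for (src, dst), n_syn in syns.items():
        half_open = n_syn - acks[(src, dst)]
        if half_open >= half_open_threshold:  # assumed threshold, tune per environment
            alerts.append((src, dst, half_open))
    return alerts

# Constructed per-minute packet counts observed under normal operating conditions
# (the baseline) and during the interval being monitored now.
NORMAL_PER_MINUTE = [40, 45, 38, 42, 50, 44, 41, 47]
CURRENT_PER_MINUTE = [("12:00", 44), ("12:01", 39), ("12:02", 120), ("12:03", 48)]

def build_baseline(normal_counts):
    """Anomaly-based step 1: summarise normal behaviour as mean and std deviation."""
    return mean(normal_counts), pstdev(normal_counts)

def detect_anomalies(baseline, current, k=3.0):
    """Anomaly-based step 2: flag any interval more than k standard deviations
    above the baseline mean. No attack signature is consulted."""
    mu, sigma = baseline
    limit = mu + k * sigma
    return [(label, n) for label, n in current if n > limit]

if __name__ == "__main__":
    print("signature alerts:", detect_syn_flood(SAMPLE_PACKETS))
    print("anomaly alerts:", detect_anomalies(build_baseline(NORMAL_PER_MINUTE), CURRENT_PER_MINUTE))
```

Note that the anomaly detector flags the 12:02 spike without knowing what caused it, while the signature detector names the offending source and destination but only because the half-open-handshake pattern was defined in advance.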







Physical (Physical IDS)

Physical intrusion detection is the act of identifying threats to physical systems. It is most often seen as physical controls put in place to ensure confidentiality, integrity, and availability (CIA). In many cases physical intrusion detection systems act as prevention systems as well. Examples of physical intrusion detection controls are:


  • Security Guards
  • Security Cameras
  • Access Control Systems (Card, Biometric)
  • Firewalls
  • Man Traps
  • Motion Sensors


Physical intrusion





