What are the Detection Methods of IDS?

Did you know there are actually several different IDS detection types used by different intrusion detection systems? Most IDS tools are classified in one of two ways and use one of three different detection methods. This blog covers those different classifications and methods while also highlighting how to evaluate an IDS for effectiveness and which threats your IDS will miss.

What are the detection methods of IDS?

There are three different IDS detection methods: Anomaly-based, Signature-based, and Hybrid. These methods define how the IDS analyzes data to identify potential intrusions.

Anomaly-Based IDS: Anomaly-based IDS focuses on identifying deviations from normal behavior within a network or system. It works by establishing a baseline for normal activity by statistically analyzing network traffic or system activity over time. This baseline becomes a reference for identifying anomalies. The IDS then continuously monitors network traffic or system activity and compares the real-time data to the established baselines. Significant deviations from these baselines are flagged as potential intrusions.
Signature-Based IDS: Signature-based IDS relies on a predefined database of attack signatures to identify malicious activity. These signatures represent known patterns or fingerprints of network attacks or suspicious system behavior. The IDS continuously monitors network traffic or system activity and compares this data against the database of attack signatures. Any matches trigger an alert, indicating a potential intrusion attempt.
Hybrid IDS: A hybrid IDS combines both anomaly-based and signature-based detection methods to address the limitations of each approach. A hybrid system leverages signature-based detection for known threats and anomaly-based detection for novel attacks. This enhances the overall effectiveness of intrusion detection.

Each of these three detection methods (Anomaly-based, Signature-based, Hybrid) offers different strengths and weaknesses. Choosing the most suitable approach depends on factors like the specific security requirements of the network, the resource availability for managing the IDS, and the acceptable level of false positives.

What are the different ways to classify an IDS?

Most IDS tools, regardless of the type of IDS detections, are classified in one of two ways, either as a network-based IDS or a host-based IDS. Each of these has its own benefits and challenges.

1. Network Intrusion Detection System (NIDS): NIDS act as network monitoring devices deployed at strategic points within a computer network. Their primary function is to continuously capture and analyze network traffic data traversing a specific network segment. NIDS can be implemented in two primary ways:

Dedicated hardware appliances: These are specialized devices solely designed to perform NIDS functions.
Software applications on network servers: Existing network servers can be leveraged to host NIDS software, enabling them to perform network traffic analysis alongside other server functionalities.

NIDS typically utilizes network adapter promiscuous mode. This mode allows the NIDS to capture all network traffic on the attached network segment, regardless of its intended recipient. NIDS employs two main techniques for analyzing captured network traffic data: signature-based detection and anomaly-based detection.

2. Host-Based Intrusion Detection System (HIDS): In contrast to NIDS which focuses on network traffic analysis, HIDS provides security for individual devices (hosts) within the network. HIDS function as software agents deployed directly on the operating system of the host device itself. Their primary function is to monitor and analyze activity occurring on the host device. HIDS are deployed as software agents on individual servers, desktops, or laptops within the network. A single HIDS agent is typically installed on each host device for dedicated monitoring.

HIDS collect data from various sources on the host device, including:

System logs: These logs record events and activities within the operating system of the host device.
File access attempts: HIDS monitor attempts to access files on the host device, including successful and failed attempts.
Running processes: HIDS maintain a record of processes currently running on the host device.

HIDS primarily utilizes anomaly-based detection techniques. By analyzing the collected data, HIDS establishes baselines for typical host activity. Significant deviations from these baselines, such as unusual file access attempts or unexpected processes running, can indicate potential intrusions or suspicious behavior.

What are the three main methods used when evaluating IDS for effectiveness?

The three main methods used when evaluating intrusion detection systems for effectiveness are the detection/false positive rate, false negative/time to detect rate, and scenario-based testing. Let’s take a look at each:

1. Detection Rate and False Positive Rate:

This method focuses on the intrusion detection system’s ability to accurately identify true threats. It involves analyzing two key metrics:

Detection Rate (DR): This measures the percentage of actual attacks successfully detected by the IDS. A high DR indicates good sensitivity in catching threats.
False Positive Rate (FPR): This measures the percentage of normal activities mistakenly flagged as suspicious by the IDS. A low FPR is crucial to avoid overwhelming security personnel with unnecessary alerts.

Evaluating these metrics together helps assess the trade-off between catching threats and generating false alarms. A good IDS should have a high DR and a low FPR.

2. False Negative Rate and Time to Detection:

This method focuses on the speed and accuracy of the IDS in identifying threats. It involves analyzing two additional metrics:

False Negative Rate (FNR): This measures the percentage of actual attacks that the IDS misses entirely. A low FNR is essential to avoid leaving your system vulnerable.
Time to Detect (TTD): This measures the time taken by the IDS to detect and raise an alert for an attack. A low TTD allows for faster response and minimizes potential damage.

Evaluating these metrics helps assess the IDS's responsiveness and ability to minimize the window of opportunity for attackers.

3. Scenario-Based Testing:

This method involves simulating real-world attack scenarios against the IDS. This can be done using pre-recorded attack data or specialized testing tools. Scenario-based testing helps assess the IDS's effectiveness against various attack types and its ability to adapt to evolving threats.

By combining these three methods, security professionals can gain a comprehensive understanding of an IDS's strengths and weaknesses, allowing them to choose the most suitable solution for their specific needs.

What will an IDS not detect?

While IDS is incredibly effective at detecting many types of threats, some more nuanced and subtle attack types are routinely missed by even the best network intrusion detection system:

Homoglyph Attacks (Look-alike domains): These attacks use characters that appear similar to legitimate website addresses but are actually different. An IDS relies on matching traffic patterns to known threats, and these cleverly disguised domains might bypass signature-based detection.
Malware C2 Beaconing (Command and Control Communication): Malware that communicates with a remote command center (C2) might use encryption or obfuscation techniques. An IDS focused on analyzing traffic content might miss such encrypted communication, allowing the malware to operate undetected.
Anomalous Network Activity (Zero-Day Exploits): Anomalous network activity can be a sign of an attack, but it can also be caused by legitimate network maintenance or new applications. An IDS might struggle to distinguish between the two, especially for novel attacks (zero-day exploits) that haven't been defined as threats yet.
Suspicious User Behavior (Insider Threats): An IDS is primarily focused on analyzing network traffic. It might not be able to detect suspicious behavior within a network, such as authorized users accessing unauthorized data or exceeding their privileges. This is where monitoring user activity and implementing strong access controls become crucial.

Explore a modern alternative

You need a network security platform that doesn’t generate an endless stream of useless alerts across part of your network, and instead automatically identifies alerts of interest and notifies you of only serious and imminent threats. Your organization deserves response-ready detection with visibility into your entire network regardless of the environment with easy access to all the contextual evidence you need to stop an attack before it can cause damage. Replace your legacy IDS with a modern network detection and response platform that gives you these features and more.

The Stamus Security Platform™ is a network-based threat detection and response solution that eliminates the challenges of legacy IDS while lowering your response time. Stamus Security Platform harnesses the full potential of your network, bringing state-of-the-art threat detection, automated event triage, and unparalleled visibility to the security team.

Book a demo to see if the Stamus Security Platform is right for your organization.

To learn more about replacing your legacy IDS, check out the following resources:

To be notified of new blog posts and other news, make sure to subscribe to the Stamus Networks blog, follow us on Twitter, LinkedIn, and Facebook, or join our Discord.