An intrusion detection system (IDS) is a security tool that monitors network traffic, system activity, or both, and generates alerts when it observes patterns that match known attack signatures or deviate from a baseline of normal behaviour. An IDS observes; it does not block. A system that observes and blocks is an intrusion prevention system (IPS).
Network IDS versus host IDS
Network IDS (NIDS) is deployed at choke points (typically via a SPAN port or network tap) and inspects every packet that crosses the monitored segment. Examples include Suricata, Snort, and Zeek (formerly Bro). NIDS sees activity across many hosts but cannot inspect the contents of traffic that is encrypted before it reaches the sensor.
Host IDS (HIDS) runs on individual endpoints and watches file integrity, process behaviour, log entries, and registry changes. Examples include Wazuh, OSSEC, and modern endpoint detection and response (EDR) products. HIDS sees inside the host but only on systems where an agent is installed.
Signature, anomaly, and heuristic detection
Signature-based detection matches traffic or system events against a library of known indicators. It is fast and precise but blind to any attack for which no signature exists yet.
Anomaly-based detection learns a baseline of normal behaviour and flags deviations. It can detect novel attacks but produces more false positives and requires tuning to the local environment.
Heuristic and behavioural detection sits between the two, using rules and machine learning to flag suspicious combinations of events (a process spawning a shell, a service writing to an unusual location, an unexpected outbound connection pattern).
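The three detection styles above, run side by side over a single window of constructed sample events. This is an added illustration written for this article, not code from Suricata, Snort, Zeek, Wazuh or any other product named here; the event format, the signature patterns, the baseline values, the service and shell lists, and the z-score threshold are all assumptions invented for the example.

```python
"""Signature, anomaly and heuristic detection over constructed sample events.

Added illustration for this article; it is not code from any IDS product.
Event format, rules, baselines and thresholds are assumptions invented here.
"""
import re
import statistics
from collections import Counter

# Signature rules: a library of known indicators (constructed patterns).
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE),
    "path-traversal": re.compile(r"(\.\./){2,}"),
}

# Anomaly baseline: outbound connections per host in a normal one-minute
# window, learned over eight earlier windows (constructed values).
BASELINE = {
    "web01": [12, 14, 11, 13, 12, 15, 13, 12],
    "db01": [2, 3, 2, 2, 3, 2, 2, 3],
}

# Heuristic rule inputs: service parents that should never spawn a shell
# (assumed lists for this example).
SERVICE_PARENTS = {"nginx", "httpd", "postgres", "sshd"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}

# Constructed sample events for one window: (host, kind, detail).
EVENTS = (
    [("web01", "http", "GET /index.html"),
     ("web01", "http", "GET /login?user=admin' OR '1'='1"),
     ("web01", "proc", "nginx -> /bin/sh"),
     ("db01", "proc", "postgres -> /usr/bin/pg_dump")]
    + [("web01", "conn", "10.0.0.20:443")] * 13                  # normal for web01
    + [("db01", "conn", f"10.0.0.{i}:445") for i in range(40)]   # spike on db01
)


def signature_alerts(events):
    """Exact matching against known indicators: fast, precise, no novelty."""
    alerts = []
    for host, kind, detail in events:
        if kind != "http":
            continue
        for name, pattern in SIGNATURES.items():
            if pattern.search(detail):
                alerts.append((host, "signature", name))
    return alerts


def anomaly_alerts(events, baseline=BASELINE, z_threshold=3.0):
    """Flag hosts whose connection count sits more than z_threshold standard
    deviations from their learned baseline. A host with no baseline is flagged
    too, because the detector has nothing to compare it against."""
    counts = Counter(host for host, kind, _ in events if kind == "conn")
    alerts = []
    for host, n in counts.items():
        history = baseline.get(host)
        if not history:
            alerts.append((host, "anomaly", f"{n} connections, no baseline"))
            continue
        mean = statistics.mean(history)
        sd = statistics.pstdev(history) or 1.0   # flat baseline: avoid divide by zero
        z = (n - mean) / sd
        if abs(z) > z_threshold:
            alerts.append((host, "anomaly", f"{n} connections, z={z:.1f}"))
    return alerts


def heuristic_alerts(events):
    """Behavioural rule: a service process spawning an interactive shell."""
    alerts = []
    for host, kind, detail in events:
        if kind != "proc":
            continue
        parent, child = detail.split(" -> ", 1)
        if parent in SERVICE_PARENTS and child in SHELLS:
            alerts.append((host, "heuristic", f"{parent} spawned {child}"))
    return alerts


def run_all(events):
    """Run the three detectors and return their combined alert list."""
    return signature_alerts(events) + anomaly_alerts(events) + heuristic_alerts(events)


if __name__ == "__main__":
    for alert in run_all(EVENTS):
        print(alert)
```

Each detector fires on a different event: the signature rule on the one request that matches a known pattern, the anomaly rule on the host whose connection count is far outside its own baseline (web01's count is normal for web01 and is not flagged), and the heuristic rule on the service-spawns-shell combination that no single indicator or count would catch. The `pg_dump` child process is a reminder that the heuristic needs both halves of the combination to be suspicious.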
Operational considerations
An IDS is only useful when alerts are reviewed. Many organisations invest in sensors but lack staff or processes to triage the output, leaving alerts to accumulate untouched. Effective deployments route alerts into a SIEM, define severity thresholds, and integrate with an incident-response runbook. Regular tuning reduces noise and keeps the high-signal alerts visible.
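The routing, thresholding and tuning described above, as an added example in front of a SIEM. This is illustration code written for this article, not the alert pipeline of any product; the alert tuple format, the severity scale, the escalation window, and the suppression list are constructed assumptions.

```python
"""Alert triage: duplicate collapsing, repeat escalation, reviewed suppressions
and a severity threshold deciding what reaches the incident-response queue.

Added illustration for this article, not code from any SIEM or IDS product.
Alert format, severities, window sizes and suppressions are constructed.
"""
from collections import defaultdict

# Base severity per detector category (constructed scale: 1 low .. 5 critical).
BASE_SEVERITY = {"anomaly": 2, "signature": 3, "heuristic": 4}
FORWARD_THRESHOLD = 3        # severity at which an alert reaches the on-call queue

# Tuning decisions recorded after review: (host, category) pairs known to be
# noise in this environment (constructed: a build server whose connection
# counts swing wildly by design).
SUPPRESSIONS = {("build01", "anomaly")}

# Constructed raw alerts: (timestamp_seconds, host, category, name).
RAW_ALERTS = (
    [(0, "web01", "signature", "sqli-tautology"),
     (5, "web01", "heuristic", "nginx spawned /bin/sh"),
     (10, "app02", "anomaly", "connection spike"),
     (400, "app02", "anomaly", "connection spike")]
    + [(60 * i, "db01", "anomaly", "connection spike") for i in range(6)]
    + [(30 * i, "build01", "anomaly", "connection spike") for i in range(3)]
)


def triage(alerts, threshold=FORWARD_THRESHOLD, window=600, repeat_escalate=5):
    """Collapse identical alerts, apply suppressions and escalation, and split
    the result into (forwarded, logged, suppressed).

    forwarded:  reaches the incident-response queue, highest severity first
    logged:     kept for hunting and tuning, but nobody is paged
    suppressed: dropped by a documented tuning decision
    """
    groups = defaultdict(list)
    for ts, host, category, name in sorted(alerts):
        groups[(host, category, name)].append(ts)

    forwarded, logged, suppressed = [], [], []
    for (host, category, name), times in groups.items():
        record = {"host": host, "category": category, "name": name,
                  "count": len(times), "first_seen": times[0]}
        if (host, category) in SUPPRESSIONS:
            suppressed.append(record)
            continue
        severity = BASE_SEVERITY[category]
        # A low-severity alert that keeps repeating inside the window is a
        # stronger signal than any single occurrence: escalate one level.
        in_window = sum(1 for t in times if t - times[0] <= window)
        if in_window >= repeat_escalate:
            severity += 1
        record["severity"] = severity
        (forwarded if severity >= threshold else logged).append(record)

    forwarded.sort(key=lambda r: (-r["severity"], r["first_seen"]))
    return forwarded, logged, suppressed


if __name__ == "__main__":
    fwd, log, sup = triage(RAW_ALERTS)
    print("forwarded:", fwd)
    print("logged:", log)
    print("suppressed:", sup)
```

The suppression set is the tuning record: each entry is a reviewed decision that a particular source is noise, and keeping it as data rather than deleting the rule keeps the decision auditable. Six repeated anomalies on one host inside the window are collapsed into one alert and escalated across the threshold, while the two isolated anomalies on another host are logged but do not page anyone.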
Related terms
See also: intrusion prevention system (IPS), firewall, and port scanning.