10.8 Types of IDSs

IDSs are either host-based (or multihost-based) or network-based. Network-based systems are a specialized type of network sniffer. A sniffer monitors and reports on the movement of data packets in a network. A network IDS sits between a host and a gateway or its clients, watching the traffic that passes and looking for evidence of unauthorized activity. A common practice is to have a centralized IDS provide the logging and alert functions, working from data supplied by multiple remote sensors, each located in a different segment of the local area network. Sensors are placed on multiple ports, all reporting to the centralized network IDS. Host-based IDSs tend to be more expensive because more devices are monitored; for the same reason they tend to be more accurate, produce fewer false positives, and catch a higher number of intrusions.

IDSs can also be categorized by the type of intrusion they alert on. Some detect specific events (misuse), while others report changes in patterns (anomaly); these are the two main intrusion detection types. Event or misuse IDSs monitor for specific sequences of events, or sequences that are characteristic of attempts to gain unauthorized access to a system. An example is issuing an alert when a specific number of failed login attempts takes place. This type of IDS detects intrusions by looking for activity that corresponds to known intrusion techniques (signatures) or known system vulnerabilities.
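The failed-login rule above is the simplest form of misuse detection. As an added example (not from the book), the following Python detector parses a few constructed sshd-style log lines and raises an alert when one source address produces a threshold number of failures inside a sliding time window; the log format, threshold and window are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an sshd-like format (assumed, not from the book).
SAMPLE_LOG = """\
2024-01-01T10:00:01 sshd: Failed password for invalid user admin from 203.0.113.7
2024-01-01T10:00:03 sshd: Failed password for root from 203.0.113.7
2024-01-01T10:00:05 sshd: Failed password for root from 203.0.113.7
2024-01-01T10:00:06 sshd: Accepted password for alice from 198.51.100.20
2024-01-01T10:00:08 sshd: Failed password for root from 203.0.113.7
2024-01-01T10:00:09 sshd: Failed password for root from 203.0.113.7
2024-01-01T10:00:10 sshd: Failed password for bob from 198.51.100.20
2024-01-01T10:20:00 sshd: Failed password for bob from 198.51.100.20
"""

LINE_RE = re.compile(
    r"^(\S+) sshd: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)$"
)


def parse(log_text):
    """Turn raw log lines into (timestamp, outcome, user, source) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, outcome, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), outcome, user, src))
    return events


def misuse_alerts(events, threshold=5, window=timedelta(minutes=1)):
    """Signature rule: alert once per source that reaches `threshold`
    failed logins within a sliding `window`. Returns (source, time) pairs."""
    recent = defaultdict(list)   # source -> timestamps of recent failures
    alerted = set()
    alerts = []
    for ts, outcome, user, src in events:
        if outcome != "Failed":
            continue
        # keep only failures that still fall inside the window ending at ts
        recent[src] = [t for t in recent[src] if ts - t <= window] + [ts]
        if len(recent[src]) >= threshold and src not in alerted:
            alerts.append((src, ts))
            alerted.add(src)
    return alerts


if __name__ == "__main__":
    for src, when in misuse_alerts(parse(SAMPLE_LOG)):
        print(f"ALERT: repeated failed logins from {src} at {when.isoformat()}")
```

With these sample lines only 203.0.113.7 trips the rule; the two failures from 198.51.100.20 are twenty minutes apart and stay below the threshold, which is exactly the kind of spacing a pure signature rule cannot see and an anomaly-based IDS would be expected to catch.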

Investigative Data Mining for Security and Criminal Detection
ISBN: 0750676132
Year: 2005
Pages: 232
Authors: Jesus Mena