Intrusion-and-Detection

Platform Security

INTRUSION AND DETECTION (IDS)
WHAT IS AN INTRUSION DETECTION SYSTEM (IDS)?
An intrusion detection system (IDS) is a network security tool
that monitors network traffic and devices for known malicious
activity, suspicious activity or security policy violations. It
raises alerts and records what it saw; acting on those alerts is
left to an analyst or to another control such as a firewall.

WHAT IS AN INTRUSION PREVENTION SYSTEM (IPS)?
An intrusion prevention system (IPS) is a network security
device or software that monitors network activity and blocks
potential threats. It sits inline, in the path of the traffic,
looks for traffic patterns or attack characteristics and, when it
identifies one, generates an alert and drops or resets the
offending traffic.

SIMILARITIES OF IDS AND IPS
Intrusion detection systems (IDS) and intrusion prevention
systems (IPS) are both network security tools that share some
similarities, including:

Detection techniques
• Both IDS and IPS use similar techniques to identify
malicious activity, such as signature-based detection and
anomaly-based detection.

Logs and reports
• Both IDS and IPS can generate logs and reports that help
investigate the source and impact of an attack.
Security policy enforcement
• Both IDS and IPS can help enforce security policies at the
enterprise network level.
Network traffic visibility
• Both IDS and IPS provide administrators with increased visibility
into network traffic and security events.
DIFFERENCE BETWEEN IDS AND IPS
The main difference between an Intrusion Detection System
(IDS) and an Intrusion Prevention System (IPS) is that an IDS
only detects intrusions, while an IPS can both detect and prevent
them. The practical consequence is placement and risk: an IDS can
sit out of band on a tap or SPAN port, so a false positive costs
an analyst's time; an IPS must sit inline, so a false positive
blocks legitimate traffic and a sensor failure can take the link
down unless it is configured to fail open.

FUNDAMENTAL IDEAS OF IDS
The fundamental ideas behind Intrusion Detection Systems
(IDS) revolve around identifying, analyzing, and responding
to potential security threats in a proactive way. Key principles
include:

TYPES OF IDS
Network intrusion detection system (NIDS)
• NIDS monitors all incoming and outgoing traffic at a chosen point in
the network (a tap, SPAN port or gateway) and inspects it for attacks;
it observes the traffic rather than controlling it.

Host intrusion detection system (HIDS)
• Installed on individual networked devices, HIDS monitors the activity
of that host: processes, logins, configuration and file changes, and the
host's own network connections. HIDS can perform log analysis, check file
integrity, monitor policy, detect rootkits, and provide real-time alerts.

Signature-based intrusion detection systems (SIDS)
• Signature-based IDSs match traffic or host events against a database
of patterns taken from previous attacks (byte sequences, regular
expressions, known bad addresses). They produce few false positives for
what they know, but they cannot detect new attacks or variants whose
signature has not been written yet, and encoding or fragmentation tricks
can evade a naive pattern.

Anomaly-based intrusion detection systems (AIDS)
• Anomaly-based IDSs first learn a baseline of normal behaviour (traffic
volumes, protocol usage, typical commands) and then flag deviations from
it, which lets them detect attacks with no known signature. The cost is a
higher false-positive rate, and an attacker who is already present during
the learning period can have their activity baked into the baseline.

Hybrid intrusion detection (HID)
• A hybrid intrusion detection system combines two or more detection
approaches to widen coverage. In one common design, a neural network
anomaly-detection component is paired with a basic pattern matching
engine: the pattern matcher catches known classes of attack
efficiently, and the anomaly component can flag unknown ones.

DIFFERENCE BETWEEN NIDS AND HIDS
The main difference between network-based intrusion detection systems
(NIDS) and host-based intrusion detection systems (HIDS) is the scope of
what they monitor:

NIDS
• Monitors network traffic for suspicious activity. NIDS is installed at
strategic points in the network to analyze data flowing across the entire
network. It sees every host whose traffic crosses that segment, but it
cannot see inside encrypted sessions or observe what happens on the host
afterwards.

HIDS
• Monitors activities on individual devices or hosts, such as system logs,
file integrity, and user behavior. HIDS is installed on individual hosts and
collects local logs, so it sees decrypted data and local actions, at the
cost of an agent to deploy and maintain on every host.


IDS ARCHITECTURAL DESIGNS
An Intrusion Detection System (IDS) is a security tool that
monitors network traffic and host activity for malicious behaviour.
It analyzes network traffic data and system logs to identify
potential security threats. There are two primary architectural
designs for IDS:

1. Network-Based IDS (NIDS)
How it works:
• Passive Monitoring: NIDS operates in promiscuous mode, receiving a
copy of all traffic on a network segment from a tap or SPAN port.
• Traffic Analysis: It reassembles streams and analyzes packets for
suspicious patterns, anomalies, or known attack signatures.
• Alert Generation: Upon detection of a potential threat, it generates
alerts, logs the incident, and may trigger automated actions such as
notifying administrators or asking a firewall to block the source.
Because a passive sensor is not in the traffic path, it cannot drop
the offending packets itself; that requires an inline (IPS) deployment.

2. Host-Based IDS (HIDS)
How it works:
• Local Monitoring: HIDS monitors the activity on a specific
host, analyzing system logs and file system changes.
• Behavior Analysis: It compares system behavior to
established baselines to identify anomalies.
• Alert Generation: Upon detection of suspicious activity, it
generates alerts and may take automated actions like
blocking processes or notifying administrators.

Hybrid IDS
A combination of NIDS and HIDS can provide comprehensive
security coverage. By leveraging the strengths of both
approaches, organizations can enhance their security posture
and detect a wider range of threats.

INTRUSION DETECTION TECHNIQUES
Signature-based detection
• A foundational method that searches for known indicators,
such as IP addresses, byte patterns or text strings, to identify
malicious behaviour. It is only as good as its signature set, so
the rules need regular updates.

Network intrusion detection system (NIDS)
• A common tool that detects attacks against a network by
inspecting its traffic. NIDS can be classified as signature-based or
anomaly-based.

Host intrusion detection system (HIDS)
• A software application that monitors a host for suspicious
activity, such as inappropriate use of resources or data.

Anomaly detection
• An approach that models normal behaviour, with statistics or
machine learning, and raises an alert when observed activity
departs from the model. It can find attacks with no known signature,
but it needs a clean training period and tuning to keep false
positives manageable.
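The signature-based and anomaly-based techniques described here, and under Types of IDS above, side by side as an added Python example (not code from the slides): both engines run over the same constructed web-server access log. The log lines, IP addresses, request paths and the three signature rules are invented for the demo; the point is which engine catches which attack.

```python
import re
import statistics
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Added example, not from the slides: a signature engine and an anomaly
# engine run over the same constructed access log, to show what each one
# catches and misses. Addresses, paths and rule names are invented.

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Signature rules: patterns taken from attacks seen before (hypothetical set).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"(?i)'\s*or\s+'?1'?\s*=\s*'?1"),
    "sqlmap-scanner": re.compile(r"(?i)sqlmap"),
}


def parse(line: str):
    m = LOG_RE.match(line)
    if m is None:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    return e


def signature_detect(lines):
    """Signature-based: alert on any request matching a known pattern."""
    hits = []
    for e in filter(None, map(parse, lines)):
        # URL-decode first; a signature that does not normalise is trivially evaded.
        text = f'{unquote(e["req"])} {e["ua"]}'
        for name, pattern in SIGNATURES.items():
            if pattern.search(text):
                hits.append((e["ip"], name))
    return hits


def rate_buckets(lines) -> Counter:
    """Requests per (client, minute)."""
    buckets = Counter()
    for e in filter(None, map(parse, lines)):
        buckets[(e["ip"], e["ts"].replace(second=0))] += 1
    return buckets


def anomaly_detect(training_lines, lines, k: float = 3.0):
    """Anomaly-based: learn the normal per-minute rate, alert above mean + k*sd."""
    baseline = list(rate_buckets(training_lines).values())
    threshold = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    return [(ip, n) for (ip, _), n in rate_buckets(lines).items() if n > threshold]


# ---- constructed data ---------------------------------------------------
T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)


def make_line(ip, ts, req, status=200, ua="Mozilla/5.0"):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{req}" {status} 512 "-" "{ua}"'


def constructed_training():
    """Five clean minutes: three clients making 2-4 requests per minute each."""
    lines = []
    for minute in range(5):
        for i, ip in enumerate(("10.0.0.5", "10.0.0.6", "10.0.0.7")):
            for s in range(2 + (minute + i) % 3):
                lines.append(make_line(ip, T0 + timedelta(minutes=minute, seconds=s),
                                       "GET /index.html HTTP/1.1"))
    return lines


def constructed_test():
    t = T0 + timedelta(minutes=10)
    lines = [make_line("10.0.0.5", t + timedelta(seconds=s), "GET /index.html HTTP/1.1")
             for s in range(3)]
    # Known attack: URL-encoded SQL injection from a scanner. A signature catches it.
    lines.append(make_line("198.51.100.9", t + timedelta(seconds=5),
                           "GET /login?user=admin'%20OR%20'1'%3D'1 HTTP/1.1", 500, "sqlmap/1.7"))
    # Novel attack: credential stuffing, 30 logins in one minute. No pattern to
    # match, but the request rate is far outside the learned baseline.
    lines += [make_line("203.0.113.4", t + timedelta(seconds=s), "POST /login HTTP/1.1", 401)
              for s in range(30)]
    return lines


if __name__ == "__main__":
    print("signature hits:", signature_detect(constructed_test()))
    print("anomalies:", anomaly_detect(constructed_training(), constructed_test()))
```

The scanner is caught twice by signatures and never by the rate model (it sent one request); the credential-stuffing source is caught only by the rate model. Swap the training data for a period that already contains the stuffing traffic and the threshold rises until the attack looks normal, which is the baseline-poisoning caveat from the Types of IDS section.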

Hybrid intrusion detection
• A system that combines two or more IDS techniques, such as
NIDS and HIDS, to increase efficiency and detect both known
and unknown attacks.

Stateful protocol analysis
• An approach that tracks the state of each session (for example
the TCP handshake, or the request/response sequence of HTTP or FTP)
and compares what it sees with a profile of how the protocol is
supposed to behave. It can therefore flag traffic that is
syntactically valid but arrives in the wrong state, such as data on
a connection that never completed its handshake.
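Stateful protocol analysis on the TCP handshake, as an added Python example (not code from the slides or from any sensor): a small tracker keeps the handshake state of every 4-tuple and alerts when a packet arrives in a state the protocol does not allow. The packet sequence, addresses and the half-open limit are constructed for the demo, and the tracker deliberately ignores sequence numbers and timeouts that a real sensor would also check.

```python
from collections import Counter

# Added example, not from the slides: a toy stateful tracker for the TCP
# handshake. Packets are constructed tuples (src, sport, dst, dport, flags,
# payload_len); flags is a string with any of S (SYN), A (ACK), F (FIN),
# R (RST). A real sensor also tracks sequence numbers and timeouts; this
# demo keeps only the handshake state per 4-tuple.

SYN_SENT, SYN_RECEIVED, ESTABLISHED = "SYN_SENT", "SYN_RECEIVED", "ESTABLISHED"


class ConnectionTracker:
    def __init__(self, half_open_limit: int = 5):
        self.flows = {}              # (client, cport, server, sport) -> state
        self.half_open = Counter()   # client ip -> flows not yet ESTABLISHED
        self.limit = half_open_limit
        self.alerts = []

    def _lookup(self, src, sport, dst, dport):
        """Find the flow a packet belongs to and whether it travels client->server."""
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if fwd in self.flows:
            return fwd, True
        if rev in self.flows:
            return rev, False
        return None, None

    def feed(self, src, sport, dst, dport, flags, payload_len=0):
        key, client_to_server = self._lookup(src, sport, dst, dport)

        if "S" in flags and "A" not in flags:              # SYN: client opens
            self.flows[(src, sport, dst, dport)] = SYN_SENT
            self.half_open[src] += 1
            if self.half_open[src] > self.limit:
                self.alerts.append(("syn-flood", src))

        elif "S" in flags:                                  # SYN-ACK: server answers
            if key and not client_to_server and self.flows[key] == SYN_SENT:
                self.flows[key] = SYN_RECEIVED
            else:
                self.alerts.append(("unsolicited-syn-ack", src))

        elif "R" in flags or "F" in flags:                  # teardown
            if key:
                if self.flows[key] != ESTABLISHED:
                    self.half_open[key[0]] -= 1
                del self.flows[key]

        else:                                               # plain ACK, maybe with data
            if key is None:
                self.alerts.append(("packet-outside-any-connection", src))
            elif self.flows[key] == SYN_RECEIVED and client_to_server:
                self.flows[key] = ESTABLISHED               # handshake complete
                self.half_open[key[0]] -= 1
            elif self.flows[key] != ESTABLISHED and payload_len:
                self.alerts.append(("data-before-handshake", src))


def demo():
    """Constructed packet sequence: one clean session, then three state violations."""
    t = ConnectionTracker(half_open_limit=5)
    web = ("10.0.0.80", 80)
    # Normal session: three-way handshake, a request, and a FIN.
    t.feed("10.0.0.5", 40000, *web, "S")
    t.feed(*web, "10.0.0.5", 40000, "SA")
    t.feed("10.0.0.5", 40000, *web, "A")
    t.feed("10.0.0.5", 40000, *web, "A", payload_len=120)
    t.feed("10.0.0.5", 40000, *web, "FA")
    # ACK carrying data with no handshake at all (ACK scan or injected segment).
    t.feed("203.0.113.7", 5555, *web, "A", payload_len=60)
    # Client pushes data after its SYN but before any SYN-ACK came back.
    t.feed("10.0.0.6", 41000, *web, "S")
    t.feed("10.0.0.6", 41000, *web, "A", payload_len=30)
    # SYN flood: six half-open connections from one source, limit is five.
    for port in range(50000, 50006):
        t.feed("198.51.100.9", port, *web, "S")
    return t.alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

None of the three offending packets contains a byte pattern a signature could match, and none is a volume anomaly on its own; they are detectable only because the sensor remembers what came before. The same state table is what an inline IPS consults when it drops a segment that belongs to no established connection.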

21
NETWORK
PROTOCOLS
AND TRAFFIC
ANALYSIS
22
WHAT IS NETWORK PROTOCOLS?
Network protocols are a set of rules that allow devices to
communicate with each other across a network. They are a
common language that enables devices to communicate
regardless of differences in software, hardware, or internal
processes.

WHAT IS NETWORK TRAFFIC ANALYSIS?
Network traffic analysis (NTA) is a process that involves
monitoring and examining network data to understand and
improve network performance, security, and availability.

IDS/IPS TOOLS AND TECHNOLOGIES
Intrusion detection and prevention systems
(IDS/IPS) are essential tools for IT security
that monitor network traffic to alert or block
suspicious activities. Here are some IDS/IPS
tools and technologies:

Snort
• A popular open-source NIDS application that typically runs on
Linux. It matches traffic against a rule language for which the
community and vendors publish rule sets, and it can also be deployed
inline as an IPS.
Suricata
• A multi-threaded, signature-based engine compatible with the Snort
rule format, with protocol parsers that can examine TLS/SSL
certificates, HTTP requests, and DNS transactions and flag protocol
anomalies. It logs events in the EVE JSON format and can also run
inline as an IPS.

Zeek
• An IDS and network monitoring framework that turns traffic into
structured logs (connections, DNS, HTTP, TLS) and runs scripts over
them, which suits it to identifying behavioural anomalies such as
suspicious or threat activity rather than matching packet signatures.
OSSEC
• A host-based IDS that can also be
installed as an IPS, blocking attacks in
real-time as they are detected.

Palo Alto Networks
• A commercial security platform that brings together key network
security functions, including IDS/IPS, firewall, advanced threat
protection, and URL filtering, in one inline appliance.
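Whichever tool produces them, the alerts end up in a log an analyst has to triage. As an added Python example (not code from the slides or from the Suricata project), the records below are constructed Suricata EVE JSON lines: the field names (event_type, src_ip, alert.signature, alert.severity, alert.action) follow the real format, but the signature IDs, rule names and addresses are invented local rules for the demo.

```python
import json
from collections import defaultdict

# Added example, not from the slides: triage of Suricata EVE JSON output.
# The six records are constructed. Field names follow the real EVE format;
# signature IDs 1000001-1000003 sit in the local-rule range and the names,
# addresses and severities are invented for the demo.
EVE_LINES = [
    '{"timestamp":"2024-03-01T09:10:00.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.80","proto":"TCP"}',
    '{"timestamp":"2024-03-01T09:10:05.000000+0000","event_type":"alert",'
    '"src_ip":"198.51.100.9","src_port":5555,"dest_ip":"10.0.0.80","dest_port":80,'
    '"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,'
    '"signature":"LOCAL sqlmap scanner user-agent","category":"Web Application Attack",'
    '"severity":2}}',
    '{"timestamp":"2024-03-01T09:10:05.200000+0000","event_type":"alert",'
    '"src_ip":"198.51.100.9","src_port":5555,"dest_ip":"10.0.0.80","dest_port":80,'
    '"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":1000002,"rev":1,'
    '"signature":"LOCAL SQL injection tautology in URI","category":"Web Application Attack",'
    '"severity":1}}',
    '{"timestamp":"2024-03-01T09:10:40.000000+0000","event_type":"alert",'
    '"src_ip":"203.0.113.4","src_port":51234,"dest_ip":"10.0.0.80","dest_port":80,'
    '"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000003,"rev":1,'
    '"signature":"LOCAL excessive POST /login rate","category":"Attempted Information Leak",'
    '"severity":3}}',
    'not json: sensor restarted',
    '{"timestamp":"2024-03-01T09:11:00.000000+0000","event_type":"dns",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.53","proto":"UDP"}',
]


def alerts(lines):
    """Yield only alert events; skip other event types and unparsable lines."""
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") == "alert":
            yield event


def summarize(lines):
    """Per source IP: alert count, how many the sensor actually blocked (IPS mode),
    the worst severity seen (1 is the most severe in Suricata) and the signatures."""
    per_src = defaultdict(lambda: {"alerts": 0, "blocked": 0,
                                   "worst_severity": None, "signatures": set()})
    for ev in alerts(lines):
        a = ev["alert"]
        s = per_src[ev["src_ip"]]
        s["alerts"] += 1
        if a.get("action") == "blocked":
            s["blocked"] += 1
        sev = a["severity"]
        s["worst_severity"] = sev if s["worst_severity"] is None else min(s["worst_severity"], sev)
        s["signatures"].add(a["signature"])
    for s in per_src.values():
        s["signatures"] = sorted(s["signatures"])
    return dict(per_src)


def triage_order(summary):
    """Sources to look at first: most severe, then most alerts."""
    return sorted(summary, key=lambda ip: (summary[ip]["worst_severity"], -summary[ip]["alerts"]))


if __name__ == "__main__":
    summary = summarize(EVE_LINES)
    for ip in triage_order(summary):
        print(ip, summary[ip])
```

The "action" field is the IDS/IPS difference from the earlier slides made visible in data: in detection mode every alert reads "allowed", and only an inline deployment with drop rules produces "blocked". An "allowed" alert at severity 1 is the one that needs a human now.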
INCIDENT RESPONSE AND FORENSIC ANALYSIS
Digital forensics and incident response (DFIR) is a specialized
field focused on identifying, remediating, and investigating
cybersecurity incidents. As the name suggests, DFIR consists of
two related components: incident response, which stops the attack,
and digital forensics, which collects, preserves, and analyzes the
evidence it left behind. IDS/IPS alerts are often the trigger for
both.

INCIDENT RESPONSE
The process of stopping a cyberattack as quickly as possible to
minimize damage. This includes isolating infected systems,
containing the spread of malware, eradicating the attacker's
foothold, and restoring data and services.

FORENSIC ANALYSIS
The process of collecting, preserving, and analyzing evidence left
behind by a cyberattack. This evidence can include malware files,
log data, or deleted files. Evidence is hashed and copied before it
is examined so that the analysis never alters the original. The goal
is to understand the scope and impact of the incident.

THANK YOU
