What Is an Intrusion Detection System?

An intrusion detection system (IDS) is a vigilant application or device that proactively screens, monitors, and analyze a network against malicious threats. 

The cybersecurity landscape benefits from the distinct but interconnected safety features of intrusion detection systems and intrusion prevention systems (IPS). An IDS acts as the "watchful eye" that continuously monitors network activities and provides early warning of potential threats. Meanwhile, the IPS prevents and stops detected threats from causing harm to a network. 

Read more: Cybersecurity Terms: A to Z Glossary

Types of intrusion detection systems

IDS solutions come in different forms, each with their own capabilities tailored to meet specific security requirements. Here are two prevalent types of intrusion detection systems:

• NIDS: Network intrusion detection systems are strategically placed within an organization's internal network infrastructure to actively monitor and identify any malicious or suspicious traffic originating from devices connected to the network.

• HIDS: A host intrusion detection system (HIDS) safeguards all devices that connect to both the internet and the organization's internal network. It detects internal packets and additional malicious traffic missed by NIDS. HIDS also identifies host-based threats, like malware attempting to spread within an organization's system.

How do intrusion detection systems work?

An IDS supports organizations in their cybersecurity strategies by offering assistance in one of three ways:

• Signature-based detection: The IDS examines all packets traversing an organization's network and matches them against a database of known attack signatures through string comparison.

• Anomaly-based detection: The IDS compares definitions of what is deemed normal with recorded events to spot deviations in network activity. Anomaly-based systems employ machine learning to establish a reference point for normal behavior. This detection method can prove instrumental in combating novel threats. 

• Stateful protocol analysis: The IDS analyzes observed events with predefined profiles of protocol activity that are safe or benign. The process repeats for every protocol state.

IDS vs. firewall: What’s the difference? 

An IDS passively observes network activity, alerting incident responders or security operations center (SOC) analysts to potential threats. However, it does not offer protection for endpoints or networks beyond incident response.

In contrast, a firewall actively monitors and blocks threats to prevent incidents. It acts as a barrier, selectively allowing or blocking network traffic based on preconfigured rules.

Related terms

• CIA triad

• Computer forensic investigator

• Cybersecurity analyst

• Security engineer

• Information security analyst

• Cryptanalyst

Getting started with Coursera

Take the next step toward a career in cybersecurity by enrolling in the  Google Cybersecurity Professional Certificate on Coursera. This certificate is your gateway to exploring job titles like security analyst SOC (security operations center) analyst, and more. Upon completion, you’ll have exclusive access to a job platform with over 150 employees hiring for entry-level cybersecurity roles and other resources that will support you in your job search.