An Intrusion Detection System (IDS) monitors network traffic or system activity for malicious behavior and policy violations. When suspicious activity is detected, the IDS generates alerts for security analysts to investigate. Unlike a firewall, which blocks traffic, an IDS observes and reports without directly preventing attacks.
Network-based IDS (NIDS) monitors network segments, while host-based IDS (HIDS) monitors individual systems. Detection methods include signature-based (matching known attack patterns), anomaly-based (identifying deviations from baselines), and behavior-based (detecting suspicious activities regardless of specific signatures).
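As an added illustration (not part of the original entry), the following Python sketch runs two of the detection methods named above over constructed log lines: a signature rule for a known-bad request pattern, and an anomaly rule that learns normal per-host port fan-out from a baseline window. The log format, addresses and rule names are all assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict
# Constructed log format: "<time> <src> -> <dst>:<port> <bytes> <payload>"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\d+) (.*)$")
# Baseline window of normal traffic: each host talks to one or two services.
BASELINE_LOG = """
10:00:01 10.0.0.5 -> 10.0.0.20:443 1200 GET /index.html
10:00:02 10.0.0.7 -> 10.0.0.20:443 1100 GET /login
10:00:03 10.0.0.7 -> 10.0.0.20:22 400 SSH-2.0-client
"""
# Observation window: one host sends a textbook traversal string, another fans out across ports.
OBSERVED_LOG = """
10:05:01 10.0.0.9 -> 10.0.0.20:443 880 GET /img/../../etc/passwd
10:05:02 10.0.0.7 -> 10.0.0.20:22 400 SSH-2.0-client
10:05:03 10.0.0.7 -> 10.0.0.20:23 300 probe
10:05:04 10.0.0.7 -> 10.0.0.20:25 300 probe
10:05:05 10.0.0.7 -> 10.0.0.20:80 300 probe
10:05:06 10.0.0.7 -> 10.0.0.20:443 300 probe
"""
SIGNATURES = [("path-traversal", re.compile(r"\.\./"))]  # known-bad patterns (constructed)

def parse(log_text):
    """Turn raw lines into event dicts; malformed lines are skipped rather than alerted on."""
    events = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, _dst, port, _size, payload = m.groups()
            events.append({"ts": ts, "src": src, "port": int(port), "payload": payload})
    return events

def signature_alerts(events):
    """Signature-based: flag every event whose payload matches a known-bad pattern."""
    return [(n, e["src"], e["ts"]) for e in events for n, rx in SIGNATURES if rx.search(e["payload"])]

def port_fanout(events):  # distinct destination ports contacted per source host
    ports = defaultdict(set)
    for e in events:
        ports[e["src"]].add(e["port"])
    return {src: len(p) for src, p in ports.items()}

def anomaly_alerts(baseline_events, events, k=3.0):
    """Anomaly-based: learn normal per-host fan-out, flag hosts above mean + k*stdev."""
    base = list(port_fanout(baseline_events).values())
    threshold = statistics.mean(base) + k * max(statistics.pstdev(base), 1.0)  # floor for a flat baseline
    return [("port-fanout", src, n) for src, n in port_fanout(events).items() if n > threshold]

if __name__ == "__main__":  # an IDS only reports; nothing here blocks the traffic
    print(signature_alerts(parse(OBSERVED_LOG)) + anomaly_alerts(parse(BASELINE_LOG), parse(OBSERVED_LOG)))
```

The multiplier k is the knob that trades false positives against missed fan-out, which is why the output is an alert list for an analyst to investigate rather than a block action.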
CISSP Relevance
Domain 4 (Communication and Network Security) and Domain 7 (Security Operations) cover IDS concepts. Understand the difference between IDS and IPS, detection methodologies, placement strategies, and how IDS fits into security monitoring programs. Know limitations including false positives and the need for analyst investigation.
NIST covers intrusion detection in SP 800-94 Guide to Intrusion Detection and Prevention Systems.
Related terms: Intrusion Prevention System, SIEM