What Is Intrusion Detection?

Gabriele Sturmer

Intrusion detection deals with noticing unauthorized attempts to access a computer network or physical computer system. Its purpose is to detect any threats that could allow access to unauthorized information, negatively affect data integrity or result in a loss of access within a network. It is usually implemented through the use of an intrusion detection system (IDS) that detects, records and logs various information about others connecting to the network or accessing a physical host. These systems can range from software solutions that simply log traffic information to physical systems that involve security guards, cameras and motion sensors.

There are three primary types of intrusion detection: network-based, host-based and physical methods. Network-based methods try to flag suspicious network traffic and typically use programs that record the traffic and packets flowing through a network. Host-based methods look for possible intrusions on a physical computer system and check for file integrity, identify rootkits, monitor local security policies and analyze logs. Physical methods also deal with identifying security issues on physical devices and use physical controls, such as people, security cameras, firewalls and motion sensors. In many businesses with confidential data and critical systems, a combination of these methods is desirable for the best possible security.

Some companies choose to use security guards as part of their physical security system.

Intrusion detection systems do not usually prevent intrusions from happening; instead, they simply log events that occur so others can gather and analyze the information. Although this is especially true for network-based and host-based intrusion detection methods, this may not be true for some physical methods, such as firewalls and security personnel. Firewalls often provide the ability to block suspicious traffic and can learn what is and is not allowed access. Security personnel also can prevent people from physically breaking into a company or data center, and monitored traps and access control systems are other physical methods that can prevent someone from breaking in.

In its day-to-day operation, a network's intrusion detection system monitors user activity and traffic.

Because of these limitations, many organizations also use an intrusion prevention system (IPS) to take action when suspicious activity occurs. Many of these systems include the functions of an intrusion detection system and provide a more well-rounded security system, which is helpful when responding to security breaches is critical. When the IPS detects suspicious traffic or policy violations, it takes the action configured in its policies. Information security employees or system administrators usually configure the policies the IPS uses to respond to each event.
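
The difference between logging an event and acting on it can be shown with one detection rule run in both modes. The following Python example is added here for illustration and is not part of the original article; the log lines are constructed, and the rule name, threshold and policy table are hypothetical.

```python
import re
from collections import Counter

# Constructed sample of sshd-style auth log lines (not real traffic).
SAMPLE_LOG = """\
Jan 10 03:12:01 host sshd[811]: Failed password for root from 203.0.113.7 port 40022 ssh2
Jan 10 03:12:03 host sshd[811]: Failed password for root from 203.0.113.7 port 40023 ssh2
Jan 10 03:12:05 host sshd[811]: Failed password for admin from 203.0.113.7 port 40024 ssh2
Jan 10 03:12:09 host sshd[902]: Accepted password for alice from 198.51.100.4 port 51500 ssh2
Jan 10 03:13:40 host sshd[915]: Failed password for bob from 198.51.100.9 port 51877 ssh2
""".splitlines()

FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+)")

# Hypothetical policy: administrators map each event type to a response.
POLICY = {"repeated_failed_login": "block_source"}
THRESHOLD = 3  # assumed: failures from one source before an event is raised


def detect(lines, threshold=THRESHOLD):
    """Detection stage shared by IDS and IPS: one event per noisy source."""
    failures = Counter(m.group(1) for line in lines if (m := FAILED.search(line)))
    return [{"type": "repeated_failed_login", "source": src, "count": n}
            for src, n in sorted(failures.items()) if n >= threshold]


def run_ids(lines):
    """IDS behaviour: record events for later analysis, take no action."""
    return [f"ALERT {e['type']} source={e['source']} count={e['count']}"
            for e in detect(lines)]


def run_ips(lines, policy=POLICY):
    """IPS behaviour: same detection, then apply the configured action."""
    blocked = set()  # stands in for rules pushed to an enforcement point
    log = []
    for event in detect(lines):
        action = policy.get(event["type"], "log_only")
        if action == "block_source":
            blocked.add(event["source"])
        log.append(f"ALERT {event['type']} source={event['source']} action={action}")
    return log, blocked


if __name__ == "__main__":
    print(run_ids(SAMPLE_LOG))
    print(run_ips(SAMPLE_LOG))
```

With an empty policy table, `run_ips` falls back to `log_only` and behaves like the IDS, which is why the policy configuration determines what the IPS actually does in response to an event.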
