Types of IDS:

There are following types of intrusion detection systems:

1. Host-based IDS.
2. Network-based IDS.
3. Application-based IDS.

1. Host-Based IDS (HIDS):

Definition: A Host-Based Intrusion Detection System (HIDS) is a security mechanism deployed on individual hosts (such as servers or endpoints) to monitor and analyze their internal activities, system logs, and configurations for signs of malicious behavior or security policy violations. HIDS operates by comparing observed events against known attack signatures or behavioral baselines to detect and alert on suspicious activities.

Advantages:

1. Granular Visibility: HIDS provides granular visibility into the activities and events occurring on individual hosts, allowing for detailed monitoring and analysis of system behavior.
2. Insider Threat Detection: HIDS can effectively detect insider threats, including unauthorized access attempts, malicious software installations, and suspicious user activities, by monitoring host-level events and behaviors.
3. Low False Positive Rate: HIDS typically has a lower false positive rate compared to network-based intrusion detection systems (NIDS), as it analyzes events within the context of the host environment, reducing the likelihood of false alarms.
4. Comprehensive Coverage: HIDS offers comprehensive coverage of host-based security events, including file integrity monitoring, log analysis, registry changes, and system configuration changes, providing a holistic view of host security.

Disadvantages:

1. Limited Scope: HIDS is limited to monitoring activities occurring on individual hosts where it is deployed, which may result in blind spots for network-level attacks or threats targeting other hosts in the network.
2. Resource Overhead: HIDS can impose a performance overhead on the host system, particularly during intensive monitoring and analysis activities, which may impact system performance and responsiveness.
3. Complexity of Management: Managing and maintaining HIDS across a large number of hosts can be complex and resource-intensive, requiring ongoing configuration, tuning, and updates to ensure effective detection and response.
4. Dependence on Host Integrity: HIDS relies on the integrity of the host system to accurately monitor and analyze security events. If the host system is compromised or disabled, the effectiveness of HIDS may be compromised.
5. Limited Visibility in Virtualized Environments: In virtualized environments, HIDS may face challenges in monitoring activities across virtual machines (VMs) or containers, especially if they are not properly integrated with virtualization platforms.

2. Network-based IDS:

Definition:
A Network-Based Intrusion Detection System (NIDS) is a security mechanism deployed at strategic points within a network infrastructure to monitor and analyze network traffic for signs of malicious behavior or security policy violations. NIDS examines packets traversing network segments, looking for patterns indicative of known attacks or anomalous activities. It operates by comparing observed network traffic against a database of attack signatures or behavioral baselines to detect and alert on suspicious activities.

Advantages:

1. Visibility Across the Network: NIDS provides comprehensive visibility into network traffic flowing across the entire network infrastructure, including traffic between internal hosts and traffic entering or leaving the network perimeter.
2. Centralized Monitoring: NIDS offers centralized monitoring and analysis of network traffic, allowing security personnel to monitor multiple network segments and locations from a single management console.
3. Early Detection of Network-Based Threats: NIDS can detect a wide range of network-based threats, including malware infections, intrusion attempts, denial-of-service attacks, and suspicious network activities, in real-time or near real-time.
4. Scalability: NIDS is scalable and can be deployed at multiple points within the network infrastructure to accommodate the size and complexity of the network, providing effective threat detection and response across large-scale deployments.

Disadvantages:

1. Limited Visibility into Host-Level Activities: NIDS primarily focuses on monitoring network traffic and may have limited visibility into host-level activities or events occurring within individual hosts, potentially missing host-based attacks or insider threats.
2. Potential for False Positives: NIDS may generate false positive alerts due to the inherent complexity of network traffic and the possibility of legitimate activities resembling attack patterns or anomalies, leading to alert fatigue and decreased effectiveness.
3. Encrypted Traffic: NIDS may face challenges in inspecting encrypted traffic, as it cannot decipher encrypted payloads without decryption keys, limiting its ability to detect threats concealed within encrypted communications.
4. Network Performance Impact: NIDS can impose a performance overhead on network devices, particularly during intensive packet inspection and analysis, which may impact network throughput, latency, and overall performance.
5. Blind Spots in Encrypted or Fragmented Traffic: NIDS may have blind spots in encrypted or fragmented traffic, where malicious activities may go undetected if they are not properly decrypted or reassembled for inspection.

3. Application-based IDS:

Application-Based Intrusion Detection System (IDS) is a security mechanism that focuses on monitoring and analyzing application-layer traffic for signs of malicious behavior or security policy violations. Unlike network-based IDS (NIDS), which examines network traffic at the packet level, application-based IDS operates at the application layer of the OSI model, providing deep visibility into application-level protocols and behaviors.

Definition:

Application-Based Intrusion Detection System (IDS) is a security mechanism deployed within the application layer of the OSI model to monitor and analyze application-level traffic for signs of malicious behavior or security policy violations. It focuses on inspecting and analyzing application-layer protocols, messages, and behaviors to detect and alert on suspicious activities.

Advantages:

1. Granular Visibility into Application Layer: Application-based IDS provides granular visibility into application-layer traffic, allowing for deep inspection and analysis of application protocols, messages, and behaviors.
2. Detection of Application-Level Threats: It can effectively detect application-level threats, such as SQL injection, cross-site scripting (XSS), command injection, and other web application vulnerabilities, by analyzing application-layer traffic for signs of malicious behavior.
3. Protection for Web Applications and Services: Application-based IDS offers protection for web applications, APIs, and other online services by monitoring and analyzing HTTP/HTTPS traffic for signs of malicious activity, unauthorized access attempts, and web application attacks.
4. Customized Rule Sets: It allows organizations to define customized rule sets tailored to their specific applications, protocols, and security requirements, providing flexibility and granularity in threat detection and response.

Disadvantages:

1. Resource Intensive: Application-based IDS can be resource-intensive, particularly when analyzing complex application-layer protocols and messages, which may impact system performance and responsiveness.
2. Complexity of Configuration: Configuring and managing application-based IDS can be complex, requiring expertise in application protocols, message formats, and security policies, as well as ongoing updates and maintenance to ensure effective threat detection and response.
3. Limited Coverage Beyond Application Layer: Application-based IDS primarily focuses on monitoring and analyzing application-layer traffic and may have limited visibility into lower-level network or host-based activities, potentially missing threats occurring outside the application layer.