The term "intrusion detection" refers to the automated detection and analysis of suspicious or unauthorized activity in IT systems, networks, or applications. The goal is to identify attacks, misuse, or security breaches at an early stage in order to limit damage, meet compliance requirements, and strengthen the overall security posture. Technically, this is typically implemented by intrusion detection systems (IDS) that monitor network traffic, system events, and logs. An IDS observes and alerts; it does not block traffic on its own. Blocking is the job of an intrusion prevention system (IPS) or of a firewall, endpoint agent, or SOAR playbook that the IDS feeds.
Real-time Monitoring: Continuous analysis of network traffic, system calls, log files, and user activities to detect anomalies at an early stage.
Signature-based Attack Detection: Matching events and data packets against known attack patterns (signatures), e.g., for malware, exploits, or port scans. This is precise for what it knows but blind to anything without a signature, so the rule set must be kept up to date.
Anomaly and Behavior-based Detection: Identifying unusual patterns in the behavior of users, endpoints, or applications, such as suspicious login attempts or atypical data volumes. This requires a learned baseline of normal activity and tends to produce more false positives than signature matching, so thresholds need tuning.
Log and Event Analysis: Centralized collection and evaluation of system, network, and application logs to detect security-relevant events.
Alerting and Notification: Automatically triggering alerts via email, dashboards, ticketing systems, or SIEM when attacks or anomalies are detected.
Correlation and Rule Engine: Combining multiple events (e.g., many failed logins followed by a successful one) into an overall picture to detect complex attacks.
Forensics and Detailed Analysis: Providing in-depth information about incidents, including packet captures, timestamps, and affected systems for later investigation.
Integration with Security Solutions: Connecting to firewalls, endpoint security, SIEM, and SOAR platforms for automated processing and response.
Policy and Rule Management: Central definition, adjustment, and versioning of detection rules, thresholds, and policies.
Dashboards & Reporting: Overview and detailed reports on incidents, trends, attack types, and affected systems for security teams and management.
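The signature matching, anomaly thresholds, and event correlation described above can be seen working together in a small Python script. This is an added example, not code from the original page or from any IDS product: it parses sshd-style log lines (constructed for illustration, using TEST-NET addresses and made-up hosts and users), applies a signature (the `Failed password` / `Accepted` message formats) and then a correlation rule of the kind named above: at least five failed logins from one source IP within a five-minute window, followed by a successful login from the same IP. The threshold and window are assumed values a real deployment would tune.

```python
"""Minimal signature-plus-correlation rule over auth log lines.

Added example, not from the original page. Log lines, hosts, users and
IPs are constructed for illustration; the message format mimics OpenSSH
sshd output, the threshold and window are assumed tuning values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a brute-force burst from 203.0.113.7 that ends in a
# successful root login, plus benign noise from 198.51.100.5.
SAMPLE_LOG = """\
2024-05-01T10:00:01 srv1 sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
2024-05-01T10:00:03 srv1 sshd[1002]: Failed password for root from 203.0.113.7 port 40002 ssh2
2024-05-01T10:00:05 srv1 sshd[1003]: Failed password for root from 203.0.113.7 port 40003 ssh2
2024-05-01T10:00:07 srv1 sshd[1004]: Failed password for root from 203.0.113.7 port 40004 ssh2
2024-05-01T10:00:09 srv1 sshd[1005]: Failed password for root from 203.0.113.7 port 40005 ssh2
2024-05-01T10:00:12 srv1 sshd[1006]: Accepted password for root from 203.0.113.7 port 40006 ssh2
2024-05-01T10:01:00 srv1 sshd[1007]: Failed password for alice from 198.51.100.5 port 50001 ssh2
2024-05-01T10:01:30 srv1 sshd[1008]: Accepted publickey for alice from 198.51.100.5 port 50002 ssh2
"""

# The "signature": the sshd authentication message shapes we know how to read.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(log_text):
    """Parse sshd-style lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def correlate_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=5)):
    """Correlation rule: >= threshold failed logins from one source IP inside
    `window`, followed by an accepted login from the same IP within the window.

    Returns one alert dict per offending source IP.
    """
    failures = defaultdict(list)   # ip -> timestamps of failures, in arrival order
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["ip"]
        if ev["outcome"] == "Failed":
            failures[ip].append(ev["ts"])
            continue
        # Accepted login: count this IP's failures that fall inside the window
        recent = [t for t in failures[ip] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({
                "ip": ip,
                "user": ev["user"],
                "failures": len(recent),
                "first_failure": recent[0],
                "success_at": ev["ts"],
            })
            failures[ip].clear()   # do not re-alert on the same burst
    return alerts


if __name__ == "__main__":
    for a in correlate_bruteforce_then_success(parse(SAMPLE_LOG)):
        print(f"ALERT brute-force-then-success src={a['ip']} user={a['user']} "
              f"failures={a['failures']} success_at={a['success_at'].isoformat()}")
```

Run as a script it prints one alert for 203.0.113.7 and nothing for alice, whose single failure followed by a key-based login stays below the threshold. The same structure (parse into typed events, keep per-entity state, fire when a sequence matches) is what a SIEM correlation rule does at scale; the hard part in production is choosing the threshold and window so that legitimate typo bursts do not page anyone.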
A company uses a Network Intrusion Detection System (NIDS) to detect port scans, DDoS attempts, and known exploits in network traffic.
A Host Intrusion Detection System (HIDS) monitors critical servers for suspicious changes to system files, configurations, and registry data.
A cloud provider analyzes login attempts and API calls to detect unusual access from unknown regions or with atypical usage patterns.
A bank correlates IDS alerts with a SIEM system to identify multi-stage attacks (e.g., phishing, compromised accounts, data exfiltration attempts).
An industrial company monitors its OT/ICS networks with a specialized IDS to identify unauthorized access to controllers and production assets.
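The HIDS use case above (watching critical servers for changes to system files and configurations) reduces, at its core, to a baseline-and-compare file integrity check. The following Python script is an added example, not code from the original page or from any HIDS product: it hashes every regular file under a directory, records its permission bits, and reports files that were added, deleted, modified, or had their mode changed. The directory tree and the simulated tampering (a user appended to a passwd file, a binary made setuid, an unexpected new executable) are constructed in a temporary directory purely for illustration.

```python
"""Baseline-and-compare file integrity check, the core of a HIDS file monitor.

Added example, not from the original page. The files and the tampering are
constructed in a temporary directory; a real deployment would baseline
system directories and store the baseline somewhere the host cannot alter.
"""
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Return {relative_path: (sha256_hex, mode_bits)} for regular files under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue   # skip symlinks, sockets, devices
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            state[rel] = (digest, stat.S_IMODE(st.st_mode))
    return state


def diff(baseline, current):
    """Compare two snapshots; return a sorted list of (change, path) tuples."""
    findings = []
    for rel in baseline.keys() - current.keys():
        findings.append(("deleted", rel))
    for rel in current.keys() - baseline.keys():
        findings.append(("added", rel))
    for rel in baseline.keys() & current.keys():
        b_hash, b_mode = baseline[rel]
        c_hash, c_mode = current[rel]
        if b_hash != c_hash:
            findings.append(("content_changed", rel))
        if b_mode != c_mode:
            findings.append(("mode_changed", rel))
    return sorted(findings)


def demo():
    """Build a tiny constructed tree, baseline it, tamper with it, return findings."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"\x7fELF...")   # stand-in for a real binary
        os.chmod(os.path.join(root, "bin", "ls"), 0o755)

        baseline = snapshot(root)

        # Simulated tampering: extra uid-0 account, setuid bit on ls, new binary
        with open(os.path.join(root, "etc", "passwd"), "a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")
        os.chmod(os.path.join(root, "bin", "ls"), 0o4755)
        with open(os.path.join(root, "bin", "nc"), "wb") as f:
            f.write(b"payload")

        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    for change, path in demo():
        print(f"{change:16s} {path}")
```

The baseline must be stored and compared from somewhere the monitored host cannot rewrite (a central server or read-only media), otherwise an attacker who gains root simply re-baselines after tampering. Hashing whole files is fine for configuration directories; for large trees, production HIDS agents also watch inode change notifications rather than rescanning.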