Intrusion detection systems (IDS) are dedicated systems that detect attacks on IT systems and networks. On its own an IDS detects and reports; blocking is the job of an intrusion prevention system (IPS). An IDS sensor should be as invisible as possible to the monitored network and offer no services of its own, while logging attacks, recognising intrusions and, where possible, triggering countermeasures such as alerting. Anything abnormal on the network should be detected and logged by the IDS.
Misuse detection, or signature-based IDS, works by pattern matching: the application-layer content of each data packet (or reassembled stream) is compared against a database of signatures that describe known attacks. Because this is pure pattern matching, only attacks whose signature is already known are detected; a new attack for which no signature exists yet passes unnoticed, and the signature database must be kept up to date.
Anomaly detection, on the other hand, treats any behaviour that falls outside the learned profile of normal traffic as a potential attack. This also catches previously unknown attacks, and there is no attack-pattern database to maintain. The price is that "normal" traffic must first be defined or learned, and any legitimate deviation from that profile (a new service, a busy batch job) raises the false-alarm rate. Both methods are also the basis of intrusion prevention systems (IPS), which sit inline in the traffic path and can drop offending packets rather than merely reporting them. By placement, IDS come as network-based solutions (Network Intrusion Detection System, NIDS), which inspect the traffic of a network segment, and host-based solutions (Host-Based Intrusion Detection System, HIDS), which monitor a single host's logs, files and processes.
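The difference between the two detection methods is easiest to see side by side. The following is an added example, not code from the original page or from any IDS product: a toy signature matcher and a toy anomaly detector run over the same constructed set of HTTP request lines. The signature list, the IP addresses, the request lines and the "training" request counts are all made up for the illustration; the anomaly rule (flag any host whose request count in a window exceeds mean + 3 standard deviations of the learned baseline) is one simple choice among many.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# --- Misuse / signature-based detection --------------------------------------
# Hypothetical signatures: application-layer patterns for two well-known attack
# classes. A real IDS ships thousands of these and must keep them updated.
SIGNATURES = [
    ("sqli-tautology", re.compile(r"'\s*OR\s+1\s*=\s*1", re.IGNORECASE)),
    ("path-traversal", re.compile(r"\.\./")),
]


def signature_detect(events):
    """Return (source_ip, signature_name) for every event whose payload
    matches a known signature. Anything without a signature is invisible."""
    hits = []
    for src, payload in events:
        for name, pattern in SIGNATURES:
            if pattern.search(payload):
                hits.append((src, name))
    return hits


# --- Anomaly detection ---------------------------------------------------------
def learn_baseline(training_counts):
    """Learn what 'normal' looks like: per-host request counts per window
    observed during a period assumed to be attack-free."""
    return mean(training_counts), pstdev(training_counts)


def anomaly_threshold(baseline, k=3.0):
    """Hosts above mean + k * stddev are reported as anomalous."""
    m, s = baseline
    return m + k * s


def anomaly_detect(events, baseline, k=3.0):
    """Return (source_ip, request_count) for hosts whose activity in this
    window deviates from the learned profile. No attack knowledge is used,
    so novel attacks can be caught, but so can unusual legitimate activity."""
    threshold = anomaly_threshold(baseline, k)
    counts = Counter(src for src, _ in events)
    return [(src, n) for src, n in counts.items() if n > threshold]


# --- Constructed sample data (not real traffic) --------------------------------
# Per-host request counts per window from an assumed-clean training period.
TRAINING_COUNTS = [3, 4, 2, 5, 3, 4, 3, 2, 4, 3]   # mean 3.3, stddev 0.9

# One observation window of (source_ip, request_line) pairs.
EVENTS = (
    [("10.0.0.5", "GET /index.html HTTP/1.1"),
     ("10.0.0.5", "GET /about.html HTTP/1.1")]
    # Legitimate but busier-than-usual crawler: nothing malicious in content.
    + [("10.0.0.7", f"GET /docs/page{i}.html HTTP/1.1") for i in range(8)]
    # Two requests carrying well-known attack patterns, low volume.
    + [("10.0.0.9", "GET /search?q=' OR 1=1-- HTTP/1.1"),
       ("10.0.0.9", "GET /static/../../etc/passwd HTTP/1.1")]
    # Novel scan: no signature matches any request, but the volume is unusual.
    + [("10.0.0.13", f"GET /cgi-bin/probe{i} HTTP/1.1") for i in range(40)]
)


def run_both(events=EVENTS, training_counts=TRAINING_COUNTS):
    """Run both detectors over one window and return their findings."""
    baseline = learn_baseline(training_counts)
    return {
        "signature": signature_detect(events),
        "anomaly": anomaly_detect(events, baseline),
    }


if __name__ == "__main__":
    result = run_both()
    # Signature hits: only 10.0.0.9, the known patterns; the scan is missed.
    print("signature:", result["signature"])
    # Anomaly hits: 10.0.0.13 (the novel scan) and 10.0.0.7 (a false alarm);
    # the two-request SQLi/traversal host stays below the threshold.
    print("anomaly:  ", result["anomaly"])
```

Read together, the two result lists show the trade-off from the text: the signature matcher names the attack precisely but sees only what it already knows, while the anomaly detector catches the unknown scanner at the cost of flagging the busy crawler and missing the low-volume injection attempts. In practice the two are combined, and the anomaly threshold and training window are tuned per environment.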