07-09-2016, 10:22 AM
An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any detected activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms.

There is a wide spectrum of IDS, varying from virus scanning software to hierarchical systems that monitor the traffic of an entire backbone network. The most common classification is into network-based (NIDS) and host-based (HIDS) intrusion detection systems, in reference to what is monitored by the IDS. A system that monitors important operating system files is an example of a HIDS, while a system that analyzes incoming network traffic is an example of a NIDS. It is also possible to classify IDS by detection approach: the most well-known variants are signature-based detection (recognizing bad patterns, such as malware) and anomaly-based detection (detecting deviations from a model of "good" traffic, which often relies on machine learning). Some IDS also have the ability to respond to detected intrusions; such systems are typically referred to as intrusion prevention systems (IPS).
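The two detection approaches the post distinguishes, signature-based and anomaly-based, behave quite differently on the same input. The script below is an added example and not part of the original post or any particular IDS product: it runs both approaches over a handful of constructed web-access log lines. The log format, the three signature rules, the "known good" response sizes used as the anomaly baseline and the z-score threshold are all assumptions chosen for illustration.

```python
"""Added example (not from the original post): a toy NIDS-style detector that
applies signature-based and anomaly-based detection to constructed log lines."""
import re
import statistics

# Constructed sample lines, not real traffic:  <source ip> "<method> <path>" <bytes sent>
SAMPLE_LOG = [
    '10.0.0.5 "GET /index.html" 1200',
    '10.0.0.5 "GET /about.html" 900',
    '10.0.0.7 "GET /login" 1100',
    '10.0.0.7 "POST /login" 300',
    '10.0.0.9 "GET /search?q=alice" 1000',
    """10.0.0.9 "GET /search?q=' OR 1=1--" 1000""",
    '10.0.0.9 "GET /../../etc/passwd" 400',
    '10.0.0.9 "GET /search?q=<script>alert(1)</script>" 1000',
    '10.0.0.11 "GET /download" 950000',
]

# Constructed "known good" response sizes used to train the anomaly baseline (assumption).
BASELINE_SIZES = [1200, 900, 1100, 300, 1000, 950, 1050, 1150, 800, 1000]

LOG_RE = re.compile(r'^(\S+) "(\S+) (.*)" (\d+)$')


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, size = m.groups()
    return {"ip": ip, "method": method, "path": path, "size": int(size)}


# Signature-based detection: fixed patterns for attacks that are already known.
# These three rules are illustrative assumptions, not a real ruleset.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(?:'|%27)\s*or\s+1=1"),
    "path_traversal": re.compile(r"\.\./"),
    "xss": re.compile(r"(?i)<script"),
}


def signature_alerts(events):
    """Return (ip, rule_name) for every event whose request path matches a signature."""
    alerts = []
    for e in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(e["path"]):
                alerts.append((e["ip"], name))
    return alerts


class SizeBaseline:
    """Anomaly-based detection: model 'good' traffic as the mean and standard
    deviation of response size, and flag events whose z-score exceeds a threshold."""

    def __init__(self, sizes, z_threshold=3.0):
        self.mean = statistics.mean(sizes)
        self.stdev = statistics.stdev(sizes)
        self.z_threshold = z_threshold

    def z(self, size):
        return (size - self.mean) / self.stdev

    def alerts(self, events):
        return [(e["ip"], "size_anomaly", e["size"])
                for e in events if abs(self.z(e["size"])) > self.z_threshold]


def run_ids(lines, baseline_sizes=BASELINE_SIZES):
    """Run both detectors over raw log lines; malformed lines are dropped by parse_line."""
    events = [e for e in (parse_line(line) for line in lines) if e]
    baseline = SizeBaseline(baseline_sizes)
    return {
        "signature": signature_alerts(events),
        "anomaly": baseline.alerts(events),
    }


if __name__ == "__main__":
    for kind, alerts in run_ids(SAMPLE_LOG).items():
        for alert in alerts:
            print(kind, alert)
```

On the constructed input the signature detector fires three times, all on 10.0.0.9 (the SQL injection, traversal and XSS probes), and stays silent on the 950 kB transfer from 10.0.0.11 because no rule describes it. The anomaly detector does the opposite: the response sizes of the three probes are unremarkable, so it says nothing about them, but the large transfer sits far outside the baseline and is flagged. Whether that transfer is exfiltration or a legitimate download is exactly the kind of question the SIEM's alarm filtering mentioned in the post has to answer, which is why a practitioner normally runs both approaches rather than picking one.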