An intrusion detection system (IDS) is a device or software application that monitors network or system activity for malicious or unauthorized behavior and reports what it finds to a management station. IDS come in a variety of "flavors", but they are categorized as either network-based (NIDS) or host-based (HIDS), depending on where they are deployed: a network intrusion detection system monitors traffic on the network for suspicious activity, while a host-based intrusion detection system runs on individual hosts and monitors system calls, application logs, file-system modifications and other activities for signs of malicious or unauthorized behavior.
A network intrusion detection system (NIDS) monitors and analyzes network traffic for suspicious activity. NIDS are placed at strategic locations within the network to maximize their ability to monitor traffic. Common locations for NIDS include network perimeter devices such as routers and firewalls, as well as key servers within the network.
A host-based intrusion detection system (HIDS) is deployed on individual hosts and monitors activity on that host. HIDS typically monitor system calls, application logs, file-system modifications and other activities for signs of malicious or unauthorized behavior.
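As an added illustration of the two HIDS activities named above (not code from the original article), the following minimal Python host monitor hashes files to detect modifications and matches application log lines against signature rules. The file path, log lines and the single rule are constructed sample data.

```python
import hashlib
import os
import re
import tempfile

# Constructed sample "application log" lines, as a HIDS might read from a log file.
SAMPLE_LOG = [
    "sshd[1204]: Accepted publickey for alice from 10.0.0.5 port 51422",
    "sshd[1207]: Failed password for invalid user admin from 203.0.113.9 port 44012",
    "sshd[1207]: Failed password for invalid user admin from 203.0.113.9 port 44013",
]

# Constructed signature rules: regex -> alert name (not a real IDS ruleset).
LOG_RULES = {r"Failed password for invalid user": "ssh-invalid-user-login"}

def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def baseline(paths):
    """Record a SHA-256 for each monitored file: the 'known good' state."""
    return {p: _sha256(p) for p in paths}

def check_integrity(base):
    """Compare current file hashes with the baseline; report changed or removed files."""
    alerts = []
    for path, digest in base.items():
        if not os.path.exists(path):
            alerts.append({"type": "file-removed", "path": path})
        elif _sha256(path) != digest:
            alerts.append({"type": "file-modified", "path": path})
    return alerts

def scan_logs(lines, rules=LOG_RULES):
    """Match each log line against the signature rules; one alert per match."""
    return [{"type": name, "line": ln}
            for ln in lines for pat, name in rules.items() if re.search(pat, ln)]

def demo():
    """Baseline a config file, simulate an unauthorized edit, then run both checks."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "app.conf")
        with open(cfg, "w") as f:
            f.write("debug=false\n")
        base = baseline([cfg])
        with open(cfg, "a") as f:      # the modification the integrity check should catch
            f.write("debug=true\n")
        return check_integrity(base) + scan_logs(SAMPLE_LOG)

if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Running it yields one `file-modified` alert for the tampered file and one alert per matching log line; the unmatched "Accepted publickey" line produces nothing.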
Intrusion detection systems are a critical component of any security infrastructure. IDS provide organizations with the ability to detect and respond to attacks in progress, as well as identify attacks that have already occurred.
IDS are not a panacea for all security ills, however. IDS can generate a large number of false positives, which can overwhelm security personnel and lead to important events being missed. In addition, IDS can be defeated by attackers who have a deep understanding of how the IDS works and how to exploit its weaknesses.
Despite these limitations, IDS remain an important part of the security landscape and have been shown to be an effective deterrent to many types of attacks.