Editing Intrusion detection system (section)
{{Short description|Network protection device or software}} {{Redirect-distinguish|Intrusion Detection|intruder detection|Security alarm}} {{more citations needed|date=September 2018}} An '''intrusion detection system''' ('''IDS''') is a device or [[software]] application that monitors a network or systems for malicious activity or policy violations.<ref name=IDS_1>{{cite web| title=What is an Intrusion Detection System (IDS)?| url=https://www.checkpoint.com/cyber-hub/network-security/what-is-an-intrusion-detection-system-ids| publisher=Check Point Software Technologies| date=2023| access-date=27 December 2023}}</ref> Any intrusion activity or violation is typically either reported to an administrator or collected centrally using a [[Security information and event management|security information and event management (SIEM)]] system. A SIEM system combines outputs from multiple sources and uses [[alarm filtering]] techniques to distinguish malicious activity from [[false alarm]]s.<ref>{{Cite book|url=https://books.google.com/books?id=klE8DwAAQBAJ&q=siem+alarm+filtering&pg=PA31|title=Cyber and Chemical, Biological, Radiological, Nuclear, Explosives Challenges: Threats and Counter Efforts|last1=Martellini|first1=Maurizio|last2=Malizia|first2=Andrea|date=2017-10-30|publisher=Springer|isbn=9783319621081|language=en}}</ref> IDS types range in scope from single computers to large networks.<ref>Axelsson, S (2000). [http://neuro.bstu.by/ai/To-dom/My_research/Paper-0-again/For-research/D-mining/Anomaly-D/Intrusion-detection/taxonomy.pdf "Intrusion Detection Systems: A Survey and Taxonomy"] (retrieved 21 May 2018)</ref> The most common classifications are '''network intrusion detection systems''' ('''NIDS''') and '''[[host-based intrusion detection system]]s''' ('''HIDS'''). A system that monitors important operating system files is an example of an HIDS, while a system that analyzes incoming network traffic is an example of an NIDS. 
It is also possible to classify IDS by detection approach. The most well-known variants are [[signature-based detection]] (recognizing bad patterns, such as [[Exploit (computer security)|exploitation attempts]]) and anomaly-based detection (detecting deviations from a model of "good" traffic, which often relies on [[machine learning]]). Another common variant is reputation-based detection (recognizing a potential threat according to reputation scores). Some IDS products have the ability to respond to detected intrusions; systems with response capabilities are typically referred to as an '''intrusion prevention system''' ('''IPS''').<ref name=CS_1>{{cite book| title=Computer Security: Protecting Digital Resources| author=Newman, R.C.| url=https://books.google.com/books?id=RgSBGXKXuzsC| publisher=Jones & Bartlett Learning| date=23 June 2009| access-date=27 December 2023| isbn=978-0-7637-5994-0}}</ref> Intrusion detection systems can also be augmented with custom tools for specific purposes, such as a honeypot that attracts and characterizes malicious traffic.<ref>{{Cite book|url=https://books.google.com/books?id=lPQYCwAAQBAJ&q=IDS+honeypot&pg=PA122|title=Honeypots and Routers: Collecting Internet Attacks|last1=Mohammed|first1=Mohssen|last2=Rehman|first2=Habib-ur|date=2015-12-02|publisher=CRC Press|isbn=9781498702201|language=en}}</ref>
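The three detection approaches above (signature-based, anomaly-based and reputation-based) and the IDS/IPS distinction can be made concrete with a small classifier over summarised flow records. The following is an added example written for this section; it is not code from the article or from any IDS product. The flow records, the two signatures, the reputation score for 203.0.113.7 (a documentation-range address) and the per-port byte-volume baseline are all constructed here for illustration.

```python
"""Toy illustration of the three IDS detection approaches named in the article:
signature-based, anomaly-based and reputation-based, plus an IPS-style
"prevent" mode.  This is an added example, not code from the article or from
any IDS product; all flows, signatures and reputation scores are constructed."""
import re
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One summarised network flow (constructed sample data, not captured traffic)."""
    src: str        # source IP address
    dport: int      # destination port
    bytes_out: int  # bytes sent by the source
    payload: str    # decoded application-layer payload


# --- Signature-based detection: match known-bad patterns in the payload ----
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-tautology": re.compile(r"'\s*or\s+'1'\s*=\s*'1", re.IGNORECASE),
}


def signature_alerts(flow):
    """Return the names of all signatures that fire on this flow."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(flow.payload))


# --- Reputation-based detection: score lookup on the source address ---------
REPUTATION = {"203.0.113.7": 90}  # constructed; 203.0.113.0/24 is documentation space
REPUTATION_THRESHOLD = 70


def reputation_alert(flow):
    """True when the source's reputation score reaches the alert threshold."""
    return REPUTATION.get(flow.src, 0) >= REPUTATION_THRESHOLD


# --- Anomaly-based detection: deviation from a model of "good" traffic ------
class VolumeBaseline:
    """Per-destination-port mean/stdev of bytes_out learned from benign flows."""

    def __init__(self, training, z_threshold=3.0):
        self.z_threshold = z_threshold
        sizes_by_port = {}
        for f in training:
            sizes_by_port.setdefault(f.dport, []).append(f.bytes_out)
        # Floor the stdev at 1 byte so a constant-size port cannot divide by zero.
        self.stats = {
            port: (statistics.fmean(sizes), max(statistics.pstdev(sizes), 1.0))
            for port, sizes in sizes_by_port.items()
        }

    def is_anomalous(self, flow):
        if flow.dport not in self.stats:
            return True  # traffic to a port never seen in training is a deviation
        mean, stdev = self.stats[flow.dport]
        return abs(flow.bytes_out - mean) / stdev > self.z_threshold


# Constructed benign training flows: small HTTP requests, larger HTTPS sessions.
TRAINING_FLOWS = [Flow("10.0.0.2", 80, n, "GET / HTTP/1.1") for n in range(400, 701, 50)] + [
    Flow("10.0.0.3", 443, n, "TLS application data") for n in range(1000, 2001, 200)
]
BASELINE = VolumeBaseline(TRAINING_FLOWS)


def evaluate(flow, baseline=BASELINE, prevent=False):
    """Combine the three detectors; in IPS mode (prevent=True) a hit drops the flow."""
    reasons = [f"signature:{name}" for name in signature_alerts(flow)]
    if reputation_alert(flow):
        reasons.append("reputation")
    if baseline.is_anomalous(flow):
        reasons.append("anomaly")
    if not reasons:
        return "allow", []
    return ("drop" if prevent else "alert"), reasons


if __name__ == "__main__":
    samples = [
        Flow("10.0.0.5", 80, 520, "GET /index.html HTTP/1.1"),
        Flow("10.0.0.6", 80, 530, "GET /../../etc/passwd HTTP/1.1"),
        Flow("10.0.0.7", 443, 90000, "TLS application data"),
        Flow("203.0.113.7", 80, 510, "GET / HTTP/1.1"),
    ]
    for s in samples:
        print(s.src, s.dport, evaluate(s))
```

The example makes the trade-off behind the classification visible: the signature detector only fires on patterns it already knows, while the anomaly detector flags the oversized HTTPS session and any never-seen port without knowing what the traffic is, which is also why anomaly-based systems generate the false alarms that a SIEM's alarm filtering has to absorb. Setting `prevent=True` turns the same decision into the blocking behaviour of an IPS.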