An Intrusion Detection System (IDS) is a cybersecurity tool that monitors network or system activity for signs of
malicious behaviour, unauthorized access, misuse, or abnormal activity.
Think of an IDS as a burglar alarm for a network:
Monitors activity in real time (or near real time)
Detects suspicious events
Generates alerts for administrators
Does not normally block traffic (unlike a firewall)
IDS is a key component of a Defence-in-Depth strategy, working alongside firewalls, access control, and other
security technologies.
Figure – Intrusion Detection Systems monitor network and host activity to identify suspicious or unauthorized behaviour.
Purpose of an IDS
An IDS monitors:
Network traffic
User logins
System events
File modifications
Configuration changes
Process activity
Its objective is to identify:
Unauthorized access
Malware activity
Suspicious communications
Insider threats
Policy violations
Network reconnaissance or scanning
Types of IDS
Network Intrusion Detection System (NIDS)
A Network IDS monitors traffic travelling across the network.
Characteristics
Observes communications between devices
Uses passive packet sniffing
Does not introduce latency
Generates alerts without blocking traffic
Detection Methods
Signature-based Detection
Matches traffic against known attack signatures
Effective against known threats
Heuristic / Anomaly-based Detection
Learns normal network behaviour
Detects deviations from the baseline
Identifies unknown or emerging attacks
Can Detect
Port scanning
Lateral movement
Unauthorized communications
Malware traffic
Suspicious protocol activity
Host Intrusion Detection System (HIDS)
A Host IDS is installed directly on individual devices such as:
Engineering workstations
Servers
Operator stations
Critical endpoints
Monitors
File integrity
User logins
Process activity
Configuration changes
Registry changes (Windows)
Privilege escalation
System logs
Detection Methods
Signature-based Detection
Detects known malicious patterns
Heuristic / Behaviour-based Detection
Detects unusual activity
Identifies changes to critical files
Detects abnormal processes or privilege changes
Operation
Uses a software agent installed on each host
Sends alerts to a centralized management system
IDS in Industrial Control Systems (ICS)
Industrial IDS solutions are designed to protect:
PLCs
HMIs
SCADA systems
Historians
Engineering workstations
Legacy industrial devices
Unlike traditional IT IDS, industrial solutions understand industrial communication protocols and operational
behaviour.
Modern ICS IDS platforms can:
Monitor industrial protocols
Establish a baseline of normal operations
Detect abnormal control commands
Identify unauthorized device communications
Detect changes to industrial configurations
Common industrial platforms include:
Nozomi Networks
Claroty
Dragos
Detection Techniques
Signature-Based Detection
Looks for known attack patterns.
Advantages
High accuracy for known attacks
Low false alarm rate
Limitations
Cannot detect new or unknown attacks
Requires regular signature updates
Heuristic / Anomaly-Based Detection
Learns normal behaviour and detects deviations.
Advantages
Detects unknown threats
Detects insider attacks
Identifies zero-day behaviour
Limitations
Higher false positive rate
Requires tuning and baselining
Benefits of IDS
Continuous security monitoring
Early threat detection
Detects unauthorized access
Supports incident response
Improves network visibility
Helps identify compromised devices
Complements firewalls and access control
Supports Defence-in-Depth
IDS Challenges and Limitations
1. False Positives
Legitimate activity may trigger alerts
Can result in alert fatigue
Important alerts may be overlooked
2. Deployment and Operational Costs
Hardware and software licensing costs
Skilled personnel required
Ongoing maintenance and support
3. Legacy ICS Protocol Support
Older IDS solutions had limited understanding of industrial protocols
Modern ICS platforms have significantly improved protocol support
Less of a concern with current industrial IDS products
4. Continuous Maintenance
IDS is not a "set-and-forget" solution.
Effective operation requires:
Regular signature updates
Rule tuning
Baseline adjustments
Monitoring of alerts
Periodic review to reduce false positives
IDS vs Firewall
Feature
Firewall
IDS
Primary Function
Controls and filters traffic
Monitors and detects suspicious activity
Blocks Traffic
Yes
No (alerts only)
Detects Attacks
Limited
Yes
Generates Alerts
Limited
Yes
Network Visibility
Moderate
High
Defense Role
Prevention
Detection
Key Takeaways
An Intrusion Detection System (IDS) monitors networks and systems for suspicious activity and unauthorized access.
IDS acts as a burglar alarm, generating alerts rather than blocking traffic.
NIDS monitors network traffic, while HIDS monitors activity on individual hosts.
Detection methods include signature-based and anomaly-based (heuristic) analysis.
Modern ICS IDS platforms (e.g., Nozomi, Claroty, Dragos) understand industrial protocols and baseline normal operational behaviour.
IDS strengthens a Defence-in-Depth strategy but requires continuous tuning, updates, and monitoring to remain effective.