The IT Law Wiki


An intrusion detection system (IDS) is:

[a] software application that can be implemented on host operating systems or as network devices to monitor activity that is associated with intrusions or insider misuse, or both.[1]
[a] security service that monitors and analyzes network or system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.[2]


Intrusion detection systems detect inappropriate, incorrect, or anomalous activity on a network or computer system. Intrusion prevention systems build on intrusion detection systems to detect attacks on a network and take action to prevent them from being successful. Security event correlation tools monitor and document actions on network devices and analyze the actions to determine if an attack is ongoing or has occurred.[3]

An IDS collects information on a network, analyzes the information on the basis of a preconfigured rule set, and then responds to the analysis. IDS ensure that unusual activity such as new open ports, unusual traffic patterns, or changes to critical operating system files is brought to the attention of the appropriate security personnel.
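The collect, analyze and respond cycle described above can be sketched as a small host-based check for two of the named signals, new open ports and changes to critical operating system files. This is an added example, not taken from the wiki or its cited sources; the names `BASELINE`, `collect`, `analyze` and `respond`, and all sample ports, paths and file contents, are constructed for illustration.

```python
import hashlib

# Constructed baseline (the "preconfigured rule set"): expected listening
# ports and SHA-256 digests of critical files. All values are sample data.
BASELINE = {
    "ports": {22, 443},
    "files": {
        "/etc/passwd": hashlib.sha256(b"root:x:0:0:root:/root:/bin/sh\n").hexdigest(),
        "/etc/hosts": hashlib.sha256(b"127.0.0.1 localhost\n").hexdigest(),
    },
}

def collect(listening_ports, file_contents):
    """Collection step: normalise raw observations into a snapshot."""
    return {
        "ports": set(listening_ports),
        "files": {p: hashlib.sha256(c).hexdigest() for p, c in file_contents.items()},
    }

def analyze(snapshot, baseline=BASELINE):
    """Analysis step: compare the snapshot with the baseline, return alerts."""
    alerts = []
    for port in sorted(snapshot["ports"] - baseline["ports"]):
        alerts.append(("NEW_OPEN_PORT", str(port)))
    for path, digest in sorted(baseline["files"].items()):
        seen = snapshot["files"].get(path)
        if seen is None:
            alerts.append(("CRITICAL_FILE_MISSING", path))
        elif seen != digest:
            alerts.append(("CRITICAL_FILE_CHANGED", path))
    return alerts

def respond(alerts):
    """Response step: format alerts for the appropriate security personnel."""
    return [f"ALERT {kind}: {detail}" for kind, detail in alerts]

# Constructed observation: port 4444 newly listening, /etc/passwd modified.
OBSERVED = collect(
    [22, 443, 4444],
    {
        "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\nsvc:x:1001:1001::/home/svc:/bin/sh\n",
        "/etc/hosts": b"127.0.0.1 localhost\n",
    },
)

if __name__ == "__main__":
    for line in respond(analyze(OBSERVED)):
        print(line)
```

A real deployment would populate the snapshot from the host itself (socket tables, file reads) and protect the baseline from tampering; here both are inline so the comparison logic can be run offline.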

The implementation of an IDS might be valuable for the following reasons:

Types of intrusion detection systems

There are three common types of IDS, classified by the source of information they use to detect intrusions: network-based, host-based, and application-based.

An additional type of IDS is a