What Is an Intrusion Detection System?

Written by Coursera Staff • Updated on

Explore how intrusion detection systems strengthen network security and safeguard against potential cyber threats.

[Featured image] A cybersecurity analyst is on their laptop learning about the different intrusion detection systems.

An intrusion detection system (IDS) is a vigilant application or device that proactively screens, monitors, and analyze a network against malicious threats. 

The cybersecurity landscape benefits from the distinct but interconnected safety features of intrusion detection systems and intrusion prevention systems (IPS). An IDS acts as the "watchful eye" that continuously monitors network activities and provides early warning of potential threats. Meanwhile, the IPS prevents and stops detected threats from causing harm to a network. 

Read more: Cybersecurity Terms: A to Z Glossary

Types of intrusion detection systems

IDS solutions come in different forms, each with their own capabilities tailored to meet specific security requirements. Here are two prevalent types of intrusion detection systems:

  • NIDS: Network intrusion detection systems are strategically placed within an organization's internal network infrastructure to actively monitor and identify any malicious or suspicious traffic originating from devices connected to the network.

  • HIDS: A host intrusion detection system (HIDS) safeguards all devices that connect to both the internet and the organization's internal network. It detects internal packets and additional malicious traffic missed by NIDS. HIDS also identifies host-based threats, like malware attempting to spread within an organization's system.

How do intrusion detection systems work?

An IDS supports organizations in their cybersecurity strategies by offering assistance in one of three ways:

  • Signature-based detection: The IDS examines all packets traversing an organization's network and matches them against a database of known attack signatures through string comparison.

  • Anomaly-based detection: The IDS compares definitions of what is deemed normal with recorded events to spot deviations in network activity. Anomaly-based systems employ machine learning to establish a reference point for normal behavior. This detection method can prove instrumental in combating novel threats. 

  • Stateful protocol analysis: The IDS analyzes observed events with predefined profiles of protocol activity that are safe or benign. The process repeats for every protocol state.

IDS vs. firewall: What’s the difference? 

An IDS passively observes network activity, alerting incident responders or security operations center (SOC) analysts to potential threats. However, it does not offer protection for endpoints or networks beyond incident response.

In contrast, a firewall actively monitors and blocks threats to prevent incidents. It acts as a barrier, selectively allowing or blocking network traffic based on preconfigured rules.

Getting started with Coursera

Take the next step toward a career in cybersecurity by enrolling in the  Google Cybersecurity Professional Certificate on Coursera. This certificate is your gateway to exploring job titles like security analyst SOC (security operations center) analyst, and more. Upon completion, you’ll have exclusive access to a job platform with over 150 employees hiring for entry-level cybersecurity roles and other resources that will support you in your job search.

Keep reading

Updated on
Written by:

Editorial Team

Coursera’s editorial team is comprised of highly experienced professional editors, writers, and fact...

This content has been made available for informational purposes only. Learners are advised to conduct additional research to ensure that courses and other credentials pursued meet their personal, professional, and financial goals.