
Network Intrusion Detection

Watching traffic for signs of attack.

Eyes On The Wire

A network intrusion detection system, or NIDS, inspects traffic to spot malicious activity. It typically sits on a mirrored or tapped link so it sees a copy of traffic without sitting in the forwarding path.

Detection Approaches

There are two main ways to recognize attacks.

  • Signature-based detection matches traffic against known bad patterns, such as a specific exploit string. It is precise for known threats but blind to novel ones.
  • Anomaly-based detection learns a baseline of normal behavior and flags deviations from it. It can catch new attacks but tends to produce more false alarms.

Many systems combine both to balance coverage and noise.

Detection Versus Prevention

The distinction between watching and acting matters.

  • A detection system only alerts, leaving response to humans or other tools.
  • A prevention system sits inline and can drop offending traffic, but it adds latency and risks blocking legitimate flows if it misfires.

Living With Alerts

The hard part is operations, not detection.

  • False positives waste analyst time and breed alert fatigue.
  • False negatives are missed real attacks.
  • Tuning rules and baselines to the environment is continuous work.
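The three sections above (signature versus anomaly detection, detect versus prevent, and the tuning burden) can be shown in one small engine. The Python below is an added example written for this lesson; it is not code from the lesson or from any NIDS product. It matches payloads against a hypothetical signature list, scores flow sizes against a baseline learned from a constructed window of benign flows, and runs in either a detect mode that only records reasons or a prevent mode that also marks the flow as dropped. The flow records, signatures, training window and thresholds are all constructed for illustration.

```python
import re
import statistics
from dataclasses import dataclass

# Constructed flow records (not real captures): source host, bytes sent, and
# a short payload excerpt as a NIDS sensor on a mirrored link might see it.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "bytes": 1200, "payload": "GET /index.html HTTP/1.1"},
    {"src": "10.0.0.5", "bytes": 1350, "payload": "GET /about.html HTTP/1.1"},
    {"src": "10.0.0.5", "bytes": 1100, "payload": "GET /css/site.css HTTP/1.1"},
    {"src": "10.0.0.5", "bytes": 1280, "payload": "GET /img/logo.png HTTP/1.1"},
    {"src": "10.0.0.5", "bytes": 1190, "payload": "GET /js/app.js HTTP/1.1"},
    {"src": "10.0.0.9", "bytes": 900, "payload": "GET /login?user=admin' OR '1'='1 HTTP/1.1"},
    {"src": "10.0.0.5", "bytes": 48000, "payload": "POST /upload HTTP/1.1"},
]

# Constructed window of byte counts from earlier benign flows; this is what the
# anomaly detector "learns" as normal.
TRAINING_BYTES = [1200, 1350, 1100, 1280, 1190]

# Hypothetical signatures: rule name -> regex for a known-bad pattern.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}


@dataclass
class Baseline:
    mean: float
    stdev: float


def learn_baseline(training_bytes):
    """Fit a mean/standard-deviation baseline; guard against a zero stdev."""
    return Baseline(statistics.mean(training_bytes),
                    statistics.pstdev(training_bytes) or 1.0)


def signature_match(payload):
    """Signature detection: return the names of every rule the payload hits."""
    return [name for name, pattern in SIGNATURES.items() if pattern.search(payload)]


def anomaly_score(nbytes, baseline):
    """Anomaly detection: how many standard deviations above normal this flow is."""
    return (nbytes - baseline.mean) / baseline.stdev


def inspect(flow, baseline, threshold=3.0, mode="detect"):
    """Combine both methods on one flow.

    mode="detect" only records reasons (alert); mode="prevent" also marks the
    flow as dropped, as an inline system would do.
    """
    reasons = [f"signature:{name}" for name in signature_match(flow["payload"])]
    z = anomaly_score(flow["bytes"], baseline)
    if z > threshold:  # one-sided: only unusually large flows are flagged
        reasons.append(f"anomaly:z={z:.1f}")
    dropped = bool(reasons) and mode == "prevent"
    return {"src": flow["src"], "reasons": reasons, "dropped": dropped}


def run(flows=SAMPLE_FLOWS, training=TRAINING_BYTES, threshold=3.0, mode="detect"):
    """Learn the baseline once, then inspect every flow with it."""
    baseline = learn_baseline(training)
    return [inspect(flow, baseline, threshold, mode) for flow in flows]


def count_alerts(results):
    """Number of flows that produced at least one reason (i.e. an alert)."""
    return sum(1 for r in results if r["reasons"])


if __name__ == "__main__":
    for mode in ("detect", "prevent"):
        print(f"--- {mode} mode, threshold 3.0 ---")
        for verdict in run(mode=mode):
            if verdict["reasons"]:
                print(verdict)
    # Lowering the threshold shows the tuning trade-off: a benign 1350-byte
    # flow now trips the anomaly detector as well (a false positive).
    print("alerts at z>3.0:", count_alerts(run(threshold=3.0)))
    print("alerts at z>1.0:", count_alerts(run(threshold=1.0)))
```

With the default threshold the injection-looking request is caught only by the signature rule (its size is ordinary), and the 48 000-byte upload is caught only by the anomaly rule (its payload matches nothing). In prevent mode both are marked dropped, which is exactly where a misfire on legitimate traffic would hurt; dropping the threshold to 1.0 flags one of the benign flows too, which is the extra noise the lesson attributes to anomaly methods and the reason tuning never ends.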

Key idea

A network intrusion detection system watches mirrored traffic using signature and anomaly methods to raise alerts, while an inline prevention system can also block, and both demand constant tuning against false positives and negatives.

Check yourself

1. How does signature-based detection work?

2. What is the key difference between detection and prevention systems?

3. Why is anomaly-based detection noisier?