Network Security

Network Intrusion Detection Systems

Network Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) form the backbone of modern network defence. These systems monitor network traffic for suspicious activity, alert security teams to potential threats, and in the case of IPS, automatically block malicious traffic before it can cause harm. For Malaysian organisations facing increasingly sophisticated cyber attacks, understanding how these systems work is essential for building effective defences.

An IDS acts as a surveillance camera for your network — it watches all traffic passing through, compares it against known attack patterns or behavioural baselines, and raises alerts when something looks wrong. An IPS goes a step further by actively intervening, dropping malicious packets or blocking offending IP addresses in real time. Together, they provide the visibility and control that Security Operations Centres (SOCs) rely on to detect and respond to threats quickly.

Signature-Based vs Anomaly-Based Detection

IDS and IPS platforms use two primary detection methodologies, each with distinct strengths and weaknesses. Signature-based detection matches network traffic against a database of known attack patterns — much like antivirus software compares files against known virus signatures. This approach is highly accurate for known threats, produces few false positives, and is computationally efficient. However, it cannot detect novel attacks or zero-day exploits that lack a matching signature.

Anomaly-based detection, by contrast, establishes a baseline of normal network behaviour and flags any traffic that deviates significantly from that baseline. This approach can uncover previously unseen attacks, insider threats, and subtle reconnaissance activity that signature-based systems might miss. The trade-off is a higher rate of false positives, which can overwhelm SOC analysts if tuning is not carefully managed. Most modern IDS deployments combine both methods for comprehensive coverage.

Network-Based vs Host-Based IDS

Network-based IDS (NIDS) monitors traffic at strategic points across the network infrastructure, analysing packets as they traverse switches, routers, and network taps. NIDS deployments provide broad visibility across multiple systems and can detect attacks targeting any device on the monitored segment. Popular NIDS tools are deployed at network boundaries, datacentre perimeters, and internal network choke points.

Host-based IDS (HIDS) runs directly on individual servers or endpoints, monitoring system logs, file integrity, process activity, and local network connections. HIDS can detect attacks that encrypted traffic might hide from a network sensor, such as a compromised web server exfiltrating data over HTTPS. A well-architected security programme uses both NIDS and HIDS in layers, ensuring that an attacker evading one layer is caught by another.

Popular IDS Tools

Several open-source and commercial IDS/IPS tools have become industry standards in the cybersecurity field. Snort, created by Martin Roesch in 1998, remains the most widely deployed open-source IDS/IPS in the world. Its rule-based language allows analysts to write custom detection logic, and its large community produces regularly updated rule sets covering thousands of known exploits and malware signatures.

Suricata, developed by the Open Information Security Foundation (OISF), is a modern alternative that supports multi-threaded processing, GPU acceleration, and native file extraction. Suricata can handle high-speed networks exceeding 10 Gbps, making it suitable for large enterprise and service provider environments. Its rule syntax is compatible with Snort rules, easing migration for teams already familiar with Snort.

Zeek (formerly Bro) takes a different approach — rather than matching traffic against signatures, it logs all network activity in rich detail and provides a powerful scripting language for custom analysis. Zeek's strength lies in its ability to capture application-layer protocols, extract files transferred over the network, and generate comprehensive logs that feed into SIEM platforms for advanced correlation and threat hunting.

SOC Workflows and SIEM Integration

In a typical Security Operations Centre, IDS alerts flow into a Security Information and Event Management (SIEM) platform such as Splunk, Elastic SIEM, or Wazuh. The SIEM correlates IDS alerts with logs from firewalls, endpoints, authentication servers, and threat intelligence feeds to reduce noise and identify genuine incidents. SOC analysts triage these correlated alerts, investigate suspicious activity through packet captures and endpoint forensics, and escalate confirmed incidents for containment and remediation.

IDS Deployment Best Practices

1. Position sensors strategically — Deploy NIDS sensors at network perimeter, internal segmentation boundaries, and critical server zones. Each sensor should have clear visibility of its monitored segment.

2. Tune signatures aggressively — Start with a conservative rule set and gradually enable additional signatures based on your environment's risk profile and alert volume. Over-alerting leads to analyst fatigue.

3. Integrate with threat intelligence — Feed indicators of compromise (IoCs) from threat intelligence sources into your IDS to detect known malicious infrastructure used by targeted attack groups.

4. Establish a review cadence — Review false positive rates, missed detections, and rule coverage monthly. Adjust thresholds and retire obsolete signatures to keep the sensor fleet effective.

5. Plan for encrypted traffic — With HTTPS now accounting for over 90% of web traffic, consider SSL/TLS inspection at controlled points or augment NIDS with endpoint detection and response (EDR) agents for visibility into encrypted flows.

60%

Improvement in breach detection time when IDS is integrated with SIEM platforms

10 Gbps+

Maximum throughput Suricata can inspect on modern multi-core hardware

40,000+

Active Snort community rules covering exploits, malware, and policy violations

Challenges in IDS Operations

Running an effective IDS programme comes with significant operational challenges. Alert fatigue is perhaps the most critical — a typical enterprise IDS can generate millions of alerts per day, of which only a fraction represent genuine threats. Without proper tuning, prioritisation, and automation, SOC teams can quickly become overwhelmed, missing serious incidents in a sea of false positives.

Encrypted traffic poses another major challenge. As more applications adopt TLS encryption, network-based sensors lose visibility into packet payloads. Attackers increasingly use encrypted channels for command-and-control communication and data exfiltration, forcing organisations to either deploy SSL/TLS inspection proxies or rely more heavily on endpoint-based detection and behavioural analysis.

Resource constraints also affect many Malaysian organisations. IDS sensors require substantial compute and storage capacity, especially for full packet capture retention. Smaller enterprises may struggle to justify the cost of dedicated security staff to manage and monitor these systems 24/7. Managed security service providers (MSSPs) offer an alternative, delivering 24-hour monitoring and analysis at a fraction of the cost of building an in-house SOC.

Despite these challenges, IDS and IPS remain indispensable components of a defence-in-depth strategy. When properly deployed, tuned, and integrated with other security controls, they provide the early warning that enables organisations to detect and respond to intrusions before critical data is compromised.

Jason Wong

About the Author

Jason Wong is a Network Security Engineer with over 10 years of experience designing and operating intrusion detection infrastructure for financial institutions and government agencies in Malaysia. He specialises in high-performance IDS deployment, SOC workflow automation, and threat intelligence integration.

← Back to Articles