Intrusion detection system
An intrusion detection system (IDS) monitors network traffic or system activity, detects attacks and anomalies using signatures or behavioural patterns, and reports suspicious events without actively blocking them itself.
An intrusion detection system (IDS) is a security component that continuously monitors traffic in a network or the activity on individual systems in order to detect attacks, misuse and anomalies. A distinction is made between network-based systems (NIDS), which analyse traffic at central points such as network boundaries, usually from a passive copy of the traffic (mirror port or TAP), and host-based systems (HIDS), which evaluate log files, file integrity and processes on a specific system. Unlike an intrusion prevention system (IPS), which sits inline and actively blocks detected attacks, a classic IDS is purely detective and alerting: it cannot stop an attack on its own, so its value depends entirely on someone acting on its alerts.
Detection typically relies on two approaches. Signature-based detection compares observed events with known attack patterns, for example a rule set loaded into a network sensor; it is precise and produces few false positives for known threats, but it cannot detect attacks for which no signature exists and is only as current as its last signature update. Anomaly-based detection learns the normal behaviour of systems and users and raises an alarm on deviations; it can also reveal unknown attacks but is more prone to false positives, and the baseline must be learned while the environment is known to be clean, otherwise an attacker already present becomes part of "normal". In practice, IDS alerts are often fed into a SIEM and a security operations centre (SOC) so that they can be correlated, prioritised and channelled into a structured incident response process.
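The two approaches described above, run over a handful of constructed flow records, as an added example that is not part of the original article: a signature rule catches a known directory-traversal pattern in a web request, while a per-host baseline of nightly outbound volume catches the kind of unusual outflow that has no signature. The records, the rule patterns, the z-score threshold and the hour range counted as "night" are all assumptions made for this example, not settings of any particular product.

```python
import re
import statistics
from collections import defaultdict
from datetime import date, datetime

# Constructed flow records for this example (not real traffic):
# (timestamp, source host, destination IP, bytes sent, application payload or "")
FLOWS = [
    # seven nights of routine backup traffic from srv-erp to the known backup host
    *[
        (f"2024-03-{day:02d}T02:10:00", "srv-erp", "10.0.5.20", nbytes, "")
        for day, nbytes in zip(
            range(1, 8),
            [2_100_000, 2_300_000, 1_900_000, 2_200_000, 2_000_000, 2_400_000, 2_150_000],
        )
    ],
    # a known attack pattern: directory traversal against the web server
    ("2024-03-08T14:32:11", "203.0.113.9", "10.0.2.10", 820,
     "GET /cgi-bin/../../etc/passwd HTTP/1.1"),
    # novel behaviour: a large nightly outflow to an address never seen before
    ("2024-03-08T03:05:00", "srv-erp", "198.51.100.77", 450_000_000, ""),
]

# days assumed to be attack-free and therefore usable to learn "normal"
BASELINE_DAYS = {date(2024, 3, d) for d in range(1, 8)}

# signature rules: a name plus the pattern a payload must contain (assumed patterns)
SIGNATURES = [
    ("directory traversal in URI", re.compile(r"(\.\./|%2e%2e%2f)", re.IGNORECASE)),
    ("command parameter in query string", re.compile(r"[?&](cmd|exec)=", re.IGNORECASE)),
]

# hours assumed to count as "night" for the volume baseline (00:00 to 05:59)
NIGHT_HOURS = range(0, 6)


def signature_alerts(flows):
    """Signature-based detection: match every payload against the known-bad patterns."""
    alerts = []
    for ts, src, dst, _nbytes, payload in flows:
        for name, pattern in SIGNATURES:
            if payload and pattern.search(payload):
                alerts.append({"type": "signature", "rule": name, "ts": ts, "src": src, "dst": dst})
    return alerts


def nightly_profile(flows):
    """Aggregate per (host, day): bytes sent during night hours and the destinations contacted."""
    volume = defaultdict(int)
    dests = defaultdict(set)
    for ts, src, dst, nbytes, _payload in flows:
        t = datetime.fromisoformat(ts)
        if t.hour in NIGHT_HOURS:
            volume[(src, t.date())] += nbytes
            dests[(src, t.date())].add(dst)
    return volume, dests


def anomaly_alerts(flows, baseline_days=BASELINE_DAYS, z_threshold=3.0, min_history=3):
    """Anomaly-based detection: flag a host whose nightly outbound volume on a non-baseline
    day lies more than z_threshold standard deviations above its own learned baseline.
    Destinations never contacted during the baseline are reported alongside the volume."""
    volume, dests = nightly_profile(flows)
    hosts = {host for host, _day in volume}
    alerts = []
    for host in hosts:
        history = [volume[(host, d)] for d in baseline_days if (host, d) in volume]
        if len(history) < min_history:
            continue  # too little clean history to learn what is normal: stay silent
        known_dests = set().union(*(dests[(host, d)] for d in baseline_days if (host, d) in dests))
        mean = statistics.mean(history)
        stdev = statistics.pstdev(history) or 1.0  # avoid division by zero on a flat baseline
        for (h, day), total in volume.items():
            if h != host or day in baseline_days:
                continue
            z = (total - mean) / stdev
            if z > z_threshold:
                alerts.append({
                    "type": "anomaly", "host": host, "day": day, "bytes": total,
                    "baseline_mean": mean, "z": z,
                    "unknown_destinations": sorted(dests[(h, day)] - known_dests),
                })
    return alerts


def detect(flows, baseline_days=BASELINE_DAYS):
    """Run both detectors; the combined list is what would be forwarded to the SIEM."""
    return signature_alerts(flows) + anomaly_alerts(flows, baseline_days)


if __name__ == "__main__":
    for alert in detect(FLOWS):
        print(alert)
```

Running the script prints one alert per detector: the signature alert carries the rule name, the anomaly alert the z-score and the destinations not seen during the baseline, which is the context a SOC needs to prioritise it. Note what each detector misses: the outflow produces no signature alert because its payload contains nothing known-bad, and the traversal produces no anomaly alert because a single 820-byte daytime request does not move the nightly volume baseline. The detector also stays silent for a host with fewer than three baseline nights, which is the conservative choice when "normal" has not yet been learned.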
From a compliance perspective, attack detection is no longer an optional extra but increasingly a legal requirement. The NIS2 Directive and its German implementing law require affected entities to take risk-appropriate technical measures, which expressly include concepts and procedures for detecting security incidents. Operators of critical infrastructures have been obliged under Section 8a(1a) BSIG to deploy attack detection systems since May 2023. The BSI IT-Grundschutz (module DER.1 "Detection of security-relevant events") and ISO/IEC 27001, with its logging and monitoring controls, also address this requirement. An IDS is therefore a central building block for demonstrably establishing the required detection capability.
Legal Basis
Art. 21(2)(b) NIS2 Directive (EU) 2022/2555; Section 8a(1a) BSIG; BSI IT-Grundschutz module DER.1; ISO/IEC 27001 Annex A (A.8.15, A.8.16)
Practical Example
A mid-sized machinery manufacturer qualifies as an important entity under NIS2 and must demonstrate its detection capability. The information security officer introduces a network-based IDS at the boundaries between the office and production networks and adds host-based sensors on the critical servers. The alerts flow into the existing SIEM, where the SOC correlates them and prioritises them by severity. When the IDS reports an unusual nightly data outflow to an unknown IP address, a ticket is automatically created in the incident response process, the incident is assessed against the NIS2 reporting deadlines (early warning within 24 hours and incident notification within 72 hours of becoming aware of a significant incident, followed by a final report), and the documented setup, including the alert, the ticket and the assessment, provides clear evidence for the next audit.